View Full Version : Virus Trouble
ludi4burnley
2007-03-30, 20:46
I am a noob here and i really don't know much about viruses but i know i have vundo. i have intalled hijackthis and here is the log file:
Logfile of HijackThis v1.99.1
Scan saved at 18:38:51, on 30/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
ludi4burnley
2007-03-30, 22:22
i used symantec's fixvundo tool and rescanned hijack this and here is the log file:
Logfile of HijackThis v1.99.1
Scan saved at 20:19:47, on 30/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Hi ludi4burnley
Rename HijackThis.exe to HJT.exe and post back a fresh HijackThis log, please :)
ludi4burnley
2007-03-31, 13:15
thanks for the quick response. to rename it do you just right click the application on the desktop and click rename. i have done this and here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 11:15:08, on 31/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\HJT.exe
O2 - BHO: (no name) - {15359D82-A195-472E-A16C-B1FF4B6F3245} - C:\WINDOWS\system32\khvntdku.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {27E1B2FD-3C56-4568-AC72-3163D52474F0} - C:\WINDOWS\system32\wvwxw.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\xneufrpi.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\nnnopnk.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {808AD739-797B-4194-B8B4-463757B64E38} - C:\WINDOWS\system32\opnli.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CD527717-979B-4CD4-967B-1F04BCE9F2FC} - C:\WINDOWS\system32\jkkli.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: nnnopnk - C:\WINDOWS\SYSTEM32\nnnopnk.dll
O20 - Winlogon Notify: wvwxw - C:\WINDOWS\system32\wvwxw.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Hi
Yes, you did it right :)
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
ludi4burnley
2007-03-31, 18:47
here is vundo fix:
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:04:44 26/03/2007
Listing files found while scanning....
Beginning removal...
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:09:40 26/03/2007
Listing files found while scanning....
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:18:00 26/03/2007
Listing files found while scanning....
Beginning removal...
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:18:43 26/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\xneufrpi.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\ilkkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\jkkli.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\xneufrpi.dll
C:\WINDOWS\system32\xneufrpi.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\jkkli.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:58:57 26/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\ilnpo.bak1
C:\WINDOWS\system32\ilnpo.ini
C:\WINDOWS\system32\opnli.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ilnpo.bak1
C:\WINDOWS\system32\ilnpo.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ilnpo.ini
C:\WINDOWS\system32\ilnpo.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\opnli.dll
C:\WINDOWS\system32\opnli.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\opnli.dll
C:\WINDOWS\system32\opnli.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 16:23:51 31/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\awtuvvv.dll
C:\WINDOWS\system32\byxwutq.dll
C:\WINDOWS\system32\byxxyya.dll
C:\WINDOWS\system32\byxywxx.dll
C:\WINDOWS\system32\cbxxwxv.dll
C:\WINDOWS\system32\fccabyx.dll
C:\WINDOWS\system32\fccbbax.dll
C:\WINDOWS\system32\fccccda.dll
C:\WINDOWS\system32\gebay.dll
C:\WINDOWS\system32\gebbbbx.dll
C:\WINDOWS\system32\gebbyvv.dll
C:\WINDOWS\system32\gebxw.dll
C:\WINDOWS\system32\hgghghh.dll
C:\WINDOWS\system32\iifcyaa.dll
C:\WINDOWS\system32\iifdaab.dll
C:\WINDOWS\system32\jkhgh.dll
C:\WINDOWS\system32\jkkkjgh.dll
C:\WINDOWS\system32\ljjhihg.dll
C:\WINDOWS\system32\nnnkigh.dll
C:\WINDOWS\system32\nnnlihf.dll
C:\WINDOWS\system32\nnnopnk.dll
C:\WINDOWS\system32\opnoonk.dll
C:\WINDOWS\system32\pmnkhif.dll
C:\WINDOWS\system32\pmnlife.dll
C:\WINDOWS\system32\pmnnnnm.dll
C:\WINDOWS\system32\qomnnnm.dll
C:\WINDOWS\system32\rqrqqpo.dll
C:\WINDOWS\system32\rqrrpol.dll
C:\WINDOWS\system32\ssqomjk.dll
C:\WINDOWS\system32\ssqon.dll
C:\WINDOWS\system32\ssqqppm.dll
C:\WINDOWS\system32\ssqrsss.dll
C:\WINDOWS\system32\tusrq.dll
C:\WINDOWS\system32\vtutqom.dll
C:\WINDOWS\system32\vtuursq.dll
C:\WINDOWS\system32\wvurstu.dll
C:\WINDOWS\system32\wvussqr.dll
C:\WINDOWS\system32\wvwxw.dll
C:\WINDOWS\system32\wxbeg.ini
C:\WINDOWS\system32\wxwvw.bak1
C:\WINDOWS\system32\wxwvw.bak2
C:\WINDOWS\system32\wxwvw.ini
C:\WINDOWS\system32\wxwvw.ini2
C:\WINDOWS\system32\wxwvw.tmp
C:\WINDOWS\system32\xxyabbb.dll
C:\WINDOWS\system32\xxyawvv.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\awtqnkh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\awtuvvv.dll
C:\WINDOWS\system32\awtuvvv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\byxwutq.dll
C:\WINDOWS\system32\byxwutq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\byxxyya.dll
C:\WINDOWS\system32\byxxyya.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\byxywxx.dll
C:\WINDOWS\system32\byxywxx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\cbxxwxv.dll
C:\WINDOWS\system32\cbxxwxv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccabyx.dll
C:\WINDOWS\system32\fccabyx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccbbax.dll
C:\WINDOWS\system32\fccbbax.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccccda.dll
C:\WINDOWS\system32\fccccda.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebay.dll
C:\WINDOWS\system32\gebay.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebbbbx.dll
C:\WINDOWS\system32\gebbbbx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebbyvv.dll
C:\WINDOWS\system32\gebbyvv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebxw.dll
C:\WINDOWS\system32\gebxw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\hgghghh.dll
C:\WINDOWS\system32\hgghghh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\iifcyaa.dll
C:\WINDOWS\system32\iifcyaa.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\iifdaab.dll
C:\WINDOWS\system32\iifdaab.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkhgh.dll
C:\WINDOWS\system32\jkhgh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkkkjgh.dll
C:\WINDOWS\system32\jkkkjgh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ljjhihg.dll
C:\WINDOWS\system32\ljjhihg.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnkigh.dll
C:\WINDOWS\system32\nnnkigh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnlihf.dll
C:\WINDOWS\system32\nnnlihf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnopnk.dll
C:\WINDOWS\system32\nnnopnk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\opnoonk.dll
C:\WINDOWS\system32\opnoonk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnkhif.dll
C:\WINDOWS\system32\pmnkhif.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnlife.dll
C:\WINDOWS\system32\pmnlife.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnnnnm.dll
C:\WINDOWS\system32\pmnnnnm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qomnnnm.dll
C:\WINDOWS\system32\qomnnnm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrqqpo.dll
C:\WINDOWS\system32\rqrqqpo.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrrpol.dll
C:\WINDOWS\system32\rqrrpol.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqomjk.dll
C:\WINDOWS\system32\ssqomjk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqon.dll
C:\WINDOWS\system32\ssqon.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqqppm.dll
C:\WINDOWS\system32\ssqqppm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqrsss.dll
C:\WINDOWS\system32\ssqrsss.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\tusrq.dll
C:\WINDOWS\system32\tusrq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtutqom.dll
C:\WINDOWS\system32\vtutqom.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtuursq.dll
C:\WINDOWS\system32\vtuursq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvurstu.dll
C:\WINDOWS\system32\wvurstu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvussqr.dll
C:\WINDOWS\system32\wvussqr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvwxw.dll
C:\WINDOWS\system32\wvwxw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxbeg.ini
C:\WINDOWS\system32\wxbeg.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.bak1
C:\WINDOWS\system32\wxwvw.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.bak2
C:\WINDOWS\system32\wxwvw.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.ini
C:\WINDOWS\system32\wxwvw.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.ini2
C:\WINDOWS\system32\wxwvw.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.tmp
C:\WINDOWS\system32\wxwvw.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyabbb.dll
C:\WINDOWS\system32\xxyabbb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyawvv.dll
C:\WINDOWS\system32\xxyawvv.dll Has been deleted!
Performing Repairs to the registry.
Done!
ludi4burnley
2007-03-31, 18:48
and here is hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 16:47:51, on 31/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\HJT.exe
O2 - BHO: (no name) - {15359D82-A195-472E-A16C-B1FF4B6F3245} - C:\WINDOWS\system32\khvntdku.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\xneufrpi.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\pmnkhif.dll
O2 - BHO: (no name) - {7D20B575-0206-4294-B5BD-87C36717F3D9} - C:\WINDOWS\system32\wvwxw.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {808AD739-797B-4194-B8B4-463757B64E38} - C:\WINDOWS\system32\opnli.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CD527717-979B-4CD4-967B-1F04BCE9F2FC} - C:\WINDOWS\system32\jkkli.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: pmnkhif - C:\WINDOWS\SYSTEM32\pmnkhif.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Hi
Are you sure that HijackThis log is taken after Vundofix run?
ludi4burnley
2007-03-31, 19:25
ye i'm sure, it found 47 files on vundofix and it didn't ask me to rescan on vudnofix after it restarted so shall i scan again and do another hjt logfile?
Hi
Yes, please do that :)
ludi4burnley
2007-03-31, 19:47
ok here is new vundofix file:
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:04:44 26/03/2007
Listing files found while scanning....
Beginning removal...
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:09:40 26/03/2007
Listing files found while scanning....
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:18:00 26/03/2007
Listing files found while scanning....
Beginning removal...
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:18:43 26/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\xneufrpi.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\ilkkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\jkkli.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\xneufrpi.dll
C:\WINDOWS\system32\xneufrpi.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\jkkli.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:58:57 26/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\ilnpo.bak1
C:\WINDOWS\system32\ilnpo.ini
C:\WINDOWS\system32\opnli.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ilnpo.bak1
C:\WINDOWS\system32\ilnpo.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ilnpo.ini
C:\WINDOWS\system32\ilnpo.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\opnli.dll
C:\WINDOWS\system32\opnli.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\opnli.dll
C:\WINDOWS\system32\opnli.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 16:23:51 31/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\awtuvvv.dll
C:\WINDOWS\system32\byxwutq.dll
C:\WINDOWS\system32\byxxyya.dll
C:\WINDOWS\system32\byxywxx.dll
C:\WINDOWS\system32\cbxxwxv.dll
C:\WINDOWS\system32\fccabyx.dll
C:\WINDOWS\system32\fccbbax.dll
C:\WINDOWS\system32\fccccda.dll
C:\WINDOWS\system32\gebay.dll
C:\WINDOWS\system32\gebbbbx.dll
C:\WINDOWS\system32\gebbyvv.dll
C:\WINDOWS\system32\gebxw.dll
C:\WINDOWS\system32\hgghghh.dll
C:\WINDOWS\system32\iifcyaa.dll
C:\WINDOWS\system32\iifdaab.dll
C:\WINDOWS\system32\jkhgh.dll
C:\WINDOWS\system32\jkkkjgh.dll
C:\WINDOWS\system32\ljjhihg.dll
C:\WINDOWS\system32\nnnkigh.dll
C:\WINDOWS\system32\nnnlihf.dll
C:\WINDOWS\system32\nnnopnk.dll
C:\WINDOWS\system32\opnoonk.dll
C:\WINDOWS\system32\pmnkhif.dll
C:\WINDOWS\system32\pmnlife.dll
C:\WINDOWS\system32\pmnnnnm.dll
C:\WINDOWS\system32\qomnnnm.dll
C:\WINDOWS\system32\rqrqqpo.dll
C:\WINDOWS\system32\rqrrpol.dll
C:\WINDOWS\system32\ssqomjk.dll
C:\WINDOWS\system32\ssqon.dll
C:\WINDOWS\system32\ssqqppm.dll
C:\WINDOWS\system32\ssqrsss.dll
C:\WINDOWS\system32\tusrq.dll
C:\WINDOWS\system32\vtutqom.dll
C:\WINDOWS\system32\vtuursq.dll
C:\WINDOWS\system32\wvurstu.dll
C:\WINDOWS\system32\wvussqr.dll
C:\WINDOWS\system32\wvwxw.dll
C:\WINDOWS\system32\wxbeg.ini
C:\WINDOWS\system32\wxwvw.bak1
C:\WINDOWS\system32\wxwvw.bak2
C:\WINDOWS\system32\wxwvw.ini
C:\WINDOWS\system32\wxwvw.ini2
C:\WINDOWS\system32\wxwvw.tmp
C:\WINDOWS\system32\xxyabbb.dll
C:\WINDOWS\system32\xxyawvv.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\awtqnkh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\awtuvvv.dll
C:\WINDOWS\system32\awtuvvv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\byxwutq.dll
C:\WINDOWS\system32\byxwutq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\byxxyya.dll
C:\WINDOWS\system32\byxxyya.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\byxywxx.dll
C:\WINDOWS\system32\byxywxx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\cbxxwxv.dll
C:\WINDOWS\system32\cbxxwxv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccabyx.dll
C:\WINDOWS\system32\fccabyx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccbbax.dll
C:\WINDOWS\system32\fccbbax.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccccda.dll
C:\WINDOWS\system32\fccccda.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebay.dll
C:\WINDOWS\system32\gebay.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebbbbx.dll
C:\WINDOWS\system32\gebbbbx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebbyvv.dll
C:\WINDOWS\system32\gebbyvv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebxw.dll
C:\WINDOWS\system32\gebxw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\hgghghh.dll
C:\WINDOWS\system32\hgghghh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\iifcyaa.dll
C:\WINDOWS\system32\iifcyaa.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\iifdaab.dll
C:\WINDOWS\system32\iifdaab.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkhgh.dll
C:\WINDOWS\system32\jkhgh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkkkjgh.dll
C:\WINDOWS\system32\jkkkjgh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ljjhihg.dll
C:\WINDOWS\system32\ljjhihg.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnkigh.dll
C:\WINDOWS\system32\nnnkigh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnlihf.dll
C:\WINDOWS\system32\nnnlihf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnopnk.dll
C:\WINDOWS\system32\nnnopnk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\opnoonk.dll
C:\WINDOWS\system32\opnoonk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnkhif.dll
C:\WINDOWS\system32\pmnkhif.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnlife.dll
C:\WINDOWS\system32\pmnlife.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnnnnm.dll
C:\WINDOWS\system32\pmnnnnm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qomnnnm.dll
C:\WINDOWS\system32\qomnnnm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrqqpo.dll
C:\WINDOWS\system32\rqrqqpo.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrrpol.dll
C:\WINDOWS\system32\rqrrpol.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqomjk.dll
C:\WINDOWS\system32\ssqomjk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqon.dll
C:\WINDOWS\system32\ssqon.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqqppm.dll
C:\WINDOWS\system32\ssqqppm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqrsss.dll
C:\WINDOWS\system32\ssqrsss.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\tusrq.dll
C:\WINDOWS\system32\tusrq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtutqom.dll
C:\WINDOWS\system32\vtutqom.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtuursq.dll
C:\WINDOWS\system32\vtuursq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvurstu.dll
C:\WINDOWS\system32\wvurstu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvussqr.dll
C:\WINDOWS\system32\wvussqr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvwxw.dll
C:\WINDOWS\system32\wvwxw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxbeg.ini
C:\WINDOWS\system32\wxbeg.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.bak1
C:\WINDOWS\system32\wxwvw.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.bak2
C:\WINDOWS\system32\wxwvw.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.ini
C:\WINDOWS\system32\wxwvw.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.ini2
C:\WINDOWS\system32\wxwvw.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.tmp
C:\WINDOWS\system32\wxwvw.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyabbb.dll
C:\WINDOWS\system32\xxyabbb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyawvv.dll
C:\WINDOWS\system32\xxyawvv.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 17:30:50 31/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\cdccf.ini2
C:\WINDOWS\system32\cdccf.tmp
C:\WINDOWS\system32\fccdc.dll
C:\WINDOWS\system32\pmnkhif.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\cdccf.ini2
C:\WINDOWS\system32\cdccf.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\cdccf.tmp
C:\WINDOWS\system32\cdccf.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccdc.dll
C:\WINDOWS\system32\fccdc.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnkhif.dll
C:\WINDOWS\system32\pmnkhif.dll Has been deleted!
Performing Repairs to the registry.
Done!
ludi4burnley
2007-03-31, 19:48
and here is new hjt logfile:
Logfile of HijackThis v1.99.1
Scan saved at 17:44:17, on 31/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\User\Desktop\HJT.exe
C:\WINDOWS\system32\wuauclt.exe
O2 - BHO: (no name) - {15359D82-A195-472E-A16C-B1FF4B6F3245} - C:\WINDOWS\system32\khvntdku.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\xneufrpi.dll (file missing)
O2 - BHO: (no name) - {5F5947B2-E13F-4EE7-8A27-19C0D74C3C3E} - C:\WINDOWS\system32\fccdc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\cbxxutt.dll
O2 - BHO: (no name) - {7D20B575-0206-4294-B5BD-87C36717F3D9} - C:\WINDOWS\system32\wvwxw.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {808AD739-797B-4194-B8B4-463757B64E38} - C:\WINDOWS\system32\opnli.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CD527717-979B-4CD4-967B-1F04BCE9F2FC} - C:\WINDOWS\system32\jkkli.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: cbxxutt - C:\WINDOWS\SYSTEM32\cbxxutt.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Hi
You will have to run Vundofix at least once, but this time like this:
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files
Copy&Paste the 2 entries below into the top 2 boxes
C:\WINDOWS\SYSTEM32\cbxxutt.dll
C:\WINDOWS\system32\ttuxxbc.*
Click Add Files and Click Close Window
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.[/list]
ludi4burnley
2007-03-31, 20:03
hi,i am running the vundofix scan now and the firstle you said is allready in the box, do i still have to add it?
Hi
Then you don't have to, of course :)
ludi4burnley
2007-03-31, 20:16
here is vundofix log:
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:04:44 26/03/2007
Listing files found while scanning....
Beginning removal...
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:09:40 26/03/2007
Listing files found while scanning....
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:18:00 26/03/2007
Listing files found while scanning....
Beginning removal...
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:18:43 26/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\xneufrpi.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\ilkkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\jkkli.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\xneufrpi.dll
C:\WINDOWS\system32\xneufrpi.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\jkkli.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:58:57 26/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\ilnpo.bak1
C:\WINDOWS\system32\ilnpo.ini
C:\WINDOWS\system32\opnli.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ilnpo.bak1
C:\WINDOWS\system32\ilnpo.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ilnpo.ini
C:\WINDOWS\system32\ilnpo.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\opnli.dll
C:\WINDOWS\system32\opnli.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\opnli.dll
C:\WINDOWS\system32\opnli.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 16:23:51 31/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\awtuvvv.dll
C:\WINDOWS\system32\byxwutq.dll
C:\WINDOWS\system32\byxxyya.dll
C:\WINDOWS\system32\byxywxx.dll
C:\WINDOWS\system32\cbxxwxv.dll
C:\WINDOWS\system32\fccabyx.dll
C:\WINDOWS\system32\fccbbax.dll
C:\WINDOWS\system32\fccccda.dll
C:\WINDOWS\system32\gebay.dll
C:\WINDOWS\system32\gebbbbx.dll
C:\WINDOWS\system32\gebbyvv.dll
C:\WINDOWS\system32\gebxw.dll
C:\WINDOWS\system32\hgghghh.dll
C:\WINDOWS\system32\iifcyaa.dll
C:\WINDOWS\system32\iifdaab.dll
C:\WINDOWS\system32\jkhgh.dll
C:\WINDOWS\system32\jkkkjgh.dll
C:\WINDOWS\system32\ljjhihg.dll
C:\WINDOWS\system32\nnnkigh.dll
C:\WINDOWS\system32\nnnlihf.dll
C:\WINDOWS\system32\nnnopnk.dll
C:\WINDOWS\system32\opnoonk.dll
C:\WINDOWS\system32\pmnkhif.dll
C:\WINDOWS\system32\pmnlife.dll
C:\WINDOWS\system32\pmnnnnm.dll
C:\WINDOWS\system32\qomnnnm.dll
C:\WINDOWS\system32\rqrqqpo.dll
C:\WINDOWS\system32\rqrrpol.dll
C:\WINDOWS\system32\ssqomjk.dll
C:\WINDOWS\system32\ssqon.dll
C:\WINDOWS\system32\ssqqppm.dll
C:\WINDOWS\system32\ssqrsss.dll
C:\WINDOWS\system32\tusrq.dll
C:\WINDOWS\system32\vtutqom.dll
C:\WINDOWS\system32\vtuursq.dll
C:\WINDOWS\system32\wvurstu.dll
C:\WINDOWS\system32\wvussqr.dll
C:\WINDOWS\system32\wvwxw.dll
C:\WINDOWS\system32\wxbeg.ini
C:\WINDOWS\system32\wxwvw.bak1
C:\WINDOWS\system32\wxwvw.bak2
C:\WINDOWS\system32\wxwvw.ini
C:\WINDOWS\system32\wxwvw.ini2
C:\WINDOWS\system32\wxwvw.tmp
C:\WINDOWS\system32\xxyabbb.dll
C:\WINDOWS\system32\xxyawvv.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\awtqnkh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\awtuvvv.dll
C:\WINDOWS\system32\awtuvvv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\byxwutq.dll
C:\WINDOWS\system32\byxwutq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\byxxyya.dll
C:\WINDOWS\system32\byxxyya.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\byxywxx.dll
C:\WINDOWS\system32\byxywxx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\cbxxwxv.dll
C:\WINDOWS\system32\cbxxwxv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccabyx.dll
C:\WINDOWS\system32\fccabyx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccbbax.dll
C:\WINDOWS\system32\fccbbax.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccccda.dll
C:\WINDOWS\system32\fccccda.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebay.dll
C:\WINDOWS\system32\gebay.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebbbbx.dll
C:\WINDOWS\system32\gebbbbx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebbyvv.dll
C:\WINDOWS\system32\gebbyvv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebxw.dll
C:\WINDOWS\system32\gebxw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\hgghghh.dll
C:\WINDOWS\system32\hgghghh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\iifcyaa.dll
C:\WINDOWS\system32\iifcyaa.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\iifdaab.dll
C:\WINDOWS\system32\iifdaab.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkhgh.dll
C:\WINDOWS\system32\jkhgh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkkkjgh.dll
C:\WINDOWS\system32\jkkkjgh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ljjhihg.dll
C:\WINDOWS\system32\ljjhihg.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnkigh.dll
C:\WINDOWS\system32\nnnkigh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnlihf.dll
C:\WINDOWS\system32\nnnlihf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnopnk.dll
C:\WINDOWS\system32\nnnopnk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\opnoonk.dll
C:\WINDOWS\system32\opnoonk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnkhif.dll
C:\WINDOWS\system32\pmnkhif.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnlife.dll
C:\WINDOWS\system32\pmnlife.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnnnnm.dll
C:\WINDOWS\system32\pmnnnnm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qomnnnm.dll
C:\WINDOWS\system32\qomnnnm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrqqpo.dll
C:\WINDOWS\system32\rqrqqpo.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrrpol.dll
C:\WINDOWS\system32\rqrrpol.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqomjk.dll
C:\WINDOWS\system32\ssqomjk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqon.dll
C:\WINDOWS\system32\ssqon.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqqppm.dll
C:\WINDOWS\system32\ssqqppm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqrsss.dll
C:\WINDOWS\system32\ssqrsss.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\tusrq.dll
C:\WINDOWS\system32\tusrq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtutqom.dll
C:\WINDOWS\system32\vtutqom.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtuursq.dll
C:\WINDOWS\system32\vtuursq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvurstu.dll
C:\WINDOWS\system32\wvurstu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvussqr.dll
C:\WINDOWS\system32\wvussqr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvwxw.dll
C:\WINDOWS\system32\wvwxw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxbeg.ini
C:\WINDOWS\system32\wxbeg.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.bak1
C:\WINDOWS\system32\wxwvw.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.bak2
C:\WINDOWS\system32\wxwvw.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.ini
C:\WINDOWS\system32\wxwvw.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.ini2
C:\WINDOWS\system32\wxwvw.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.tmp
C:\WINDOWS\system32\wxwvw.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyabbb.dll
C:\WINDOWS\system32\xxyabbb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyawvv.dll
C:\WINDOWS\system32\xxyawvv.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 17:30:50 31/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\cdccf.ini2
C:\WINDOWS\system32\cdccf.tmp
C:\WINDOWS\system32\fccdc.dll
C:\WINDOWS\system32\pmnkhif.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\cdccf.ini2
C:\WINDOWS\system32\cdccf.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\cdccf.tmp
C:\WINDOWS\system32\cdccf.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccdc.dll
C:\WINDOWS\system32\fccdc.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnkhif.dll
C:\WINDOWS\system32\pmnkhif.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 17:52:47 31/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\cbxxutt.dll
C:\WINDOWS\system32\loppo.bak1
C:\WINDOWS\system32\loppo.ini
C:\WINDOWS\system32\oppol.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\cbxxutt.dll
C:\WINDOWS\system32\cbxxutt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\loppo.bak1
C:\WINDOWS\system32\loppo.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\loppo.ini
C:\WINDOWS\system32\loppo.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\oppol.dll
C:\WINDOWS\system32\oppol.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Performing Repairs to the registry.
Done!
ludi4burnley
2007-03-31, 20:16
and here is hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 18:14:47, on 31/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\User\Desktop\HJT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
O2 - BHO: (no name) - {15359D82-A195-472E-A16C-B1FF4B6F3245} - C:\WINDOWS\system32\khvntdku.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\xneufrpi.dll (file missing)
O2 - BHO: (no name) - {5F5947B2-E13F-4EE7-8A27-19C0D74C3C3E} - C:\WINDOWS\system32\fccdc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\iifgggd.dll
O2 - BHO: (no name) - {7D20B575-0206-4294-B5BD-87C36717F3D9} - C:\WINDOWS\system32\wvwxw.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {808AD739-797B-4194-B8B4-463757B64E38} - C:\WINDOWS\system32\opnli.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CD527717-979B-4CD4-967B-1F04BCE9F2FC} - C:\WINDOWS\system32\jkkli.dll (file missing)
O2 - BHO: (no name) - {EB8FD136-B5FB-4C69-8995-02C5AB196AF3} - C:\WINDOWS\system32\oppol.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: iifgggd - C:\WINDOWS\SYSTEM32\iifgggd.dll
O20 - Winlogon Notify: qomnmkl - C:\WINDOWS\SYSTEM32\qomnmkl.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
ludi4burnley
2007-03-31, 20:18
i did another vundofix after that logfile and removed the other file the ttubbxc file or something so i removed them both but somehow it hasnt mentioned it
Hi
It looks like you have a mutating vundo :(
Open HijackThis, click do a system scan only and checkmark these:
O2 - BHO: (no name) - {15359D82-A195-472E-A16C-B1FF4B6F3245} - C:\WINDOWS\system32\khvntdku.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\xneufrpi.dll (file missing)
O2 - BHO: (no name) - {5F5947B2-E13F-4EE7-8A27-19C0D74C3C3E} - C:\WINDOWS\system32\fccdc.dll (file missing)
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\iifgggd.dll
O2 - BHO: (no name) - {7D20B575-0206-4294-B5BD-87C36717F3D9} - C:\WINDOWS\system32\wvwxw.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {808AD739-797B-4194-B8B4-463757B64E38} - C:\WINDOWS\system32\opnli.dll (file missing)
O2 - BHO: (no name) - {CD527717-979B-4CD4-967B-1F04BCE9F2FC} - C:\WINDOWS\system32\jkkli.dll (file missing)
O2 - BHO: (no name) - {EB8FD136-B5FB-4C69-8995-02C5AB196AF3} - C:\WINDOWS\system32\oppol.dll (file missing)
Close all windows including browser and press fix checked.
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
and save it to your desktop.
2. Go to start -> run.
type this in box and click ok
"%userprofile%\desktop\combofix.exe" /v iifgggd qomnmkl
3. When finished, it shall produce a log for you. Post that log in your next reply
4. Reboot
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post:
- a fresh HijackThis log
- combofix report
ludi4burnley
2007-03-31, 20:57
i think this is the logfile here:
"User" - 07-03-31 18:40:35 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\User\desktop"
Command switches used :: /v iifgggd qomnmkl
(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\iifgggd.dll
C:\WINDOWS\system32\qomnmkl.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((( Files Created from 2007-02-28 to 2007-03-31 ))))))))))))))))))))))))))))))))))
2007-03-31 18:38 48,708 --a------ C:\WINDOWS\system32\anoogjgn.dll
2007-03-31 18:30 758,963 ---hs---- C:\WINDOWS\system32\stwvw.bak2
2007-03-31 18:30 26,694 --a------ C:\WINDOWS\system32\yayaxwu.dll
2007-03-31 18:20 280,676 ---hs---- C:\WINDOWS\system32\wvwts.dll
2007-03-31 18:20 280,676 ---hs---- C:\WINDOWS\system32\jkkhe.dll
2007-03-31 10:58 71,691 --a------ C:\DOCUME~1\User\x.exe
2007-03-30 18:16 2,874 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-30 18:15 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-30 18:15 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-03-30 18:15 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-30 18:15 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-30 18:15 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-30 18:15 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-30 16:54 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-30 16:51 <DIR> d-------- C:\WINDOWS\pss
2007-03-28 20:10 71,620 --a--c--- C:\jjj.exe
2007-03-28 20:10 30,781 -----c--- C:\is67295.exe
2007-03-28 20:09 132,116 --a------ C:\WINDOWS\system32\kxbqjamh.dll
2007-03-26 22:44 247,853 --a------ C:\WINDOWS\system32\yabcb.dll
2007-03-26 21:08 132,116 --a------ C:\WINDOWS\system32\xufiwwxw.dll
2007-03-26 20:48 71,691 --a------ C:\DOCUME~1\User\jjj.exe
2007-03-26 20:25 132,116 --a------ C:\WINDOWS\system32\tqjdjhsj.dll
2007-03-26 20:04 <DIR> d-------- C:\VundoFix Backups
2007-03-22 17:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-03-03 16:39 <DIR> d-------- C:\WINDOWS\system32\Dell
2007-03-03 16:39 <DIR> d-------- C:\Program Files\Dell
2007-03-03 16:32 <DIR> d-------- C:\Program Files\Motherboard Monitor 5
2007-03-03 14:15 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Screenshot Sender
2007-03-03 14:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Gridhopetwocoal
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-03-31 18:50 26694 --a------ C:\WINDOWS\system32\urqroli.dll
2007-03-26 20:47 -------- d-------- C:\Program Files\google
2007-03-26 18:51 -------- d-------- C:\Program Files\windows live toolbar
2007-03-26 18:49 -------- d-------- C:\Program Files\yahoo!
2007-03-26 18:48 -------- d-------- C:\Program Files\msn messenger
2007-03-22 19:21 -------- d-------- C:\Program Files\norton internet security
2007-03-03 16:33 -------- d-------- C:\Program Files\java
2007-02-06 17:40 -------- d-------- C:\Program Files\windows media connect 2
2007-01-24 18:47 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"Dell Photo AIO Printer 922"="\"C:\\Program Files\\Dell Photo AIO Printer 922\\dlbtbmgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7D064D71-DD76-4596-90C0-921766AD560A}"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqroli
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvwts
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - User.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-03-31 18:54:21
Hi
Yes, that's the log.
Please post also a fresh HijackThis log :)
ludi4burnley
2007-03-31, 21:05
here is hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 19:04:25, on 31/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\HJT.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\urqroli.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {DB36AAB7-92B1-48DF-9C5D-59FB4A0BB84D} - C:\WINDOWS\system32\wvwts.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: urqroli - C:\WINDOWS\SYSTEM32\urqroli.dll
O20 - Winlogon Notify: wvwts - C:\WINDOWS\system32\wvwts.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Hi
No success there. I think we need other tool, but let's try this first:
1. Go to start -> run.
type this in box and click ok
"%userprofile%\desktop\combofix.exe" /v urqroli wvwts
2. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.zip).
Unzip it to the desktop.
Please run Killbox.
Select "Delete on Reboot" and "All files"
Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\anoogjgn.dll
C:\WINDOWS\system32\stwvw.bak2
C:\WINDOWS\system32\yayaxwu.dll
C:\WINDOWS\system32\jkkhe.dll
C:\DOCUME~1\User\x.exe
C:\jjj.exe
C:\is67295.exe
C:\WINDOWS\system32\kxbqjamh.dll
C:\WINDOWS\system32\yabcb.dll
C:\WINDOWS\system32\xufiwwxw.dll
C:\DOCUME~1\User\jjj.exe
C:\WINDOWS\system32\tqjdjhsj.dll
Go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again..
If your computer does not restart automatically, please restart it manually.
Post:
- a fresh HijackThis log
- combofix report
ludi4burnley
2007-03-31, 21:22
here is logfile:
"User" - 07-03-31 19:11:12 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\User\desktop"
Command switches used :: /v urqroli wvwts
(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\urqroli.dll
C:\WINDOWS\system32\wvwts.dll
C:\WINDOWS\system32\stwvw.bak2
C:\WINDOWS\system32\stwvw.ini
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((( Files Created from 2007-02-28 to 2007-03-31 ))))))))))))))))))))))))))))))))))
2007-03-31 19:00 26,694 --a------ C:\WINDOWS\system32\iifffff.dll
2007-03-31 18:38 48,708 --a------ C:\WINDOWS\system32\anoogjgn.dll
2007-03-31 18:30 26,694 --a------ C:\WINDOWS\system32\yayaxwu.dll
2007-03-31 18:20 280,676 ---hs---- C:\WINDOWS\system32\jkkhe.dll
2007-03-31 10:58 71,691 --a------ C:\DOCUME~1\User\x.exe
2007-03-30 18:16 2,874 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-30 18:15 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-30 18:15 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-03-30 18:15 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-30 18:15 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-30 18:15 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-30 18:15 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-30 16:54 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-30 16:51 <DIR> d-------- C:\WINDOWS\pss
2007-03-28 20:10 71,620 --a--c--- C:\jjj.exe
2007-03-28 20:10 30,781 -----c--- C:\is67295.exe
2007-03-28 20:09 132,116 --a------ C:\WINDOWS\system32\kxbqjamh.dll
2007-03-26 22:44 247,853 --a------ C:\WINDOWS\system32\yabcb.dll
2007-03-26 21:08 132,116 --a------ C:\WINDOWS\system32\xufiwwxw.dll
2007-03-26 20:48 71,691 --a------ C:\DOCUME~1\User\jjj.exe
2007-03-26 20:25 132,116 --a------ C:\WINDOWS\system32\tqjdjhsj.dll
2007-03-26 20:04 <DIR> d-------- C:\VundoFix Backups
2007-03-22 17:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-03-03 16:39 <DIR> d-------- C:\WINDOWS\system32\Dell
2007-03-03 16:39 <DIR> d-------- C:\Program Files\Dell
2007-03-03 16:32 <DIR> d-------- C:\Program Files\Motherboard Monitor 5
2007-03-03 14:15 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Screenshot Sender
2007-03-03 14:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Gridhopetwocoal
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-03-26 20:47 -------- d-------- C:\Program Files\google
2007-03-26 18:51 -------- d-------- C:\Program Files\windows live toolbar
2007-03-26 18:49 -------- d-------- C:\Program Files\yahoo!
2007-03-26 18:48 -------- d-------- C:\Program Files\msn messenger
2007-03-22 19:21 -------- d-------- C:\Program Files\norton internet security
2007-03-03 16:33 -------- d-------- C:\Program Files\java
2007-02-06 17:40 -------- d-------- C:\Program Files\windows media connect 2
2007-01-24 18:47 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"Dell Photo AIO Printer 922"="\"C:\\Program Files\\Dell Photo AIO Printer 922\\dlbtbmgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7D064D71-DD76-4596-90C0-921766AD560A}"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgede
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - User.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-03-31 19:18:40
C:\ComboFix2.txt ... 07-03-31 18:54
ludi4burnley
2007-03-31, 21:33
here is hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 19:30:02, on 31/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\HJT.exe
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\mljgede.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: mljgede - C:\WINDOWS\SYSTEM32\mljgede.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
ludi4burnley
2007-03-31, 21:44
here is combofile:
"User" - 07-03-31 19:34:32 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\User\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2007-02-28 to 2007-03-31 ))))))))))))))))))))))))))))))))))
2007-03-31 19:37 759,210 ---hs---- C:\WINDOWS\system32\uutwa.bak1
2007-03-31 19:37 48,708 --a------ C:\WINDOWS\system32\uljjrdud.dll
2007-03-31 19:35 280,676 ---hs---- C:\WINDOWS\system32\awtuu.dll
2007-03-31 19:35 280,676 --------- C:\WINDOWS\system32\urstr.dll
2007-03-31 19:27 71,691 --a------ C:\DOCUME~1\User\x.exe
2007-03-31 19:27 26,694 --a------ C:\WINDOWS\system32\ddcbyyy.dll
2007-03-31 19:23 <DIR> d----c--- C:\!KillBox
2007-03-31 19:17 26,694 --a------ C:\WINDOWS\system32\mljgede.dll
2007-03-31 19:00 26,694 --a------ C:\WINDOWS\system32\iifffff.dll
2007-03-30 18:16 2,874 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-30 18:15 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-30 18:15 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-03-30 18:15 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-30 18:15 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-30 18:15 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-30 18:15 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-30 16:54 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-30 16:51 <DIR> d-------- C:\WINDOWS\pss
2007-03-26 20:04 <DIR> d-------- C:\VundoFix Backups
2007-03-22 17:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-03-03 16:39 <DIR> d-------- C:\WINDOWS\system32\Dell
2007-03-03 16:39 <DIR> d-------- C:\Program Files\Dell
2007-03-03 16:32 <DIR> d-------- C:\Program Files\Motherboard Monitor 5
2007-03-03 14:15 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Screenshot Sender
2007-03-03 14:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Gridhopetwocoal
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-03-26 20:47 -------- d-------- C:\Program Files\google
2007-03-26 18:51 -------- d-------- C:\Program Files\windows live toolbar
2007-03-26 18:49 -------- d-------- C:\Program Files\yahoo!
2007-03-26 18:48 -------- d-------- C:\Program Files\msn messenger
2007-03-22 19:21 -------- d-------- C:\Program Files\norton internet security
2007-03-03 16:33 -------- d-------- C:\Program Files\java
2007-02-06 17:40 -------- d-------- C:\Program Files\windows media connect 2
2007-01-24 18:47 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"Dell Photo AIO Printer 922"="\"C:\\Program Files\\Dell Photo AIO Printer 922\\dlbtbmgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7D064D71-DD76-4596-90C0-921766AD560A}"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtuu
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgede
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - User.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-03-31 19:43:17
C:\ComboFix2.txt ... 07-03-31 19:18
C:\ComboFix3.txt ... 07-03-31 18:54
Hi
Yes, like I guessed we need something different.
Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
Please download Process Explorer by Systernals from here (http://download.sysinternals.com/Files/ProcessExplorer.zip)
First we'll need to backup registry:
Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.
Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]
[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D064D71-DD76-4596-90C0-921766AD560A}]
[-HKEY_CLASSES_ROOT\CLSID\{7D064D71-DD76-4596-90C0-921766AD560A6}]
It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Next, please reboot your computer in SafeMode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Open HijackThis in safe mode
Go to 020 lines.
You should see something like this there (random = random letters):
O20 - Winlogon Notify: random - C:\WINDOWS\SYSTEM32\random.dll
Write down that file name (dll)
Note: It's not this -> O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll !
Unzip Process Explorer and double click on procexp.exe
In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.
Once you see this screen click on each instance of random.dll once and then click the kill button.
After you have killed all of the random.dll under winlogon click OK.
Also look for any .ini or bak files or reverse named dll's with either the same name or the file name in reverse & kill them as well. See above for examples
Click on the Threads tab at the top.
Once you have done that click OK again.
Also look for any .ini or bak files or other dll's with either the same name or the file name in reverse & kill them as well
Examples:
random.bak
random.ini
random.reg
or
modnar.bak
modnar.ini etc.
Next double click on explorer.exe and again click once on each instance of random.dll then click the kill button.
Also look for any .ini or bak files or reverse named dll's with either the same name or the file name in reverse & kill them as well. See above for examples
Click on the Threads tab at the top.
Once you have done that click OK again.
Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.
Double-click Killbox.exe to run it.
Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:
< put random.dlll here, take off < > >
Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
Post a fresh HijackThis log.
ludi4burnley
2007-04-01, 12:08
there are 3 dll files and for the last bit do i write them in like this?:
<C:\WINDOWS\system32awtuu.dll, C:\WINDOWS\system32\igfxdev.dll>
are they separated with a comma and do i put the < and > round the whole thing? please post an example if i have done this wrong. thanks
ludi4burnley
2007-04-01, 12:10
and also do i click all files or leave it as single file
ludi4burnley
2007-04-01, 12:22
here is the hjt log and it still has the 020 random dlls so have i typed in the files wrong on killbox. here is log anyway:
Logfile of HijackThis v1.99.1
Scan saved at 10:20:26, on 01/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\HJT.exe
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {65328EB4-61D2-4009-9E6E-1E056D1358D8} - C:\WINDOWS\system32\awtuu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\mljgede.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awtuu - C:\WINDOWS\system32\awtuu.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: mljgede - C:\WINDOWS\SYSTEM32\mljgede.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Hi
Then we do this:
Do as I instructed before but don't do that KillBox thing at all.
Also, do this before going to safe mode:
Make you hidden and system files visible -> http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Delete those files manually.
EDIT: This is legal, DON'T delete it!!! -> C:\WINDOWS\SYSTEM32\igfxdev.dll
Post a fresh HijackThis log.
ludi4burnley
2007-04-01, 12:38
it won't let me delete the files it says they are being used by another program but i keep checking back on process explorer and they aren't there
Hi
Are you sure that you are on safe mode?
You will have to look from a fresh HijackThis log new filenames (they have been mutated again).
ludi4burnley
2007-04-01, 12:43
yep sure im in safe mode and i have all folder permissions etc. what about in hjt where it says fix checked, could i check them and do that?
So you are in safe mode with networking, right?
You can fix those lines if you first succeed in file deletion.
ludi4burnley
2007-04-01, 12:45
i've looked back in hjt and they are still there and there are no new names
Hi
Then try OTmoveit:
Please download the OTMoveIt by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe).
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Go to Browse for file and select bad files.
Click the red Moveit! button.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
ludi4burnley
2007-04-01, 12:51
yep im sure, it wont let me delete any of the 2
ludi4burnley
2007-04-01, 12:55
ok i'm doing that OTmoveit thing now
ludi4burnley
2007-04-01, 13:08
ok ive done that and on hjt it says file missing on all of them, it also mutated into a rqrsqoo which i have done the otmoveit thing on and it says file missing on that, and there are no new files in hjt
Hi
Then post a fresh HijackThis log, please :)
ludi4burnley
2007-04-01, 13:14
here is the hjt logfile:
Logfile of HijackThis v1.99.1
Scan saved at 11:13:23, on 01/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\User\Desktop\HJT.exe
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {2915D27E-DEBC-45B7-878B-85C95B867F36} - C:\WINDOWS\system32\awtuu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\rqrsqoo.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awtuu - C:\WINDOWS\system32\awtuu.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: mljgede - mljgede.dll (file missing)
O20 - Winlogon Notify: rqrsqoo - rqrsqoo.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Hi
Yes, it looks very good :)
Open HijackThis, click do a system scan only and checkmark these:
O2 - BHO: (no name) - {2915D27E-DEBC-45B7-878B-85C95B867F36} - C:\WINDOWS\system32\awtuu.dll (file missing)
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\rqrsqoo.dll (file missing)
O20 - Winlogon Notify: awtuu - C:\WINDOWS\system32\awtuu.dll (file missing)
O20 - Winlogon Notify: mljgede - mljgede.dll (file missing)
O20 - Winlogon Notify: rqrsqoo - rqrsqoo.dll (file missing)
Close all windows including browser and press fix checked.
1. Double click combofix.exe & follow the prompts.
2. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Reboot
Post:
- a fresh HijackThis log
- combofix report
ludi4burnley
2007-04-01, 13:21
here is first combo fix report, other reports coming in a minute:
"User" - 07-04-01 11:18:18 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\User\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2007-03-01 to 2007-04-01 ))))))))))))))))))))))))))))))))))
2007-04-01 10:19 26,694 --a------ C:\WINDOWS\system32\tuvwtut.dll
2007-04-01 09:48 26,694 --a------ C:\WINDOWS\system32\ssqpnno.dll
2007-04-01 09:25 26,694 --a------ C:\WINDOWS\system32\nnnkkhi.dll
2007-03-31 19:37 759,210 ---hs---- C:\WINDOWS\system32\uutwa.bak1
2007-03-31 19:37 48,708 --a------ C:\WINDOWS\system32\uljjrdud.dll
2007-03-31 19:27 71,691 --a------ C:\DOCUME~1\User\x.exe
2007-03-31 19:27 26,694 --a------ C:\WINDOWS\system32\ddcbyyy.dll
2007-03-31 19:23 <DIR> d----c--- C:\!KillBox
2007-03-31 19:00 26,694 --a------ C:\WINDOWS\system32\iifffff.dll
2007-03-30 18:16 2,874 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-30 18:15 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-30 18:15 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-03-30 18:15 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-30 18:15 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-30 18:15 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-30 18:15 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-30 16:54 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-30 16:51 <DIR> d-------- C:\WINDOWS\pss
2007-03-26 20:04 <DIR> d-------- C:\VundoFix Backups
2007-03-22 17:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-03-03 16:39 <DIR> d-------- C:\WINDOWS\system32\Dell
2007-03-03 16:39 <DIR> d-------- C:\Program Files\Dell
2007-03-03 16:32 <DIR> d-------- C:\Program Files\Motherboard Monitor 5
2007-03-03 14:15 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Screenshot Sender
2007-03-03 14:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Gridhopetwocoal
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-03-26 18:51 -------- d-------- C:\Program Files\windows live toolbar
2007-03-26 18:49 -------- d-------- C:\Program Files\yahoo!
2007-03-26 18:48 -------- d-------- C:\Program Files\msn messenger
2007-03-22 19:21 -------- d-------- C:\Program Files\norton internet security
2007-03-03 16:33 -------- d-------- C:\Program Files\java
2007-02-06 17:40 -------- d-------- C:\Program Files\windows media connect 2
2007-01-24 18:47 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"Dell Photo AIO Printer 922"="\"C:\\Program Files\\Dell Photo AIO Printer 922\\dlbtbmgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7D064D71-DD76-4596-90C0-921766AD560A}"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - User.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-01 11:20:00
C:\ComboFix2.txt ... 07-03-31 19:43
C:\ComboFix3.txt ... 07-03-31 19:18
ludi4burnley
2007-04-01, 13:24
here is hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 11:23:36, on 01/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\User\Desktop\HJT.exe
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: ssqqolj - C:\WINDOWS\SYSTEM32\ssqqolj.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Hi
Looks like a partial success.
First, use otmoveit to this -> C:\WINDOWS\SYSTEM32\ssqqolj.dll
Delete these:
C:\WINDOWS\pss
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Gridhopetwocoal
Empty Recycle Bin
Then:
Please run Killbox.
Select "Delete on Reboot" and "All files"
Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\tuvwtut.dll
C:\WINDOWS\system32\ssqpnno.dll
C:\WINDOWS\system32\uutwa.bak1
C:\WINDOWS\system32\uljjrdud.dll
C:\DOCUME~1\User\x.exe
C:\WINDOWS\system32\ddcbyyy.dll
C:\WINDOWS\system32\iifffff.dll
Go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again..
If your computer does not restart automatically, please restart it manually.
Empty this folder:
C:\!KillBox
Re-run combofix
Post:
- a fresh HijackThis log
- combofix report
ludi4burnley
2007-04-01, 13:50
hhere is new hjt report and i can see the virus has mutated again and there are 2 more files:
Logfile of HijackThis v1.99.1
Scan saved at 11:47, on 07-04-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\ComboFix.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\User\Desktop\HJT.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\findstr.exe
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\boktxfoo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\ssqqolj.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AEC0A5EB-5BBF-40D2-A76A-4FBE6E449C4E} - C:\WINDOWS\system32\cbaaa.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: cbaaa - C:\WINDOWS\system32\cbaaa.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: ssqqolj - C:\WINDOWS\SYSTEM32\ssqqolj.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
ludi4burnley
2007-04-01, 13:56
here is combofix report:
"User" - 07-04-01 11:42:54 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\User\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2007-03-01 to 2007-04-01 ))))))))))))))))))))))))))))))))))
2007-04-01 11:41 26,694 --a------ C:\WINDOWS\system32\cbxyyvt.dll
2007-04-01 11:34 26,694 --a------ C:\WINDOWS\system32\mljkkih.dll
2007-04-01 11:29 76,412 --a------ C:\WINDOWS\system32\uaaqdvqm.dll
2007-04-01 11:29 758,963 ---hs---- C:\WINDOWS\system32\aaabc.bak1
2007-04-01 11:29 48,708 --a------ C:\WINDOWS\system32\boktxfoo.dll
2007-04-01 11:28 280,676 ---hs---- C:\WINDOWS\system32\cbaaa.dll
2007-04-01 11:23 26,694 --a------ C:\WINDOWS\system32\ssqqolj.dll
2007-04-01 09:48 26,694 --a------ C:\WINDOWS\system32\ssqpnno.dll
2007-04-01 09:25 26,694 --a------ C:\WINDOWS\system32\nnnkkhi.dll
2007-03-31 19:37 759,210 ---hs---- C:\WINDOWS\system32\uutwa.bak1
2007-03-31 19:37 48,708 --a------ C:\WINDOWS\system32\uljjrdud.dll
2007-03-31 19:27 71,691 --a------ C:\DOCUME~1\User\x.exe
2007-03-31 19:27 26,694 --a------ C:\WINDOWS\system32\ddcbyyy.dll
2007-03-31 19:23 <DIR> d----c--- C:\!KillBox
2007-03-31 19:00 26,694 --a------ C:\WINDOWS\system32\iifffff.dll
2007-03-30 18:16 2,874 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-30 18:15 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-30 18:15 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-03-30 18:15 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-30 18:15 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-30 18:15 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-30 18:15 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-30 16:54 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-26 20:04 <DIR> d-------- C:\VundoFix Backups
2007-03-22 17:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-03-03 16:39 <DIR> d-------- C:\WINDOWS\system32\Dell
2007-03-03 16:39 <DIR> d-------- C:\Program Files\Dell
2007-03-03 16:32 <DIR> d-------- C:\Program Files\Motherboard Monitor 5
2007-03-03 14:15 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Screenshot Sender
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-03-26 18:51 -------- d-------- C:\Program Files\windows live toolbar
2007-03-26 18:49 -------- d-------- C:\Program Files\yahoo!
2007-03-26 18:48 -------- d-------- C:\Program Files\msn messenger
2007-03-22 19:21 -------- d-------- C:\Program Files\norton internet security
2007-03-03 16:33 -------- d-------- C:\Program Files\java
2007-02-06 17:40 -------- d-------- C:\Program Files\windows media connect 2
2007-01-24 18:47 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"Dell Photo AIO Printer 922"="\"C:\\Program Files\\Dell Photo AIO Printer 922\\dlbtbmgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7D064D71-DD76-4596-90C0-921766AD560A}"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbaaa
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqqolj
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - User.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-01 11:54:41
C:\ComboFix2.txt ... 07-04-01 11:20
C:\ComboFix3.txt ... 07-03-31 19:43
Hi
1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Files to delete:
C:\WINDOWS\system32\cbxyyvt.dll
C:\WINDOWS\system32\mljkkih.dll
C:\WINDOWS\system32\uaaqdvqm.dll
C:\WINDOWS\system32\aaabc.bak1
C:\WINDOWS\system32\boktxfoo.dll
C:\WINDOWS\system32\cbaaa.dll
C:\WINDOWS\system32\ssqqolj.dll
C:\WINDOWS\system32\ssqpnno.dll
C:\WINDOWS\system32\nnnkkhi.dll
C:\WINDOWS\system32\uutwa.bak1
C:\WINDOWS\system32\uljjrdud.dll
C:\DOCUME~1\User\x.exe
C:\WINDOWS\system32\ddcbyyy.dll
C:\WINDOWS\system32\iifffff.dll
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
ludi4burnley
2007-04-01, 14:21
here is avenger log:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xvqchoxm
*******************
Script file located at: \??\C:\ugfyuoxa.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\cbxyyvt.dll deleted successfully.
File C:\WINDOWS\system32\mljkkih.dll deleted successfully.
File C:\WINDOWS\system32\uaaqdvqm.dll deleted successfully.
File C:\WINDOWS\system32\aaabc.bak1 deleted successfully.
File C:\WINDOWS\system32\boktxfoo.dll deleted successfully.
File C:\WINDOWS\system32\cbaaa.dll deleted successfully.
File C:\WINDOWS\system32\ssqqolj.dll deleted successfully.
File C:\WINDOWS\system32\ssqpnno.dll deleted successfully.
File C:\WINDOWS\system32\nnnkkhi.dll deleted successfully.
File C:\WINDOWS\system32\uutwa.bak1 deleted successfully.
File C:\WINDOWS\system32\uljjrdud.dll deleted successfully.
File C:\DOCUME~1\User\x.exe deleted successfully.
File C:\WINDOWS\system32\ddcbyyy.dll deleted successfully.
File C:\WINDOWS\system32\iifffff.dll deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
ludi4burnley
2007-04-01, 14:22
here is hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 12:22:42, on 01/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\HJT.exe
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\boktxfoo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\awttsqo.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AEC0A5EB-5BBF-40D2-A76A-4FBE6E449C4E} - C:\WINDOWS\system32\cbaaa.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awttsqo - C:\WINDOWS\SYSTEM32\awttsqo.dll
O20 - Winlogon Notify: cbaaa - C:\WINDOWS\system32\cbaaa.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: ssqqolj - ssqqolj.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Hi
Seems like it mutated again.
Use process explorer and otmoveit to this -> C:\WINDOWS\system32\awttsqo.dll
After, that re-run combofix
Reboot
Post:
- a fresh HijackThis log
- combofix report
ludi4burnley
2007-04-01, 14:42
here is combofix log:
"User" - 07-04-01 12:31:33 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\User\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2007-03-01 to 2007-04-01 ))))))))))))))))))))))))))))))))))
2007-04-01 12:19 71,691 --a------ C:\DOCUME~1\User\x.exe
2007-04-01 12:19 <DIR> d----c--- C:\avenger
2007-03-31 19:23 <DIR> d----c--- C:\!KillBox
2007-03-30 18:16 2,874 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-30 18:15 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-30 18:15 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-03-30 18:15 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-30 18:15 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-30 18:15 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-30 18:15 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-30 16:54 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-26 20:04 <DIR> d-------- C:\VundoFix Backups
2007-03-22 17:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-03-03 16:39 <DIR> d-------- C:\WINDOWS\system32\Dell
2007-03-03 16:39 <DIR> d-------- C:\Program Files\Dell
2007-03-03 16:32 <DIR> d-------- C:\Program Files\Motherboard Monitor 5
2007-03-03 14:15 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Screenshot Sender
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-03-26 18:51 -------- d-------- C:\Program Files\windows live toolbar
2007-03-26 18:49 -------- d-------- C:\Program Files\yahoo!
2007-03-26 18:48 -------- d-------- C:\Program Files\msn messenger
2007-03-22 19:21 -------- d-------- C:\Program Files\norton internet security
2007-03-03 16:33 -------- d-------- C:\Program Files\java
2007-02-06 17:40 -------- d-------- C:\Program Files\windows media connect 2
2007-01-24 18:47 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"Dell Photo AIO Printer 922"="\"C:\\Program Files\\Dell Photo AIO Printer 922\\dlbtbmgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7D064D71-DD76-4596-90C0-921766AD560A}"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awttsqo
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbaaa
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqqolj
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - User.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-01 12:33:18
C:\ComboFix2.txt ... 07-04-01 11:54
C:\ComboFix3.txt ... 07-04-01 11:20
ludi4burnley
2007-04-01, 14:44
Logfile of HijackThis v1.99.1
Scan saved at 12:43:03, on 01/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User\Desktop\HJT.exe
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\awttsqo.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AEC0A5EB-5BBF-40D2-A76A-4FBE6E449C4E} - C:\WINDOWS\system32\cbaaa.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awttsqo - awttsqo.dll (file missing)
O20 - Winlogon Notify: cbaaa - C:\WINDOWS\system32\cbaaa.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: ssqqolj - ssqqolj.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
ludi4burnley
2007-04-01, 14:49
do i do the checking boxes and fix thing like before?
Hi
Upload this file -> C:\DOCUME~1\User\x.exe to VirusTotal (http://www.virustotal.com/en/indexf.html)
Open HijackThis, click do a system scan only and checkmark these:
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\awttsqo.dll (file missing)
O2 - BHO: (no name) - {AEC0A5EB-5BBF-40D2-A76A-4FBE6E449C4E} - C:\WINDOWS\system32\cbaaa.dll (file missing)
O20 - Winlogon Notify: awttsqo - awttsqo.dll (file missing)
O20 - Winlogon Notify: cbaaa - C:\WINDOWS\system32\cbaaa.dll (file missing)
O20 - Winlogon Notify: ssqqolj - ssqqolj.dll (file missing)
Close all windows including browser and press fix checked.
Reboot
Post a fresh HijackThis log and VirusTotal results
ludi4burnley
2007-04-01, 14:55
here is hjt log im doing the virus scan thing now and its already come up with stuff like worm found etc. here is hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 12:54:13, on 01/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\User\Desktop\HJT.exe
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
looks clean :bigthumb:
Hi
Did you reboot before posting that log? I ask because that log is taken in safe mode as previous log.
ludi4burnley
2007-04-01, 15:09
i rebooted and then pressed f8 and put into safe mode again
ludi4burnley
2007-04-01, 15:10
here is the virus scan thingy log:
Antivirus Version Update Result
AhnLab-V3 2007.3.31.0 04.01.2007 no virus found
AntiVir 7.3.1.47 03.31.2007 no virus found
Authentium 4.93.8 03.31.2007 no virus found
Avast 4.7.936.0 03.31.2007 Win32:Goldun-X
AVG 7.5.0.447 03.31.2007 no virus found
BitDefender 7.2 04.01.2007 Worm.IM.Agent.A
CAT-QuickHeal 9.00 03.31.2007 (Suspicious) - DNAScan
ClamAV devel-20070312 04.01.2007 no virus found
DrWeb 4.33 04.01.2007 no virus found
eSafe 7.0.15.0 03.31.2007 suspicious Trojan/Worm
eTrust-Vet 30.6.3527 03.31.2007 no virus found
Ewido 4.0 03.31.2007 no virus found
FileAdvisor 1 04.01.2007 no virus found
Fortinet 2.85.0.0 04.01.2007 W32/Agent.A!worm.im
F-Prot 4.3.1.45 03.30.2007 no virus found
F-Secure 6.70.13030.0 04.01.2007 IM-Worm.Win32.Agent.a
Ikarus T3.1.1.3 04.01.2007 IM-Worm.Win32.Agent.a
Kaspersky 4.0.2.24 04.01.2007 IM-Worm.Win32.Agent.a
McAfee 4997 03.31.2007 no virus found
Microsoft 1.2306 04.01.2007 no virus found
NOD32v2 2160 03.31.2007 no virus found
Norman 5.80.02 03.31.2007 no virus found
Panda 9.0.0.4 04.01.2007 Suspicious file
Prevx1 V2 04.01.2007 no virus found
Sophos 4.16.0 03.30.2007 no virus found
Sunbelt 2.2.907.0 03.31.2007 VIPRE.Suspicious
Symantec 10 04.01.2007 no virus found
TheHacker 6.1.6.083 03.30.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.3 04.01.2007 no virus found
VirusBuster 4.3.7:9 03.31.2007 no virus found
Webwasher-Gateway 6.0.1 04.01.2007 Win32.Malware.gen (suspicious)
Hi
First, reboot to normal mode
Then use otmoveit to this -> C:\DOCUME~1\User\x.exe
Run combofix and post its log along with a fresh HijackThis log (taken in normal mode)
ludi4burnley
2007-04-01, 19:18
here is combofix log:
"User" - 07-04-01 17:02:49 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\User\Desktop"
(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
"C:\WINDOWS\system32\awtqnkh.dll"
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((( Files Created from 2007-03-01 to 2007-04-01 ))))))))))))))))))))))))))))))))))
2007-04-01 17:10 602,112 --a------ C:\DOCUME~1\User\x.exe
2007-04-01 17:01 759,003 ---hs---- C:\WINDOWS\system32\ehhjl.bak1
2007-04-01 17:01 48,708 --a------ C:\WINDOWS\system32\kyrlaiiu.dll
2007-04-01 17:00 280,676 ---hs---- C:\WINDOWS\system32\ljhhe.dll
2007-04-01 16:50 26,694 --a------ C:\WINDOWS\system32\pmnnmlj.dll
2007-04-01 12:19 <DIR> d----c--- C:\avenger
2007-03-31 19:23 <DIR> d----c--- C:\!KillBox
2007-03-30 18:16 2,874 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-30 18:15 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-30 18:15 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-03-30 18:15 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-30 18:15 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-30 18:15 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-30 18:15 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-30 16:54 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-26 20:04 <DIR> d-------- C:\VundoFix Backups
2007-03-22 17:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-03-03 16:39 <DIR> d-------- C:\WINDOWS\system32\Dell
2007-03-03 16:39 <DIR> d-------- C:\Program Files\Dell
2007-03-03 16:32 <DIR> d-------- C:\Program Files\Motherboard Monitor 5
2007-03-03 14:15 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Screenshot Sender
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-01 17:11 26694 --a------ C:\WINDOWS\system32\mljghhi.dll
2007-03-26 18:51 -------- d-------- C:\Program Files\windows live toolbar
2007-03-26 18:49 -------- d-------- C:\Program Files\yahoo!
2007-03-26 18:48 -------- d-------- C:\Program Files\msn messenger
2007-03-22 19:21 -------- d-------- C:\Program Files\norton internet security
2007-03-03 16:33 -------- d-------- C:\Program Files\java
2007-02-06 17:40 -------- d-------- C:\Program Files\windows media connect 2
2007-01-24 18:47 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"Dell Photo AIO Printer 922"="\"C:\\Program Files\\Dell Photo AIO Printer 922\\dlbtbmgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7D064D71-DD76-4596-90C0-921766AD560A}"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnkh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljhhe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnmlj
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - User.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-01 17:13:55
C:\ComboFix2.txt ... 07-04-01 12:33
C:\ComboFix3.txt ... 07-04-01 11:54
ludi4burnley
2007-04-01, 19:20
Logfile of HijackThis v1.99.1
Scan saved at 17:19:13, on 01/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User\Desktop\HJT.exe
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\pmnnmlj.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E0649FE9-87D8-49D5-A1A3-1CB32D2EBE8D} - C:\WINDOWS\system32\ljhhe.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awtqnkh - awtqnkh.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: ljhhe - C:\WINDOWS\system32\ljhhe.dll
O20 - Winlogon Notify: pmnnmlj - C:\WINDOWS\SYSTEM32\pmnnmlj.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
i can see another few more infected files, can't it be stopped from mutating?
Hi
Well, we definitely need more research, there's something we don't know, otherwise vundo would have been gone long time ago:
Create a Startup List
Open HiJackThis
Click on the "Config..." button on the bottom right
Click on the tab "Misc Tools"
Check off the 2 boxes next to the Box that says "Generate StartupList log"
Copy and past the StartupList from the notepad into your next post
Download F-Secure Blacklight and save it to your desktop -> https://europe.f-secure.com/blacklight/try.shtml
Doubleclick blbeta.exe, accept the agreement, click Scan, then click Next
You'll see a list what have been found. A log will appear to your desktop, it is named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).
DON'T choose Rename if something was found!
Post the contents of fsbl.xxxx.log to here (xxxx= random numbers,blacklight log from your desktop)
Post:
- startuplist
- blacklight log
ludi4burnley, how is it going?
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.
Seven pages.........
Thank you Shaba.
ludi4burnley
2007-04-10, 21:50
i'm in the middle of a norton antivirus scan which i did whilst i knew i had vundo and it didnt find anything, but its now just come up with 13 viruses including another trojan: metajuan. here is the startuplist thing: StartupList report, 10/04/2007, 18:59:38
StartupList version: 1.52.2
Started from : C:\Documents and Settings\User\Desktop\HJT.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16414)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User\Desktop\HJT.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ATIPTA = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
igfxtray = C:\WINDOWS\System32\igfxtray.exe
igfxhkcmd = C:\WINDOWS\System32\hkcmd.exe
igfxpers = C:\WINDOWS\System32\igfxpers.exe
Dell Photo AIO Printer 922 = "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
SunJavaUpdateSched = "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
osCheck = "C:\Program Files\Norton Internet Security\osCheck.exe"
Symantec PIF AlertEng = "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll - {1E8A6170-7264-4D0F-BEAE-D42A53123C75}
(no name) - C:\WINDOWS\system32\ljhhe.dll - {2487839D-CBCF-4CCF-9826-6390CFACAFAE}
(no name) - C:\WINDOWS\system32\wtdwiqmp.dll - {57E218E6-5A80-4f0c-AB25-83598F25D7E9}
(no name) - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\WINDOWS\system32\pmnnmlj.dll - {7D064D71-DD76-4596-90C0-921766AD560A}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Norton Internet Security - Run Full System Scan - User.job
--------------------------------------------------
Enumerating Download Program Files:
[SysProWmi Class]
InProcServer32 = C:\WINDOWS\system32\Dell\SystemProfiler\SysPro.ocx
CODEBASE = http://support.dell.com/systemprofiler/SysPro.CAB
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
[UnoCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\GAME_UNO1.dll
CODEBASE = http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
[Crucial cpcScan]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\cpcScan.dll
CODEBASE = http://www.crucial.com/controls/cpcScanner.cab
[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
--------------------------------------------------
End of report, 5,725 bytes
Report generated in 0.020 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
ludi4burnley
2007-04-10, 22:59
here is fsbl log, it said nothing was found:
04/10/07 20:31:16 [Info]: BlackLight Engine 1.0.61 initialized
04/10/07 20:31:16 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/10/07 20:31:21 [Note]: 7019 4
04/10/07 20:31:21 [Note]: 7005 0
04/10/07 20:31:29 [Note]: 7006 0
04/10/07 20:31:30 [Note]: 7011 1124
04/10/07 20:31:30 [Note]: 7026 0
04/10/07 20:31:30 [Note]: 7026 0
04/10/07 20:31:34 [Note]: FSRAW library version 1.7.1021
04/10/07 20:56:51 [Note]: 2000 1012
04/10/07 20:57:04 [Note]: 7007 0
Hi
Juan = almost same as vundo
Run another scan with combofix and post its log along with a fresh HijackThis log, please :)
ludi4burnley
2007-04-11, 22:13
here is combofix report:
"User" - 07-04-11 19:41:19 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\User\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2007-03-11 to 2007-04-11 ))))))))))))))))))))))))))))))))))
2007-04-11 19:37 123,972 --a------ C:\WINDOWS\system32\nqaxhvoy.dll
2007-04-11 19:36 770,958 ---hs---- C:\WINDOWS\system32\vyccf.bak2
2007-04-11 19:35 91,887 --a------ C:\DOCUME~1\User\in.exe
2007-04-11 19:35 26,694 --a------ C:\WINDOWS\system32\pmnooll.dll
2007-04-10 20:31 26,694 --a------ C:\WINDOWS\system32\khfcaaa.dll
2007-04-10 19:30 770,686 ---hs---- C:\WINDOWS\system32\vyccf.ini2
2007-04-10 19:29 26,694 --a------ C:\WINDOWS\system32\cbxvuts.dll
2007-04-10 19:11 26,694 --a------ C:\WINDOWS\system32\wvuvuvw.dll
2007-04-10 19:04 771,313 ---hs---- C:\WINDOWS\system32\vyccf.bak1
2007-04-10 19:04 48,708 --a------ C:\WINDOWS\system32\mnervdak.dll
2007-04-10 19:04 280,676 ---hs---- C:\WINDOWS\system32\fccyv.dll
2007-04-10 18:43 772,347 ---hs---- C:\WINDOWS\system32\ehhjl.bak2
2007-04-10 18:42 26,694 --a------ C:\WINDOWS\system32\wvusssq.dll
2007-04-10 18:42 189,952 --a------ C:\DOCUME~1\User\us.exe
2007-04-01 17:10 602,112 --a------ C:\DOCUME~1\User\x.exe
2007-04-01 17:01 759,003 ---hs---- C:\WINDOWS\system32\ehhjl.bak1
2007-04-01 12:19 <DIR> d----c--- C:\avenger
2007-03-31 19:23 <DIR> d----c--- C:\!KillBox
2007-03-30 18:16 2,874 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-30 18:15 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-30 18:15 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-03-30 18:15 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-30 18:15 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-30 18:15 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-30 18:15 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-30 16:54 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-26 20:04 <DIR> d-------- C:\VundoFix Backups
2007-03-22 17:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-03-26 18:51 -------- d-------- C:\Program Files\windows live toolbar
2007-03-26 18:49 -------- d-------- C:\Program Files\yahoo!
2007-03-26 18:48 -------- d-------- C:\Program Files\msn messenger
2007-03-26 18:48 -------- d-------- C:\Program Files\motherboard monitor 5
2007-03-22 19:21 -------- d-------- C:\Program Files\norton internet security
2007-03-17 14:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-03 16:33 -------- d-------- C:\Program Files\java
2007-02-05 21:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-01-24 18:47 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"Dell Photo AIO Printer 922"="\"C:\\Program Files\\Dell Photo AIO Printer 922\\dlbtbmgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7D064D71-DD76-4596-90C0-921766AD560A}"=""
"{9796007A-181E-4C97-99EB-7F71B8989A7B}"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvuts
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccyv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - User.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-11 19:57:34
C:\ComboFix2.txt ... 07-04-01 17:13
C:\ComboFix3.txt ... 07-04-01 12:33
ludi4burnley
2007-04-11, 22:14
here is hjt file:
Logfile of HijackThis v1.99.1
Scan saved at 20:13:51, on 11/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\cc"User" - 07-04-11 19:41:19 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\User\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2007-03-11 to 2007-04-11 ))))))))))))))))))))))))))))))))))
2007-04-11 19:37 123,972 --a------ C:\WINDOWS\system32\nqaxhvoy.dll
2007-04-11 19:36 770,958 ---hs---- C:\WINDOWS\system32\vyccf.bak2
2007-04-11 19:35 91,887 --a------ C:\DOCUME~1\User\in.exe
2007-04-11 19:35 26,694 --a------ C:\WINDOWS\system32\pmnooll.dll
2007-04-10 20:31 26,694 --a------ C:\WINDOWS\system32\khfcaaa.dll
2007-04-10 19:30 770,686 ---hs---- C:\WINDOWS\system32\vyccf.ini2
2007-04-10 19:29 26,694 --a------ C:\WINDOWS\system32\cbxvuts.dll
2007-04-10 19:11 26,694 --a------ C:\WINDOWS\system32\wvuvuvw.dll
2007-04-10 19:04 771,313 ---hs---- C:\WINDOWS\system32\vyccf.bak1
2007-04-10 19:04 48,708 --a------ C:\WINDOWS\system32\mnervdak.dll
2007-04-10 19:04 280,676 ---hs---- C:\WINDOWS\system32\fccyv.dll
2007-04-10 18:43 772,347 ---hs---- C:\WINDOWS\system32\ehhjl.bak2
2007-04-10 18:42 26,694 --a------ C:\WINDOWS\system32\wvusssq.dll
2007-04-10 18:42 189,952 --a------ C:\DOCUME~1\User\us.exe
2007-04-01 17:10 602,112 --a------ C:\DOCUME~1\User\x.exe
2007-04-01 17:01 759,003 ---hs---- C:\WINDOWS\system32\ehhjl.bak1
2007-04-01 12:19 <DIR> d----c--- C:\avenger
2007-03-31 19:23 <DIR> d----c--- C:\!KillBox
2007-03-30 18:16 2,874 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-30 18:15 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-30 18:15 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-03-30 18:15 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-30 18:15 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-30 18:15 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-30 18:15 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-30 16:54 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-26 20:04 <DIR> d-------- C:\VundoFix Backups
2007-03-22 17:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-03-26 18:51 -------- d-------- C:\Program Files\windows live toolbar
2007-03-26 18:49 -------- d-------- C:\Program Files\yahoo!
2007-03-26 18:48 -------- d-------- C:\Program Files\msn messenger
2007-03-26 18:48 -------- d-------- C:\Program Files\motherboard monitor 5
2007-03-22 19:21 -------- d-------- C:\Program Files\norton internet security
2007-03-17 14:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-03 16:33 -------- d-------- C:\Program Files\java
2007-02-05 21:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-01-24 18:47 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"Dell Photo AIO Printer 922"="\"C:\\Program Files\\Dell Photo AIO Printer 922\\dlbtbmgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7D064D71-DD76-4596-90C0-921766AD560A}"=""
"{9796007A-181E-4C97-99EB-7F71B8989A7B}"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvuts
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccyv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - User.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-11 19:57:34
C:\ComboFix2.txt ... 07-04-01 17:13
C:\ComboFix3.txt ... 07-04-01 12:33
App.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\User\Desktop\HJT.exe
O2 - BHO: (no name) - {08D3A5C1-B6A5-47DD-875A-03B47E1F030E} - C:\WINDOWS\system32\fccyv.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {2487839D-CBCF-4CCF-9826-6390CFACAFAE} - C:\WINDOWS\system32\ljhhe.dll (file missing)
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\mnervdak.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - C:\WINDOWS\system32\pmnnmlj.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9796007A-181E-4C97-99EB-7F71B8989A7B} - C:\WINDOWS\system32\cbxvuts.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: cbxvuts - C:\WINDOWS\SYSTEM32\cbxvuts.dll
O20 - Winlogon Notify: fccyv - C:\WINDOWS\system32\fccyv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Hi
This might be a bit difficult process but ask if any questions (this have worked in one similar case).
1) Make your hidden and system files visible -> http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Boot in safe mode (not in safe mode with networking!)
2) Empty this folder -> C:\Windows\Prefetch & empty Recycle Bin
3) Use process explorer and otmoveit to files in 020 lines (not to this -> O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll)
4) Use otmoveit to these files:
C:\WINDOWS\system32\nqaxhvoy.dll
C:\WINDOWS\system32\vyccf.bak2
C:\DOCUME~1\User\in.exe
C:\WINDOWS\system32\pmnooll.dll
C:\WINDOWS\system32\khfcaaa.dll
C:\WINDOWS\system32\vyccf.ini2
C:\WINDOWS\system32\cbxvuts.dll
C:\WINDOWS\system32\wvuvuvw.dll
C:\WINDOWS\system32\vyccf.bak1
C:\WINDOWS\system32\mnervdak.dll
C:\WINDOWS\system32\fccyv.dll
C:\WINDOWS\system32\ehhjl.bak2
C:\WINDOWS\system32\wvusssq.dll
C:\DOCUME~1\User\us.exe
C:\DOCUME~1\User\x.exe
C:\WINDOWS\system32\ehhjl.bak1
5) Use otmoveit also to any suspicious looking dll in system32 directory that has been created today or yesterday
6) Fix all 02 & 020 lines with file missing
Reboot
Re-run combofix
Re-run vundofix
Post:
- a fresh HijackThis log
- combofix log
- vundofix report
ludi4burnley
2007-04-12, 13:38
here is combofix:
"User" - 07-04-12 11:25:12 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\User\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2007-03-12 to 2007-04-12 ))))))))))))))))))))))))))))))))))
2007-04-12 11:25 26,694 --a------ C:\WINDOWS\system32\ddccyyx.dll
2007-04-12 11:25 189,952 --a------ C:\DOCUME~1\User\us.exe
2007-04-12 10:53 26,694 --a------ C:\WINDOWS\system32\gebawxx.dll
2007-04-12 10:53 123,972 --a------ C:\WINDOWS\system32\sdhntdti.dll
2007-04-01 12:19 <DIR> d----c--- C:\avenger
2007-03-31 19:23 <DIR> d----c--- C:\!KillBox
2007-03-30 18:16 2,874 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-30 18:15 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-30 18:15 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-03-30 18:15 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-30 18:15 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-30 18:15 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-30 18:15 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-30 16:54 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-26 20:04 <DIR> d-------- C:\VundoFix Backups
2007-03-22 17:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-12 11:31 280676 ---hs---- C:\WINDOWS\system32\jkhig.dll
2007-03-26 18:51 -------- d-------- C:\Program Files\windows live toolbar
2007-03-26 18:49 -------- d-------- C:\Program Files\yahoo!
2007-03-26 18:48 -------- d-------- C:\Program Files\msn messenger
2007-03-26 18:48 -------- d-------- C:\Program Files\motherboard monitor 5
2007-03-22 19:21 -------- d-------- C:\Program Files\norton internet security
2007-03-17 14:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-03 16:33 -------- d-------- C:\Program Files\java
2007-02-05 21:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-01-24 18:47 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"Dell Photo AIO Printer 922"="\"C:\\Program Files\\Dell Photo AIO Printer 922\\dlbtbmgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7D064D71-DD76-4596-90C0-921766AD560A}"=""
"{9796007A-181E-4C97-99EB-7F71B8989A7B}"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccyyx
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhig
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - User.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-12 11:34:18
C:\ComboFix2.txt ... 07-04-11 19:57
C:\ComboFix3.txt ... 07-04-01 17:13
Hi
How about other two logs?
ludi4burnley
2007-04-13, 12:05
forget my last combofix report, this is the new 1, the other logs will be on the way in a few minutes:
"User" - 07-04-13 9:48:12 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\User\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2007-03-13 to 2007-04-13 ))))))))))))))))))))))))))))))))))
2007-04-13 09:54 766,247 ---hs---- C:\WINDOWS\system32\orqru.bak1
2007-04-13 09:54 123,972 --a------ C:\WINDOWS\system32\wdrrxwal.dll
2007-04-13 09:53 280,676 ---hs---- C:\WINDOWS\system32\urqro.dll
2007-04-12 16:37 768,354 ---hs---- C:\WINDOWS\system32\mmllm.bak1
2007-04-12 11:25 26,694 --a------ C:\WINDOWS\system32\ddccyyx.dll
2007-04-12 10:53 26,694 --a------ C:\WINDOWS\system32\gebawxx.dll
2007-04-01 12:19 <DIR> d----c--- C:\avenger
2007-03-31 19:23 <DIR> d----c--- C:\!KillBox
2007-03-30 18:16 2,874 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-30 18:15 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-30 18:15 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-03-30 18:15 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-30 18:15 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-30 18:15 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-30 18:15 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-30 16:54 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-26 20:04 <DIR> d-------- C:\VundoFix Backups
2007-03-22 17:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-03-26 18:51 -------- d-------- C:\Program Files\windows live toolbar
2007-03-26 18:49 -------- d-------- C:\Program Files\yahoo!
2007-03-26 18:48 -------- d-------- C:\Program Files\msn messenger
2007-03-26 18:48 -------- d-------- C:\Program Files\motherboard monitor 5
2007-03-22 19:21 -------- d-------- C:\Program Files\norton internet security
2007-03-17 14:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-03 16:33 -------- d-------- C:\Program Files\java
2007-02-05 21:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-01-24 18:47 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"Dell Photo AIO Printer 922"="\"C:\\Program Files\\Dell Photo AIO Printer 922\\dlbtbmgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7D064D71-DD76-4596-90C0-921766AD560A}"=""
"{9796007A-181E-4C97-99EB-7F71B8989A7B}"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccyyx
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqro
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - User.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-13 10:02:28
C:\ComboFix2.txt ... 07-04-12 11:34
C:\ComboFix3.txt ... 07-04-11 19:57
ludi4burnley
2007-04-13, 12:24
here is hjt logfile, but i can see that vundo has mutated again:
Logfile of HijackThis v1.99.1
Scan saved at 10:23:14, on 13/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\HJT.exe
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9796007A-181E-4C97-99EB-7F71B8989A7B} - C:\WINDOWS\system32\ddccyyx.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ddccyyx - C:\WINDOWS\SYSTEM32\ddccyyx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
ludi4burnley
2007-04-13, 12:25
here is vundofix logfile:
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:04:44 26/03/2007
Listing files found while scanning....
Beginning removal...
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:09:40 26/03/2007
Listing files found while scanning....
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:18:00 26/03/2007
Listing files found while scanning....
Beginning removal...
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:18:43 26/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\xneufrpi.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\ilkkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\jkkli.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\xneufrpi.dll
C:\WINDOWS\system32\xneufrpi.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\jkkli.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:58:57 26/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\ilnpo.bak1
C:\WINDOWS\system32\ilnpo.ini
C:\WINDOWS\system32\opnli.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ilnpo.bak1
C:\WINDOWS\system32\ilnpo.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ilnpo.ini
C:\WINDOWS\system32\ilnpo.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\opnli.dll
C:\WINDOWS\system32\opnli.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\opnli.dll
C:\WINDOWS\system32\opnli.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 16:23:51 31/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\awtuvvv.dll
C:\WINDOWS\system32\byxwutq.dll
C:\WINDOWS\system32\byxxyya.dll
C:\WINDOWS\system32\byxywxx.dll
C:\WINDOWS\system32\cbxxwxv.dll
C:\WINDOWS\system32\fccabyx.dll
C:\WINDOWS\system32\fccbbax.dll
C:\WINDOWS\system32\fccccda.dll
C:\WINDOWS\system32\gebay.dll
C:\WINDOWS\system32\gebbbbx.dll
C:\WINDOWS\system32\gebbyvv.dll
C:\WINDOWS\system32\gebxw.dll
C:\WINDOWS\system32\hgghghh.dll
C:\WINDOWS\system32\iifcyaa.dll
C:\WINDOWS\system32\iifdaab.dll
C:\WINDOWS\system32\jkhgh.dll
C:\WINDOWS\system32\jkkkjgh.dll
C:\WINDOWS\system32\ljjhihg.dll
C:\WINDOWS\system32\nnnkigh.dll
C:\WINDOWS\system32\nnnlihf.dll
C:\WINDOWS\system32\nnnopnk.dll
C:\WINDOWS\system32\opnoonk.dll
C:\WINDOWS\system32\pmnkhif.dll
C:\WINDOWS\system32\pmnlife.dll
C:\WINDOWS\system32\pmnnnnm.dll
C:\WINDOWS\system32\qomnnnm.dll
C:\WINDOWS\system32\rqrqqpo.dll
C:\WINDOWS\system32\rqrrpol.dll
C:\WINDOWS\system32\ssqomjk.dll
C:\WINDOWS\system32\ssqon.dll
C:\WINDOWS\system32\ssqqppm.dll
C:\WINDOWS\system32\ssqrsss.dll
C:\WINDOWS\system32\tusrq.dll
C:\WINDOWS\system32\vtutqom.dll
C:\WINDOWS\system32\vtuursq.dll
C:\WINDOWS\system32\wvurstu.dll
C:\WINDOWS\system32\wvussqr.dll
C:\WINDOWS\system32\wvwxw.dll
C:\WINDOWS\system32\wxbeg.ini
C:\WINDOWS\system32\wxwvw.bak1
C:\WINDOWS\system32\wxwvw.bak2
C:\WINDOWS\system32\wxwvw.ini
C:\WINDOWS\system32\wxwvw.ini2
C:\WINDOWS\system32\wxwvw.tmp
C:\WINDOWS\system32\xxyabbb.dll
C:\WINDOWS\system32\xxyawvv.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\awtqnkh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\awtuvvv.dll
C:\WINDOWS\system32\awtuvvv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\byxwutq.dll
C:\WINDOWS\system32\byxwutq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\byxxyya.dll
C:\WINDOWS\system32\byxxyya.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\byxywxx.dll
C:\WINDOWS\system32\byxywxx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\cbxxwxv.dll
C:\WINDOWS\system32\cbxxwxv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccabyx.dll
C:\WINDOWS\system32\fccabyx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccbbax.dll
C:\WINDOWS\system32\fccbbax.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccccda.dll
C:\WINDOWS\system32\fccccda.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebay.dll
C:\WINDOWS\system32\gebay.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebbbbx.dll
C:\WINDOWS\system32\gebbbbx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebbyvv.dll
C:\WINDOWS\system32\gebbyvv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebxw.dll
C:\WINDOWS\system32\gebxw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\hgghghh.dll
C:\WINDOWS\system32\hgghghh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\iifcyaa.dll
C:\WINDOWS\system32\iifcyaa.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\iifdaab.dll
C:\WINDOWS\system32\iifdaab.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkhgh.dll
C:\WINDOWS\system32\jkhgh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkkkjgh.dll
C:\WINDOWS\system32\jkkkjgh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ljjhihg.dll
C:\WINDOWS\system32\ljjhihg.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnkigh.dll
C:\WINDOWS\system32\nnnkigh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnlihf.dll
C:\WINDOWS\system32\nnnlihf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnopnk.dll
C:\WINDOWS\system32\nnnopnk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\opnoonk.dll
C:\WINDOWS\system32\opnoonk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnkhif.dll
C:\WINDOWS\system32\pmnkhif.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnlife.dll
C:\WINDOWS\system32\pmnlife.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnnnnm.dll
C:\WINDOWS\system32\pmnnnnm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qomnnnm.dll
C:\WINDOWS\system32\qomnnnm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrqqpo.dll
C:\WINDOWS\system32\rqrqqpo.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrrpol.dll
C:\WINDOWS\system32\rqrrpol.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqomjk.dll
C:\WINDOWS\system32\ssqomjk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqon.dll
C:\WINDOWS\system32\ssqon.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqqppm.dll
C:\WINDOWS\system32\ssqqppm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqrsss.dll
C:\WINDOWS\system32\ssqrsss.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\tusrq.dll
C:\WINDOWS\system32\tusrq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtutqom.dll
C:\WINDOWS\system32\vtutqom.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtuursq.dll
C:\WINDOWS\system32\vtuursq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvurstu.dll
C:\WINDOWS\system32\wvurstu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvussqr.dll
C:\WINDOWS\system32\wvussqr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvwxw.dll
C:\WINDOWS\system32\wvwxw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxbeg.ini
C:\WINDOWS\system32\wxbeg.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.bak1
C:\WINDOWS\system32\wxwvw.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.bak2
C:\WINDOWS\system32\wxwvw.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.ini
C:\WINDOWS\system32\wxwvw.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.ini2
C:\WINDOWS\system32\wxwvw.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.tmp
C:\WINDOWS\system32\wxwvw.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyabbb.dll
C:\WINDOWS\system32\xxyabbb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyawvv.dll
C:\WINDOWS\system32\xxyawvv.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 17:30:50 31/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\cdccf.ini2
C:\WINDOWS\system32\cdccf.tmp
C:\WINDOWS\system32\fccdc.dll
C:\WINDOWS\system32\pmnkhif.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\cdccf.ini2
C:\WINDOWS\system32\cdccf.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\cdccf.tmp
C:\WINDOWS\system32\cdccf.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccdc.dll
C:\WINDOWS\system32\fccdc.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnkhif.dll
C:\WINDOWS\system32\pmnkhif.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 17:52:47 31/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\cbxxutt.dll
C:\WINDOWS\system32\loppo.bak1
C:\WINDOWS\system32\loppo.ini
C:\WINDOWS\system32\oppol.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\cbxxutt.dll
C:\WINDOWS\system32\cbxxutt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\loppo.bak1
C:\WINDOWS\system32\loppo.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\loppo.ini
C:\WINDOWS\system32\loppo.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\oppol.dll
C:\WINDOWS\system32\oppol.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Performing Repairs to the registry.
Done!
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 11:38:15 12/04/2007
Listing files found while scanning....
C:\WINDOWS\system32\gihkj.bak1
C:\WINDOWS\system32\gihkj.ini
C:\WINDOWS\system32\hfssedic.dll
C:\WINDOWS\system32\jkhig.dll
C:\WINDOWS\system32\nwpusfew.dll
C:\WINDOWS\system32\sdhntdti.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gihkj.bak1
C:\WINDOWS\system32\gihkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\gihkj.ini
C:\WINDOWS\system32\gihkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\hfssedic.dll
C:\WINDOWS\system32\hfssedic.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkhig.dll
C:\WINDOWS\system32\jkhig.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nwpusfew.dll
C:\WINDOWS\system32\nwpusfew.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\sdhntdti.dll
C:\WINDOWS\system32\sdhntdti.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 16:42:14 12/04/2007
Listing files found while scanning....
C:\WINDOWS\system32\gagjmhsa.dll
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mmllm.bak1
C:\WINDOWS\system32\mmllm.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gagjmhsa.dll
C:\WINDOWS\system32\gagjmhsa.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mllmm.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 10:05:27 13/04/2007
Listing files found while scanning....
C:\WINDOWS\system32\orqru.bak1
C:\WINDOWS\system32\orqru.ini2
C:\WINDOWS\system32\orqru.tmp
C:\WINDOWS\system32\urqro.dll
C:\WINDOWS\system32\wdrrxwal.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\orqru.bak1
C:\WINDOWS\system32\orqru.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\orqru.ini2
C:\WINDOWS\system32\orqru.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\orqru.tmp
C:\WINDOWS\system32\orqru.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\urqro.dll
C:\WINDOWS\system32\urqro.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wdrrxwal.dll
C:\WINDOWS\system32\wdrrxwal.dll Has been deleted!
Performing Repairs to the registry.
Done!
Hi
I'm afraid that you will have to do that process again like before :(
Make sure that hidden files are visible and you use otmoveit to all new dll files in system32 folder and also to these:
C:\WINDOWS\system32\orqru.bak1
C:\WINDOWS\system32\wdrrxwal.dll
C:\WINDOWS\system32\urqro.dll
C:\WINDOWS\system32\mmllm.bak1
C:\WINDOWS\system32\ddccyyx.dll
C:\WINDOWS\system32\gebawxx.dll
Re-run combofix
Re-run vundofix
Post:
- a fresh HijackThis log
- combofix log
- vundofix report
ludi4burnley
2007-04-13, 18:23
looks all clear on hjt:
Logfile of HijackThis v1.99.1
Scan saved at 16:21:21, on 13/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\HJT.exe
C:\WINDOWS\system32\wuauclt.exe
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
ludi4burnley
2007-04-13, 18:24
"User" - 07-04-13 16:00:54 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\User\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2007-03-13 to 2007-04-13 ))))))))))))))))))))))))))))))))))
2007-04-01 12:19 <DIR> d----c--- C:\avenger
2007-03-31 19:23 <DIR> d----c--- C:\!KillBox
2007-03-30 18:16 2,874 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-30 18:15 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-30 18:15 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-03-30 18:15 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-30 18:15 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-30 18:15 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-30 18:15 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-30 16:54 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-26 20:04 <DIR> d-------- C:\VundoFix Backups
2007-03-22 17:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-03-26 18:51 -------- d-------- C:\Program Files\windows live toolbar
2007-03-26 18:49 -------- d-------- C:\Program Files\yahoo!
2007-03-26 18:48 -------- d-------- C:\Program Files\msn messenger
2007-03-26 18:48 -------- d-------- C:\Program Files\motherboard monitor 5
2007-03-22 19:21 -------- d-------- C:\Program Files\norton internet security
2007-03-17 14:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-03 16:33 -------- d-------- C:\Program Files\java
2007-02-05 21:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-01-24 18:47 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"Dell Photo AIO Printer 922"="\"C:\\Program Files\\Dell Photo AIO Printer 922\\dlbtbmgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7D064D71-DD76-4596-90C0-921766AD560A}"=""
"{9796007A-181E-4C97-99EB-7F71B8989A7B}"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - User.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-13 16:04:26
C:\ComboFix2.txt ... 07-04-13 10:02
C:\ComboFix3.txt ... 07-04-12 11:34
ludi4burnley
2007-04-13, 18:26
here is vundofix report, nothing found:
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:04:44 26/03/2007
Listing files found while scanning....
Beginning removal...
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:09:40 26/03/2007
Listing files found while scanning....
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:18:00 26/03/2007
Listing files found while scanning....
Beginning removal...
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:18:43 26/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\xneufrpi.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\ilkkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\jkkli.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\xneufrpi.dll
C:\WINDOWS\system32\xneufrpi.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\jkkli.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.17
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 20:58:57 26/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\ilnpo.bak1
C:\WINDOWS\system32\ilnpo.ini
C:\WINDOWS\system32\opnli.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ilnpo.bak1
C:\WINDOWS\system32\ilnpo.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ilnpo.ini
C:\WINDOWS\system32\ilnpo.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\opnli.dll
C:\WINDOWS\system32\opnli.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\opnli.dll
C:\WINDOWS\system32\opnli.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 16:23:51 31/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\awtuvvv.dll
C:\WINDOWS\system32\byxwutq.dll
C:\WINDOWS\system32\byxxyya.dll
C:\WINDOWS\system32\byxywxx.dll
C:\WINDOWS\system32\cbxxwxv.dll
C:\WINDOWS\system32\fccabyx.dll
C:\WINDOWS\system32\fccbbax.dll
C:\WINDOWS\system32\fccccda.dll
C:\WINDOWS\system32\gebay.dll
C:\WINDOWS\system32\gebbbbx.dll
C:\WINDOWS\system32\gebbyvv.dll
C:\WINDOWS\system32\gebxw.dll
C:\WINDOWS\system32\hgghghh.dll
C:\WINDOWS\system32\iifcyaa.dll
C:\WINDOWS\system32\iifdaab.dll
C:\WINDOWS\system32\jkhgh.dll
C:\WINDOWS\system32\jkkkjgh.dll
C:\WINDOWS\system32\ljjhihg.dll
C:\WINDOWS\system32\nnnkigh.dll
C:\WINDOWS\system32\nnnlihf.dll
C:\WINDOWS\system32\nnnopnk.dll
C:\WINDOWS\system32\opnoonk.dll
C:\WINDOWS\system32\pmnkhif.dll
C:\WINDOWS\system32\pmnlife.dll
C:\WINDOWS\system32\pmnnnnm.dll
C:\WINDOWS\system32\qomnnnm.dll
C:\WINDOWS\system32\rqrqqpo.dll
C:\WINDOWS\system32\rqrrpol.dll
C:\WINDOWS\system32\ssqomjk.dll
C:\WINDOWS\system32\ssqon.dll
C:\WINDOWS\system32\ssqqppm.dll
C:\WINDOWS\system32\ssqrsss.dll
C:\WINDOWS\system32\tusrq.dll
C:\WINDOWS\system32\vtutqom.dll
C:\WINDOWS\system32\vtuursq.dll
C:\WINDOWS\system32\wvurstu.dll
C:\WINDOWS\system32\wvussqr.dll
C:\WINDOWS\system32\wvwxw.dll
C:\WINDOWS\system32\wxbeg.ini
C:\WINDOWS\system32\wxwvw.bak1
C:\WINDOWS\system32\wxwvw.bak2
C:\WINDOWS\system32\wxwvw.ini
C:\WINDOWS\system32\wxwvw.ini2
C:\WINDOWS\system32\wxwvw.tmp
C:\WINDOWS\system32\xxyabbb.dll
C:\WINDOWS\system32\xxyawvv.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\awtqnkh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\awtuvvv.dll
C:\WINDOWS\system32\awtuvvv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\byxwutq.dll
C:\WINDOWS\system32\byxwutq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\byxxyya.dll
C:\WINDOWS\system32\byxxyya.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\byxywxx.dll
C:\WINDOWS\system32\byxywxx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\cbxxwxv.dll
C:\WINDOWS\system32\cbxxwxv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccabyx.dll
C:\WINDOWS\system32\fccabyx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccbbax.dll
C:\WINDOWS\system32\fccbbax.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccccda.dll
C:\WINDOWS\system32\fccccda.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebay.dll
C:\WINDOWS\system32\gebay.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebbbbx.dll
C:\WINDOWS\system32\gebbbbx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebbyvv.dll
C:\WINDOWS\system32\gebbyvv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebxw.dll
C:\WINDOWS\system32\gebxw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\hgghghh.dll
C:\WINDOWS\system32\hgghghh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\iifcyaa.dll
C:\WINDOWS\system32\iifcyaa.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\iifdaab.dll
C:\WINDOWS\system32\iifdaab.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkhgh.dll
C:\WINDOWS\system32\jkhgh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkkkjgh.dll
C:\WINDOWS\system32\jkkkjgh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ljjhihg.dll
C:\WINDOWS\system32\ljjhihg.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnkigh.dll
C:\WINDOWS\system32\nnnkigh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnlihf.dll
C:\WINDOWS\system32\nnnlihf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnopnk.dll
C:\WINDOWS\system32\nnnopnk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\opnoonk.dll
C:\WINDOWS\system32\opnoonk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnkhif.dll
C:\WINDOWS\system32\pmnkhif.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnlife.dll
C:\WINDOWS\system32\pmnlife.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnnnnm.dll
C:\WINDOWS\system32\pmnnnnm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qomnnnm.dll
C:\WINDOWS\system32\qomnnnm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrqqpo.dll
C:\WINDOWS\system32\rqrqqpo.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrrpol.dll
C:\WINDOWS\system32\rqrrpol.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqomjk.dll
C:\WINDOWS\system32\ssqomjk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqon.dll
C:\WINDOWS\system32\ssqon.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqqppm.dll
C:\WINDOWS\system32\ssqqppm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqrsss.dll
C:\WINDOWS\system32\ssqrsss.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\tusrq.dll
C:\WINDOWS\system32\tusrq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtutqom.dll
C:\WINDOWS\system32\vtutqom.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtuursq.dll
C:\WINDOWS\system32\vtuursq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvurstu.dll
C:\WINDOWS\system32\wvurstu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvussqr.dll
C:\WINDOWS\system32\wvussqr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wvwxw.dll
C:\WINDOWS\system32\wvwxw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxbeg.ini
C:\WINDOWS\system32\wxbeg.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.bak1
C:\WINDOWS\system32\wxwvw.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.bak2
C:\WINDOWS\system32\wxwvw.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.ini
C:\WINDOWS\system32\wxwvw.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.ini2
C:\WINDOWS\system32\wxwvw.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxwvw.tmp
C:\WINDOWS\system32\wxwvw.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyabbb.dll
C:\WINDOWS\system32\xxyabbb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyawvv.dll
C:\WINDOWS\system32\xxyawvv.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 17:30:50 31/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\cdccf.ini2
C:\WINDOWS\system32\cdccf.tmp
C:\WINDOWS\system32\fccdc.dll
C:\WINDOWS\system32\pmnkhif.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\cdccf.ini2
C:\WINDOWS\system32\cdccf.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\cdccf.tmp
C:\WINDOWS\system32\cdccf.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccdc.dll
C:\WINDOWS\system32\fccdc.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnkhif.dll
C:\WINDOWS\system32\pmnkhif.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 17:52:47 31/03/2007
Listing files found while scanning....
C:\WINDOWS\system32\cbxxutt.dll
C:\WINDOWS\system32\loppo.bak1
C:\WINDOWS\system32\loppo.ini
C:\WINDOWS\system32\oppol.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\cbxxutt.dll
C:\WINDOWS\system32\cbxxutt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\loppo.bak1
C:\WINDOWS\system32\loppo.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\loppo.ini
C:\WINDOWS\system32\loppo.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\oppol.dll
C:\WINDOWS\system32\oppol.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Performing Repairs to the registry.
Done!
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 11:38:15 12/04/2007
Listing files found while scanning....
C:\WINDOWS\system32\gihkj.bak1
C:\WINDOWS\system32\gihkj.ini
C:\WINDOWS\system32\hfssedic.dll
C:\WINDOWS\system32\jkhig.dll
C:\WINDOWS\system32\nwpusfew.dll
C:\WINDOWS\system32\sdhntdti.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gihkj.bak1
C:\WINDOWS\system32\gihkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\gihkj.ini
C:\WINDOWS\system32\gihkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\hfssedic.dll
C:\WINDOWS\system32\hfssedic.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkhig.dll
C:\WINDOWS\system32\jkhig.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nwpusfew.dll
C:\WINDOWS\system32\nwpusfew.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\sdhntdti.dll
C:\WINDOWS\system32\sdhntdti.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 16:42:14 12/04/2007
Listing files found while scanning....
C:\WINDOWS\system32\gagjmhsa.dll
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mmllm.bak1
C:\WINDOWS\system32\mmllm.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gagjmhsa.dll
C:\WINDOWS\system32\gagjmhsa.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mllmm.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 10:05:27 13/04/2007
Listing files found while scanning....
C:\WINDOWS\system32\orqru.bak1
C:\WINDOWS\system32\orqru.ini2
C:\WINDOWS\system32\orqru.tmp
C:\WINDOWS\system32\urqro.dll
C:\WINDOWS\system32\wdrrxwal.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\orqru.bak1
C:\WINDOWS\system32\orqru.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\orqru.ini2
C:\WINDOWS\system32\orqru.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\orqru.tmp
C:\WINDOWS\system32\orqru.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\urqro.dll
C:\WINDOWS\system32\urqro.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wdrrxwal.dll
C:\WINDOWS\system32\wdrrxwal.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.18
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 16:04:45 13/04/2007
Listing files found while scanning....
No infected files were found.
the jjj.exe application is still visible on the desktop, should it still be there and does it mean that msn messenger will still be messed up?
Hi
Yes, it looks very good :)
Delete jjj.exe from desktop.
Please print these instructions out, or write them down, as you can't read them during the fix.
Please download MWav (http://www.spywareinfo.dk/download/mwav.exe):
Unzip it to its predetermined directory (C:\Kaspersky)
Locate kavupd.exe in the new folder and double-click to Update.
If your firewall gives any messages about this program accessing to internet, allow it.
If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
When you see Updates Downloaded Successfully, hit Enter to continue.
Restart onto Safe Mode (http://www.pchell.com/support/safemode.shtml) and locate the Kaspersky folder.
Locate mwavscan.com and double-click on it to launch the MWAV Scanner.Now lets do the settings:
Leave the Default Settings checked.
Add a check to Drives
This will light up All Drives
Add a check to Scan all Files
Click Scan Clean to begin.
This scan might take around 3+ hours to finish when set to scan everything.
Please be sure it has finished before proceeding.
Once the Scan has finished, all entries identified as Infected, will be displayed in the lower panel.
Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
Open an empty notepad file and paste the results (Ctrl+V) to it. Save the notepad to your desktop, name it as you want (e.g; MWav Results).Reboot into normal Windows and post the results here along with a fresh HijackThis log.
ludi4burnley
2007-04-15, 20:00
sorry, but someone restarted the computer without realising, but i do know there were 87 viruses, here is hjt log though:
Logfile of HijackThis v1.99.1
Scan saved at 18:00:24, on 15/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\HJT.exe
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Hi
Well let's then run online scanner:
Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.
Post:
- a fresh HijackThis log
- kaspersky report
ludi4burnley
2007-04-15, 21:09
here is virus scan log:
Sunday, April 15, 2007 7:07:56 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 15/04/2007
Kaspersky Anti-Virus database records: 297622
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
Scan Statistics
Total number of scanned objects 39043
Number of viruses found 10
Number of infected objects 147
Number of suspicious objects 0
Duration of the scan process 00:44:51
Infected Object Name Virus Name Last Action
C:\avenger\backup.zip/avenger/x.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\avenger\backup.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-04-15_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\802696F3.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\User\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\User\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\User\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\~DFD6CA.tmp Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\~DFD72C.tmp Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\MSN Messenger\MsnMsgr.Exe.mwt Infected: Backdoor.Win32.MSNMaker.ag skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0031957.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0031958.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0031982.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0031994.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0031995.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0031999.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0032038.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034054.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034056.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034060.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034062.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034066.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034067.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034079.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034080.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034088.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034106.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034107.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034115.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034136.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034140.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034141.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034142.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034143.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034144.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034145.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034146.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034147.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034149.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034150.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034151.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034152.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034153.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034154.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
ludi4burnley
2007-04-15, 21:10
part 2:
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034155.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034156.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034157.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034158.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034159.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034160.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034161.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034162.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034163.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034164.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034165.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034166.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034167.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034168.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034170.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034171.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034172.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034173.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034174.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034175.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034176.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034177.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034180.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034181.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034185.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034192.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034201.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034205.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035206.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035209.dll.mwt Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035212.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035213.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035222.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035280.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035285.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035286.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035294.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035349.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035350.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035351.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035352.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035354.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035355.dll.mwt Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035357.dll.mwt Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035358.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035359.dll.mwt Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035390.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035395.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035405.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035417.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035435.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035475.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035487.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035488.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035494.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035499.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035500.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035501.dll.mwt Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035503.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035504.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035505.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035506.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035507.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035508.dll.mwt Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035509.dll.mwt Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035510.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035592.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035593.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035594.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035595.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035596.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035597.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035598.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035599.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035600.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035601.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035602.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035639.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035650.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0037672.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0037673.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0037674.exe Infected: Trojan-Downloader.Win32.Agent.bca skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0037696.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038671.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038674.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038676.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038677.exe Infected: Trojan-Downloader.Win32.Agent.bca skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038681.dll.mwt Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038682.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038684.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038686.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038687.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038688.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038689.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038690.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038691.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038697.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038698.exe Infected: Trojan-Downloader.Win32.Agent.bca skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP111\A0038764.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP111\A0038793.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP111\A0038795.exe Infected: Trojan-Downloader.Win32.Agent.bca skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP111\A0038837.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP112\A0038851.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP112\A0038936.exe Infected: IM-Worm.Win32.Agent.a skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP112\A0038937.exe.mwt Infected: Backdoor.Win32.MSNMaker.ag skipped
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP113\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{59574EF2-D775-4511-8F48-61F4E91E007A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\DOCUME~1\user\in.exe Infected: Trojan-Downloader.Win32.Agent.bca skipped
Scan process completed.
ludi4burnley
2007-04-15, 21:11
here is hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 19:11:08, on 15/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\User\Desktop\HJT.exe
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Hi
Empty this folder:
C:\_OTMoveIt\MovedFiles
Delete this:
C:\avenger\backup.zip
Rest of viruses are in system restore and can be easily cleaned afterwards.
How are things running now?
ludi4burnley
2007-04-15, 21:31
how do i get rid of rest of viruses then, do a system restore?? is that all? thanks for all your help!!! :bigthumb:
Hi
Then you're clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Go here (http://java.sun.com/javase/downloads/index.jsp) and download and install JRE 6.0u1. Click the link that says Java Runtime Environment (JRE) 6u1. You will then need to select Accept License Agreement and click the Continue button that is beside it. Then click the link that says Windows Offline Installation, Multi-language. Save it to your Desktop. Then go back to your Desktop and double click jre-6u1-windows-i586-p.exe to start the install. Once you have it installed, click Start>Run, type in appwiz.cpl and hit Enter. From the list, uninstall J2SE Runtime Environment 5.0 Update 11.
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and reenable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Reenable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
Instructions for - Spybot S & D and Ad-aware (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)
Happy surfing and stay clean!
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.