View Full Version : need help about trojan.Duntek
dinzchor
2007-06-02, 11:21
good day! i am new here and i really need some help about this virus name-Trojan.Duntek (object name- C:\WINDOWS\SYSTEM32\KBDGMT.DLL
Actually i'll already tried to repair it by deleting this so called virus but it still appear in my computer. i'll really dont know how to fix it cause in the first place im not really good in trouble shooting in computer =( that's why im hoping that somebody could help me to fix this problem. tnx in advance
Angelfire777
2007-06-02, 12:48
Hi, Welcome to Safer Networking Forums!
Click HERE (http://ralphcaddell.com/Uploads/HjThis.exe) to download a self-extracting version of Hijackthis. Double click on the file, by default it will extract itself to C:\Hijackthis
Next, double click on Hijackthis.exe. Click "Scan System and Save a Logfile." A Notepad will appear in your screen, copy and paste the contents of the notepad to your next reply.
dinzchor
2007-06-03, 04:44
thank you angelfire for helping me to fix it, anyway here's my reply, i'll already do what u've told me...
Logfile of HijackThis v1.99.1
Scan saved at 11:56:11 PM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Yahoo! Games\Magic Match\FAH504-Console.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Yahoo! Games\Magic Match\FahCore_78.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\SYMNET~1\SNDMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {80ce8c25-a8f3-4ec9-bb07-4c902092c3a9} - C:\WINDOWS\system32\kbdgmt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: kbdgmt - C:\WINDOWS\SYSTEM32\kbdgmt.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FAH@C:+Program Files+Yahoo! Games+Magic Match+FAH504-Console.exe - Stanford University - C:\Program Files\Yahoo! Games\Magic Match\FAH504-Console.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Angelfire777
2007-06-03, 12:00
Hi,
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
*Please download FindAWF (http://noahdfear.geekstogo.com/FindAWF.exe) by noahdfear and save it to your desktop:
Please double-click FindAWF.exe to run it.
If a security alert shows, allow the program to run.
When the tool has completed, a report will open in Notepad.
Please post the results of the awf.txt in your next reply.
dinzchor
2007-06-04, 09:59
hi, ill already do what you've told me. actually when i tried to do the 1st step when i scan the vundo it doesn't detect anything. that's why i jump to the
second step.. and here's my post:
Find AWF report by noahdfear ©2006
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\ITUNES\BAK
03/02/2007 04:24 PM 257,088 iTunesHelper.exe
1 File(s) 257,088 bytes
Directory of C:\PROGRA~1\MESSEN~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
02/16/2007 11:54 AM 282,624 qttask.exe
1 File(s) 282,624 bytes
Directory of C:\PROGRA~1\SYMNET~1\BAK
02/13/2007 02:11 AM 100,056 SNDMon.exe
1 File(s) 100,056 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
06/14/2006 09:11 PM 53,248 DrvMon.exe
1 File(s) 53,248 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
01/09/2007 06:32 PM 58,984 ccApp.exe
1 File(s) 58,984 bytes
Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK
01/19/2007 01:49 PM 4,670,968 YahooMessenger.exe
1 File(s) 4,670,968 bytes
Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK
02/14/2007 06:28 AM 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes
Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK
06/07/2005 12:46 AM 57,344 apdproxy.exe
1 File(s) 57,344 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
257088 Mar 2 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
257088 Mar 2 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 May 2 2007 "C:\WINDOWS\Installer\{01B51908-02EF-453B-87A9-815182E8C2F2}\iTunesIco.exe"
116288 Mar 2 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.1.0.59\iTunesSetupAdmin.exe"
282624 Feb 16 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
37825 Apr 14 2007 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Feb 13 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
53248 Jun 14 2006 "C:\WINDOWS\system32\bak\DrvMon.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
4670968 Mar 27 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4670968 Jan 19 2007 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
52272 Feb 14 2007 "C:\Program Files\Google\googletoolbar2user.exe"
138168 Feb 14 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
171448 Feb 14 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
57344 Jun 7 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"
end of report
tnx again in advance..
Angelfire777
2007-06-05, 13:56
Hi,
*Please download DelDomains (http://www.mvps.org/winhelp2002/DelDomains.inf) by WinHelp2002 and save it to your desktop:
Right-click on DelDomains.inf, and choose Install.
You may not see any noticeable changes or prompts; this is normal.
Then, please restart your computer, and post a new HijackThis log.
You will have to re-immunize with SpywareBlaster, IE-SPYAD, and/or Spybot - Search & Destroy after doing this.
*Please download ResetProtocolDefaults (http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg) by WinHelp2002 and save it to your desktop:
Locate ResetProtocolDefaults.reg which should be on your desktop.
Right-click and select: Merge.
OK the prompt.
*Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG Antispyware.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Do not use it yet!
*Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune
Do not use it yet.
________________
*Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files.
Copy&Paste the 2 entries below into the top 2 boxes.
C:\WINDOWS\system32\kbdgmt.dll
C:\WINDOWS\SYSTEM32\tmgdbk.*
Click Add Files and click Close Window.
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
________________
*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.
O2 - BHO: (no name) - {80ce8c25-a8f3-4ec9-bb07-4c902092c3a9} - C:\WINDOWS\system32\kbdgmt.dll
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: kbdgmt - C:\WINDOWS\SYSTEM32\kbdgmt.dll
Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
________________
You may want to print these instructions here or save them in notepad since you'll work offline.
Reboot into Safe Mode.
To enter Safe Mode..
Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.
*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type restore.bat in the File name and save it to your desktop.
if exist "C:\Program Files\SymNetDrv\SNDMon.exe" del /q "C:\Program Files\SymNetDrv\SNDMon.exe"
copy /y "C:\Program Files\SymNetDrv\bak\SNDMon.exe" "C:\Program Files\SymNetDrv"
if exist "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" del /q "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
copy /y "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe" "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps"
if exist "C:\WINDOWS\system32\DrvMon.exe" del /q "C:\WINDOWS\system32\DrvMon.exe"
copy /y "C:\WINDOWS\system32\bak\DrvMon.exe" "C:\WINDOWS\system32"
if exist "C:\Program Files\QuickTime\qttask.exe" del /q "C:\Program Files\QuickTime\qttask.exe"
copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"
del /q "C:\WINDOWS\system32\lsasss.exe"
rd /s /q "C:\Program Files\iTunes\bak"
rd /s /q "C:\Program Files\QuickTime\bak"
rd /s /q "C:\Program Files\Common Files\Symantec Shared\bak"
rd /s /q "C:\Program Files\Yahoo!\Messenger\bak"
Double click restore.bat then please run FindAWF again to make sure nothing is left.
_________________
*Important: Make sure all your browsers are closed before running ATF Cleaner..
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose:Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click
No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE:If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
*Please run AVG AntiSpyware, and run a full scan as follow:
IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning process.
Launch AVG AntiSpyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
Close AVG AntiSpyware.
Reboot to normal mode.
On your next reply, please post a fresh hijackThis log, AVG Antispyware log, new awf.txt and a description on how your machine is running.
dinzchor
2007-06-09, 12:08
here's my post:
hijack after del domains
Logfile of HijackThis v1.99.1
Scan saved at 1:17:59 AM, on 6/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Yahoo! Games\Magic Match\FAH504-Console.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Yahoo! Games\Magic Match\FahCore_78.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\_stn_10\Desktop\scannthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {80ce8c25-a8f3-4ec9-bb07-4c902092c3a9} - C:\WINDOWS\system32\kbdgmt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: kbdgmt - C:\WINDOWS\SYSTEM32\kbdgmt.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FAH@C:+Program Files+Yahoo! Games+Magic Match+FAH504-Console.exe - Stanford University - C:\Program Files\Yahoo! Games\Magic Match\FAH504-Console.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
this is my post for avg report:
C:\System Volume Information\_restore{0C300B8F-8E9F-49F9-B076-307E9005137D}\RP54\A0048974.exe -> Downloader.Small.ego : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0C300B8F-8E9F-49F9-B076-307E9005137D}\RP108\A0095237.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0C300B8F-8E9F-49F9-B076-307E9005137D}\RP68\A0059855.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0C300B8F-8E9F-49F9-B076-307E9005137D}\RP68\A0059856.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0C300B8F-8E9F-49F9-B076-307E9005137D}\RP68\A0059857.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0C300B8F-8E9F-49F9-B076-307E9005137D}\RP68\A0059858.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0C300B8F-8E9F-49F9-B076-307E9005137D}\RP68\A0059859.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0C300B8F-8E9F-49F9-B076-307E9005137D}\RP68\A0059860.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Documents and Settings\_stn_10\Cookies\_stn_10@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@cupolaventures.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@multiply.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@nba.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@viamtvcom.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@adbrite[3].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@adbrite[4].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@adengage[1].txt -> TrackingCookie.Adengage : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@track.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@cz7.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@connextra[1].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@dealtime[2].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@stat.dealtime[2].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@www.dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@ehg-nokiafin.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@search.live[1].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@auto.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@www.paypal[2].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@c5.zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\_stn_10\Cookies\_stn_10@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
::Report end
this is my post for awf:
Directory of C:\PROGRA~1\ITUNES\BAK
03/02/2007 04:24 PM 257,088 iTunesHelper.exe
1 File(s) 257,088 bytes
Directory of C:\PROGRA~1\MESSEN~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
02/16/2007 11:54 AM 282,624 qttask.exe
1 File(s) 282,624 bytes
Directory of C:\PROGRA~1\SYMNET~1\BAK
02/13/2007 02:11 AM 100,056 SNDMon.exe
1 File(s) 100,056 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
06/14/2006 09:11 PM 53,248 DrvMon.exe
1 File(s) 53,248 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
01/09/2007 06:32 PM 58,984 ccApp.exe
1 File(s) 58,984 bytes
Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK
01/19/2007 01:49 PM 4,670,968 YahooMessenger.exe
1 File(s) 4,670,968 bytes
Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK
02/14/2007 06:28 AM 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes
Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK
06/07/2005 12:46 AM 57,344 apdproxy.exe
1 File(s) 57,344 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
257088 Mar 2 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
257088 Mar 2 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 May 2 2007 "C:\WINDOWS\Installer\{01B51908-02EF-453B-87A9-815182E8C2F2}\iTunesIco.exe"
116288 Mar 2 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.1.0.59\iTunesSetupAdmin.exe"
282624 Feb 16 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
37825 Apr 14 2007 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Feb 13 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
53248 Jun 14 2006 "C:\WINDOWS\system32\bak\DrvMon.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
4670968 Mar 27 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4670968 Jan 19 2007 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
52272 Feb 14 2007 "C:\Program Files\Google\googletoolbar2user.exe"
138168 Feb 14 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
171448 Feb 14 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
57344 Jun 7 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"
end of report
actually my computer is still running and its run easily, but the virus trojan duntek still appear in my computer..
Hello dinzchor and sorry for the delay.
Angelfire777 is busy and asked me to continue :)
Plese post a fresh Hijackthis log to here and we'll continue the cleaning :bigthumb: