can't remove Smitfraud-C.Toolbar888 [Archive]

View Full Version : can't remove Smitfraud-C.Toolbar888

sam thompson

2007-06-19, 01:58

Hi, Im new to this forum, I've read all your recommendations to try before posting. I could not get the online virus checker to work though. I have tried re-booting in safe mode and running Spybot to remove Smitfraud, and spybot says it removed it but ever time I reboot it reappears.

this is my HiJack this log:
Logfile of HijackThis v1.99.1
Scan saved at 23:54:23, on 18/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\RMSvc.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Documents and Settings\All Users\Application Data\fafkbqpc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Sambo\My Documents\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.bath.ac.uk/imp/login.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3A3EC736-404A-4591-B62E-7335D1A3ACE4} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\pyklicor.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\urqopqn.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [fafkbqpc.exe] C:\Documents and Settings\All Users\Application Data\fafkbqpc.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\jktsrpwh.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BFE3F58-F62D-4097-A432-4BD367D2B94D}: NameServer = 194.72.0.114,194.74.65.69
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BFE3F58-F62D-4097-A432-4BD367D2B94D}: NameServer = 194.72.0.114,194.74.65.69
O17 - HKLM\System\CS2\Services\Tcpip\..\{1BFE3F58-F62D-4097-A432-4BD367D2B94D}: NameServer = 194.72.0.114,194.74.65.69
O17 - HKLM\System\CS3\Services\Tcpip\..\{1BFE3F58-F62D-4097-A432-4BD367D2B94D}: NameServer = 194.72.0.114,194.74.65.69
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: WIKI.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

I would much appreciate any help anyone can offer as I have had this problem for a while and any help would be a big help.

Many thanks in advance, Sam.

pskelley

2007-06-19, 16:37

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

If you have not resolved your issues elsewhere, please do this:

1) Make sure Spybot is fully immunized as well as updated:
http://www.it.northwestern.edu/security/spyware/win-spybot-immunize.html

2) Looks like you ran Vundofix? I would like to see the Vundofix report if you still have it.

3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3A3EC736-404A-4591-B62E-7335D1A3ACE4} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\pyklicor.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\urqopqn.dll (file missing)
O4 - HKLM\..\Run: [fafkbqpc.exe] C:\Documents and Settings\All Users\Application Data\fafkbqpc.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\jktsrpwh.dll",realset

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Documents and Settings\All Users\Application Data\fafkbqpc.exe <<< delete that file

C:\WINDOWS\system32\jktsrpwh.dll <<< delete that file

(if either file gives you trouble, use this tool and instructions)
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the Vundofix report if possible and a new HJT log. Let me know how the computer is running.

Thanks

sam thompson

2007-06-21, 01:00

Hi, thanks for the help, I ran through your suggestions but encountered some problems along the way.

firstly, I did not have the following entries in the HJT log:

O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\pyklicor.dll

O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\urqopqn.dll (file missing)

I also couldnt find the jktsrpwh.dll.

I ran the AFT cleaner all the same.

here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 22:18:57, on 20/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ckjghube.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\RMSvc.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Sambo\My Documents\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.bath.ac.uk/imp/login.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {26065DEA-51DE-4151-81D6-B1CDACD12F00} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BFE3F58-F62D-4097-A432-4BD367D2B94D}: NameServer = 194.72.0.114,194.74.65.69
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BFE3F58-F62D-4097-A432-4BD367D2B94D}: NameServer = 194.72.0.114,194.74.65.69
O17 - HKLM\System\CS2\Services\Tcpip\..\{1BFE3F58-F62D-4097-A432-4BD367D2B94D}: NameServer = 194.72.0.114,194.74.65.69
O17 - HKLM\System\CS3\Services\Tcpip\..\{1BFE3F58-F62D-4097-A432-4BD367D2B94D}: NameServer = 194.72.0.114,194.74.65.69
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: WIKI.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\ckjghube.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

and this is the vundo log:

VundoFix V6.5.0

Checking Java version...

Sun Java not detected
Scan started at 15:10:56 18/06/2007

Listing files found while scanning....

C:\windows\system32\gbdwxqsj.exe
C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\hhkmp.ini
C:\WINDOWS\system32\pmkhh.dll
C:\windows\system32\qomlmmk.dll
C:\windows\system32\urqopqn.dll

Beginning removal...

Attempting to delete C:\windows\system32\gbdwxqsj.exe
C:\windows\system32\gbdwxqsj.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\hhkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhkmp.ini
C:\WINDOWS\system32\hhkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkhh.dll
C:\WINDOWS\system32\pmkhh.dll Has been deleted!

Attempting to delete C:\windows\system32\qomlmmk.dll
C:\windows\system32\qomlmmk.dll Has been deleted!

Attempting to delete C:\windows\system32\urqopqn.dll
C:\windows\system32\urqopqn.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.0

Checking Java version...

Sun Java not detected
Scan started at 16:03:21 18/06/2007

Listing files found while scanning....

C:\windows\system32\jkkkjkh.dll

Beginning removal...

Attempting to delete C:\windows\system32\jkkkjkh.dll
C:\windows\system32\jkkkjkh.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.1

Checking Java version...

Sun Java not detected
Scan started at 21:43:45 20/06/2007

Listing files found while scanning....

C:\windows\system32\dtmywdti.dll
C:\windows\system32\efcawvw.dll
C:\WINDOWS\system32\gebaaab.dll
C:\windows\system32\itdwymtd.ini
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\ldvihjlv.dll
C:\windows\system32\llkkj.bak1
C:\windows\system32\llkkj.bak2
C:\windows\system32\llkkj.ini
C:\WINDOWS\system32\pyklicor.dll
C:\WINDOWS\system32\vljhivdl.ini
C:\windows\system32\vtustqq.dll

Beginning removal...

Attempting to delete C:\windows\system32\dtmywdti.dll
C:\windows\system32\dtmywdti.dll Has been deleted!

Attempting to delete C:\windows\system32\efcawvw.dll
C:\windows\system32\efcawvw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebaaab.dll
C:\WINDOWS\system32\gebaaab.dll Has been deleted!

Attempting to delete C:\windows\system32\itdwymtd.ini
C:\windows\system32\itdwymtd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\jkkll.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ldvihjlv.dll
C:\WINDOWS\system32\ldvihjlv.dll Could not be deleted.

Attempting to delete C:\windows\system32\llkkj.bak1
C:\windows\system32\llkkj.bak1 Has been deleted!

Attempting to delete C:\windows\system32\llkkj.bak2
C:\windows\system32\llkkj.bak2 Has been deleted!

Attempting to delete C:\windows\system32\llkkj.ini
C:\windows\system32\llkkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pyklicor.dll
C:\WINDOWS\system32\pyklicor.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vljhivdl.ini
C:\WINDOWS\system32\vljhivdl.ini Has been deleted!

Attempting to delete C:\windows\system32\vtustqq.dll
C:\windows\system32\vtustqq.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ldvihjlv.dll
C:\WINDOWS\system32\ldvihjlv.dll Has been deleted!

Performing Repairs to the registry.
Done!

As I was creating this post, I ran spybot and then a window opened telling me the computer will shutdown in x amount of time, where there was a timer counting down from a minute. This might not be very useful to you as I did not write down what it was that was causing it.

and just now (ie upon restarting after receiving the message that my computer will turn off after x amount of time) sophos has just detected 15 visues, 8 of which it cannot delete bu are in quarintine.

pskelley

2007-06-21, 02:11

Thanks Sam for returning your information and the feedback.

sophos has just detected 15 visues, 8 of which it cannot delete bu are in quarintine.
It does me no good unless you tell me exactly what they are, save the scan results from your antivirus program and post it.

You have junk I can't even identify but I am sure they are trojans. If you want to scan them before you remove them, here are the files and you will need to have hidden files and folders enabled to see them:
I need to point out also that these trojans were not in the first HJT log you posted, so you are continuing to get infected. You would be wise to not use this computer unless you are troubleshooting until we get it clean. The junk will download more.

C:\WINDOWS\system32\ckjghube.exe

C:\WINDOWS\system32\scchk32.exe

WIKI.DLL <<< search for this item and scan it also, If you know why it is running in the log, ignore my instructions to remove it.
I need to know where you find it also.

free scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

1) Make files and folders visible.

2) Disable the Service
Click Start > Run and type services.msc
Scroll down to DomainService and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {26065DEA-51DE-4151-81D6-B1CDACD12F00} - C:\WINDOWS\system32\jkkll.dll (file missing)
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O20 - AppInit_DLLs: WIKI.DLL
O23 - Service: DomainService - - C:\WINDOWS\system32\ckjghube.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\scchk32.exe <<< delete that file

C:\WINDOWS\system32\ckjghube.exe <<< delete that file

WIKI.DLL <<< delete that file unless you it is not bad. It will probably be in the System32 folder

run cleanmgr
http://spyware-free.us/tutorials/cleanmgr/

Restart and post a new HJT log.

Thanks

sam thompson

2007-06-22, 10:50

Hi, Id like to thank you for spending time trying to help me solve my problem. However, I was experiencing more and more problems every day so in the end I decided to do a clean install of Windows.

Thanks again for taking the time to try to help, it was much appreciated.

pskelley

2007-06-22, 13:49

OK Sam and thanks for letting us know, and I certainly understand. Here is some information that may help you avoid these kinds of problems in the future.

http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

pskelley

2007-07-02, 13:58

As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks...pskelley