PC Spyware, don't know what to post.



rublind
2007-07-03, 21:22
I've run AdAware and Spybot in safe mode, and the spyware/adware/whatever is still there.

I'm kind of new to this whole thing and I'm not sure what to post.

which version of HiJack This, and what other things do you need?

Thank you for your help, it is much appreciated.

Hello.
--------------------------------------------
Please see the stickied procedure for this forum: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Copy/paste the logs requested into this topic, and a helper will assist you when available.

:)
--------------------------------------------
Sorry. I've read that before, just forgot. =p

Okay, here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:27:06 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\idnhypxs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Mozilla Firefox 2\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\HiJackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [\\Mainframe\Stylus Photo R300] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P29 "\\Mainframe\Stylus Photo R300" /O29 "\\Mainframe\Stylus Photo R300" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [\\VX-SERVER\Stylus Photo R300] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P29 "\\VX-SERVER\Stylus Photo R300" /O29 "\\VX-SERVER\Stylus Photo R300" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\yhiwbgcs.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: DomainService - - C:\WINDOWS\system32\idnhypxs.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)



Virus Scan log coming soon. =]

Thanks again.

rublind
2007-07-04, 00:23
Virus Scan Results:

Scan Results: 87297 files scanned. 59 viruses were detected.

File Infection Status Path
3fc08ed0-591c0957 Java/Shinwow.AT!ZIP infected C:\Documents and Settings\designer\Application Data\Sun\Java\Deployment\cache\6.0\16\
count.jar-fa647d8-79106345.zip Java/Shinwow.AT!ZIP infected C:\Documents and Settings\designer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
count.jar-fa647d8-79106345.zip>BlackBox.class Java/ByteVerify!exploit infected C:\Documents and Settings\designer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
count.jar-fa647d8-79106345.zip>VerifierBug.class Java/ByteVerify!exploit infected C:\Documents and Settings\designer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
count.jar-fa647d8-79106345.zip>Dummy.class Java/ByteVerify!exploit infected C:\Documents and Settings\designer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
count.jar-fa647d8-79106345.zip>Beyond.class Java/Shinwow.AT infected C:\Documents and Settings\designer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
123[1].htm Win32/MS07-017!exploit infected C:\Documents and Settings\designer\Local Settings\Temporary Internet Files\Content.IE5\5DOTRXNV\
exp1[1].htm JS/MS06-014!exploit infected C:\Documents and Settings\designer\Local Settings\Temporary Internet Files\Content.IE5\6D0W8HAO\
exp2[1].htm JS/MS06-014!exploit infected C:\Documents and Settings\designer\Local Settings\Temporary Internet Files\Content.IE5\6D0W8HAO\
lo1[1] Win32/Vundo!generic infected C:\Documents and Settings\Linda\Local Settings\Temporary Internet Files\Content.IE5\JXKBGC0M\
avhwbtbw.exe Win32/Abetear.A infected C:\WINDOWS\system32\
borvfphp.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
drnqecmx.dll Win32/Vundo.DA infected C:\WINDOWS\system32\
elagjncc.exe Win32/Abetear.A infected C:\WINDOWS\system32\
fiunoyoo.exe Win32/Abetear.A infected C:\WINDOWS\system32\
fncygedl.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
gacknxhr.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
gealxhii.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
hauqnttj.dll Win32/Vundo.DB infected C:\WINDOWS\system32\
hejegeig.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
hglavkiy.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
hxqreovy.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
iagnafag.exe Win32/Abetear.A infected C:\WINDOWS\system32\
idnhypxs.exe Win32/Abetear.A infected C:\WINDOWS\system32\
ilvdliaa.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
imvlokfb.exe Win32/Abetear.A infected C:\WINDOWS\system32\
jlesrcyv.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
jmmirbic.dll Win32/Vundo.DA infected C:\WINDOWS\system32\
jnonogew.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
jrgguvyl.exe Win32/Abetear.A infected C:\WINDOWS\system32\
kebrpnre.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
kfslrnqb.dll Win32/Darksma.X infected C:\WINDOWS\system32\
kohyiyrn.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
kqxymvce.exe Win32/Abetear.A infected C:\WINDOWS\system32\
ldyphwnx.exe Win32/Abetear.A infected C:\WINDOWS\system32\
lodjxpbx.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
mljkkhg.dll Win32/Chisyne!generic infected C:\WINDOWS\system32\
mrnmojyv.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
muckuwmc.exe Win32/Abetear.A infected C:\WINDOWS\system32\
nblyvoea.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
oarqrcgw.exe Win32/Abetear.A infected C:\WINDOWS\system32\
psdxtqnm.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
pvtgrphj.dll Win32/Darksma!generic infected C:\WINDOWS\system32\
rdxndgst.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
rspjuxvo.exe Win32/Abetear.A infected C:\WINDOWS\system32\
sbduigkm.exe Win32/Abetear.A infected C:\WINDOWS\system32\
sjtjsdyw.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
sljpcgyo.exe Win32/Abetear.A infected C:\WINDOWS\system32\
ssgwsaeu.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
tiejcwlt.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
tvefpyxv.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
uarehvhb.exe Win32/Abetear.A infected C:\WINDOWS\system32\
uedptfoj.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
vgflhofu.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
wnophpgc.dll Win32/Darksma!generic infected C:\WINDOWS\system32\
wtoqskvw.exe Win32/Abetear.A infected C:\WINDOWS\system32\
wyyxkaur.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
xisreosu.exe Win32/Abetear.A infected C:\WINDOWS\system32\
yhiwbgcs.dll Win32/Vundo!generic infected C:\WINDOWS\system32\

Oh boy. That's a lot of viruses...

Thanks for any and all help. :)

pskelley
2007-07-04, 15:26
Oh boy. That's a lot of viruses...
Yes it is, so you can see you have your work cut out for you. Here is some information about this junk and the hackers.
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn
http://www.revenews.com/wayneporter/archives/adware-spyware-greynets/getting_the_fix_on_winfixer_aol_network_now/

Since they hide the junk from HJT, please rename HJT.exe.
C:\HiJackThis\HijackThis.exe <<< call it rublind.exe and after a reboot we will see any that is left after Vundofix.

You have an infected Java cache caused probably by this infection. Follow these instructions carefully to clean that cache:
http://support.f-secure.com/enu/home/virusproblem/howtoclean/cleanjavacache.shtml

Please read and follow the directions carefully, those that do have few problems removing this junk.
Thanks to Atribune and any others who helped with this fix.

Please understand these hackers can call their junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit the files to Upload Malware (http://www.uploadmalware.com).

We will have more to do.

Thanks

rublind
2007-07-04, 19:48
Unfortunately this is all on a work computer, and with today being the Fourth of July, I am not at the office.

I will run these fixes tomorrow and post the appropriate logs.

Thank you very much. :laugh:

pskelley
2007-07-04, 19:51
You did post that you read this information?
http://forums.spybot.info/showthread.php?t=288


Personal computers or.....

The malware removal forum is set up to help those in need of assistance with their personal computers. This service is free and provided by volunteers.

We realise on occasion a business where staff are trained to remove malware need a second opinion. In that case please state that up-front and note the steps already taken. Our volunteers appreciate that.

If the PC owner is being charged by you, please ensure it is a second opinion you are seeking, and not posting your jobs for others to clean.

Thank you for your understanding.

rublind
2007-07-04, 19:57
Okay, let me rephrase. It's my personal computer, but it's _at_ work. :laugh:

I work with my neighbor (not at his house, but at his office).

And I'm not charging anyone for this, and everyone understands the risks involved.

pskelley
2007-07-04, 20:03
Thanks, good thing my office is at home. I can tell from that scan that this is a very bad infection; clear a space of time to work with Vundofix, it is going to take it.

Thanks...Phil

rublind
2007-07-04, 20:07
I will. I work M-F 11-7 PST time, and whenever there are posts on this forum (within that time frame) I'll be able to take the time to follow those steps.

I really do appreciate your help, and I'm sorry for not stating that the computer was at an office and not in my house up front.

Again, will post update tomorrow. I'll follow those steps first thing.

rublind
2007-07-05, 20:25
Okay, so, VundoFix got rid of most things, but it couldn't get rid of one item I believe? (I had to reboot twice, and it didn't appear in the list anymore, so I assume it's gone? Not sure)

Here is the HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:22:55 AM, on 7/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\idnhypxs.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox 2\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HiJackThis\rublind.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tgctiiyb.dll
O2 - BHO: (no name) - {385DB65B-01AA-4848-AB67-8315D948F5E9} - C:\WINDOWS\system32\jmmirbic.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {C77EC729-3CBF-48CB-B521-032F171CF903} - C:\WINDOWS\system32\drnqecmx.dll
O2 - BHO: (no name) - {F3313CED-595A-4748-933A-96814290626D} - C:\WINDOWS\system32\vtstr.dll (file missing)
O2 - BHO: (no name) - {FFE3CBF1-44B7-4DAF-AF10-034A1826DF79} - C:\WINDOWS\system32\drnqecmx.dll
O4 - HKLM\..\Run: [\\Mainframe\Stylus Photo R300] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P29 "\\Mainframe\Stylus Photo R300" /O29 "\\Mainframe\Stylus Photo R300" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [\\VX-SERVER\Stylus Photo R300] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P29 "\\VX-SERVER\Stylus Photo R300" /O29 "\\VX-SERVER\Stylus Photo R300" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\idnhypxs.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)


And the VundoFix log (too long, on next post):
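Reading the two HJT logs above side by side, as an added example (not code from this thread, HijackThis or VundoFix): a small Python triage that parses HJT entry lines, flags the patterns the helper is working from (a service with an empty publisher field, unnamed BHOs and rundll32 Run keys loading random eight-letter files from system32), and diffs the log taken before VundoFix against the one taken afterwards with the renamed executable, which now shows O2 entries the first log did not. The heuristics and function names are this example's own assumptions; the sample lines are excerpts copied from the logs posted in this thread.

```python
"""Triage and diff HijackThis (HJT) logs around a cleanup run.

Added example; not part of this thread, HijackThis or VundoFix.  The sample
lines are excerpts of the two HJT logs posted above (2007-07-03 and
2007-07-05); the heuristics and function names are this example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# Entry lines carry an HJT section tag (R0/R1 IE URLs, O2 BHOs, O4 Run keys,
# O23 services, ...).  Process-list lines and headers do not, so they are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

# Eight lowercase letters under system32 is the naming pattern of the Vundo and
# Abetear files in this thread.  It is only a supporting signal: legitimate
# files match too (igfxpers.exe is Intel graphics), so it never flags on its own.
RANDOM_SYS32_RE = re.compile(r"C:\\WINDOWS\\system32\\[a-z]{8}\.(?:dll|exe)", re.IGNORECASE)


def parse_entries(log: str) -> Dict[str, Tuple[str, str]]:
    """Return {full line: (section, body)} for every tagged entry in an HJT log."""
    entries = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries[line] = (m.group("section"), m.group("body"))
    return entries


def suspicion(section: str, body: str) -> Optional[str]:
    """Heuristic reason an entry needs a helper's attention, or None."""
    random_name = RANDOM_SYS32_RE.search(body) is not None
    # HJT prints services as "Service: <name> - <company> - <path>"; an empty
    # company field (" - - ") means the binary has no publisher information.
    if section == "O23" and " - - " in body:
        return "service with empty publisher field"
    # Unnamed BHOs are common (Spybot's SDHelper.dll is one); the random DLL
    # name is what separates the Vundo components from legitimate ones.
    if section == "O2" and body.startswith("BHO: (no name)") and random_name:
        return "unnamed BHO loading random-named system32 DLL"
    if section == "O4" and "rundll32.exe" in body.lower() and random_name:
        return "Run key loads random-named system32 DLL via rundll32"
    return None


def triage(log: str) -> Dict[str, str]:
    """Map each flagged entry line to the reason it was flagged."""
    flagged = {}
    for line, (section, body) in parse_entries(log).items():
        reason = suspicion(section, body)
        if reason:
            flagged[line] = reason
    return flagged


def compare(before: str, after: str) -> Dict[str, List[str]]:
    """Diff two HJT logs: what a fix removed, what appeared, and which flagged
    entries survived it (the items the helper must deal with next)."""
    b, a = parse_entries(before), parse_entries(after)
    return {
        "removed": sorted(set(b) - set(a)),
        "added": sorted(set(a) - set(b)),
        "survived": sorted(line for line in triage(after) if line in b),
    }


# Constructed excerpts of the thread's logs: the first scan, and the scan made
# with the renamed HJT executable after VundoFix (which now shows O2 entries).
HJT_BEFORE = r"""
Running processes:
C:\WINDOWS\system32\idnhypxs.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\yhiwbgcs.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\idnhypxs.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""
HJT_AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tgctiiyb.dll
O2 - BHO: (no name) - {385DB65B-01AA-4848-AB67-8315D948F5E9} - C:\WINDOWS\system32\jmmirbic.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C77EC729-3CBF-48CB-B521-032F171CF903} - C:\WINDOWS\system32\drnqecmx.dll
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\idnhypxs.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for title, lines in compare(HJT_BEFORE, HJT_AFTER).items():
        print(f"== {title} ({len(lines)})")
        for line in lines:
            print("  ", line)
```

Run stand-alone it prints the one Run key VundoFix removed, the five O2 entries that became visible, and the DomainService entry that survived the fix, matching the "Could not be deleted" line for idnhypxs.exe in the VundoFix log.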

rublind
2007-07-05, 20:26
VundoFix V6.5.4

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 11:07:39 AM 7/5/2007

Listing files found while scanning....

C:\windows\system32\aeovylbn.ini
C:\WINDOWS\system32\atjlwsbu.dll
C:\windows\system32\avhwbtbw.exe
C:\windows\system32\borvfphp.dll
C:\windows\system32\cktmxgup.exe
C:\windows\system32\dccdd.ini
C:\windows\system32\ddccd.dll
C:\windows\system32\dnbcryck.ini
C:\windows\system32\elagjncc.exe
C:\windows\system32\fabnrqyt.exe
C:\windows\system32\fiunoyoo.exe
C:\windows\system32\fncygedl.dll
C:\windows\system32\gacknxhr.dll
C:\windows\system32\gealxhii.dll
C:\windows\system32\giegejeh.ini
C:\WINDOWS\system32\hauqnttj.dll
C:\windows\system32\hejegeig.dll
C:\windows\system32\hglavkiy.dll
C:\windows\system32\hlxfcrni.exe
C:\windows\system32\hxqreovy.dll
C:\windows\system32\iagnafag.exe
C:\windows\system32\idnhypxs.exe
C:\windows\system32\ilvdliaa.dll
C:\windows\system32\imvlokfb.exe
C:\windows\system32\jlesrcyv.dll
C:\windows\system32\jnonogew.dll
C:\windows\system32\jrgguvyl.exe
C:\WINDOWS\system32\kcyrcbnd.dll
C:\windows\system32\kebrpnre.dll
C:\windows\system32\kfslrnqb.dll
C:\windows\system32\kohyiyrn.dll
C:\windows\system32\kqxymvce.exe
C:\windows\system32\ldegycnf.ini
C:\windows\system32\ldyphwnx.exe
C:\windows\system32\lodjxpbx.dll
C:\windows\system32\lvmjanrn.dll
C:\windows\system32\mjlhhlnt.exe
C:\WINDOWS\system32\mljkkhg.dll
C:\windows\system32\mrnmojyv.dll
C:\windows\system32\muckuwmc.exe
C:\windows\system32\nblyvoea.dll
C:\windows\system32\oarqrcgw.exe
C:\windows\system32\phpfvrob.ini
C:\windows\system32\prqss.ini
C:\windows\system32\psdxtqnm.dll
C:\WINDOWS\system32\pvtgrphj.dll
C:\windows\system32\rdxndgst.dll
C:\windows\system32\rspjuxvo.exe
C:\windows\system32\rtstv.bak1
C:\windows\system32\rtstv.bak2
C:\windows\system32\rtstv.ini
C:\windows\system32\rtstv.ini2
C:\windows\system32\rtstv.tmp
C:\windows\system32\ruakxyyw.ini
C:\windows\system32\sbduigkm.exe
C:\windows\system32\scgbwihy.ini
C:\windows\system32\sjtjsdyw.dll
C:\windows\system32\sljpcgyo.exe
C:\windows\system32\ssgwsaeu.dll
C:\windows\system32\ssqrp.dll
C:\windows\system32\tiejcwlt.dll
C:\windows\system32\tsgdnxdr.ini
C:\windows\system32\tvefpyxv.dll
C:\windows\system32\uarehvhb.exe
C:\windows\system32\ueaswgss.ini
C:\windows\system32\uedptfoj.dll
C:\windows\system32\ufohlfgv.ini
C:\WINDOWS\system32\ulyydoby.dll
C:\windows\system32\vgflhofu.dll
C:\WINDOWS\system32\vtstr.dll
C:\windows\system32\vxypfevt.ini
C:\windows\system32\vycrselj.ini
C:\windows\system32\wnophpgc.dll
C:\windows\system32\wtoqskvw.exe
C:\windows\system32\wyyxkaur.dll
C:\windows\system32\xbpxjdol.ini
C:\windows\system32\xisreosu.exe
C:\WINDOWS\system32\xuchmuyw.dll
C:\windows\system32\yhiwbgcs.dll
C:\windows\system32\yikvalgh.ini

Beginning removal...

VundoFix V6.5.4

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 11:12:08 AM 7/5/2007

Listing files found while scanning....

C:\windows\system32\atjlwsbu.dll
C:\windows\system32\avhwbtbw.exe
C:\windows\system32\cktmxgup.exe
C:\windows\system32\dccdd.ini
C:\windows\system32\ddccd.dll
C:\windows\system32\dnbcryck.ini
C:\windows\system32\elagjncc.exe
C:\windows\system32\fabnrqyt.exe
C:\windows\system32\fiunoyoo.exe
C:\windows\system32\gacknxhr.dll
C:\windows\system32\gealxhii.dll
C:\windows\system32\giegejeh.ini
C:\WINDOWS\system32\hauqnttj.dll
C:\windows\system32\hejegeig.dll
C:\windows\system32\hlxfcrni.exe
C:\windows\system32\hxqreovy.dll
C:\windows\system32\iagnafag.exe
C:\windows\system32\idnhypxs.exe
C:\windows\system32\ilvdliaa.dll
C:\windows\system32\imvlokfb.exe
C:\WINDOWS\system32\jkupcdro.dll
C:\windows\system32\jnonogew.dll
C:\windows\system32\jrgguvyl.exe
C:\windows\system32\kcyrcbnd.dll
C:\windows\system32\kebrpnre.dll
C:\windows\system32\kfslrnqb.dll
C:\windows\system32\kohyiyrn.dll
C:\windows\system32\kqxymvce.exe
C:\windows\system32\ldyphwnx.exe
C:\windows\system32\lvmjanrn.dll
C:\windows\system32\mjlhhlnt.exe
C:\WINDOWS\system32\mljkkhg.dll
C:\windows\system32\mrnmojyv.dll
C:\windows\system32\muckuwmc.exe
C:\windows\system32\nblyvoea.dll
C:\windows\system32\oarqrcgw.exe
C:\windows\system32\ordcpukj.ini
C:\windows\system32\prqss.ini
C:\windows\system32\psdxtqnm.dll
C:\WINDOWS\system32\pvtgrphj.dll
C:\windows\system32\rdxndgst.dll
C:\windows\system32\rspjuxvo.exe
C:\windows\system32\rtstv.bak1
C:\windows\system32\rtstv.bak2
C:\windows\system32\rtstv.ini
C:\windows\system32\rtstv.ini2
C:\windows\system32\rtstv.tmp
C:\windows\system32\sbduigkm.exe
C:\windows\system32\sjtjsdyw.dll
C:\windows\system32\sljpcgyo.exe
C:\windows\system32\ssgwsaeu.dll
C:\windows\system32\ssqrp.dll
C:\windows\system32\tiejcwlt.dll
C:\windows\system32\tsgdnxdr.ini
C:\windows\system32\tvefpyxv.dll
C:\windows\system32\uarehvhb.exe
C:\windows\system32\ueaswgss.ini
C:\windows\system32\uedptfoj.dll
C:\WINDOWS\system32\ulyydoby.dll
C:\WINDOWS\system32\vtstr.dll
C:\windows\system32\vxypfevt.ini
C:\windows\system32\wnophpgc.dll
C:\windows\system32\wtoqskvw.exe
C:\windows\system32\xisreosu.exe
C:\WINDOWS\system32\xuchmuyw.dll

Beginning removal...

Attempting to delete C:\windows\system32\atjlwsbu.dll
C:\windows\system32\atjlwsbu.dll Has been deleted!

Attempting to delete C:\windows\system32\avhwbtbw.exe
C:\windows\system32\avhwbtbw.exe Has been deleted!

Attempting to delete C:\windows\system32\cktmxgup.exe
C:\windows\system32\cktmxgup.exe Has been deleted!

Attempting to delete C:\windows\system32\dccdd.ini
C:\windows\system32\dccdd.ini Has been deleted!

Attempting to delete C:\windows\system32\ddccd.dll
C:\windows\system32\ddccd.dll Has been deleted!

Attempting to delete C:\windows\system32\dnbcryck.ini
C:\windows\system32\dnbcryck.ini Has been deleted!

Attempting to delete C:\windows\system32\elagjncc.exe
C:\windows\system32\elagjncc.exe Has been deleted!

Attempting to delete C:\windows\system32\fabnrqyt.exe
C:\windows\system32\fabnrqyt.exe Has been deleted!

Attempting to delete C:\windows\system32\fiunoyoo.exe
C:\windows\system32\fiunoyoo.exe Has been deleted!

Attempting to delete C:\windows\system32\gacknxhr.dll
C:\windows\system32\gacknxhr.dll Has been deleted!

Attempting to delete C:\windows\system32\gealxhii.dll
C:\windows\system32\gealxhii.dll Has been deleted!

Attempting to delete C:\windows\system32\giegejeh.ini
C:\windows\system32\giegejeh.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hauqnttj.dll
C:\WINDOWS\system32\hauqnttj.dll Has been deleted!

Attempting to delete C:\windows\system32\hejegeig.dll
C:\windows\system32\hejegeig.dll Has been deleted!

Attempting to delete C:\windows\system32\hlxfcrni.exe
C:\windows\system32\hlxfcrni.exe Has been deleted!

Attempting to delete C:\windows\system32\hxqreovy.dll
C:\windows\system32\hxqreovy.dll Has been deleted!

Attempting to delete C:\windows\system32\iagnafag.exe
C:\windows\system32\iagnafag.exe Has been deleted!

Attempting to delete C:\windows\system32\idnhypxs.exe
C:\windows\system32\idnhypxs.exe Could not be deleted.

Attempting to delete C:\windows\system32\ilvdliaa.dll
C:\windows\system32\ilvdliaa.dll Has been deleted!

Attempting to delete C:\windows\system32\imvlokfb.exe
C:\windows\system32\imvlokfb.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkupcdro.dll
C:\WINDOWS\system32\jkupcdro.dll Could not be deleted.

Attempting to delete C:\windows\system32\jnonogew.dll
C:\windows\system32\jnonogew.dll Has been deleted!

Attempting to delete C:\windows\system32\jrgguvyl.exe
C:\windows\system32\jrgguvyl.exe Has been deleted!

Attempting to delete C:\windows\system32\kcyrcbnd.dll
C:\windows\system32\kcyrcbnd.dll Has been deleted!

Attempting to delete C:\windows\system32\kebrpnre.dll
C:\windows\system32\kebrpnre.dll Has been deleted!

Attempting to delete C:\windows\system32\kfslrnqb.dll
C:\windows\system32\kfslrnqb.dll Has been deleted!

Attempting to delete C:\windows\system32\kohyiyrn.dll
C:\windows\system32\kohyiyrn.dll Has been deleted!

Attempting to delete C:\windows\system32\kqxymvce.exe
C:\windows\system32\kqxymvce.exe Has been deleted!

Attempting to delete C:\windows\system32\ldyphwnx.exe
C:\windows\system32\ldyphwnx.exe Has been deleted!

Attempting to delete C:\windows\system32\lvmjanrn.dll
C:\windows\system32\lvmjanrn.dll Has been deleted!

Attempting to delete C:\windows\system32\mjlhhlnt.exe
C:\windows\system32\mjlhhlnt.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljkkhg.dll
C:\WINDOWS\system32\mljkkhg.dll Has been deleted!

Attempting to delete C:\windows\system32\mrnmojyv.dll
C:\windows\system32\mrnmojyv.dll Has been deleted!

Attempting to delete C:\windows\system32\muckuwmc.exe
C:\windows\system32\muckuwmc.exe Has been deleted!

Attempting to delete C:\windows\system32\nblyvoea.dll
C:\windows\system32\nblyvoea.dll Has been deleted!

Attempting to delete C:\windows\system32\oarqrcgw.exe
C:\windows\system32\oarqrcgw.exe Has been deleted!

Attempting to delete C:\windows\system32\ordcpukj.ini
C:\windows\system32\ordcpukj.ini Has been deleted!

Attempting to delete C:\windows\system32\prqss.ini
C:\windows\system32\prqss.ini Has been deleted!

Attempting to delete C:\windows\system32\psdxtqnm.dll
C:\windows\system32\psdxtqnm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pvtgrphj.dll
C:\WINDOWS\system32\pvtgrphj.dll Has been deleted!

Attempting to delete C:\windows\system32\rdxndgst.dll
C:\windows\system32\rdxndgst.dll Has been deleted!

Attempting to delete C:\windows\system32\rspjuxvo.exe
C:\windows\system32\rspjuxvo.exe Has been deleted!

Attempting to delete C:\windows\system32\rtstv.bak1
C:\windows\system32\rtstv.bak1 Has been deleted!

Attempting to delete C:\windows\system32\rtstv.bak2
C:\windows\system32\rtstv.bak2 Has been deleted!

Attempting to delete C:\windows\system32\rtstv.ini
C:\windows\system32\rtstv.ini Has been deleted!

Attempting to delete C:\windows\system32\rtstv.ini2
C:\windows\system32\rtstv.ini2 Has been deleted!

Attempting to delete C:\windows\system32\rtstv.tmp
C:\windows\system32\rtstv.tmp Has been deleted!

Attempting to delete C:\windows\system32\sbduigkm.exe
C:\windows\system32\sbduigkm.exe Has been deleted!

Attempting to delete C:\windows\system32\sjtjsdyw.dll
C:\windows\system32\sjtjsdyw.dll Has been deleted!

Attempting to delete C:\windows\system32\sljpcgyo.exe
C:\windows\system32\sljpcgyo.exe Has been deleted!

Attempting to delete C:\windows\system32\ssgwsaeu.dll
C:\windows\system32\ssgwsaeu.dll Has been deleted!

Attempting to delete C:\windows\system32\ssqrp.dll
C:\windows\system32\ssqrp.dll Has been deleted!

Attempting to delete C:\windows\system32\tiejcwlt.dll
C:\windows\system32\tiejcwlt.dll Has been deleted!

Attempting to delete C:\windows\system32\tsgdnxdr.ini
C:\windows\system32\tsgdnxdr.ini Has been deleted!

Attempting to delete C:\windows\system32\tvefpyxv.dll
C:\windows\system32\tvefpyxv.dll Has been deleted!

Attempting to delete C:\windows\system32\uarehvhb.exe
C:\windows\system32\uarehvhb.exe Has been deleted!

Attempting to delete C:\windows\system32\ueaswgss.ini
C:\windows\system32\ueaswgss.ini Has been deleted!

Attempting to delete C:\windows\system32\uedptfoj.dll
C:\windows\system32\uedptfoj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ulyydoby.dll
C:\WINDOWS\system32\ulyydoby.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtstr.dll
C:\WINDOWS\system32\vtstr.dll Has been deleted!

Attempting to delete C:\windows\system32\vxypfevt.ini
C:\windows\system32\vxypfevt.ini Has been deleted!

Attempting to delete C:\windows\system32\wnophpgc.dll
C:\windows\system32\wnophpgc.dll Has been deleted!

Attempting to delete C:\windows\system32\wtoqskvw.exe
C:\windows\system32\wtoqskvw.exe Has been deleted!

Attempting to delete C:\windows\system32\xisreosu.exe
C:\windows\system32\xisreosu.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\xuchmuyw.dll
C:\WINDOWS\system32\xuchmuyw.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.4

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 11:15:42 AM 7/5/2007

Listing files found while scanning....

C:\windows\system32\idnhypxs.exe
C:\windows\system32\jkupcdro.dll

Beginning removal...

Attempting to delete C:\windows\system32\idnhypxs.exe
C:\windows\system32\idnhypxs.exe Could not be deleted.

Attempting to delete C:\windows\system32\jkupcdro.dll
C:\windows\system32\jkupcdro.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\idnhypxs.exe
C:\windows\system32\idnhypxs.exe Could not be deleted.

Performing Repairs to the registry.
Done!

Awaiting further orders. :laugh:

rublind
2007-07-05, 20:29
I was going to edit my post, but I am not allowed, sorry for all the posting!

I forgot to say that I cleaned the Java Cache, and changed HijackThis.exe to rublind.exe as stated in the instructions.

Again, sorry for the triple post.

pskelley
2007-07-05, 21:21
Thanks for returning the information, this is about as bad an infection of Vundo as I have seen.

C:\Program Files\Mozilla Firefox 2\firefox.exe <<< look at this item to make sure it is valid, use one or more of these free scanners to check the file if needed. It may be the way you numbered it that is causing my scanner to suspect it.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.htm

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Disable the Service
Click Start > Run and type services.msc
Scroll down to DomainService and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tgctiiyb.dll
O2 - BHO: (no name) - {385DB65B-01AA-4848-AB67-8315D948F5E9} - C:\WINDOWS\system32\jmmirbic.dll
O2 - BHO: (no name) - {C77EC729-3CBF-48CB-B521-032F171CF903} - C:\WINDOWS\system32\drnqecmx.dll
O2 - BHO: (no name) - {F3313CED-595A-4748-933A-96814290626D} - C:\WINDOWS\system32\vtstr.dll (file missing)
O2 - BHO: (no name) - {FFE3CBF1-44B7-4DAF-AF10-034A1826DF79} - C:\WINDOWS\system32\drnqecmx.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\idnhypxs.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\idnhypxs.exe <<< delete that file

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Post a new HJT log and check your Java program for an update. Let me know how the computer is running now.

Thanks
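The item selection in step 4 above follows a pattern: nameless BHOs and an ownerless service, all pointing at random-looking files in system32, plus stale "(file missing)" entries. As an added example (not code from this thread or from HijackThis), this small parser applies those same triage rules to O2/O23 lines; the sample log is assembled from lines quoted in the thread, and the random-name heuristic is an assumption that only flags an entry when it coincides with the other signals.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample built from HijackThis 1.99.1 lines quoted in this thread:
# two legitimate BHOs, two Vundo BHOs, the ownerless DomainService, and two real services.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tgctiiyb.dll
O2 - BHO: (no name) - {F3313CED-595A-4748-933A-96814290626D} - C:\WINDOWS\system32\vtstr.dll (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\idnhypxs.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
"""

# "O2 - BHO: <name> - {CLSID} - <path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
# "O23 - Service: <name> - <owner> - <path>"; an empty owner is printed as "name - - path"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?:(?P<owner>.*?) )?- (?P<path>.*)$")
# Vundo droppers in this thread use 5-8 random lowercase letters (idnhypxs.exe, vtstr.dll).
# Heuristic assumption: short legitimate names match too, so it is never used on its own.
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}$")


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def _binary_name(path: str) -> str:
    """File name from an HJT path, dropping '(file missing)' and any service arguments."""
    cleaned = path.replace("(file missing)", "").split('"')[0].strip()
    return cleaned.split("\\")[-1]


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def _random_looking(file_name: str) -> bool:
    stem = file_name.rsplit(".", 1)[0]
    return bool(RANDOM_STEM_RE.match(stem))


def triage_line(line: str) -> Optional[Finding]:
    """Return why an O2/O23 entry deserves a closer look, or None if nothing stands out."""
    reasons: List[str] = []
    m = O2_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        if "(file missing)" in path:
            reasons.append("BHO points at a file that no longer exists (stale entry)")
        if name == "(no name)" and _in_system32(path) and _random_looking(_binary_name(path)):
            reasons.append("nameless BHO loaded from a random-looking DLL in system32")
    else:
        m = O23_RE.match(line)
        if m:
            owner, path = (m.group("owner") or "").strip(), m.group("path")
            if "(file missing)" in path:
                # HJT also prints this for quoted paths followed by arguments, so confirm on disk
                reasons.append("service binary reported missing (stale entry or quoting artifact)")
            if owner in ("", "Unknown owner") and _in_system32(path) and _random_looking(_binary_name(path)):
                reasons.append("ownerless service started from a random-looking EXE in system32")
    return Finding(line, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Scan every line of an HJT log and collect the entries worth checking by hand."""
    findings = []
    for raw in log_text.splitlines():
        found = triage_line(raw.strip())
        if found:
            findings.append(found)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f.line)
        for reason in f.reasons:
            print("   ->", reason)
```

The output is a shortlist for a human to confirm (properties, online scan, as the helper does above), not a verdict; legitimate entries such as SDHelper.dll and the Apple service stay unflagged because they fail the combined test.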

rublind
2007-07-05, 21:42
The third link for virus scan doesn't work.

The first link had a busy server, and thus it didn't scan the firefox file.
The second link, Kaspersky, for some reason wasn't working either.

For the HijackThis System Scan, the line:

O23 - Service: DomainService - - C:\WINDOWS\system32\idnhypxs.exe

does not exist. I am assuming that this is because you had me stop the DomainService.

I ran HijackThis (Fix Selected) for the remainder of the items.

I deleted the file.

I ran ATF cleaner.

I ran jucheck.exe and jusched.exe, there were no updates for Java.

Here is the HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:38:31 PM, on 7/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox 2\firefox.exe
C:\WINDOWS\system32\NOTEPAD.exe
C:\HiJackThis\rublind.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [\\Mainframe\Stylus Photo R300] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P29 "\\Mainframe\Stylus Photo R300" /O29 "\\Mainframe\Stylus Photo R300" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [\\VX-SERVER\Stylus Photo R300] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P29 "\\VX-SERVER\Stylus Photo R300" /O29 "\\VX-SERVER\Stylus Photo R300" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)

As for the computer, it appears to be running better, but this computer is used only for testing (web design, checking IE for glitches n' such) so I don't know how quickly I'd notice something. But popups have stopped being as frequent.

rublind
2007-07-05, 21:45
The first link, for virus scanner, finally went through.

No threat was detected with firefox.exe. :)

pskelley
2007-07-05, 22:08
Thanks for the feedback, I also had a problem with the third scan link but the others seem to be working properly. C:\Program Files\Mozilla Firefox 2\firefox.exe <<< right click on the file and choose properties. The General Tab should show 7.27 MB's and on the Version Tab it should indicate Copyright: Mozilla Corporation

OK, read your latest post, I figured it was valid, just wanted to be positive. You can still look at the Properties if you wish.

Let's run at least one more good scan because of how nasty that infection was.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from Kaspersky Online Virus Scanner (http://www.kaspersky.com/virusscanner)

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan: Select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that log to this topic.

Thanks

rublind
2007-07-05, 23:07
It's currently scanning, about 50% done and it has found 2 viruses, and 4 infected objects.

My question is whether or not Kaspersky will be able to take care of these items? And if it will, should I have it do that? Or just take the log and paste it here?

pskelley
2007-07-05, 23:10
Kaspersky is one of the better online scanners, but it will not fix anything for us; we will do that manually. Just post the log when it is done.

Thanks

rublind
2007-07-06, 00:44
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, July 05, 2007 3:44:09 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 5/07/2007
Kaspersky Anti-Virus database records: 336603
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 73114
Number of viruses found: 8
Number of infected objects: 74
Number of suspicious objects: 2
Duration of the scan process: 01:27:15

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\designer\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\cert8.db Object is locked skipped
C:\Documents and Settings\designer\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\history.dat Object is locked skipped
C:\Documents and Settings\designer\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\key3.db Object is locked skipped
C:\Documents and Settings\designer\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\parent.lock Object is locked skipped
C:\Documents and Settings\designer\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\search.sqlite Object is locked skipped
C:\Documents and Settings\designer\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\designer\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\designer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\designer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\designer\Local Settings\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\designer\Local Settings\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\designer\Local Settings\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\designer\Local Settings\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\designer\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\designer\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\designer\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\designer\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\designer\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\HiJackThis\backups\backup-20070705-123420-235.dll Infected: Packed.Win32.Klone.j skipped
C:\HiJackThis\backups\backup-20070705-123420-288.dll Infected: Packed.Win32.Klone.j skipped
C:\HiJackThis\backups\backup-20070705-123420-327.dll Infected: Packed.Win32.Klone.j skipped
C:\HiJackThis\backups\backup-20070705-123420-910.dll Infected: Trojan.Win32.BHO.g skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP451\A0028234.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP451\A0028235.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP451\A0028236.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP452\A0028413.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP452\A0028414.dll Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP467\A0031752.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP476\A0032210.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP476\A0032211.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP476\A0032212.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP486\A0032345.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP486\A0032346.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033427.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033428.exe Infected: Trojan.Win32.Agent.anr skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033431.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033432.exe Infected: Trojan.Win32.Agent.anr skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033433.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033437.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033439.exe Infected: Trojan.Win32.Agent.anr skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033441.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033443.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033445.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033448.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033450.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033451.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033452.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033453.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033456.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033458.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033461.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033463.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033465.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033467.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033473.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033476.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033479.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033480.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033481.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033482.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\A0033497.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP496\change.log Object is locked skipped
C:\VundoFix Backups\avhwbtbw.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\cktmxgup.exe.bad Infected: Trojan.Win32.Agent.anr skipped
C:\VundoFix Backups\elagjncc.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\fabnrqyt.exe.bad Infected: Trojan.Win32.Agent.anr skipped
C:\VundoFix Backups\fiunoyoo.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\hauqnttj.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\hlxfcrni.exe.bad Infected: Trojan.Win32.Agent.anr skipped
C:\VundoFix Backups\iagnafag.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\idnhypxs.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\imvlokfb.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\jrgguvyl.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\kfslrnqb.dll.bad Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\VundoFix Backups\kqxymvce.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\ldyphwnx.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\lvmjanrn.dll.bad Suspicious: Packed.Win32.Morphine.a skipped
C:\VundoFix Backups\mjlhhlnt.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\muckuwmc.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\oarqrcgw.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\pvtgrphj.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\VundoFix Backups\rspjuxvo.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\sbduigkm.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\sljpcgyo.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\uarehvhb.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\ulyydoby.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\wnophpgc.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\VundoFix Backups\wtoqskvw.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\xisreosu.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\xuchmuyw.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drnqecmx.dll Infected: Packed.Win32.Klone.j skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jmmirbic.dll Infected: Packed.Win32.Klone.j skipped
C:\WINDOWS\system32\kfaugypn.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\WINDOWS\system32\ouqcintw.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\tgctiiyb.dll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_728.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

pskelley
2007-07-06, 01:12
Thanks for the scan results, looks like everything is in backups and System Restore except for four items.

C:\HiJackThis\backups\ > HJT > Main Menu > View the list of backups > Delete All

C:\VundoFix Backups\ >> remove all of VundoFix, including the Backups, from your computer

C:\System Volume Information\_restore >> follow these directions to clean System Restore files:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Navigate to and delete the files in red:

C:\WINDOWS\system32\jmmirbic.dll Infected: Packed.Win32.Klone.j skipped
C:\WINDOWS\system32\kfaugypn.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\WINDOWS\system32\ouqcintw.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\tgctiiyb.dll Infected: Trojan.Win32.BHO.g skipped

If any give you problems, use this tool and instructions:
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb

Restart the computer and you should be good to go. Post a new Kaspersky scan report if you wish to be sure, but I believe that is it.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
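The triage in the post above (hits that live in the HijackThis backups, the VundoFix Backups folder or System Restore are cleared by emptying those stores; only the live copies in system32 have to be deleted by hand) can be done mechanically rather than by eye. The script below is an added example, not code from this forum or from any of the tools mentioned: it parses the line format of the Kaspersky Online Scanner reports posted in this thread, discards the "Object is locked skipped" lines (which are not detections, as the report's own "Number of infected objects" count shows; they are registry hives, event logs and browser databases the scanner could not open), and buckets the real hits by where they sit on disk. Run over the first report it lists five live files rather than four, because C:\WINDOWS\system32\drnqecmx.dll was in that log as well and was the one the second scan still flagged. The sample input is constructed for the example: the system32, VundoFix Backups and config\SAM lines are copied from the posted reports, while the HijackThis-backup and System Restore lines are made up to exercise the other two buckets (the restore-point GUID, RP number and backup file name are placeholders, not values from the thread).

```python
import re
from collections import defaultdict

# Constructed sample input in the Kaspersky Online Scanner 5 report format.
# The system32, VundoFix Backups and config\SAM lines are copied from the
# reports posted in this thread; the HijackThis backup and System Restore
# lines are invented here to show the other buckets (GUID, RP number and
# backup file name are placeholders, not values from the thread).
SAMPLE_REPORT = r"""
C:\HiJackThis\backups\backup-20070704-093012-123.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP12\A0001234.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\xuchmuyw.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drnqecmx.dll Infected: Packed.Win32.Klone.j skipped
C:\WINDOWS\system32\jmmirbic.dll Infected: Packed.Win32.Klone.j skipped
C:\WINDOWS\system32\kfaugypn.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\WINDOWS\system32\ouqcintw.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\tgctiiyb.dll Infected: Trojan.Win32.BHO.g skipped
"""

# A real hit: "<path> Infected: <detection name> <last action>".
# The path may contain spaces, so it is matched non-greedily up to the keyword.
# "Suspicious:" is assumed to share the shape; no such line appears in the thread.
DETECTION = re.compile(
    r"^(?P<path>.+?) (?P<kind>Infected|Suspicious): (?P<name>\S+) (?P<action>\S+)$"
)
# Not a hit: the scanner could not open the file (hives, .evt logs, browser DBs).
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

# Where a hit lives decides what to do with it. Copies held by a removal tool's
# backup folder or by System Restore go away when that store is emptied, which
# is the advice in the post above; anything else is a live file to delete.
BUCKETS = [
    ("hijackthis_backup", "c:\\hijackthis\\backups\\"),
    ("vundofix_backup", "c:\\vundofix backups\\"),
    ("system_restore", "c:\\system volume information\\"),
]


def bucket_for(path: str) -> str:
    """Return the bucket name for a detected file path (case-insensitive prefix match)."""
    low = path.lower()
    for name, prefix in BUCKETS:
        if low.startswith(prefix):
            return name
    return "live"


def triage(report: str) -> dict:
    """Split a report into (path, detection) pairs per bucket, plus the locked-file noise."""
    result = defaultdict(list)
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETECTION.match(line)
        if m:
            result[bucket_for(m["path"])].append((m["path"], m["name"]))
            continue
        if LOCKED.match(line):
            result["locked"].append(line)
        # Header and statistics lines match neither pattern and are ignored.
    return dict(result)


def live_detections(report: str) -> list:
    """Paths that are neither in a backup store nor in System Restore, sorted for stable output."""
    return sorted(path for path, _ in triage(report).get("live", []))


if __name__ == "__main__":
    buckets = triage(SAMPLE_REPORT)
    for name in ("hijackthis_backup", "vundofix_backup", "system_restore"):
        print(f"{name}: {len(buckets.get(name, []))} hit(s), cleared by emptying that store")
    print(f"locked (not detections): {len(buckets.get('locked', []))}")
    print("live files to delete by hand:")
    for path in live_detections(SAMPLE_REPORT):
        print("  ", path)
```

The useful check is the last list: it is the set of files that still have to be removed (by hand or with the Delete on Reboot tool), and comparing it between two consecutive scans shows at a glance whether anything was missed, which is exactly the case with drnqecmx.dll in this thread.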

rublind
2007-07-06, 01:44
Thank you very much for your help. :]

I'm going to run another Kaspersky scan, and will post the log, so give me about an hour and a half. :laugh:

But again, thank you for your help.

pskelley
2007-07-06, 01:56
No problem, I am in Clearwater, Florida (EST) and have been at the logs since around 5 AM, so it will be morning before I see the log.

Thanks :laugh:

rublind
2007-07-06, 01:58
Haha, well then. Thanks for all the help. :laugh:

rublind
2007-07-06, 19:59
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, July 06, 2007 10:57:48 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 6/07/2007
Kaspersky Anti-Virus database records: 336639
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 69046
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:20:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\designer\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\cert8.db Object is locked skipped
C:\Documents and Settings\designer\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\history.dat Object is locked skipped
C:\Documents and Settings\designer\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\key3.db Object is locked skipped
C:\Documents and Settings\designer\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\parent.lock Object is locked skipped
C:\Documents and Settings\designer\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\search.sqlite Object is locked skipped
C:\Documents and Settings\designer\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\designer\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\designer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\designer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\designer\Local Settings\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\designer\Local Settings\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\designer\Local Settings\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\designer\Local Settings\Application Data\Mozilla\Firefox\Profiles\m52wljt4.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\designer\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\designer\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\designer\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\designer\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{DD4B4C79-E702-44F4-9565-D652EC9C0BA5}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drnqecmx.dll Infected: Packed.Win32.Klone.j skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_784.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Looks like I got one small virus left:

C:\WINDOWS\system32\drnqecmx.dll Infected: Packed.Win32.Klone.j skipped

pskelley
2007-07-06, 21:11
Oops...looks that way to me also. I went back and looked and the item was in the last log. I guess that's what happens when you use the same eyes for 65 years :laugh: I will assume you have deleted that bugger by now.
Safe surfing to you.

Thanks...Phil

rublind
2007-07-06, 21:14
Yup. Thanks much for the help. :laugh:

pskelley
2007-07-10, 11:46
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks...pskelley