Malware returns constantly...not sure what.



azian111
2007-07-18, 21:26
Hello,

I am being plagued by all of this malware that I don't even know about. I appreciate any help that can be given. Thank you so much in advance.

Logfile of HijackThis v1.99.1
Scan saved at 11:24:14 AM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kim\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15F2CAF1-7299-4720-AD8C-109C1B17B92D} - C:\WINDOWS\system32\mljjk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7AD11CD4-76A7-460B-98DF-AF26D8C2C6FA} - C:\WINDOWS\system32\vtstr.dll
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\fhhejnso.dll
O2 - BHO: (no name) - {941508F8-CCD9-44E0-AC29-4F1E141373F7} - C:\WINDOWS\system32\pmnnlml.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FB40D31A-B1F8-47EA-BC54-D27DDB475978} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Fit-width Print - {3C34EBD2-038D-4d4f-B081-16D99D8BE2B4} - C:\WINDOWS\Downloaded Program Files\IEPrint.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: IEPrint - http://www.visiontech.ltd.uk/software/download/IEPrint.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099021466609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: nnnonlk - nnnonlk.dll (file missing)
O20 - Winlogon Notify: pmnnlml - C:\WINDOWS\SYSTEM32\pmnnlml.dll
O20 - Winlogon Notify: sstts - C:\WINDOWS\system32\sstts.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvuturq - C:\WINDOWS\SYSTEM32\wvuturq.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Distributed Link Compatibility (DBLCsvc) - Unknown owner - C:\WINDOWS\system32\mui\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

pskelley
2007-07-19, 03:11
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information: "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You have several issues and a Vundo infection is one of them, please read and follow the directions carefully.

1) You are running two antivirus programs at the same time and this is not a good thing. They conflict with each other and you will be less safe than if you ran one good program and maintained it properly. Uninstall one, update the one you keep, and run a complete system scan; post for me any item that can't be removed, with the complete name and pathway.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp

C:\PROGRA~1\Grisoft\AVG7\
C:\Program Files\Norton SystemWorks\
Uninstall one of those.


2) Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm


3) Thanks to Atribune and any others who helped with this fix.

Please understand these hackers can call their junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit the files to upload malware: http://www.uploadmalware.com

Thanks

azian111
2007-07-19, 05:18
Hi pskelley,

Thank you so much for replying. I read and understand the rules of this forum.
I followed your instructions carefully:

1. I uninstalled my outdated version of Norton SystemWorks.

2. I placed HJT in its own folder in my C drive.

3. I continually ran VundoFix and now it no longer detects anything.

Here are the requested logs:

VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 11:04:24 AM 7/17/2007

Listing files found while scanning....

C:\windows\system32\chmdhirr.ini
C:\windows\system32\gaeiyqpx.dll
C:\windows\system32\gcnqyqwj.dll
C:\windows\system32\gfjtnqwl.dll
C:\WINDOWS\system32\ghbcxvqr.dll
C:\WINDOWS\system32\kjjlm.bak1
C:\WINDOWS\system32\kjjlm.bak2
C:\WINDOWS\system32\kjjlm.ini
C:\WINDOWS\system32\mljjk.dll
C:\WINDOWS\system32\novlcnnp.dll
C:\windows\system32\oonnfipd.dll
C:\windows\system32\pnhapkcq.dll
C:\windows\system32\qckpahnp.ini
C:\windows\system32\rqvxcbhg.ini
C:\windows\system32\rrihdmhc.dll
C:\WINDOWS\system32\sstts.dll
C:\windows\system32\vmulnroj.dll

Beginning removal...

Attempting to delete C:\windows\system32\chmdhirr.ini
C:\windows\system32\chmdhirr.ini Has been deleted!

Attempting to delete C:\windows\system32\gaeiyqpx.dll
C:\windows\system32\gaeiyqpx.dll Has been deleted!

Attempting to delete C:\windows\system32\gcnqyqwj.dll
C:\windows\system32\gcnqyqwj.dll Has been deleted!

Attempting to delete C:\windows\system32\gfjtnqwl.dll
C:\windows\system32\gfjtnqwl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghbcxvqr.dll
C:\WINDOWS\system32\ghbcxvqr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kjjlm.bak1
C:\WINDOWS\system32\kjjlm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\kjjlm.bak2
C:\WINDOWS\system32\kjjlm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\kjjlm.ini
C:\WINDOWS\system32\kjjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljjk.dll
C:\WINDOWS\system32\mljjk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\novlcnnp.dll
C:\WINDOWS\system32\novlcnnp.dll Has been deleted!

Attempting to delete C:\windows\system32\oonnfipd.dll
C:\windows\system32\oonnfipd.dll Has been deleted!

Attempting to delete C:\windows\system32\pnhapkcq.dll
C:\windows\system32\pnhapkcq.dll Has been deleted!

Attempting to delete C:\windows\system32\qckpahnp.ini
C:\windows\system32\qckpahnp.ini Has been deleted!

Attempting to delete C:\windows\system32\rqvxcbhg.ini
C:\windows\system32\rqvxcbhg.ini Has been deleted!

Attempting to delete C:\windows\system32\rrihdmhc.dll
C:\windows\system32\rrihdmhc.dll Has been deleted!

Attempting to delete C:\windows\system32\vmulnroj.dll
C:\windows\system32\vmulnroj.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 11:22:37 AM 7/17/2007

Listing files found while scanning....


VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 11:27:33 AM 7/17/2007

Listing files found while scanning....

C:\WINDOWS\system32\sstts.dll
C:\WINDOWS\system32\sttss.bak1
C:\WINDOWS\system32\sttss.bak2
C:\WINDOWS\system32\sttss.ini
C:\WINDOWS\system32\sttss.ini2
C:\WINDOWS\system32\sttss.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\sttss.bak1
C:\WINDOWS\system32\sttss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\sttss.bak2
C:\WINDOWS\system32\sttss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\sttss.ini
C:\WINDOWS\system32\sttss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\sttss.ini2
C:\WINDOWS\system32\sttss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\sttss.tmp
C:\WINDOWS\system32\sttss.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 5:18:08 PM 7/17/2007

Listing files found while scanning....

C:\WINDOWS\system32\rtstv.bak1
C:\WINDOWS\system32\rtstv.ini
C:\WINDOWS\system32\vtstr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rtstv.bak1
C:\WINDOWS\system32\rtstv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtstv.ini
C:\WINDOWS\system32\rtstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtstr.dll
C:\WINDOWS\system32\vtstr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 6:46:35 PM 7/18/2007

Listing files found while scanning....

C:\windows\system32\fhhejnso.dll
C:\WINDOWS\system32\rtstv.ini
C:\WINDOWS\system32\vtstr.dll

Beginning removal...

Attempting to delete C:\windows\system32\fhhejnso.dll
C:\windows\system32\fhhejnso.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtstv.ini
C:\WINDOWS\system32\rtstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtstr.dll
C:\WINDOWS\system32\vtstr.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 6:59:42 PM 7/18/2007

Listing files found while scanning....

No infected files were found.

Logfile of HijackThis v1.99.1
Scan saved at 7:17:54 PM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Fit-width Print - {3C34EBD2-038D-4d4f-B081-16D99D8BE2B4} - C:\WINDOWS\Downloaded Program Files\IEPrint.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: IEPrint - http://www.visiontech.ltd.uk/software/download/IEPrint.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099021466609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Distributed Link Compatibility (DBLCsvc) - Unknown owner - C:\WINDOWS\system32\mui\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

pskelley
2007-07-19, 12:37
Thanks for returning your information and your feedback. Great job with the instructions. Here is information about Vundo for you:
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn
http://www.revenews.com/wayneporter/archives/adware-spyware-greynets/getting_the_fix_on_winfixer_aol_network_now/

This item: O23 - Service: Distributed Link Compatibility (DBLCsvc) - Unknown owner - C:\WINDOWS\system32\mui\svchost.exe which is running from your services gives me great concern and I am most certain it is a trojan.
I cannot look at it from here; unless you know what it is, please use these free online scanners to see what it is.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
You will need all files and folders enabled to see it: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
I will schedule removal which you should ignore if you find it is not bad, which I doubt.

1) See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
The Vundofix scan reports multiple old versions of Java which is probably why you are infected. Uninstall all BUT the newest version in Add Remove Programs.

2) (same instructions as the link I provided)
How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) Disable the Service
Click Start > Run and type services.msc
Scroll down to Distributed Link Compatibility and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...ansporter.cab?
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
O23 - Service: Distributed Link Compatibility (DBLCsvc) - Unknown owner - C:\WINDOWS\system32\mui\svchost.exe (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\mui\ <<< delete that folder (may be gone)

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Post a new HJT log and let me know how the computer is running.

Thanks
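
One way to pick out the kinds of HijackThis entries pskelley flagged in his two posts above (unnamed BHOs and Winlogon Notify hooks with random-looking DLL names or missing files, and a service binary called svchost.exe that is not in the real system32 folder), as an added example that is not part of this thread or of HijackThis itself: a small Python triage script over HijackThis v1.99 log lines. It also covers a Run entry that starts rundll32 on a system32 DLL, a pattern that appears in a log later in the thread. The allow-list of Winlogon Notify DLLs and the sample log (assembled from lines posted in this thread) are constructed for the example.

```python
"""Triage HijackThis v1.99 log lines for the patterns flagged in this thread:
unnamed BHOs loading from system32 or with the file missing (O2), Run entries
that start rundll32 on a system32 DLL (O4), Winlogon Notify hooks that are not
the ones Windows XP ships with (O20), and services whose binary is called
svchost.exe but does not live directly in the system32 folder (O23).
The sample log below is constructed from lines posted in the thread."""
import re

# Winlogon Notify DLLs shipped with Windows XP SP2 (constructed allow-list for
# this example; a real triage needs a fuller, maintained one).
KNOWN_NOTIFY = {"wgalogon.dll", "crypt32chain.dll", "cryptnet.dll",
                "cscdll.dll", "scecli.dll", "sclgntfy.dll", "wlnotify.dll",
                "schedule.dll", "sensnotify.dll", "termsrv.dll"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Constructed sample: a mix of benign and suspicious lines from the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15F2CAF1-7299-4720-AD8C-109C1B17B92D} - C:\WINDOWS\system32\mljjk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7AD11CD4-76A7-460B-98DF-AF26D8C2C6FA} - C:\WINDOWS\system32\vtstr.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\giutibyd.dll",forkonce
O20 - Winlogon Notify: nnnonlk - nnnonlk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvuturq - C:\WINDOWS\SYSTEM32\wvuturq.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Distributed Link Compatibility (DBLCsvc) - Unknown owner - C:\WINDOWS\system32\mui\svchost.exe (file missing)
"""


def split_path(raw):
    """Normalize a HijackThis path field: lower-case, drop quotes and the
    '(file missing)' note. Returns (path, basename, missing)."""
    p = raw.strip().strip('"').lower()
    missing = p.endswith("(file missing)") or p == "(no file)"
    p = p.replace("(file missing)", "").strip()
    return p, p.rsplit("\\", 1)[-1], missing


def in_system32(path):
    """True when the file sits directly in a ...\\system32 folder (not a subfolder)."""
    return path.rsplit("\\", 1)[0].endswith("\\system32")


def triage_line(line):
    """Return [(tag, reason), ...] for one log line; [] if nothing stands out."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        path, base, missing = split_path(m.group("path"))
        if m.group("name") == "(no name)" and (missing or in_system32(path)):
            why = "unnamed BHO, file missing" if missing else "unnamed BHO loading %s from system32" % base
            return [("O2", why)]
        return []
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd").lower()
        if cmd.startswith("rundll32") and "\\system32\\" in cmd and ".dll" in cmd:
            return [("O4", "rundll32 autostart of a system32 DLL: " + m.group("cmd"))]
        return []
    m = O20_RE.match(line)
    if m:
        path, base, missing = split_path(m.group("path"))
        if base not in KNOWN_NOTIFY:
            why = "Winlogon Notify DLL %s not in the XP allow-list" % base
            if missing:
                why += " (hook left behind, DLL already gone)"
            return [("O20", why)]
        return []
    m = O23_RE.match(line)
    if m:
        path, base, missing = split_path(m.group("path"))
        if base == "svchost.exe" and not in_system32(path):
            return [("O23", "svchost.exe outside system32 (%s), owner: %s" % (path, m.group("owner")))]
        return []
    return []


def triage_log(text):
    """Run triage_line over a whole log; returns [(tag, reason, line), ...]."""
    out = []
    for line in text.splitlines():
        for tag, why in triage_line(line):
            out.append((tag, why, line.strip()))
    return out


if __name__ == "__main__":
    for tag, why, line in triage_log(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (tag, why, line))
```

The script only raises candidates for a human to check, which is what the thread does next with the online scanners; Spybot's own unnamed SDHelper.dll BHO and the WgaLogon Notify hook pass through untouched.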

azian111
2007-07-19, 21:39
Hi pskelley,

Thank you for the links. They explain a lot about why so many people have similar infections. I followed your steps but ran into some roadblocks/confusion:

One of them is locating the suspicious svchost.exe. I followed step 2 and enabled all of my files for viewing but could not locate that file within the folder. A search within the folder came up with nothing also. If it helps, inside the \system32\mui are many subfolders with random .dll files in them.

As for the rest of your instructions:

1. I actually only found ONE Java version in my add/remove programs. It was the Java 6 Update 1. I uninstalled that and installed the latest version of Java 6 Update 2.

2. I was successful in enabling all of my files and extensions for viewing.

3. I downloaded ATF Cleaner no problem.

4. I was successful in disabling "Distributed Link Compatibility" (the service was already stopped).

5. I managed to fix FOUR out of the five HJT items listed. The only item that wasn't there was O23 (Distributed Link Compatibility).

6. I was NOT able to delete C:\WINDOWS\system32\mui\
The error message was:
"Cannot delete mui: Access is denied.

Make sure the disk is not full or write-protected and that the file is not currently in use."

I don't know about the rest but my drive is not full.

7. I was able to run ATF Cleaner without a problem.

Here is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:36:11 AM, on 7/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\giutibyd.dll",forkonce
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Fit-width Print - {3C34EBD2-038D-4d4f-B081-16D99D8BE2B4} - C:\WINDOWS\Downloaded Program Files\IEPrint.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: IEPrint - http://www.visiontech.ltd.uk/software/download/IEPrint.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099021466609
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



As for the computer performance, things are slightly less sluggish but I still sense some slow-down. I hope I did ok answering your requests. Thank you so much for helping me!

pskelley
2007-07-19, 22:01
You did fine:bigthumb: and thank you so much for the feedback. Sometimes it is hard to get communication. I tend to check several times for items, and HJT often removes them before I have you look manually. I prefer to check twice instead of missing malware. Let's have a look at the HJT log and then I'll have suggestions to help the computer's performance.

This item: O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\giutibyd.dll",forkonce
is Vundo-related. For a while it was the only marker telling us the infection is present; now it is showing once the infection is removed. We need to haul these invaders of private property out to a tree somewhere.
This item may well be slowing you also, and you should be getting an error message about the .dll. Let's do this.

How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\giutibyd.dll and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\giutibyd.dll",forkonce

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Just have a look at the next HJT log and make sure it is gone.

Here is good information to enhance performance:
http://www.castlecops.com/postitle175256-0-0-.html
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/atwork/getstarted/speed.mspx?wt_svl=20292a&mg_id=20292b

I believe we should run one more scan to make sure nothing is hiding:

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks
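As an added example (not code from this thread or from the HijackThis project), here is a small Python triage of HijackThis O4 autorun lines that flags the pattern pskelley called out above: rundll32.exe loading a random-named DLL straight out of system32 under a value name that has nothing to do with the file. The allowlist and the random-name heuristic are assumptions for illustration, not a definitive Vundo signature.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# O4 (autorun) entries, copied from the HijackThis log quoted in this thread.
HJT_O4_LINES = [
    r'O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP',
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r'O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\giutibyd.dll",forkonce',
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"',
    r'O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1',
]

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32.exe "<dll path>",<export>  (the shape the Vundo autorun takes in this log)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\w+)', re.IGNORECASE)

# Illustrative allowlist of DLLs that rundll32 autoruns legitimately load (assumption, not exhaustive).
KNOWN_RUNDLL_TARGETS = {'shell32.dll', 'nvcpl.dll', 'bthprops.cpl'}


@dataclass
class Finding:
    value_name: str
    dll: str
    export: str
    reasons: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split an O4 line into (hive, key, value name, command); None if it is not an O4 line."""
    m = O4_RE.match(line.strip())
    return (m['hive'], m['key'], m['name'], m['cmd']) if m else None


def rundll32_target(command: str) -> Optional[Tuple[str, str]]:
    """Return (dll path, export) when the autorun command is a rundll32 launch, else None."""
    m = RUNDLL_RE.match(command.strip())
    return (m['dll'], m['export']) if m else None


def looks_random(basename: str) -> bool:
    """Heuristic: the Vundo components in this thread are 7-8 lowercase letters, no digits or underscores."""
    stem = basename.lower().rsplit('.', 1)[0]
    return stem.isalpha() and 6 <= len(stem) <= 9


def triage_o4(lines: List[str]) -> List[Finding]:
    """Flag rundll32-based autoruns that match what the expert picked out of this log."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_o4(line)
        if parsed is None:
            continue
        _hive, _key, name, cmd = parsed
        target = rundll32_target(cmd)
        if target is None:
            continue  # ordinary executable autorun, not a rundll32 DLL load
        dll, export = target
        basename = dll.rsplit('\\', 1)[-1]
        f = Finding(name, dll, export)
        if basename.lower() not in KNOWN_RUNDLL_TARGETS and looks_random(basename):
            f.reasons.append('random-looking DLL name')
        if '\\system32\\' in dll.lower():
            f.reasons.append('DLL dropped directly in system32')
        if name.lower().rsplit('.', 1)[0] not in basename.lower():
            f.reasons.append(f'value name "{name}" does not match the loaded file')
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == '__main__':
    for f in triage_o4(HJT_O4_LINES):
        print(f'[{f.value_name}] {f.dll},{f.export} -> ' + '; '.join(f.reasons))
```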

azian111
2007-07-20, 00:19
Well, I have more confusion for you...sorry! :(

When I click on HJT's "delete a file on reboot..." option, HJT closes itself. I'm not sure if something is blocking me from opening it since all of the other HJT tools seem to open fine. I was about to proceed on with the instructions, but I thought maybe I should stop and wait for you to reply since this seems like an important step.

(By the way, I redownloaded HJT just to see if something's wrong with the first one, but the new HJT does the same thing.)

Again, thank you for your help and I apologize if this turns out to be some trivial mistake of mine!

pskelley
2007-07-20, 01:13
I have not heard of HJT doing this before. Try to delete that file without a tool and see what happens. If it gives you a problem, try it in safe mode:
http://spyware-free.us/tutorials/safemode/

I have tools we can use, but I hate to have you download them for the one file. Keep me posted, I'm online until about 8PM EST.

Thanks...Phil

azian111
2007-07-20, 02:42
Hi Phil,

Not sure if you'll read this today but I managed to delete the file in safe mode. I also got around to the HJT fix you listed.

However, when the computer loaded after the safe mode, AVG detected another "trojan" in the system32 folder called wvuturq.dll

I chose to move the file to the Virus Vault (I wasn't sure what to do). Other than that, I started the Kaspersky scan and that should take awhile. I'll post the log once it's done though.

Thank you so much for your help, Phil. Much appreciated. :)

pskelley
2007-07-20, 02:52
Thanks for the feedback. Vundo infections are a real pain; they dump so much junk on the computer. It is a good thing AVG is spotting the stuff. Here are instructions for cleaning the quarantine:
Clean the quarantine folder
You can remove the files from the AVG AS Quarantine:
-Launch AVG AS and click the Infections button.
-Click the Quarantine tab
-Choose: Select All
-Click: Remove finally
-A window pops up asking "Are you sure you want to remove the selected files...??"
-Select: Yes

If anything is left, Kaspersky will find it. It will probably find a lot of infected System Restore files, but we will clean those as soon as the system is clean so System Restore does not get reinfected by the junk when it makes a restore point.

Thanks

azian111
2007-07-20, 03:12
Thanks Phil. I'm just looking forward to a clean computer again...thanks for helping me do it!

Also, I'm sorry that I confused you. I meant my AVG AV found the infected file, not AVG AS (which I don't have on my computer by the way).

Should I go ahead and similarly remove the infected files from AVG AV?

pskelley
2007-07-20, 03:31
oops...sorry about that, I thought I was giving you instructions for the AVG AV vault? I know you do not have AVG Anti-Spyware; I would have run it and not Kaspersky, that being the case. I have the information for the vault here somewhere; if you cannot figure it out, let me know. That's a yes, delete that file from the vault if you can. Here's a good tutorial for the program.
http://wiki.pomona.edu/bin/view/FAQ/AVGAntiVirus

Thanks

azian111
2007-07-20, 08:20
Hi Phil,

I finished the Kaspersky scan and am now copying and pasting it here. Just wanted to let you know that this scan came BEFORE I emptied AVG AV Vault (if that matters in what shows up on the scan).


KASPERSKY ONLINE SCANNER REPORT
Thursday, July 19, 2007 10:15:34 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 20/07/2007
Kaspersky Anti-Virus database records: 342802


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 73258
Number of viruses found 1
Number of infected objects 4 / 0
Number of suspicious objects 0
Duration of the scan process 02:39:42

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\Kim\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Kim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Kim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Kim\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Kim\Local Settings\History\History.IE5\MSHist012007071920070720\index.dat Object is locked skipped

C:\Documents and Settings\Kim\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Kim\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Kim\NTUSER.DAT.LOG Object is locked skipped

C:\Documents and Settings\Kim\UserData\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\.NetworkShare\LimeWirePackedJars4.9.37.7z Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\.NetworkShare\LimeWireWin4.9.37.exe Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\clink.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\commons-httpclient.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\commons-logging.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\COPYING Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\daap.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\data.ser Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\donotremove.htm Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\GenericWindowsUtils.dll Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\hashes Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\i18n.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\icu4j.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\id3v2.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\install.log Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\jcraft.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\jl011.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\jmdns.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\language.prop Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\LimeWire On Startup.lnk Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\LimeWire.exe Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\LimeWire.ico Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\LimeWire.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\LimeWire20.dll Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\logicrypto.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\looks.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\MessagesBundle.properties Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\MessagesBundles.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\mp3sp14.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\pmf.ico Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\ProgressTabs.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\root\magnet10\badge.img Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\root\magnet10\canHandle.img Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\root\magnet10\limewire.gif Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\root\magnet10\options.js Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\root\magnet10\silentdetect.js Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\SOURCE Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\spacer.gif Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\themes.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\tritonus.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\uninstall.exe Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\unpack.log Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\update.ver Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\vorbis.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\WindowsV5PlusUtils.dll Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\xerces.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\xml-apis.jar Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc14\xml.war Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc16\Desktop.ini Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc17\bg.gif Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc17\bit_logo.gif Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc17\help.gif Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc17\hes.gif Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc17\login.gif Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc17\openWindow.js Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc17\register.gif Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc17\spacer.gif Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc17\style.css Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc17\top_corner.gif Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc17\userLogin.js Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc19\boxframescroll.txt Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc19\bubbleinstructions.zip Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc19\html stuff.txt Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc19\snowinstructions.zip Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc19\trailinstructions.zip Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc21\Desktop.ini Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc21\loadram[1](1).ra Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc21\loadram[1](2).ra Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc21\loadram[1](3).ra Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc21\loadram[1](4).ra Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc21\loadram[1](5).ra Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc21\loadram[1](6).ra Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc21\loadram[1](7).ra Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc21\loadram[1].ra Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc21\loadram[2](1).ra Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc21\loadram[2].ra Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc22\a_nadal_i.jpg Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc22\Desktop.ini Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc22\DORY!.jpg Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc22\kristy043.jpg Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc22\kristy044.JPG Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc22\prince of tennis.jpg Object is locked skipped

C:\RECYCLER\S-1-5-21-2052111302-1606980848-839522115-1006\Dc22\Thumbs.db Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\VundoFix Backups\fhhejnso.dll.bad Infected: Trojan.Win32.BHO.bd skipped

C:\VundoFix Backups\gcnqyqwj.dll.bad Infected: Trojan.Win32.BHO.bd skipped

C:\VundoFix Backups\novlcnnp.dll.bad Infected: Trojan.Win32.BHO.bd skipped

C:\VundoFix Backups\oonnfipd.dll.bad Infected: Trojan.Win32.BHO.bd skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\hggggdd.dll Object is locked skipped

C:\WINDOWS\system32\jkkljkk.dll Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

pskelley
2007-07-20, 15:14
Thanks for returning your information and your feedback. You asked:

Should I go ahead and similarly remove the infected files from AVG AV?
Yes

KASPERSKY ONLINE SCANNER REPORT Thursday, July 19, 2007 10:15:34 PM
Number of viruses found 1
Number of infected objects 4 / 0

Empty your Recycle Bin

C:\VundoFix Backups\ <<< delete that folder, that will remove the four (4) infected items. Remove any other Vundofix on your computer also.

I am not liking the look of these two files; would you scan them and delete them if they are bad? I believe they may be Vundo files that can't harm you but would be better off elsewhere.

C:\WINDOWS\system32\hggggdd.dll

C:\WINDOWS\system32\jkkljkk.dll

Free Scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

Let me know how the computer is running.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot, then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
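As an added example (not code from this thread or from Kaspersky), here is a Python triage of a Kaspersky Online Scanner report in the format posted above. It does what pskelley did by hand: groups the infected entries by folder (all four land in C:\VundoFix Backups), cross-checks them against the report's own "Number of infected objects" line, and flags locked DLLs sitting directly in system32 with random-looking names, which is exactly hggggdd.dll and jkkljkk.dll. The report excerpt is a constructed subset of the posted one; the allowlist and the random-name heuristic are assumptions.

```python
import re
from collections import OrderedDict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed excerpt of the Kaspersky Online Scanner report posted in this thread.
REPORT = r"""
Scan Statistics
Total number of scanned objects 73258
Number of viruses found 1
Number of infected objects 4 / 0
Number of suspicious objects 0

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Kim\NTUSER.DAT Object is locked skipped
C:\VundoFix Backups\fhhejnso.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\gcnqyqwj.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\novlcnnp.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\oonnfipd.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hggggdd.dll Object is locked skipped
C:\WINDOWS\system32\jkkljkk.dll Object is locked skipped

Scan process completed.
"""


class Entry(NamedTuple):
    path: str
    status: str           # 'locked' or 'infected'
    virus: Optional[str]  # detection name for infected entries, None when locked
    action: str           # what the scanner did (in this report always 'skipped')


# "<path> Object is locked skipped"  or  "<path> Infected: <name> skipped"
ENTRY_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.*?)\s+(?:(?P<locked>Object is locked)|Infected: (?P<virus>\S+))\s+(?P<action>\w+)$')
STAT_RE = re.compile(r'^(?P<label>Total number of scanned objects|Number of viruses found|'
                     r'Number of infected objects|Number of suspicious objects)\s+(?P<n>\d+)')
STAT_KEYS = {'Total number of scanned objects': 'scanned', 'Number of viruses found': 'viruses',
             'Number of infected objects': 'infected', 'Number of suspicious objects': 'suspicious'}
# Illustrative allowlist of legitimate all-letter DLL names in system32 (assumption, not exhaustive).
KNOWN_SYSTEM32_DLLS = {'gdiplus.dll', 'wininet.dll', 'urlmon.dll', 'msvcrt.dll'}


def parse_report(text: str) -> Tuple[Dict[str, int], List[Entry]]:
    """Pull the statistics block and the per-object lines out of the report text."""
    stats: Dict[str, int] = {}
    entries: List[Entry] = []
    for line in text.splitlines():
        s = STAT_RE.match(line)
        if s:
            stats[STAT_KEYS[s['label']]] = int(s['n'])  # "4 / 0" keeps the first number
            continue
        e = ENTRY_RE.match(line)
        if e:
            status = 'locked' if e['locked'] else 'infected'
            entries.append(Entry(e['path'], status, e['virus'], e['action']))
    return stats, entries


def infected_by_folder(entries: List[Entry]) -> 'OrderedDict[str, List[Tuple[str, str]]]':
    """Group infected objects by parent folder so one folder deletion can be judged at a glance."""
    grouped: 'OrderedDict[str, List[Tuple[str, str]]]' = OrderedDict()
    for e in entries:
        if e.status == 'infected':
            folder, name = e.path.rsplit('\\', 1)
            grouped.setdefault(folder, []).append((name, e.virus))
    return grouped


def counts_consistent(stats: Dict[str, int], entries: List[Entry]) -> bool:
    """The parsed infected entries must match the report's own infected-object count."""
    return sum(e.status == 'infected' for e in entries) == stats.get('infected')


def suspicious_locked(entries: List[Entry]) -> List[str]:
    """Locked (in-use) DLLs directly under system32 with random-looking names: the scanner could
    not inspect them, and a loaded random-named DLL in system32 is the Vundo pattern in this thread."""
    out: List[str] = []
    for e in entries:
        if e.status != 'locked':
            continue
        folder, name = e.path.rsplit('\\', 1)
        stem = name.lower().rsplit('.', 1)[0]
        if (folder.lower() == r'c:\windows\system32' and name.lower().endswith('.dll')
                and name.lower() not in KNOWN_SYSTEM32_DLLS and stem.isalpha() and 6 <= len(stem) <= 9):
            out.append(e.path)
    return out


if __name__ == '__main__':
    stats, entries = parse_report(REPORT)
    print('counts consistent:', counts_consistent(stats, entries))
    for folder, items in infected_by_folder(entries).items():
        print(folder, '->', len(items), 'infected:', ', '.join(n for n, _ in items))
    print('suspicious locked DLLs:', suspicious_locked(entries))
```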

azian111
2007-07-20, 19:56
Hi Phil,

This time around things went much smoother. I removed the infected files from AVG AV. I emptied the Recycle Bin. I deleted the VundoFix Backups (the only ones I found). As for the two suspicious files you listed, they were indeed bad. AVG AV found them right off the bat and so I moved them to the Virus Vault and then emptied the Vault. I turned off System Restore, rebooted, and turned it back on.

So far the computer seems ok. I'll have to get back to you as to how it's working now. Do you recommend another scan to see if everything is finally gone? Or do you think that's unnecessary at this point?

Also, thank you for the helpful links. I'll be sure to read up on them. Thanks Phil: you are a savior. :)

azian111
2007-07-20, 20:10
Hey Phil....sorry about a second post but I have some updated news. I'm still getting pop-ups from WinAntispyware and WinAntivirus PRO. Are these critters still hiding somewhere possibly? They just don't want to leave, do they? :sad:

Do you want some more scans?

pskelley
2007-07-20, 20:18
You should be good to go. Did I show you how easy it is to get infected nowadays:
http://www.theregister.com/2007/05/11/google_malware_map/
http://redtape.msnbc.com/2007/05/the_next_net_th.html

Make sure to look at the links; I posted great information from experts on how to stay safe, and ways to enhance your computer's performance.

Safe surfing

Phil:laugh:

azian111
2007-07-20, 20:23
I see. Well thank you so much for all of your help. I can only imagine the patience and dedication needed to do this over and over with different users. I would love to say see you again, but maybe only under different conditions. :)

Thanks again.