View Full Version : Friends Logfile
Mindstormer
2006-10-27, 09:42
Hi, I have a friend I'm helping and they gave me their logfile to analyze. Unfortunately I'm not really clued up on Hijackthis logfiles so please could someone check it, I did see pmkhi.dll which is apparently some trojan/malware, I couldn't find any removal instructions for this particular log as obviously each case is different.
Here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 20:26:52, on 26-10-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Grisoft\AVG Free\avgw.exe
C:\Programas\Grisoft\AVG Free\avgwb.dat
C:\Programas\Grisoft\AVG Free\avgcc.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Program Files\hijackThis\HijackThis1991.exe\HijackThis1991.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.basilmarket.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {09489503-E369-41BF-959A-3298EEF97822} - C:\WINDOWS\system32\pmkhi.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - (no file)
O2 - BHO: (no name) - {C1BECD33-479F-4FB6-BA4D-37B6F06CB914} - C:\WINDOWS\system32\pmkhi.dll
O2 - BHO: (no name) - {CC747101-9ADA-F2F0-1FB6-9E411496CCEB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\, \Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\, \Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\, \Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\, \Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\, \Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\, \RunOnce: [VundoFix] "C:\Documents and Settings\XP\Ambiente de trabalho\vundofix.exe"
O4 - HKCU\, \Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\, \Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\, \Run: [Skype] "C:\Programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\, \Run: [Steam] "C:\Programas\Steam\Steam.exe" -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Programas\VIA\RAID\raid_tool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://undertakershell.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://www.hangame.com/common/HanSetup1008.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll
O20 - Winlogon Notify: winwea32 - winwea32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programas\ewido anti-spyware 4.0\guard.exe
Thanks for any help.
Mindstormer
pskelley
2006-10-27, 16:29
Welcome to the forum, it is hard to troubleshoot with two antivirus programs conflicting with each other on a system, see this information:
You are running two antivirus programs at the same time and this is not a good thing. They conflict with each other and you will be less safe than if you ran one good program and maintained it properly. Uninstall one, update the one you keep and run a complete system scan, post for me any item that can't be removed, the complete name and pathway.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
Your Java program is out of date which may be why you have the Vundo infection, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Programas\Java\jre1.5.0_06\ <<< out of date
You do have a Vundo infection, the tool we will use may need to run more than once to learn and remove all of the infection. Make sure all files it locates have been deleted.
Thanks to Atribune and any others who helped with this fix.
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com
Make sure you restart the computer and post C:\vundofix.txt and a new HiJackThis log Use "Post Reply" to stay in this same topic.
Thanks
Mindstormer
2006-10-29, 06:46
Here are the replies
heres the vundo fix log
VundoFix V6.2.6
Checking Java version,
Sun Java not detected
Scan started at 19:50:26 26-10-2006
Listing files found while scanning,
C:\WINDOWS\system32\cgxwixn.dll
C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\ihkmp.tmp
C:\WINDOWS\system32\udbyyxqh.dll
C:\WINDOWS\system32\fntqihfj.exe
C:\WINDOWS\system32\urkxabpi.exe
C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\ihkmp.tmp
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\ihkmp.tmp
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\ihkmp.tmp
VundoFix V6.2.6
Checking Java version,
Sun Java not detected
Scan started at 19:59:42 26-10-2006
Listing files found while scanning,
C:\WINDOWS\system32\cgxwixn.dll
C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\ihkmp.tmp
C:\WINDOWS\system32\udbyyxqh.dll
C:\WINDOWS\system32\fntqihfj.exe
C:\WINDOWS\system32\urkxabpi.exe
C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\ihkmp.tmp
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\ihkmp.tmp
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\ihkmp.tmp
Beginning removal,
Attempting to delete C:\WINDOWS\system32\cgxwixn.dll
C:\WINDOWS\system32\cgxwixn.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\pmkhi.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\ihkmp.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ihkmp.tmp
C:\WINDOWS\system32\ihkmp.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\udbyyxqh.dll
C:\WINDOWS\system32\udbyyxqh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fntqihfj.exe
C:\WINDOWS\system32\fntqihfj.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\urkxabpi.exe
C:\WINDOWS\system32\urkxabpi.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\pmkhi.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\pmkhi.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\ihkmp.ini2 Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.2.6
Checking Java version,
Sun Java not detected
Scan started at 22:27:29 28-10-2006
Listing files found while scanning,
C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.ini2
Beginning removal,
Attempting to delete C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\pmkhi.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\ihkmp.ini2 Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.2.6
Checking Java version,
Sun Java not detected
Scan started at 22:37:32 28-10-2006
Listing files found while scanning,
and heres the new log from hijackthis, can u look at it?
Logfile of HijackThis v1.99.1
Scan saved at 22:44:27, on 28-10-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programas\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\VIA\RAID\raid_tool.exe
C:\Programas\WinZip\WZQKPICK.EXE
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programas\ewido anti-spyware 4.0\guard.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackThis\HijackThis1991.exe\HijackThis1991.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.basilmarket.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - (no file)
O2 - BHO: (no name) - {385CF386-B940-4775-BBC8-54C9A969CF98} - C:\WINDOWS\system32\pmkhi.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {CA088DC6-BA3D-4830-B82E-5D5661D64B83} - C:\WINDOWS\system32\pmkhi.dll (file missing)
O2 - BHO: (no name) - {CC747101-9ADA-F2F0-1FB6-9E411496CCEB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\, \Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\, \Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\, \Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\, \Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\, \Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\, \Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\, \Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\, \Run: [Skype] "C:\Programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Programas\VIA\RAID\raid_tool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_09\bin\npjpi150_09.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://undertakershell.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://www.hangame.com/common/HanSetup1008.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: winwea32 - winwea32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programas\ewido anti-spyware 4.0\guard.exe
I told her twice to remove one of her antivirus programs, no reply on that yet.
pskelley
2006-10-29, 11:19
Thanks for returning the information, please copy and paste the logs as instructed here: http://forums.spybot.info/showthread.php?t=288
Is this a friend you are helping? Hard for me to get excited about giving my free time when I can't get my first instruction followed! This user will continue to have issues in at least some part by the diminished ability of the antivirus programs to function properly conflicting as they will.
Please follow these directions to clean up the leftovers:
Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - (no file)
O2 - BHO: (no name) - {385CF386-B940-4775-BBC8-54C9A969CF98} - C:\WINDOWS\system32\pmkhi.dll (file missing)
O2 - BHO: (no name) - {CA088DC6-BA3D-4830-B82E-5D5661D64B83} - C:\WINDOWS\system32\pmkhi.dll (file missing)
O2 - BHO: (no name) - {CC747101-9ADA-F2F0-1FB6-9E411496CCEB} - (no file)
O20 - Winlogon Notify: winwea32 - winwea32.dll (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Safe surfing...tashi:) will close this topic in a few days.
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Glad we could help, thanks Phil.