View Full Version : virtumonde smitfraud winantivirus
KingJames
2006-12-04, 20:51
Hello.
I've been having a few problems lately.
I continuously have a few programs reinstalling themselves.
I use Spybot, Adaware, and AVG free and it seems to clean it up.
However, if I wait about an hour, the same few virus's are back again in full force.
I continually get popup's for Winantivirus.
Spybot always shows the Virtumonde virus and smitfraud and the smitfraud-c Toolbar888.
Here's my HJT log if it's helpful.
Logfile of HijackThis v1.99.1
Scan saved at 1:43:56 PM, on 12/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HFXP2\hfxp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\a?sembly\l?gonui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Jim\Desktop\hijackthis\HijackThis.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\GUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [hfxp] C:\Program Files\HFXP2\hfxp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Color Calibration.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: WEP/WPA-PMK key recovery service (WZCOOK) - Unknown owner - C:\Documents and Settings\Jim\Desktop\aircrack-ng-0.6.1-win\aircrack-ng-0.6.1-win\bin\wzcook.exe" (file missing)
Any help you can give me would be greatly apprectiated
teacup61
2006-12-05, 03:58
Hello KingJames,
Welcome to Safer Networking Forums :)
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop. Double-click VundoFix.exe to run it. Click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will reboot your computer, click OK. Please post the contents of C:\vundofix.txt and a new HiJackThis log.
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.
Thanks,
tea
KingJames
2006-12-05, 07:04
VundoFix V6.2.13
Checking Java version...
Java version is 1.5.0.6
Scan started at 1:55:17 PM 12/4/2006
Listing files found while scanning....
C:\WINDOWS\system32\jkkjh.dll
C:\WINDOWS\system32\jkkjh.dll
C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\hjkkj.bak2
C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\hjkkj.bak2
Beginning removal...
Attempting to delete C:\WINDOWS\system32\jkkjh.dll
C:\WINDOWS\system32\jkkjh.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\jkkjh.dll
C:\WINDOWS\system32\jkkjh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\hjkkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\hjkkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\hjkkj.bak2
C:\WINDOWS\system32\hjkkj.bak2 Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V6.2.13
Checking Java version...
Java version is 1.5.0.6
Scan started at 2:07:30 PM 12/4/2006
Listing files found while scanning....
No infected files were found.
VundoFix V6.2.13
Checking Java version...
Java version is 1.5.0.6
Java version is 1.5.0.9
Scan started at 11:48:38 PM 12/4/2006
Listing files found while scanning....
No infected files were found.
>>>>>>I ran this twice so this is the log from the second running.
>>>>>>The first time found at least a dozen files.
Jim - 06-12-04 23:41:18.50 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Program Files\Mozilla Firefox"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{28FBE96C-0D58-1033-0331-060910040001}
C:\Program Files\Common Files\{38FBE96C-0D58-1033-0331-060910040001}
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\WINDOWS\system32\ASEMBL~1
C:\QooBox\Purity\WINDOWS\system32\SSEMBL~1
C:\QooBox\Purity\WINDOWS\system32\ASEMBL~1\l?gonui.exe
C:\QooBox\Purity\WINDOWS\system32\SSEMBL~1\?ssembly
((((((((((((((((((((((((((((((( Files Created from 2006-11-04 to 2006-12-04 ))))))))))))))))))))))))))))))))))
2006-12-04 13:55 <DIR> d-------- C:\VundoFix Backups
2006-12-04 00:41 88,340 --a------ C:\WINDOWS\system32\jkhrhbsn.exe
2006-12-03 00:41 88,340 --a------ C:\WINDOWS\system32\whsbfpqc.exe
2006-12-02 15:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-02 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-02 15:04 <DIR> d-------- C:\!KillBox
2006-12-02 14:54 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2006-12-02 14:54 7,483 --a------ C:\clean.bat
2006-12-02 14:54 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2006-12-02 14:54 38,400 --a------ C:\WINDOWS\system32\moveex.exe
2006-12-02 14:54 <DIR> d-------- C:\Program Files\HaxFix
2006-12-02 00:40 88,340 --a------ C:\WINDOWS\system32\nffjjydk.exe
2006-12-01 00:40 88,340 --a------ C:\WINDOWS\system32\drscjamg.exe
2006-11-30 03:14 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-30 03:14 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-30 03:14 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-30 03:14 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-11-30 02:33 1,356 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-30 00:39 88,340 --a------ C:\WINDOWS\system32\wuaumube.exe
2006-11-30 00:38 88,340 --a------ C:\WINDOWS\system32\acqfvisj.exe
2006-11-28 14:30 <DIR> d-------- C:\Program Files\Lavasoft
2006-11-28 14:30 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\Lavasoft
2006-11-28 14:25 <DIR> d-------- C:\WINDOWS\CSC
2006-11-28 13:41 <DIR> dr-h----- C:\$VAULT$.AVG
2006-11-28 13:39 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-28 13:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-11-28 13:39 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-11-28 13:39 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-11-28 13:39 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-11-28 13:39 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-11-28 13:39 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-11-28 13:39 <DIR> d-------- C:\Program Files\Grisoft
2006-11-28 13:39 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\AVG7
2006-11-28 13:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-11-28 13:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2006-11-28 13:34 88,340 --a------ C:\WINDOWS\system32\mbuhwkwo.exe
2006-11-28 13:34 42,516 --a------ C:\WINDOWS\system32\ptuujlfo.dll
2006-11-28 13:29 2 --a------ C:\WINDOWS\system32\wnsintit.exe
2006-11-28 13:29 126,976 --a------ C:\WINDOWS\system32\xmeiil.dll
2006-11-28 13:28 40,973 ---hs---- C:\WINDOWS\system32\rqrssst.dll
2006-11-07 21:25 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-11-07 20:04 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-12-04 23:41 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-04 23:41 -------- d-------- C:\Program Files\Common Files
2006-12-04 15:31 -------- d-------- C:\Program Files\Java
2006-12-04 14:06 -------- d-------- C:\Documents and Settings\Jim\Application Data\WTablet
2006-12-01 00:52 -------- d-------- C:\Documents and Settings\Jim\Application Data\Azureus
2006-11-28 19:22 -------- d-------- C:\Program Files\Winamp
2006-11-28 19:21 -------- d-------- C:\Program Files\GIGABYTE
2006-11-28 13:38 -------- d---s---- C:\Documents and Settings\Jim\Application Data\Microsoft
2006-11-20 00:43 -------- d-------- C:\Program Files\Internet Explorer
2006-11-10 00:58 -------- d-------- C:\Program Files\Messenger
2006-11-10 00:57 -------- d-------- C:\Program Files\Outlook Express
2006-11-10 00:57 -------- d-------- C:\Program Files\Common Files\System
2006-11-10 00:09 -------- d-------- C:\Program Files\City of Heroes
2006-11-09 02:13 -------- d-------- C:\Program Files\Windows Media Player
2006-10-19 08:25 -------- d-------- C:\Documents and Settings\Jim\Application Data\Ahead
2006-10-18 02:31 -------- d-------- C:\Program Files\Common Files\Ahead
2006-10-18 02:29 -------- d-------- C:\Program Files\Nero
2006-10-15 00:45 -------- d-------- C:\Program Files\Network Stumbler
2006-10-14 14:14 -------- d-------- C:\Program Files\Azureus
2006-10-14 11:56 -------- d-------- C:\Program Files\PowerQuest
2006-10-14 11:55 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-10-13 15:03 -------- d-------- C:\Program Files\Tablet
2006-10-13 14:04 -------- d-------- C:\Documents and Settings\Jim\Application Data\Adobe
2006-10-13 14:02 -------- d-------- C:\Program Files\Common Files\Adobe
2006-10-13 14:02 -------- d-------- C:\Program Files\Adobe
2006-10-13 14:00 -------- d-------- C:\Program Files\Adobe Photoshop 7.0
2006-10-13 06:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 06:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 06:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 04:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-12 18:20 -------- d-------- C:\Program Files\DVD Genie
2006-10-09 23:24 12977784 --a------ C:\6-9_xp-2k_dd_35774.exe
2006-10-09 23:24 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-26 20:47 737280 --a------ C:\WINDOWS\iun6002.exe
2006-09-24 15:02 774144 --a------ C:\Program Files\RngInterstitial.dll
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-06 08:42 942080 --a------ C:\WINDOWS\system32\Tablet.exe
2006-09-06 08:16 135168 --a------ C:\WINDOWS\system32\Wintab32.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"hfxp"="C:\\Program Files\\HFXP2\\hfxp.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RTHDCPL"="RTHDCPL.EXE"
"EasyTuneV"="C:\\Program Files\\Gigabyte\\ET5\\GUI.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzzc32
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Winamp.job
Completion time: 06-12-04 23:41:46.10
C:\ComboFix.txt ... 06-12-04 23:41
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
Logfile of HijackThis v1.99.1
Scan saved at 12:01:29 AM, on 12/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HFXP2\hfxp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Grisoft\AVG Free\avgw.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jim\Desktop\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll (file missing)
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\ptuujlfo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5EB02ED1-E265-4AB1-BF27-8257E1CB14AD} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\WINDOWS\VirtualDNS.dll
O2 - BHO: (no name) - {A0161D3D-D3AF-8209-8BAA-A228E07131BB} - C:\WINDOWS\system32\xmeiil.dll
O2 - BHO: (no name) - {D4FA16B9-ACF6-4B06-9E24-52A7192AEF26} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\GUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [hfxp] C:\Program Files\HFXP2\hfxp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Color Calibration.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: WEP/WPA-PMK key recovery service (WZCOOK) - Unknown owner - C:\Documents and Settings\Jim\Desktop\aircrack-ng-0.6.1-win\aircrack-ng-0.6.1-win\bin\wzcook.exe" (file missing)
Haven't had any pop ups or virus warnings for a few hours now.
It seems to have helped.
teacup61
2006-12-05, 18:38
Hello,
Glad it's better, but we still have work to do. :)
Please download, install, and update AVG Anti-Spyware (formerly Ewido) (http://www.ewido.net/en/download/)
Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
After the update finishes (the status bar at the bottom will display "Update successful")
Close AVG. Do not run it yet.
Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.
Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll (file missing)
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\ptuujlfo.dll
O2 - BHO: (no name) - {5EB02ED1-E265-4AB1-BF27-8257E1CB14AD} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\WINDOWS\VirtualDNS.dll
O2 - BHO: (no name) - {A0161D3D-D3AF-8209-8BAA-A228E07131BB} - C:\WINDOWS\system32\xmeiil.dll
O2 - BHO: (no name) - {D4FA16B9-ACF6-4B06-9E24-52A7192AEF26} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
Close all browsers and other windows except for HijackThis!, and click "Fix Checked".
Navigate to and delete the following files, if present:
C:\WINDOWS\system32\ptuujlfo.dll
C:\WINDOWS\VirtualDNS.dll
C:\WINDOWS\system32\xmeiil.dll
In Safe Mode, load AVG Anti-Spyware and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Restart back into Normal Mode.
In your reply, please post the report from AVG and a new HijackThis log. Please also let me know how your computer is running. :)
Thanks,
tea
http://forums.spybot.info/showthread.php?t=288
Towards the end of a cleanup please make sure you follow through with any final log requested even if it appears to you that your computer is back to normal operation.
As much as we like our members ;) we would rather not see you back in a few weeks because there was no follow up with the helper.
This topic has been archived.
If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original topic starter.