Infected with Virtumonde

cali01

New member
I have been having problems removing Virtumonde from my computer. Please advise me of how to get rid of it; it's very annoying. Thank you!

Here is my Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:28:26 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WasteWORKS\wwwin.exe
C:\WINDOWS\system32\ushvdolj.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [b40c341c] rundll32.exe "C:\WINDOWS\system32\yoyjqgjr.dll",b
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1182528679234
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\ushvdolj.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 5694 bytes

Also, my Kaspersky log is too long to post.
 
Hello and welcome to the Forums :)

Let's see...

Rename HijackThis.exe to skanneri.exe by doing the following;

  • Navigate here using Windows Explorer (windows button + E) or My Computer Local Disk C: C:\Program Files\Trend Micro\HijackThis
  • Right-click on the HijackThis.exe
  • Choose from the pull-down menu; "Rename"
  • And now Rename HijackThis.exe to skanneri.exe
  • When you've renamed HijackThis, open HijackThis again.
  • Take a fresh HijackThis log (click Do a system scan and save a log file)
  • Post the fresh HijackThis log here.
 
I'm sorry. When HijackThis gets done scanning, it pops up Notepad and says "Cannot find the C:\Program Files\Trend Micro\Hijackthis\Hijackthis.log file. Do you want to create a new file?"

If I select yes it still won't save a log.
 
Ok, please delete the old copy of HijackThis.

  • Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis. Close it.
  • Navigate here using Windows Explorer (windows button + E) or My Computer Local Disk C: C:\Program Files\Trend Micro\HijackThis
  • Right-click on the HijackThis.exe
  • Choose from the pull-down menu; "Rename"
  • And now Rename HijackThis.exe to skanneri.exe
  • When you've renamed HijackThis, open HijackThis again.
  • Take a fresh HijackThis log (click Do a system scan and save a log file)
  • Post the fresh HijackThis log here.


Let me know if this didn't work.
 
Ok we'll use this then...

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
ComboFix 07-11-08.1 - scale2 2007-11-17 9:11:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.62 [GMT -6:00]
Running from: C:\Documents and Settings\scale2\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\scale2\Start Menu\Programs\Outerinfo
C:\Documents and Settings\scale2\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\scale2\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\system32\F1
C:\WINDOWS\system32\F2
C:\WINDOWS\system32\F3
C:\WINDOWS\system32\F4
C:\WINDOWS\system32\F5
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\SYSTEM32\oqtwa.bak1
C:\WINDOWS\SYSTEM32\oqtwa.bak2
C:\WINDOWS\SYSTEM32\oqtwa.ini
C:\WINDOWS\SYSTEM32\oqtwa.ini2
C:\WINDOWS\SYSTEM32\oqtwa.tmp
C:\WINDOWS\system32\win
C:\WINDOWS\wr.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-17 09:08 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-17 08:56 82,496 --a------ C:\WINDOWS\SYSTEM32\ilovqdov.dll
2007-11-17 08:53 84,545 --a------ C:\WINDOWS\SYSTEM32\pirtvbpe.dll
2007-11-17 08:42 82,496 --a------ C:\WINDOWS\SYSTEM32\astavpis.dll
2007-11-16 15:32 81,984 --a------ C:\WINDOWS\SYSTEM32\joiljwpj.dll
2007-11-16 14:17 81,984 --a------ C:\WINDOWS\SYSTEM32\elyoqnri.dll
2007-11-15 15:27 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-15 14:14 79,936 --a------ C:\WINDOWS\SYSTEM32\rohhicav.dll
2007-11-15 13:36 79,936 --a------ C:\WINDOWS\SYSTEM32\ktckqvok.dll
2007-11-15 13:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-15 13:31 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-15 12:35 79,936 --a------ C:\WINDOWS\SYSTEM32\injpapnb.dll
2007-11-14 14:43 79,424 --a------ C:\WINDOWS\SYSTEM32\rqcgtxor.dll
2007-11-14 10:21 79,424 --a------ C:\WINDOWS\SYSTEM32\foxvrsch.dll
2007-11-14 09:50 79,424 --a------ C:\WINDOWS\SYSTEM32\ejjkrfef.dll
2007-11-14 09:20 79,424 --a------ C:\WINDOWS\SYSTEM32\kfcqscqn.dll
2007-11-14 09:01 <DIR> d-------- C:\VundoFix Backups
2007-11-14 08:49 79,424 --a------ C:\WINDOWS\SYSTEM32\dpgnkbmp.dll
2007-11-14 08:18 79,424 --a------ C:\WINDOWS\SYSTEM32\lgalcdrs.dll
2007-11-14 08:12 79,424 --a------ C:\WINDOWS\SYSTEM32\udheqyim.dll
2007-11-14 07:48 81,472 --a------ C:\WINDOWS\SYSTEM32\pstshqpu.dll
2007-11-14 03:17 81,472 --a------ C:\WINDOWS\SYSTEM32\qicifnqc.dll
2007-11-12 14:11 81,472 --a------ C:\WINDOWS\SYSTEM32\qlqmlajv.dll
2007-11-10 14:11 81,472 --a------ C:\WINDOWS\SYSTEM32\yljovueq.dll
2007-11-09 14:11 77,888 --a------ C:\WINDOWS\SYSTEM32\glildbgh.dll
2007-11-04 21:42 78,912 --a------ C:\WINDOWS\SYSTEM32\agewokpr.dll
2007-11-03 21:39 81,472 --a------ C:\WINDOWS\SYSTEM32\jofkonww.dll
2007-10-30 19:55 625,032 --a------ C:\WINDOWS\SYSTEM32\SymNeti.dll
2007-10-30 19:55 242,056 --a------ C:\WINDOWS\SYSTEM32\SymRedir.dll
2007-10-30 19:55 191,536 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symtdi.sys
2007-10-30 19:55 145,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symfw.sys
2007-10-30 19:55 39,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symids.sys
2007-10-30 19:55 37,936 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symndisv.sys
2007-10-30 19:55 35,120 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symndis.sys
2007-10-30 19:55 27,696 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symredrv.sys
2007-10-30 19:55 12,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symdns.sys
2007-10-19 12:40 233,472 --a------ C:\WINDOWS\SYSTEM32\OkDrtPrn.exe
2007-10-19 12:40 106,496 --a------ C:\WINDOWS\SYSTEM32\OkDrtPrn.dll
2007-10-19 12:40 45,056 --a------ C:\WINDOWS\SYSTEM32\OkDPnRes.dll
2007-10-19 12:35 24,576 -ra------ C:\WINDOWS\SYSTEM32\msxml3a.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 21:25 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-14 17:32 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-14 09:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-13 16:56 --------- d-----w C:\Program Files\Java
2007-11-06 13:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-31 01:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-31 01:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-19 18:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-19 18:40 --------- d-----w C:\Program Files\Okidata
2007-10-12 20:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-10-04 13:27 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-04 13:27 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-04 13:27 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-04 13:27 --------- d-----w C:\Program Files\Symantec
2007-09-21 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-18 20:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 20:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 20:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 20:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 20:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 20:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 20:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 20:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 20:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-06-22 16:50:35 6,369 --sha-w C:\WINDOWS\SYSTEM32\jlkkj.bak1
2007-06-27 15:05:02 1,899,012 --sha-w C:\WINDOWS\SYSTEM32\jlkkj.bak2
2007-07-05 14:29:29 1,761,215 --sha-w C:\WINDOWS\SYSTEM32\jlkkj.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3cbc28b6-9131-4f6f-be73-891643e159bc}]
C:\WINDOWS\System32\ogytiis.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8339f5f5-14ec-473f-a2f9-dba3294a9701}]
2007-11-17 08:56 82496 --a------ C:\WINDOWS\system32\ilovqdov.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92AC9027-B90A-46E9-B67A-FF60396AAE49}]
C:\WINDOWS\System32\jkklj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" []
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"b40c341c"="C:\WINDOWS\system32\pirtvbpe.dll" [2007-11-17 08:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgddb]
khfgddb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2003-05-29 11:00 8704 C:\WINDOWS\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvsss]
xxyvsss.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^scale2^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\scale2\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^scale2^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\scale2\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^scale2^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\scale2\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b40c341c]
rundll32.exe "C:\WINDOWS\system32\dwgehlpp.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]
C:\WINDOWS\cfg32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\owinkndt.exe SKY003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
rundll32.exe "C:\WINDOWS\system32\nvxbiufd.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
rundll32.exe "C:\WINDOWS\system32\abxnppdv.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageMonitor]
C:\WINDOWS\System32\Oplmsb01.exe OKI B4250(PCL)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager]
rundll32.exe "C:\WINDOWS\system32\sodvujgd.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pyzssagA]
C:\WINDOWS\pyzssagA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.7.4\webbuying.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-11-13 13:07:07 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - scale2.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 09:24:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-17 9:28:41 - machine was rebooted
.
--- E O F ---
 
Hi, we'll continue :)

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINDOWS\SYSTEM32\ilovqdov.dll
C:\WINDOWS\SYSTEM32\pirtvbpe.dll
C:\WINDOWS\SYSTEM32\astavpis.dll
C:\WINDOWS\SYSTEM32\joiljwpj.dll
C:\WINDOWS\SYSTEM32\elyoqnri.dll
C:\WINDOWS\SYSTEM32\rohhicav.dll
C:\WINDOWS\SYSTEM32\ktckqvok.dll
C:\WINDOWS\SYSTEM32\injpapnb.dll
C:\WINDOWS\SYSTEM32\rqcgtxor.dll
C:\WINDOWS\SYSTEM32\foxvrsch.dll
C:\WINDOWS\SYSTEM32\ejjkrfef.dll
C:\WINDOWS\SYSTEM32\kfcqscqn.dll
C:\WINDOWS\SYSTEM32\dpgnkbmp.dll
C:\WINDOWS\SYSTEM32\lgalcdrs.dll
C:\WINDOWS\SYSTEM32\udheqyim.dll
C:\WINDOWS\SYSTEM32\pstshqpu.dll
C:\WINDOWS\SYSTEM32\qicifnqc.dll
C:\WINDOWS\SYSTEM32\qlqmlajv.dll
C:\WINDOWS\SYSTEM32\yljovueq.dll
C:\WINDOWS\SYSTEM32\glildbgh.dll
C:\WINDOWS\SYSTEM32\agewokpr.dll
C:\WINDOWS\SYSTEM32\jofkonww.dll
C:\WINDOWS\SYSTEM32\jlkkj.bak1
C:\WINDOWS\SYSTEM32\jlkkj.bak2
C:\WINDOWS\SYSTEM32\jlkkj.ini2
C:\WINDOWS\System32\ogytiis.dll
C:\WINDOWS\system32\ilovqdov.dll
C:\WINDOWS\System32\jkklj.dll
C:\WINDOWS\system32\pirtvbpe.dll
C:\Documents and Settings\scale2\Start Menu\Programs\Startup\TA_Start.lnk
C:\WINDOWS\pss\TA_Start.lnkStartup
C:\WINDOWS\system32\dwgehlpp.dll
C:\WINDOWS\cfg32.exe
C:\WINDOWS\system32\owinkndt.exe 
C:\WINDOWS\system32\nvxbiufd.dll
C:\WINDOWS\system32\abxnppdv.dll
C:\WINDOWS\System32\Oplmsb01.exe 
C:\WINDOWS\system32\sodvujgd.dll
C:\WINDOWS\pyzssagA.exe

Folder::
C:\Program Files\Web Buying

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3cbc28b6-9131-4f6f-be73-891643e159bc}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8339f5f5-14ec-473f-a2f9-dba3294a9701}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92AC9027-B90A-46E9-B67A-FF60396AAE49}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b40c341c"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgddb]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvsss]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^scale2^Start Menu^Programs^Startup^TA_Start.lnk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b40c341c]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageMonitor]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pyzssagA]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

Save this as "CFScript"

[image: CFScript.gif, the saved CFScript file being dragged onto the ComboFix icon]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
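The entries the helper selects above are picked by eye from the HijackThis log at the top of the thread and from ComboFix's "Files Created" list. The script below is an added example, not code from the thread or from either tool: it encodes the same cues as triage heuristics (random 8-letter module names, hex-named Run values, vendor-less or missing service binaries, ActiveX controls fetched via ms-its:) and runs them over sample lines constructed from the posted logs.

```python
import re
from collections import namedtuple

# Vundo drops 8-letter, all-lowercase DLL/EXE names into system32 (some legitimate
# names fit too, e.g. explorer.exe, so a hit is a lead for review, not a verdict).
RANDOM_MODULE = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)   # Run value names like "b40c341c"
DRIVE_PATH = re.compile(r"[A-Za-z]:\\.*$")               # splits O23 lines even with an empty vendor
# ComboFix "Files Created" line: date time size attributes path
COMBOFIX_CREATED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>[\d,]+) \S+ (?P<path>[A-Za-z]:\\.*)$")

Finding = namedtuple("Finding", "line reasons")

def _basename(path: str) -> str:
    return path.rstrip().rsplit("\\", 1)[-1]

def check_o4(line: str) -> list:
    """O4 autorun: hex value name, or rundll32 loading a random-named DLL."""
    m = re.match(r"^O4 - \S+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", line)
    if not m:
        return []
    reasons = []
    if HEX_NAME.match(m["name"]):
        reasons.append("autorun value name is an 8-digit hex string")
    if re.match(r"rundll32(?:\.exe)?\b", m["cmd"], re.IGNORECASE):
        dll = re.search(r'"?([^",]+\.dll)"?', m["cmd"], re.IGNORECASE)
        if dll and RANDOM_MODULE.match(_basename(dll.group(1))):
            reasons.append("rundll32 loads an 8-letter random-named DLL")
    return reasons

def check_o16(line: str) -> list:
    """O16 DPF (ActiveX download): non-HTTP source, or no object name."""
    m = re.match(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<obj>[^)]*)\))? - (?P<src>.*)$", line)
    if not m:
        return []
    reasons = []
    scheme = m["src"].split(":", 1)[0].lower()
    if scheme not in ("http", "https"):
        reasons.append(f"control is fetched via '{scheme}:' rather than http(s)")
    if not m["obj"]:
        reasons.append("control has no registered object name")
    return reasons

def check_o23(line: str) -> list:
    """O23 service: no vendor / 'Unknown owner', missing binary, random name."""
    prefix = "O23 - Service: "
    pm = DRIVE_PATH.search(line)
    if not line.startswith(prefix) or not pm:
        return []
    path = pm.group(0)
    name, _, vendor = line[len(prefix):pm.start()].rstrip(" -").partition(" - ")
    reasons = []
    if not vendor or vendor == "Unknown owner":
        reasons.append(f"service '{name}' has no vendor string")
    if "(file missing)" in path:
        reasons.append("service binary is missing (dangling registration)")
    elif RANDOM_MODULE.match(_basename(path)):
        reasons.append("service binary has an 8-letter random name")
    return reasons

CHECKS = {"O4": check_o4, "O16": check_o16, "O23": check_o23}

def triage_hijackthis(log_text: str) -> list:
    """One Finding per suspicious O4/O16/O23 line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = CHECKS.get(line.split(" - ", 1)[0], lambda _: [])(line)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings

def triage_combofix_created(section: str, low: int = 70_000, high: int = 90_000) -> list:
    """Random-named system32 modules in ComboFix's 'Files Created' section
    (size window follows the 77-85 KB cluster of Vundo DLLs in the posted log)."""
    hits = []
    for raw in section.splitlines():
        m = COMBOFIX_CREATED.match(raw.strip())
        if (m and "\\system32\\" in m["path"].lower()
                and RANDOM_MODULE.match(_basename(m["path"]))
                and low <= int(m["size"].replace(",", "")) <= high):
            hits.append(m["path"])
    return hits

# Constructed samples: lines copied from the logs posted above, keeping the legitimate
# Symantec and Kaspersky entries as controls.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [b40c341c] rundll32.exe "C:\WINDOWS\system32\yoyjqgjr.dll",b
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx
O23 - Service: DomainService - - C:\WINDOWS\system32\ushvdolj.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""
SAMPLE_COMBOFIX = r"""
2007-11-17 09:08 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-17 08:56 82,496 --a------ C:\WINDOWS\SYSTEM32\ilovqdov.dll
2007-11-17 08:53 84,545 --a------ C:\WINDOWS\SYSTEM32\pirtvbpe.dll
2007-10-30 19:55 625,032 --a------ C:\WINDOWS\SYSTEM32\SymNeti.dll
"""
```

Running triage_hijackthis(SAMPLE_HJT) flags exactly the four entries the helper targets and leaves the Symantec and Kaspersky controls alone.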
 
Ok... I copied that text to Notepad, named it as you said, and then dragged the CFScript file onto the ComboFix icon as your picture shows. It started ComboFix, but a window popped up and said that ComboFix was out of date and to download the most recent version, and then it uninstalled itself.
 
OK, we'll use another tool then...

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
 
I had used VundoFix.exe and FxVMonde.exe while trying to remove this myself. Neither removed it, as S&D is still detecting it when I scan.

So here is the VundoFix log, the results from the first scan are there, also. Today it said that it didn't detect anything.


VundoFix V6.6.1

Checking Java version...

Scan started at 9:01:48 AM 11/14/2007

Listing files found while scanning....

C:\WINDOWS\system32\dgjlm.bak1
C:\WINDOWS\system32\dgjlm.bak2
C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\dgjlm.ini2
C:\WINDOWS\system32\dgjlm.tmp
C:\windows\SYSTEM32\jbnubuql.dll
C:\WINDOWS\system32\mljgd.dll
C:\windows\SYSTEM32\ufpjhjeh.dll
C:\WINDOWS\system32\xxyvsss.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dgjlm.bak1
C:\WINDOWS\system32\dgjlm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dgjlm.bak2
C:\WINDOWS\system32\dgjlm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\dgjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\dgjlm.ini2
C:\WINDOWS\system32\dgjlm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dgjlm.tmp
C:\WINDOWS\system32\dgjlm.tmp Has been deleted!

Attempting to delete C:\windows\SYSTEM32\jbnubuql.dll
C:\windows\SYSTEM32\jbnubuql.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\ufpjhjeh.dll
C:\windows\SYSTEM32\ufpjhjeh.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.1

Checking Java version...

Scan started at 9:16:03 AM 11/14/2007

Listing files found while scanning....


VundoFix V6.6.1

Checking Java version...

Scan started at 9:20:16 AM 11/14/2007

Listing files found while scanning....

C:\WINDOWS\system32\mljgd.dll

VundoFix V6.6.1

Checking Java version...

Scan started at 9:43:17 AM 11/14/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.6.2

Checking Java version...

Scan started at 1:50:56 PM 11/19/2007

Listing files found while scanning....

No infected files were found.
 
I cannot post a new HijackThis log. It is still not saving the log files. I tried uninstalling it and deleting the .exe file manually, then reinstalling, but it is still doing the same thing.
 
Ok we'll continue :)

Please remove any old versions of VundoFix.

Please download VundoFix.exe to your desktop
  • Open a new notepad window
  • Paste the list of files from the quote box below into the notepad window.
    C:\WINDOWS\SYSTEM32\ilovqdov.dll
    C:\WINDOWS\SYSTEM32\pirtvbpe.dll
    C:\WINDOWS\SYSTEM32\astavpis.dll
    C:\WINDOWS\SYSTEM32\joiljwpj.dll
    C:\WINDOWS\SYSTEM32\elyoqnri.dll
    C:\WINDOWS\SYSTEM32\rohhicav.dll
    C:\WINDOWS\SYSTEM32\ktckqvok.dll
    C:\WINDOWS\SYSTEM32\injpapnb.dll
    C:\WINDOWS\SYSTEM32\rqcgtxor.dll
    C:\WINDOWS\SYSTEM32\foxvrsch.dll
    C:\WINDOWS\SYSTEM32\ejjkrfef.dll
    C:\WINDOWS\SYSTEM32\kfcqscqn.dll
    C:\WINDOWS\SYSTEM32\dpgnkbmp.dll
    C:\WINDOWS\SYSTEM32\lgalcdrs.dll
    C:\WINDOWS\SYSTEM32\udheqyim.dll
    C:\WINDOWS\SYSTEM32\pstshqpu.dll
    C:\WINDOWS\SYSTEM32\qicifnqc.dll
    C:\WINDOWS\SYSTEM32\qlqmlajv.dll
    C:\WINDOWS\SYSTEM32\yljovueq.dll
    C:\WINDOWS\SYSTEM32\glildbgh.dll
    C:\WINDOWS\SYSTEM32\agewokpr.dll
    C:\WINDOWS\SYSTEM32\jofkonww.dll
    C:\WINDOWS\SYSTEM32\jlkkj.bak1
    C:\WINDOWS\SYSTEM32\jlkkj.bak2
    C:\WINDOWS\SYSTEM32\jlkkj.ini2
    C:\WINDOWS\System32\ogytiis.dll
    C:\WINDOWS\system32\ilovqdov.dll
    C:\WINDOWS\System32\jkklj.dll
    C:\WINDOWS\system32\pirtvbpe.dll
    C:\Documents and Settings\scale2\Start Menu\Programs\Startup\TA_Start.lnk
    C:\WINDOWS\pss\TA_Start.lnkStartup
    C:\WINDOWS\system32\dwgehlpp.dll
    C:\WINDOWS\cfg32.exe
    C:\WINDOWS\system32\owinkndt.exe
    C:\WINDOWS\system32\nvxbiufd.dll
    C:\WINDOWS\system32\abxnppdv.dll
    C:\WINDOWS\System32\Oplmsb01.exe
    C:\WINDOWS\system32\sodvujgd.dll
    C:\WINDOWS\pyzssagA.exe
  • Save this as vundofix.vft and Save as type "all files".
  • Double-click VundoFix.exe to run it.
  • Drag vundofix.vft onto the listbox (white box) of VundoFix.
  • Click the "Remove Vundo" button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe


Open Notepad (NOT WordPad!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end (don't forget to copy and paste the word REGEDIT4):

REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3cbc28b6-9131-4f6f-be73-891643e159bc}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8339f5f5-14ec-473f-a2f9-dba3294a9701}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92AC9027-B90A-46E9-B67A-FF60396AAE49}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b40c341c"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgddb]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvsss]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^scale2^Start Menu^Programs^Startup^TA_Start.lnk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b40c341c]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageMonitor]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pyzssagA]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Restart the computer.

Please post the contents of C:\vundofix.txt and a new HiJackThis log (if working now) in a reply to this thread.
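The Fix.reg step above depends on regedit reading the file exactly as the helper describes. The parser below is an added example, not part of the thread: it checks a REGEDIT4 script against the two rules stated (REGEDIT4 on the first line, a blank line at the end), lists what merging it would delete, and warns where a key path still carries ComboFix's '~' shorthand, which regedit reads literally rather than expanding; the sample is built from three of the entries above.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RegAction:
    op: str                    # "delete_key", "ensure_key", "delete_value", "set_value"
    key: str
    name: Optional[str] = None
    data: Optional[str] = None

class RegScriptError(ValueError):
    """The text would not merge the way the helper intends."""

VALUE_LINE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")

def parse_regedit4(text: str) -> list:
    """Turn a REGEDIT4 script into explicit actions, enforcing the helper's rules."""
    lines = text.split("\n")
    # Rule 1: nothing before REGEDIT4. Rule 2: a blank line at the end, i.e. the
    # last entry is newline-terminated (regedit silently ignores an unterminated one).
    if lines[0].rstrip("\r") != "REGEDIT4":
        raise RegScriptError("first line must be exactly REGEDIT4")
    if not text.endswith("\n"):
        raise RegScriptError("file must end with a blank line")
    actions, current = [], None
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.rstrip("\r")
        if not line.strip() or line.startswith(";"):
            continue
        if line.startswith("["):
            if not line.endswith("]"):
                raise RegScriptError(f"line {n}: unterminated key header")
            body = line[1:-1]
            if body.startswith("-"):            # [-KEY] deletes the whole key
                actions.append(RegAction("delete_key", body[1:]))
                current = None                  # values must not follow a deleted key
            else:                               # [KEY] selects (and creates) the key
                current = body
                actions.append(RegAction("ensure_key", body))
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            raise RegScriptError(f"line {n}: expected a key header or a value line")
        name = "@" if m["default"] else m["name"]
        if m["data"] == "-":                    # "name"=- deletes that value
            actions.append(RegAction("delete_value", current, name))
        else:
            actions.append(RegAction("set_value", current, name, m["data"]))
    return actions

def lint(actions: list) -> list:
    """Warnings about key paths that will not do what the author expects."""
    warnings = []
    for a in actions:
        hive = a.key.split("\\", 1)[0].upper()
        if hive not in HIVES:
            warnings.append(f"{a.key}: unknown hive '{hive}'")
        if "\\~\\" in a.key:
            warnings.append(f"{a.key}: '~' is ComboFix log shorthand; regedit reads key "
                            "names literally, so this key will not be found")
    return warnings

def is_valid(text: str) -> bool:
    """True if the script parses under the helper's rules."""
    try:
        parse_regedit4(text)
        return True
    except RegScriptError:
        return False

# Constructed sample: three of the entries from the Fix.reg text above.
SAMPLE_FIX = (
    "REGEDIT4\n\n"
    r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3cbc28b6-9131-4f6f-be73-891643e159bc}]" "\n\n"
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]" "\n"
    '"b40c341c"=-\n\n'
    r"[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]" "\n"
)
```

On SAMPLE_FIX the parser yields two key deletions and one value deletion, and lint reports the one BHO key that still carries the '~' shorthand.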
 
Hijackthis is still not saving log file. From vundofix:

Beginning removal...

Attempting to delete C:\WINDOWS\pss\TA_Start.lnkStartup
C:\WINDOWS\pss\TA_Start.lnkStartup Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\agewokpr.dll
C:\WINDOWS\SYSTEM32\agewokpr.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\astavpis.dll
C:\WINDOWS\SYSTEM32\astavpis.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\dpgnkbmp.dll
C:\WINDOWS\SYSTEM32\dpgnkbmp.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ejjkrfef.dll
C:\WINDOWS\SYSTEM32\ejjkrfef.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\foxvrsch.dll
C:\WINDOWS\SYSTEM32\foxvrsch.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\glildbgh.dll
C:\WINDOWS\SYSTEM32\glildbgh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ilovqdov.dll
C:\WINDOWS\system32\ilovqdov.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\injpapnb.dll
C:\WINDOWS\SYSTEM32\injpapnb.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\jlkkj.bak1
C:\WINDOWS\SYSTEM32\jlkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\jlkkj.bak2
C:\WINDOWS\SYSTEM32\jlkkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\jlkkj.ini2
C:\WINDOWS\SYSTEM32\jlkkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\kfcqscqn.dll
C:\WINDOWS\SYSTEM32\kfcqscqn.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ktckqvok.dll
C:\WINDOWS\SYSTEM32\ktckqvok.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\lgalcdrs.dll
C:\WINDOWS\SYSTEM32\lgalcdrs.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\Oplmsb01.exe
C:\WINDOWS\System32\Oplmsb01.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\pirtvbpe.dll
C:\WINDOWS\system32\pirtvbpe.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\rohhicav.dll
C:\WINDOWS\SYSTEM32\rohhicav.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\rqcgtxor.dll
C:\WINDOWS\SYSTEM32\rqcgtxor.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\udheqyim.dll
C:\WINDOWS\SYSTEM32\udheqyim.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\yljovueq.dll
C:\WINDOWS\SYSTEM32\yljovueq.dll Has been deleted!

Performing Repairs to the registry.
Done!
 
Okay, let's try with an older version of HijackThis...

Please post a HijackThis log to here:
  • Click here to download HijackThis.exe
  • Save HijackThis.exe to your desktop.
  • Create a new folder named HijackThis to your desktop. Move Hijackthis.exe into that folder.
  • Run HijackThis.exe
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 
It is doing the same thing. I downloaded the version you linked, moved it into the new folder on the desktop which I named hijackthis, then opened the program. I clicked on "do a system scan and save a log file" and got the message "Cannot find the C:\Program Files\Trend Micro\Hijackthis\Hijackthis.log file. Do you want to create a new file?" If I select yes it creates a new text document named hijackthis, but the document is blank and the file size is 0 KB. If I select no, it deletes this blank file and nothing is there. Then, I tried to run hijackthis by selecting "do a system scan only" and then after scanning, selecting "save log." This brings up the Save logfile window, I click save and I again get "Cannot find the C:\Program Files\Trend Micro\Hijackthis\Hijackthis.log file. Do you want to create a new file?" and the same thing happens.
 
Another thing... as I have been trying to run HijackThis and save a log file, Norton Antivirus keeps popping up saying that it's blocking Bloodhound.Exploit.6.
 
Logfile of HijackThis v1.99.1
Scan saved at 1:01:12 PM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WasteWORKS\wwwin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\scale2\Desktop\HIJACKTHIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {3cbc28b6-9131-4f6f-be73-891643e159bc} - C:\WINDOWS\System32\ogytiis.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Sonic\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {1079a492-3abd-9f2a-f374-ce415f5f9338} - {8339f5f5-14ec-473f-a2f9-dba3294a9701} - C:\WINDOWS\system32\ilovqdov.dll (file missing)
O2 - BHO: (no name) - {92AC9027-B90A-46E9-B67A-FF60396AAE49} - C:\WINDOWS\System32\jkklj.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1182528679234
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
 
Ok good :)

Only a few leftovers. How is the computer running?

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {3cbc28b6-9131-4f6f-be73-891643e159bc} - C:\WINDOWS\System32\ogytiis.dll (file missing)
O2 - BHO: {1079a492-3abd-9f2a-f374-ce415f5f9338} - {8339f5f5-14ec-473f-a2f9-dba3294a9701} - C:\WINDOWS\system32\ilovqdov.dll (file missing)
O2 - BHO: (no name) - {92AC9027-B90A-46E9-B67A-FF60396AAE49} - C:\WINDOWS\System32\jkklj.dll (file missing)

Restart the computer and run a new scan with HijackThis. The entries you just fixed should be gone. Let me know if they're not.

You can now remove the tools we used.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:

Stay clean and be safe ;)
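The leftovers picked out above share a few shapes: BHOs registered as "(no name)" or with a GUID where a name should be, entries whose DLL is "(file missing)", and a DPF download that does not come from an HTTP URL. The following is an added Python example, not code from the thread or from HijackThis, that applies those rules to log lines. The sample lines are constructed: most copy entry shapes from the log above, and the O4 line for `pyzssaga.exe` is invented to exercise the random-name rule. The random-name rule is a heuristic with false positives, so it only produces "review", never "fix".

```python
"""Triage HijackThis log lines by the entry shapes that mattered in this thread.

Added example, not part of the thread or of HijackThis. SAMPLE_LOG is
constructed; the O4 pyzssaga.exe line is invented for the random-name rule.
"""
import ntpath
import re

SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {3cbc28b6-9131-4f6f-be73-891643e159bc} - C:\\WINDOWS\\System32\\ogytiis.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_03\\bin\\ssv.dll
O2 - BHO: {1079a492-3abd-9f2a-f374-ce415f5f9338} - {8339f5f5-14ec-473f-a2f9-dba3294a9701} - C:\\WINDOWS\\system32\\ilovqdov.dll (file missing)
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [pyzssagA] C:\\WINDOWS\\system32\\pyzssaga.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\\\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx
"""

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
BHO_RE = re.compile(r"^O2 - BHO: (.+?) - (%s) - (.+?)( \(file missing\))?$" % GUID, re.I)
RUN_RE = re.compile(r'^O4 - HK\w+\\\.\.\\\w+: \[[^\]]*\] "?([^"]+)')
DPF_RE = re.compile(r"^O16 - DPF: %s(?: \([^)]*\))? - (\S+)$" % GUID, re.I)
PAGE_RE = re.compile(r"^R[01] - (HK\w+)\\.*,([\w ]+) = (.*)$")
RANDOM_STEM = re.compile(r"^[a-z]{5,9}$")       # weak signal: Vundo-style gibberish names
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)


def looks_random(path):
    """Weak heuristic: a 5-9 lowercase-letter file stem sitting in system32."""
    path = path.strip('"')
    stem, _ext = ntpath.splitext(ntpath.basename(path))
    return bool(RANDOM_STEM.match(stem) and SYSTEM_DIR.match(path))


def triage(log_text):
    """Return (severity, reason, line) for each entry worth attention.

    'fix' = strong signal (nameless/orphaned BHO, non-HTTP DPF source);
    'review' = weak signal only (random-looking name, changed start page).
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            name, _guid, path, missing = m.groups()
            nameless = name == "(no name)" or re.fullmatch(GUID, name, re.I) is not None
            if nameless or missing:
                findings.append(("fix", "BHO with no proper name or no DLL on disk", line))
            elif looks_random(path):
                findings.append(("review", "BHO loading a random-looking DLL from system32", line))
            continue
        m = RUN_RE.match(line)
        if m:
            if looks_random(m.group(1)):
                findings.append(("review", "Run entry launching a random-looking name from system32", line))
            continue
        m = DPF_RE.match(line)
        if m:
            source = m.group(1)
            if not source.lower().startswith(("http://", "https://")):
                scheme = source.split(":", 1)[0]
                findings.append(("fix", "ActiveX download from a non-HTTP source (%s:)" % scheme, line))
            continue
        m = PAGE_RE.match(line)
        if m:
            hive, value, url = m.groups()
            findings.append(("review", "%s %s set to %s" % (hive, value, url), line))
    return findings


def fix_list(log_text):
    """Lines a helper would tick in 'Do a system scan only' and press Fix checked on."""
    return [line for severity, _, line in triage(log_text) if severity == "fix"]


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (severity.upper(), reason, line))
```

On the sample, the fix list is the two orphaned BHOs and the `ms-its:` DPF entry; the Java BHO, the Symantec Run entry and the Kaspersky scanner control pass untouched. The start page is reported for review rather than fix, because a home page alone is not evidence of infection; resetting it, as the helper chose to do here, is a judgment call.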
 