Popups that keep coming and can't remove

I understand your frustration, and please know you are not alone. Right now there are countless folks infected with this new version of the junk; the forums are full of it. Here is one developing a bit beyond yours that may help us.
http://forums.spybot.info/showthread.php?t=20241
Understand that these hackers (criminals) are doing all they can to keep us from removing the junk; they constantly change how they infect folks, so there is no correct way to remove the junk. It is constantly trial and error. Follow the instructions I just posted.

Thanks...Phil
 
VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 5:43:03 p.m. 21/11/2007

Listing files found while scanning....

C:\windows\system32\ljjggdd.dll

Beginning removal...

Attempting to delete C:\windows\system32\ljjggdd.dll
C:\windows\system32\ljjggdd.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\ljjggdd.dll
C:\windows\system32\ljjggdd.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 6:05:17 p.m. 21/11/2007

Listing files found while scanning....

C:\windows\system32\ljjggdd.dll

Beginning removal...

Attempting to delete C:\windows\system32\ljjggdd.dll
C:\windows\system32\ljjggdd.dll Could not be deleted.

Attempting to delete C:\windows\system32\ljjggdd.dll
C:\windows\system32\ljjggdd.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:01 p.m., on 21/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\mrsb.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_NZ&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_NZ&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_NZ&c=64&bd=PRESARIO&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B2A18BD-E92E-47BE-9955-6C2DF1D32BD1} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: {363097a2-eeb7-11eb-04f4-0f3432aab126} - {621baa23-43f0-4f40-be11-7bee2a790363} - C:\WINDOWS\system32\chxphqbg.dll
O2 - BHO: (no name) - {676E12A7-50C5-4CE6-9265-15E993B61D72} - C:\WINDOWS\system32\ddccd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kaspersky.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7765 bytes
 
Thanks for the burst of enthusiasm, Phil, lol. I haven't quite reached the "frustrated out of my mind" stage just yet. It's tedious work and I think I have the easier end of the stick. I'll keep at it though. The Vundo update didn't help us move that one file. Hmmm...
 
Just ran a full in-depth scan of the C and D drives with Eset. Here is the log from that scan. I then followed up with VundoFix and found nothing. What do you recommend I do now?

Scanning Log
NOD32 version 2673 (20071120) NT
Checking CRC of NOD32.EXE: Status OK
Operating memory is OK.
Error occurred while scanning MBR sector of the 2. physical disk. Error reading sector.
Date: 21.11.2007 Time: 21:10:44
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:; D:
C:\hiberfil.sys - error opening (File locked) [4]
C:\pagefile.sys - error opening (File locked) [4]
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde5.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde5.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde6.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde6.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde7.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde7.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\Compaq_Administrator\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\Compaq_Administrator\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\JSYWW1GW\css4[1] - probably a variant of Win32/Adware.Virtumonde.FP application
C:\Documents and Settings\Compaq_Administrator\My Documents\Microsoft Office XP\FILES\OSP\1033\IE5\EN\IENT_S1.CAB »CAB »IENT_1.CAB »CAB »MSHTMLED.DLL - next archive volume not found
C:\Documents and Settings\Compaq_Administrator\My Documents\Microsoft Office XP\FILES\OSP\1033\IE5\EN\IE_S1.CAB »CAB »IE_1.CAB »CAB »SHDOCVW.DLL - next archive volume not found
C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP1\A0001014.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP1\A0001132.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP10\A0001697.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP12\A0001808.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP14\A0002231.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP15\A0002271.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP15\A0002272.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP16\A0002289.dll - a variant of Win32/BHO.G trojan
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP16\A0002291.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP16\A0002292.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP27\A0002479.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP27\A0002480.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP27\A0002481.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP42\A0002654.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP42\A0002655.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP42\A0002656.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP42\A0002657.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP42\A0002658.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP42\A0002659.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP42\A0002660.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP42\A0002661.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP42\A0002662.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP42\A0002663.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP42\A0002664.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP42\A0002666.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP42\A0002667.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP42\A0002668.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP42\A0002669.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP43\A0002786.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP45\A0002813.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP45\A0002944.dll - Win32/Adware.Virtumonde application - deleted
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP47\A0003127.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP47\A0003158.dll - probably a variant of Win32/Adware.Virtumonde.FP application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP50\A0003262.dll - Win32/Adware.Virtumonde application - deleted
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP50\A0003263.dll - Win32/Adware.Virtumonde application - deleted
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP50\A0003265.dll - Win32/Adware.Virtumonde application - deleted
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP50\A0003266.dll - Win32/Adware.Virtumonde application - deleted
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP51\A0003305.dll - Win32/Adware.Virtumonde application - deleted
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP52\A0003337.dll - a variant of Win32/BHO.G trojan
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP53\A0003460.dll - probably a variant of Win32/Genetik trojan
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP8\A0001225.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP8\A0001226.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP8\A0001227.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP8\A0001228.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP8\A0001229.dll - a variant of Win32/Adware.Virtumonde application
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP8\A0001249.dll - a variant of Win32/BHO.G trojan
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP9\A0001681.dll - a variant of Win32/Adware.Virtumonde application
C:\WINDOWS\SoftwareDistribution\EventCache\{B23EAFF6-445C-4841-8121-6923E8818CD2}.bin - error opening (File locked) [4]
C:\WINDOWS\system32\chxphqbg.dll - a variant of Win32/BHO.G trojan
C:\WINDOWS\system32\eyfbitiv.dll - Win32/Adware.Virtumonde application - deleted
C:\WINDOWS\system32\pobxykqw.dll - a variant of Win32/BHO.G trojan
C:\WINDOWS\system32\ysdtknjd.dll - a variant of Win32/BHO.G trojan
C:\WINDOWS\system32\config\default - error opening (File locked) [4]
C:\WINDOWS\system32\config\default.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\software - error opening (File locked) [4]
C:\WINDOWS\system32\config\software.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\system - error opening (File locked) [4]
C:\WINDOWS\system32\config\system.LOG - error opening (File locked) [4]
Number of scanned files: 404690
Number of threats found: 52
Number of files cleaned: 52
Time of completion: 21:47:39 Total scanning time: 2215 sec (00:36:55)
Notes:
[4] File cannot be opened. It may be in use by another application or operating system.
 
And the new HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:47 p.m., on 21/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\mrsb.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_NZ&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_NZ&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_NZ&c=64&bd=PRESARIO&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B2A18BD-E92E-47BE-9955-6C2DF1D32BD1} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: {363097a2-eeb7-11eb-04f4-0f3432aab126} - {621baa23-43f0-4f40-be11-7bee2a790363} - C:\WINDOWS\system32\chxphqbg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {B5494CF3-F00B-41CB-BBA2-C7BBCD17A0EF} - C:\WINDOWS\system32\ddccd.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kaspersky.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7690 bytes
 
The ESET scan shows a few Vundo files we can use, for your information:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify.zip »ZIP »sbRecovery.reg - error - password-protected file
http://forums.spybot.info/showthread.php?p=103253#post103253 (post#2)

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip »ZIP »sbRecovery.reg - error - password-protected file
http://www.spybot.info/en/faq/46.html
http://www.safer-networking.org/en/faq/index.html

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\
You have moved bad stuff from the Spybot scan to "Recovery" which is the Spybot version of quarantine. It will stay in there until you clean the junk out.
http://ict.cas.psu.edu/training/howto/util/removespybot.htm#1

C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\ <<< delete the contents of that folder (a few old files will not delete, but we are interested in junk from the last month when the infections occurred)

These are infected System Restore files and they cannot harm you where they are. DO NOT do a SR and we will clean those last so we only need to do it once.
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP1\A0001014.dll - a variant of Win32/Adware.Virtumonde application


These are bad active Vundo files we will need to remove that are in this scan, we will use these with Vundofix shortly.
C:\WINDOWS\system32\chxphqbg.dll <<< notice a missing file in the HJT log so this one may be gone.
C:\WINDOWS\system32\eyfbitiv.dll
C:\WINDOWS\system32\pobxykqw.dll
C:\WINDOWS\system32\ysdtknjd.dll
Others may be gone also, removed by us earlier, if they are not there, Vundofix will tell us.

Please read and follow the directions carefully:

Open Vundofix by Doubleclicking on it, then point your mouse to the white box
above the buttons and right click, then click on Add More Files. When the
next window opens, copy and paste the files into the boxes and click on Add
File(s), then click on Close Window. Then click Remove Vundo.

These are the files to add in red

C:\WINDOWS\system32\chxphqbg.dll
C:\WINDOWS\system32\eyfbitiv.dll
C:\WINDOWS\system32\pobxykqw.dll
C:\WINDOWS\system32\ysdtknjd.dll
C:\windows\system32\ljjggdd.dll
C:\WINDOWS\system32\ddccd.dll



1) Make sure all files and folders are still visible

2) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {0B2A18BD-E92E-47BE-9955-6C2DF1D32BD1} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: {363097a2-eeb7-11eb-04f4-0f3432aab126} - {621baa23-43f0-4f40-be11-7bee2a790363} - C:\WINDOWS\system32\chxphqbg.dll (file missing)
O2 - BHO: (no name) - {B5494CF3-F00B-41CB-BBA2-C7BBCD17A0EF} - C:\WINDOWS\system32\ddccd.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\windows\system32\ljjggdd.dll <<< look for this one, if there, try to delete it. If you cannot, boot to safe mode and delete it there.

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post a new HJT log with some feedback. That file is probably what is putting the junk back, if you looked at the link from the other member, we had a heck of a time until he deleted the file in safe mode.
http://spyware-free.us/tutorials/safemode/

Thanks...Phil
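The triage the helper does on the HJT log above (flagging O2 BHO entries with "(no name)", a bare GUID for a name, or "(file missing)", and separating DLLs still on disk from ones already gone) can be written down as a small parser. This is an added example for this page, not code from the thread, from pskelley, or from the HijackThis project; the sample log is constructed from O2 lines posted in this thread, and the function and variable names are my own.

```python
import re

# Constructed sample for this example: the three O2 lines the helper asked the
# user to fix with HijackThis, plus two legitimate BHOs from the later clean log.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {0B2A18BD-E92E-47BE-9955-6C2DF1D32BD1} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: {363097a2-eeb7-11eb-04f4-0f3432aab126} - {621baa23-43f0-4f40-be11-7bee2a790363} - C:\WINDOWS\system32\chxphqbg.dll (file missing)
O2 - BHO: (no name) - {B5494CF3-F00B-41CB-BBA2-C7BBCD17A0EF} - C:\WINDOWS\system32\ddccd.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
"""

# A registry-style GUID: 8-4-4-4-12 hex digits in braces.
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
GUID_RE = re.compile(GUID)
# HijackThis O2 line layout: "O2 - BHO: <name> - <CLSID> - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>" + GUID + r") - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def triage_bhos(log_text):
    """Parse every O2 (Browser Helper Object) line and attach the warning signs
    the helper relied on: no display name, a bare GUID used as the name, and a
    path HijackThis reports as missing. Entries with no reasons are left alone."""
    findings = []
    for line in log_text.strip().splitlines():
        m = O2_RE.match(line)
        if not m:
            continue  # not an O2 line; other sections are out of scope here
        name, clsid, path = m.group("name"), m.group("clsid"), m.group("path")
        reasons = []
        if name == "(no name)":
            reasons.append("no display name")
        elif GUID_RE.fullmatch(name):
            reasons.append("display name is a bare GUID")
        if m.group("missing"):
            reasons.append("file missing on disk")
        findings.append({"name": name, "clsid": clsid, "path": path, "reasons": reasons})
    return findings


def split_by_presence(findings):
    """Of the flagged entries, which DLLs are still on disk (worth handing to a
    removal tool) and which HijackThis already reports missing (only the
    registry entry is left to fix)."""
    present = [f["path"] for f in findings
               if f["reasons"] and "file missing on disk" not in f["reasons"]]
    missing = [f["path"] for f in findings if "file missing on disk" in f["reasons"]]
    return present, missing


if __name__ == "__main__":
    results = triage_bhos(SAMPLE_HJT_LOG)
    for f in results:
        tag = "FLAG" if f["reasons"] else "ok  "
        print(f"{tag} {f['clsid']} {f['path']} {'; '.join(f['reasons'])}")
    present, missing = split_by_presence(results)
    print("still on disk:", present)
    print("already gone: ", missing)
```

On the sample, the two Adobe and Java BHOs come back with no reasons, the three Vundo entries are flagged, and only ddccd.dll lands in the "still on disk" list, which matches the helper's remark that a file shown as missing in the HJT log may already be gone.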
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:06 p.m., on 22/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\mrsb.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_NZ&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_NZ&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_NZ&c=64&bd=PRESARIO&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kaspersky.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7265 bytes
 
I think this time it went better? Added files to vundofix and didn't come into any hiccups. If anything I suspect the files I added to remove vundo were no longer detected. Searched in system32 for ljjggdd.dll file and it wasn't there anymore. Does it look better from the HJT log?
 
Thanks for returning your information and the feedback, in case I have not mentioned this before:

C:\Program Files\Java\jre1.6.0_02\ <<< update Java and make sure all old versions are uninstalled in Add Remove programs.
http://forums.spybot.info/showpost.php?p=12880&postcount=2

This HJT log is clean. Let's look at a Kaspersky scan to be sure, please use these settings.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks
 
Ok here you go..

Friday, November 23, 2007 3:15:38 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/11/2007
Kaspersky Anti-Virus database records: 435325
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics
Total number of scanned objects 69927
Number of viruses found 5
Number of infected objects 10
Number of suspicious objects 0
Duration of the scan process 01:00:08

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\History\History.IE5\MSHist012007112320071124\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\cache\FND21.NFI Infected: Trojan.Win32.Pakes.fr skipped
C:\Program Files\ESET\cache\FND25.NFI Infected: Trojan.Win32.Pakes.sc skipped
C:\Program Files\ESET\infected\2NQ420BA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\ESET\infected\GGBEZRBA.NQF Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Program Files\ESET\infected\LOHHFCCA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\ESET\infected\OPJUWWAA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\ESET\infected\PIGZHSCA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\ESET\infected\VGP5OMAA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\ESET\infected\W1ARXSDA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP50\A0003244.exe Infected: Trojan-Proxy.Win32.Agent.kj skipped
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP59\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3B22C4E1-1E2F-4FFD-97DE-AFAD8B1F2728}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F4EC1100-6962-403A-8BEB-33E41E6582FF}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
 
Thanks for returning your scan results: Kaspersky Online Scanner
Number of infected objects 10

You have nine (9) items being stored in your antivirus program, delete those:
C:\Program Files\ESET\cache\ <<< delete the contents
C:\Program Files\ESET\infected\ <<< delete the contents

Once that is done, restart and empty the Recycle Bin on your Desktop.

One (1) item is in an infected System Restore file. Follow these instructions.

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

If you followed the directions the next Kaspersky scan will be clean and I DO NOT need to see a clean scan results.

Thanks...Phil
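The reading the helper gives of the Kaspersky report (nine hits sitting in the ESET cache and quarantine folders, one in a System Restore point, nothing active) is a classification by file location, and that can be automated for a report of any length. This is an added example, not code from the thread, from pskelley, or from Kaspersky; the sample report is constructed from lines of the scan posted above, the bucket names and the list of quarantine folders are my own assumptions, and locked objects are counted but not treated as detections.

```python
import re
from collections import Counter, defaultdict

# Constructed sample taken from the Kaspersky report posted above: the ten
# "Infected:" lines, three "Object is locked" lines and two non-result lines,
# so the parser sees every line shape it has to handle.
SAMPLE_KAV_REPORT = r"""
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Compaq_Administrator\NTUSER.DAT Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\cache\FND21.NFI Infected: Trojan.Win32.Pakes.fr skipped
C:\Program Files\ESET\cache\FND25.NFI Infected: Trojan.Win32.Pakes.sc skipped
C:\Program Files\ESET\infected\2NQ420BA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\ESET\infected\GGBEZRBA.NQF Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Program Files\ESET\infected\LOHHFCCA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\ESET\infected\OPJUWWAA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\ESET\infected\PIGZHSCA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\ESET\infected\VGP5OMAA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\ESET\infected\W1ARXSDA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP50\A0003244.exe Infected: Trojan-Proxy.Win32.Agent.kj skipped
C:\System Volume Information\_restore{FDD9614E-CF40-43E1-9C20-263B0BDC362F}\RP59\change.log Object is locked skipped
Scan process completed.
"""

# Report line layout: "<path> Object is locked <action>" or
# "<path> Infected: <detection name> <action>". Paths contain spaces, so the
# path is matched non-greedily up to the status keyword.
RESULT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:(?P<locked>Object is locked)|Infected: (?P<name>\S+))\s+(?P<action>\S+)$"
)

# Assumed folder list: where this user's antivirus (ESET NOD32) keeps its
# quarantine and cache, per the helper's post. Extend for other products.
QUARANTINE_DIRS = ("c:\\program files\\eset\\infected\\", "c:\\program files\\eset\\cache\\")
RESTORE_MARKER = "\\system volume information\\_restore{"


def classify_location(path):
    """Bucket a detection by where it sits: inside an AV quarantine, inside a
    System Restore point, or anywhere else (treated as potentially active)."""
    p = path.lower()
    if p.startswith(QUARANTINE_DIRS):
        return "av_quarantine"
    if RESTORE_MARKER in p:
        return "system_restore"
    return "active"


def summarize_report(report_text):
    """Parse a Kaspersky Online Scanner text report and group its detections."""
    findings = defaultdict(list)
    counts = Counter()
    locked = 0
    unparsed = []
    for line in report_text.strip().splitlines():
        m = RESULT_RE.match(line)
        if not m:
            unparsed.append(line)  # headers, footers, anything unexpected
            continue
        if m.group("locked"):
            locked += 1  # open system files, not malware
            continue
        where = classify_location(m.group("path"))
        counts[where] += 1
        findings[where].append((m.group("path"), m.group("name")))
    return {"counts": dict(counts), "findings": dict(findings),
            "locked": locked, "unparsed": unparsed}


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_KAV_REPORT)
    print("detections by location:", summary["counts"])
    print("locked objects skipped:", summary["locked"])
    for bucket, items in summary["findings"].items():
        for path, name in items:
            print(f"  [{bucket}] {name}  {path}")
```

Run on the sample it reports nine av_quarantine hits and one system_restore hit with no active bucket at all, which is the basis for the helper's two-part instruction: empty the two ESET folders, then cycle System Restore to flush the restore point. Anything that landed in the active bucket would be the case that needs further cleanup before declaring the machine clean.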
 
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
 