I want you to run VundoFix one more time. Then restart your computer.
Next run HijackThis and place a checkmark by the following entries if they still exist:
O2 - BHO: (no name) - {1FB63E52-4D6E-48C1-A08F-F630FE50F337} - C:\WINDOWS\system32\mljihfe.dll
O2 - BHO: (no name) - {80781C9F-8B82-4AD9-860B-17A87421A9BA} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: (no name) - {BBBA4559-3167-4289-AD1A-AD95C6127DB4} - C:\WINDOWS\system32\jkkli.dll (file missing)
O2 - BHO: (no name) - {D707DB5A-08D3-4A98-BC38-DD4FB6906982} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O20 - Winlogon Notify: mljihfe - C:\WINDOWS\SYSTEM32\mljihfe.dll
O20 - Winlogon Notify: winuns32 - C:\WINDOWS\SYSTEM32\winuns32.dll
Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer again.
Download Avenger from here:
Swandog46’s Public Tools Page
Open the program. Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, paste this:
Files to delete:
C:\WINDOWS\system32\mljihfe.dll
C:\WINDOWS\SYSTEM32\mljihfe.dll
C:\WINDOWS\SYSTEM32\winuns32.dll
and click 'Done'
Click the Traffic Light icon to start the program, and OK the prompts to reboot your PC.
Post the Avenger output.txt, which you can find at C:\Avenger\.txt, as well as a new HijackThis log.
Thread: [Fixed] HijackThis! Logs - [Fixed] Multiple pop ups, freezes my PC sometimes (Security & Safety forums)

#15 | Senior Security Analyst | Join Date: Jun 2006 | Location: Singapore | Posts: 5,176
#16 | Bronze Member | Join Date: Jul 2007 | Posts: 46
Here is the Avenger report:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rvcajkqo

*******************

Script file located at: \??\C:\WINDOWS\system32\jojnsytd.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\mljihfe.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\mljihfe.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\mljihfe.dll failed!
Could not process line:
C:\WINDOWS\SYSTEM32\mljihfe.dll
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\winuns32.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
#17 | Bronze Member | Join Date: Jul 2007 | Posts: 46
Here is a fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:11:07 AM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8118;http=localhost:8118;https=localhost:8118;socks=localhost:9050
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
#18 | Senior Security Analyst | Join Date: Jun 2006 | Location: Singapore | Posts: 5,176
Rename hijackthis.exe to rename.exe.
Then run HijackThis (now with the new name) again. Do you see any O2 entries listed?
#19 | Bronze Member | Join Date: Jul 2007 | Posts: 46
Yes I do, here is a fresh HijackThis scan:

Logfile of HijackThis v1.99.1
Scan saved at 8:08:15 PM, on 7/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Norton AntiVirus\NAVW32.exe
C:\Program Files\Hijackthis\rename.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8118;http=localhost:8118;https=localhost:8118;socks=localhost:9050
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1FB63E52-4D6E-48C1-A08F-F630FE50F337} - C:\WINDOWS\system32\mljihfe.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\prkfbnrw.dll
O2 - BHO: (no name) - {96251FD4-72AA-435B-960C-977DF5592C38} - C:\WINDOWS\system32\mljjk.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\cvtcxilb.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mljihfe - mljihfe.dll (file missing)
O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winuns32 - winuns32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
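The pattern the analyst is chasing across posts #15 and #19 is visible in the two logs above: a Vundo DLL with a random lowercase name in system32 is registered both as an unnamed BHO (O2) and as a Winlogon Notify package (O20), the names change between scans (mljihfe, then prkfbnrw and mljjk), a stale registration stays behind as "(file missing)" after the file is deleted, and a rundll32 Run key (O4 MemoryManager) reloads yet another DLL. Below is an added example of turning those observations into a small triage script; it is not HijackThis code and was not posted by either participant. The sample lines are copied from the logs above (constructed as test input), the regexes are my assumptions about HijackThis 1.99.1 line formats, and the "random name" test is deliberately kept as a weak signal.

```python
"""Triage a HijackThis v1.99 log for the Vundo persistence pattern seen in this
thread: an unnamed BHO (O2) and a Winlogon Notify package (O20) pointing at the
same DLL, orphaned "(file missing)" registrations, and rundll32 Run keys (O4).

Added example for the thread; not HijackThis code. SAMPLE_LOG is constructed
from lines copied out of the logs posted above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1FB63E52-4D6E-48C1-A08F-F630FE50F337} - C:\WINDOWS\system32\mljihfe.dll (file missing)
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\prkfbnrw.dll
O2 - BHO: (no name) - {96251FD4-72AA-435B-960C-977DF5592C38} - C:\WINDOWS\system32\mljjk.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\cvtcxilb.dll",forkonce
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winuns32 - winuns32.dll (file missing)
"""

# Line formats assumed from HijackThis 1.99.1 output.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)', re.I)
# Weak signal only: Vundo used 5-8 lowercase letters, but so do some real DLLs.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}\.dll$")


@dataclass
class Entry:
    section: str                  # "O2", "O4" or "O20"
    name: str                     # BHO name, Run value name or Notify key name
    path: str                     # file as printed in the log (may be a bare name)
    missing: bool = False         # HijackThis printed "(file missing)"
    export: Optional[str] = None  # rundll32 export name, O4 entries only
    reasons: List[str] = field(default_factory=list)

    @property
    def filename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def severity(self) -> str:
        strong = [r for r in self.reasons if not r.startswith("weak:")]
        return "high" if strong else ("low" if self.reasons else "none")


def parse(log: str) -> List[Entry]:
    """Parse the O2, O4 and O20 lines; every other section is ignored."""
    entries: List[Entry] = []
    for raw in log.strip().splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["path"], bool(m["missing"])))
        elif m := O20_RE.match(line):
            entries.append(Entry("O20", m["name"], m["path"], bool(m["missing"])))
        elif m := O4_RE.match(line):
            rd = RUNDLL_RE.match(m["cmd"].strip())
            if rd:  # the DLL handed to rundll32 is the payload, not rundll32.exe
                entries.append(Entry("O4", m["name"], rd["dll"], export=rd["export"]))
            else:   # first (possibly quoted) token is the executable
                entries.append(Entry("O4", m["name"], m["cmd"].strip().strip('"').split('"')[0]))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach reasons to each entry in place; return the ones with any reason."""
    unnamed_bho = {e.filename.lower() for e in entries
                   if e.section == "O2" and e.name == "(no name)"}
    notify = {e.filename.lower() for e in entries if e.section == "O20"}
    for e in entries:
        fn = e.filename.lower()
        if e.missing:
            e.reasons.append("orphaned registration: file missing")
        if e.section == "O2" and e.name == "(no name)":
            e.reasons.append("BHO registered without a name")
        if (e.section == "O20" and fn in unnamed_bho) or (e.section == "O2" and fn in notify):
            e.reasons.append("same DLL hooked as BHO and as Winlogon Notify package")
        if e.export:
            e.reasons.append(f"rundll32 Run key loads {e.filename} via export {e.export}")
        if e.section == "O20" and "\\" not in e.path:
            e.reasons.append("bare DLL name: resolved through the DLL search path")
        if "\\system32\\" in e.path.lower() and RANDOM_NAME_RE.match(e.filename):
            e.reasons.append("weak: random-looking lowercase name in system32")
    return [e for e in entries if e.reasons]


def summarize(log: str) -> dict:
    """Map 'section:filename' to severity for every parsed entry."""
    entries = parse(log)
    triage(entries)
    return {f"{e.section}:{e.filename}": e.severity for e in entries}


if __name__ == "__main__":
    for e in triage(parse(SAMPLE_LOG)):
        print(f"[{e.severity:4}] {e.section:3} {e.filename:16} " + "; ".join(e.reasons))
```

Run against the sample, the six Vundo-related entries come out "high" (both mljjk registrations because the BHO/Notify pairing ties them together, winuns32 because it is both orphaned and a bare name resolved via the DLL search path, cvtcxilb because a Run key loads it through rundll32). Intel's igfxsrvc.dll is the reason the name heuristic is only "weak": it is eight lowercase letters in SYSTEM32 and scores "low", which is the right answer. A rundll32 Run key also has benign uses (the SiSPower entry in the same log), so treat that reason as "review the DLL", not "delete it".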
#20 | Senior Security Analyst | Join Date: Jun 2006 | Location: Singapore | Posts: 5,176
The Vundo trojan is really persistent...

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply, along with a new HijackThis log.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
#21 | Bronze Member | Join Date: Jul 2007 | Posts: 46
Here is the COMBOFIX.exe log:
"Compaq_Owner" - 2007-07-25 8:01:20 - ComboFix 07-07-23.6 - Service Pack 2 NTFS

(((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\ayrxngtt.dll
C:\WINDOWS\system32\prkfbnrw.dll
C:\WINDOWS\system32\kjjlm.bak1
C:\WINDOWS\system32\kjjlm.bak2
C:\WINDOWS\system32\kjjlm.ini
C:\WINDOWS\system32\kjjlm.ini2
C:\WINDOWS\system32\kjjlm.tmp
C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\ilkkj.tmp
C:\WINDOWS\system32\gjjlm.bak1
C:\WINDOWS\system32\gjjlm.bak2
C:\WINDOWS\system32\gjjlm.ini
C:\WINDOWS\system32\gjjlm.ini2
C:\WINDOWS\system32\gjjlm.tmp
C:\WINDOWS\system32\kjjlm.bak1
C:\WINDOWS\system32\kjjlm.bak2
C:\WINDOWS\system32\kjjlm.ini
C:\WINDOWS\system32\kjjlm.ini2
C:\WINDOWS\system32\kjjlm.tmp
C:\WINDOWS\system32\qpqss.bak1
C:\WINDOWS\system32\qpqss.bak2
C:\WINDOWS\system32\qpqss.ini2
C:\WINDOWS\system32\qpqss.tmp
C:\WINDOWS\system32\rrutv.bak1
C:\WINDOWS\system32\rrutv.bak2
C:\WINDOWS\system32\rrutv.ini2
C:\WINDOWS\system32\rrutv.tmp
C:\WINDOWS\system32\mljjk.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\Common Files\windows
C:\Program Files\Common Files\windows\request.html
C:\Program Files\winsupdater
C:\Program Files\winupdates
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com

((((((((((((((((((((((((( Files Created from 2007-06-25 to 2007-07-25 )))))))))))))))))))))))))))))))
2007-07-25 07:59 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-25 07:49 126,016 --a------ C:\WINDOWS\system32\aqqtyqfu.dll
2007-07-20 22:34 <DIR> d-------- C:\VundoFix Backups
2007-07-18 22:53 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-17 14:57 4,332 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-17 14:56 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-17 14:56 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-07-17 14:56 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-07-16 19:26 <DIR> d-------- C:\Program Files\Vidalia
2007-07-16 19:26 <DIR> d-------- C:\Program Files\Privoxy
2007-07-16 19:26 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Vidalia
2007-07-16 19:24 <DIR> d-------- C:\Program Files\Tor
2007-07-16 19:24 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Tor
2007-07-15 16:41 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-07-13 18:11 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-07-13 18:09 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-13 18:09 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-13 17:54 <DIR> d-------- C:\Program Files\PowerISO
2007-07-06 23:16 1,480 --a------ C:\WINDOWS\mozver.dat
2007-07-06 23:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-06 22:57 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Talkback
2007-07-05 16:18 <DIR> d-------- C:\(Ps2) Pro Evolution Soccer 6 - PAL - ENGLISH (Online Fix With DNAS !!!)
2007-07-02 14:41 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-02 14:41 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-19 01:35:49 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-17 09:27:27 -------- d-----w C:\Program Files\mIRC
2007-07-14 00:02:17 -------- d-----w C:\Program Files\Symantec
2007-07-14 00:02:09 806 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-07-14 00:02:09 8,014 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-07-13 22:36:14 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\Symantec
2007-07-12 04:36:26 -------- d-----w C:\Program Files\DivX
2007-07-05 23:14:55 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\uTorrent
2007-07-04 11:59:01 -------- d-----w C:\Program Files\BitComet
2007-06-21 06:24:18 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\Google
2007-06-21 06:23:53 -------- d-----w C:\Program Files\Google
2007-06-21 06:23:52 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-19 15:42:52 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\FileMaker
2007-06-16 04:32:13 -------- d-----w C:\Program Files\AIM6
2007-06-13 01:24:10 -------- d-----w C:\Program Files\Live_TV
2007-06-01 00:53:59 -------- d-----w C:\Program Files\ZillaTube
2007-05-29 04:55:43 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\Yahoo!
2007-05-28 05:36:29 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\gtk-2.0
2007-05-28 05:11:39 -------- d-----w C:\Program Files\GIMP-2.0
2007-05-28 05:09:59 -------- d-----w C:\Program Files\Common Files\GTK
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-02-02 02:14:24 1,188 ----a-w C:\DOCUME~1\COMPAQ~1\APPLIC~1\wklnhst.dat
2006-01-27 23:24:29 560 ----a-w C:\DOCUME~1\COMPAQ~1\APPLIC~1\ViewerApp.dat
2005-10-09 16:41:38 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19]
"VTTimer"="VTTimer.exe" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 10:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-22 00:31]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"SiSPower"="SiSPower.dll" [2004-09-24 11:49 C:\WINDOWS\system32\SiSPower.dll]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-22 01:01]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 21:22]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 23:54]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 21:41]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 14:30]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 22:47 C:\WINDOWS\ALCXMNTR.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 19:06 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P2kAutostart"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:00]
"Aim6"="" []

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe [2004-10-22 01:11:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljihfe]
mljihfe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuns32]
winuns32.dll

R1 AmdK8;AMD Athlon64 Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 cdrbsdrv;cdrbsdrv;C:\WINDOWS\system32\drivers\cdrbsdrv.sys
R1 SCDEmu;SCDEmu;C:\WINDOWS\system32\drivers\SCDEmu.sys
R1 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
R1 SRTSPX;SRTSPX;C:\WINDOWS\system32\Drivers\SRTSPX.SYS
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc8021x.sys
R2 WIBUKEY;WIBU-KEY Kernel Driver;C:\WINDOWS\system32\DRIVERS\Wibukey.sys
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
R3 Iviaspi;IVI ASPI Shell;C:\WINDOWS\system32\drivers\iviaspi.sys
R3 Ps2;PS2;C:\WINDOWS\system32\DRIVERS\PS2.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;USB2 Enabled Hub;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbohci.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
R3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S3 2WIREPCP;2Wire USB;C:\WINDOWS\system32\DRIVERS\2WirePCP.sys
S3 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 gbalink;GBA Link Driver (gbalink.sys);C:\WINDOWS\system32\Drivers\gbalink.sys
S3 P2k;Motorola USB Device;C:\WINDOWS\system32\DRIVERS\P2k.sys
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1);C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS
S3 usbaudio;USB Audio Driver (WDM);C:\WINDOWS\system32\drivers\usbaudio.sys
S3 usbccgp;Microsoft USB Generic Parent Driver;C:\WINDOWS\system32\DRIVERS\usbccgp.sys
S3 usbser;Motorola USB Modem Driver;C:\WINDOWS\system32\DRIVERS\usbser.sys
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
S3 viagfx;viagfx;C:\WINDOWS\system32\DRIVERS\vtmini.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed1b65ec-ccd6-11db-9788-0011d8232512}]
Auto\command- pagefile.pif
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL pagefile.pif

Contents of the 'Scheduled Tasks' folder
2007-07-14 01:00:21 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Compaq_Owner.job

**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-25 08:12:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************

Completion time: 2007-07-25 8:15:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-25 08:14
--- E O F ---