Trojan.metajuan+trojan.virtumonde +virtumonde.dll=good Times



#1 moomoo2u

Posted 14 February 2008 - 12:23 PM

Hey guys, first post here.

I was recently infected with metajuan and virtumonde.dll.

Spybot found virtumonde & deleted most of it, but froze when trying to remove one DLL.

So I got VundoFix and ran it, and it did the same thing but could not delete mljiigh.dll, so it rebooted. Every time it reboots it either doesn't show the .dll under files to delete or is unable to remove it and asks me to restart again.

I've tried in Safe Mode; I've tried using Norton, NOD32 spyware removal, VundoBeGone, ATF Cleaner, etc.

I also have problems with hardware interrupts taking up 90-100% of my RAM; the IRQ for my video card is conflicting with network adapters and other things (might be normal since I don't have many slots), but this started when the Vundo appeared, so I think it's probably related.

I currently cannot access my computer in any mode besides Safe Mode w/ or w/o networking. I have 4-bit color in normal mode, and all it does is display my desktop without icons and freeze completely.

Rundll32.exe is also behaving strangely and launching browser helper objects, which Spybot blocks, thankfully. Anyway, here's my HijackThis log (from Safe Mode):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:04 AM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ecls.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bestbuy.msn.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5023] command /c del "C:\WINDOWS\SYSTEM32\ayqjtvrf.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3393] cmd /c del "C:\WINDOWS\SYSTEM32\ayqjtvrf.dll_old"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3273] command /c del "C:\WINDOWS\SYSTEM32\awtqo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1410] cmd /c del "C:\WINDOWS\SYSTEM32\awtqo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6891] command /c del "C:\WINDOWS\SYSTEM32\ayqjtvrf.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD927] cmd /c del "C:\WINDOWS\SYSTEM32\ayqjtvrf.dll_old"
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179102050295
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179102039998
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6252 bytes

If you fix this mess I will praise you as a god.

-moomoo2u

#2 Guest_Cretemonster_*

Posted 14 February 2008 - 03:46 PM

Hi moomoo2u and Welcome to the Bleeping Computer!

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#3 moomoo2u (Topic Starter)

Posted 14 February 2008 - 05:01 PM

Malwarebytes log (it seems to cut out halfway through the removal process, so no auto-logfile is saved; what you're seeing are the 2 logfiles I saved before I hit Remove Selected items after the scan; remember, I am in Safe Mode):

LOG 1:

Malwarebytes' Anti-Malware 1.03
Database version: 361

Scan type: Quick Scan
Objects scanned: 33727
Time elapsed: 5 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\awtsq.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{23d44bcf-aa7a-41d6-8905-e808f16322ef} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{23d44bcf-aa7a-41d6-8905-e808f16322ef} (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\awtqo.dll_old (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\oqtwa.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\oqtwa.ini2 (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\czhclutr.dllbox (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\geebx.dll_old (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\xbeeg.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\xbeeg.ini2 (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\hvsnjtey.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\yetjnsvh.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\hyjumrtw.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\wtrmujyh.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\lipqeduu.dllbox (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\lipqeduu.dll_old (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\awtsq.dll (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Main\Desktop\Help and Support Center.lnk (Rogue.Link) -> No action taken.


LOG 2:

Malwarebytes' Anti-Malware 1.03
Database version: 361

Scan type: Quick Scan
Objects scanned: 34545
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\awtsq.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\jfrecclr.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\mfrmyagd.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{944a230c-9e3a-42a2-8885-72b38a168812} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{944a230c-9e3a-42a2-8885-72b38a168812} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a95b2816-1d7e-4561-a202-68c0de02353a} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a95b2816-1d7e-4561-a202-68c0de02353a} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{11a69ae4-fbed-4832-a2bf-45af82825583} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{23d44bcf-aa7a-41d6-8905-e808f16322ef} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{23d44bcf-aa7a-41d6-8905-e808f16322ef} (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtsq.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtsq.dll -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\awtqo.dll_old (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\oqtwa.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\oqtwa.ini2 (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\awtsq.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\qstwa.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\qstwa.ini2 (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\czhclutr.dllbox (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\geebx.dll_old (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\xbeeg.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\xbeeg.ini2 (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\hvsnjtey.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\yetjnsvh.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\hyjumrtw.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\wtrmujyh.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\jfrecclr.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\rlccerfj.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\lipqeduu.dllbox (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\lipqeduu.dll_old (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\mfrmyagd.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\mfrmyagd.dllbox (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Main\Desktop\Help and Support Center.lnk (Rogue.Link) -> No action taken.




Hijack This! log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:49 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spyware Doctor\sdloader.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bestbuy.msn.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [f89a5f8b] rundll32.exe "C:\WINDOWS\system32\jfrecclr.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA5023] command /c del "C:\WINDOWS\SYSTEM32\ayqjtvrf.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3393] cmd /c del "C:\WINDOWS\SYSTEM32\ayqjtvrf.dll_old"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA319] command /c del "C:\WINDOWS\SYSTEM32\awtqo.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6771] cmd /c del "C:\WINDOWS\SYSTEM32\awtqo.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9569] command /c del "C:\WINDOWS\SYSTEM32\geebx.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8694] cmd /c del "C:\WINDOWS\SYSTEM32\geebx.dll_old"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3273] command /c del "C:\WINDOWS\SYSTEM32\awtqo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1410] cmd /c del "C:\WINDOWS\SYSTEM32\awtqo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6891] command /c del "C:\WINDOWS\SYSTEM32\ayqjtvrf.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD927] cmd /c del "C:\WINDOWS\SYSTEM32\ayqjtvrf.dll_old"
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179102050295
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179102039998
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6632 bytes


None of them seem to be finding mljiigh.dll, which I know to be infected...

hope this helps!
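The two logs above show the pattern a helper looks for: a Run entry that uses rundll32.exe to load a random-named DLL from system32, an LSA "Authentication Packages" value pointing at that same DLL (so it is loaded into lsass.exe at boot and stays locked), and every detection still marked "No action taken". The following Python script is an added example, not code from the thread, from Malwarebytes or from Trend Micro; it parses a few constructed lines in the shape of the posted HijackThis and MBAM logs (the file names are the ones reported above, the "Quarantined" line is invented for contrast) and pulls out exactly those three facts.

```python
import re

# Constructed sample input in the shape of the HijackThis log posted above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [f89a5f8b] rundll32.exe "C:\WINDOWS\system32\jfrecclr.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA5023] command /c del "C:\WINDOWS\SYSTEM32\ayqjtvrf.dll_old"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# Constructed sample input in the shape of the Malwarebytes' Anti-Malware log
# posted above (the last "Quarantined" line is invented for contrast).
MBAM_SAMPLE = r"""
Memory Modules Infected:
C:\WINDOWS\SYSTEM32\awtsq.dll (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtsq.dll -> No action taken.

Files Infected:
C:\WINDOWS\SYSTEM32\awtsq.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\hvsnjtey.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# HijackThis O4 line: hive, Run/RunOnce, value name in brackets, then the command.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# rundll32 invoking a DLL with an export name or ordinal after the comma.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S*)', re.IGNORECASE)
# Auto-generated value names of the kind seen in the log ("f89a5f8b").
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


def suspicious_o4_entries(log_text):
    """Flag Run/RunOnce entries that use rundll32 as a loader for a DLL.
    These are heuristics: some legitimate entries also use rundll32, so a
    flagged line is a lead for a human, not a verdict."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        r = RUNDLL_RE.search(m.group("cmd"))
        if not r:
            continue
        reasons = ["rundll32 used as a loader"]
        if HEX_NAME_RE.match(m.group("name")):
            reasons.append("random hex value name")
        if "\\system32\\" in r.group("dll").lower():
            reasons.append("DLL sitting in system32")
        findings.append({"hive": m.group("hive"), "key": m.group("key"),
                         "name": m.group("name"), "dll": r.group("dll"),
                         "export": r.group("export"), "reasons": reasons})
    return findings


# MBAM log: a section header, then one detection per line with its action.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^)]+)\)(?: -> Data: (?P<data>.+?))? -> (?P<action>.+?)\.?$")


def parse_mbam(log_text):
    """Turn the per-section detection lines of an MBAM log into records."""
    records, section = [], None
    for line in log_text.splitlines():
        s = SECTION_RE.match(line)
        if s:
            section = s.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            records.append({"section": section, **m.groupdict()})
    return records


def unresolved(records):
    """Detections MBAM listed but did not remove ('No action taken'), which is
    the state both logs in this thread are in."""
    return [r for r in records if r["action"].startswith("No action taken")]


def lsa_auth_packages(records):
    """Data written into LSA 'Authentication Packages'. Anything beyond the
    default msv1_0 is a DLL loaded into lsass.exe at boot, so the file is in
    use and cannot simply be deleted until that value is cleaned up."""
    return [r["data"] for r in records
            if r["item"].lower().endswith("\\authentication packages") and r["data"]]


if __name__ == "__main__":
    for f in suspicious_o4_entries(HJT_SAMPLE):
        print(f"{f['hive']}\\{f['key']} [{f['name']}] -> {f['dll']},{f['export']}: "
              + ", ".join(f["reasons"]))
    recs = parse_mbam(MBAM_SAMPLE)
    print(f"{len(unresolved(recs))} of {len(recs)} detections still 'No action taken'")
    for d in lsa_auth_packages(recs):
        print("LSA Authentication Packages entry:", d)
```

Run it against a saved log by replacing the two sample strings with the file contents; the O4 check is the quickest way to spot the loader line in a long HijackThis log, and a non-empty result from the "No action taken" filter is the same thing the helper points out at the end of this thread.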

#4 moomoo2u (Topic Starter)

Posted 14 February 2008 - 05:09 PM

Also, when things tell me to reboot, should I bring the comp into Safe Mode, or should I let it try to enter my normal setup (freezes upon loading)?

#5 moomoo2u (Topic Starter)

Posted 14 February 2008 - 08:49 PM

Update!

I seem to have removed all the trojans (hopefully); none of my scans reveal anything in Safe Mode, and I am now able to enter my computer normally.

However, I'm still in 4-bit color, and my computer still freezes if I attempt to do anything involving Explorer...

#6 moomoo2u (Topic Starter)

Posted 15 February 2008 - 12:29 AM

Fixed everything.

#7 Guest_Cretemonster_*

Posted 15 February 2008 - 05:38 AM

Make sure that everything is checked, and click Remove Selected.

It would appear you skipped this part?
