
Hijack this log, please help Diagnose


  • This topic is locked
2 replies to this topic

#1 Jubilateur

  • Members
  • 1 posts

Posted 06 October 2005 - 05:31 AM

Here is my log. I just can't get rid of spysheriff...

Logfile of HijackThis v1.99.1
Scan saved at 06:23:12, on 2005-10-05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\kernels32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\efsdfgxg.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\sysvcs.exe
C:\winstall.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame6.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame6.exe
C:\WINDOWS\System32\vxgame4.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Bob\Desktop\Hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: - {03a0cb83-e2db-46ec-81e8-a6be27e447ee} - C:\WINDOWS\System32\vi.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: - {06886800-033c-4191-bf8c-9e98d2602f19} - C:\WINDOWS\System32\jgmjgj.dll
O2 - BHO: - {11a6ea24-88b7-4dc3-995d-ab02a7038bf7} - C:\WINDOWS\System32\jgrv.dll
O2 - BHO: XBTB00429 - {1395A06F-EEA0-4445-BA0C-E8B56B48E244} - C:\PROGRA~1\CRAMTO~1\untitled.dll (file missing)
O2 - BHO: - {1fa06cd8-85e6-412d-b1f2-e8095dd1c72a} - C:\WINDOWS\System32\dfi.dll
O2 - BHO: - {24e6c405-ceb4-4ced-a423-c541bd18c0cc} - C:\WINDOWS\System32\jgmjgj.dll
O2 - BHO: - {25bc4c25-41c2-41aa-a3b3-d9ec95ac8f2a} - C:\WINDOWS\System32\dfbviv.dll
O2 - BHO: - {26b2137e-dbe4-42e6-bace-0ef6e0b05c5e} - C:\WINDOWS\System32\jgmn.dll
O2 - BHO: - {2d180804-54df-440c-acfa-f3aa0f89da79} - C:\WINDOWS\System32\n.dll
O2 - BHO: - {2fc05484-9a75-45b4-8a7a-d58f0be880f2} - C:\WINDOWS\System32\jgmn.dll
O2 - BHO: - {32cb9b1d-d545-4004-8d49-2d20be17297e} - C:\WINDOWS\System32\dfbdf.dll
O2 - BHO: - {3385f9ed-285c-438e-99c4-3182a4182460} - C:\WINDOWS\System32\jgmjgjgl.dll
O2 - BHO: - {349dfd9d-c7e6-4217-a567-551d00435ede} - C:\WINDOWS\System32\vi.dll
O2 - BHO: - {38a9c498-c4fc-41d6-8a5e-1457bedcc72c} - C:\WINDOWS\System32\dfbdfpt.dll
O2 - BHO: - {405e83bc-d11c-4e32-93cd-3493666edf38} - C:\WINDOWS\System32\jgpviv.dll
O2 - BHO: - {42ea3c44-61c3-44f4-93c9-17058bfb6e07} - C:\WINDOWS\System32\jgohn.dll
O2 - BHO: - {4e603fb1-2a76-471f-a2fd-fa238863b6f7} - C:\WINDOWS\System32\dfbdfdf.dll
O2 - BHO: - {4ee4e78b-5cd4-41e3-b6d9-63e3e8c11179} - C:\WINDOWS\System32\j.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: - {70279825-b4e1-4e6c-bf64-c13902f8fff8} - C:\WINDOWS\System32\jgp.dll
O2 - BHO: - {7f530aa6-f0c5-43ec-94a1-0dfba66a4688} - C:\WINDOWS\System32\jgqvivs.dll
O2 - BHO: - {809eaef4-e065-4f86-9c2b-cf322876b42c} - C:\WINDOWS\System32\phxp.dll
O2 - BHO: - {832184a0-8a5d-4e6b-8c07-3426fddd713d} - C:\WINDOWS\System32\pkznrpth.dll
O2 - BHO: - {8777c05e-a610-4149-9d1b-c6c5284eeec0} - C:\WINDOWS\System32\z.dll
O2 - BHO: - {889ec1c5-b9bf-494d-9264-07bbf1bdbb78} - C:\WINDOWS\System32\ph.dll
O2 - BHO: - {8b7de3b1-9972-4c6d-886f-1a5173afd4bf} - C:\WINDOWS\System32\viul.dll
O2 - BHO: - {8cd5f3a1-f553-4acb-b685-e75115d7ab78} - C:\WINDOWS\System32\jgrpc.dll
O2 - BHO: - {8eba89bc-1a63-488b-acd9-fc26070cffae} - C:\WINDOWS\System32\dfbvivil.dll
O2 - BHO: - {8f1585f1-283e-4002-80a3-c4a5e08fcf1d} - C:\WINDOWS\System32\jgmjgj.dll
O2 - BHO: - {90b4a9e1-4310-42f1-a1f2-6d61a7b905c0} - C:\WINDOWS\System32\dfbv.dll
O2 - BHO: - {959e439f-4a60-4c91-9e6b-1275b3367ee1} - C:\WINDOWS\System32\jgrvlhn.dll
O2 - BHO: - {9cac356e-2006-44a7-9dab-c8dc424618b4} - C:\WINDOWS\System32\phy.dll
O2 - BHO: PopupKillerIEDLL.CPopupKillerIEDLL - {A09790E7-DD00-4A83-B632-5B563423CFBB} - C:\Program Files\PopupKillerTracksEraser\PopupKillerIEDLL.dll
O2 - BHO: - {a2f62871-53b5-4cca-934c-ec8100d2e5b4} - C:\WINDOWS\System32\phjxv.dll
O2 - BHO: - {a83f9aec-ff72-450f-b4bd-1d75f3f159a3} - C:\WINDOWS\System32\dfb.dll
O2 - BHO: - {bae2123b-d9f6-44e1-9871-18616a9c562a} - C:\WINDOWS\System32\jgmjg.dll
O2 - BHO: - {bd92030d-9d67-48a8-b484-373d8874bd33} - C:\WINDOWS\System32\vit.dll
O2 - BHO: - {c413f35a-0972-4a99-a9bc-698270289873} - C:\WINDOWS\System32\jgq.dll
O2 - BHO: - {cb0cf353-dbdc-454b-a997-9ab42b356c9d} - C:\WINDOWS\System32\dfbdfdf.dll
O2 - BHO: - {dfe3b4f0-5d43-4c79-8452-0e92719a73fe} - C:\WINDOWS\System32\jgmjgjgd.dll
O2 - BHO: - {e3089557-3fea-4227-a85a-ab486af99812} - C:\WINDOWS\System32\dfbdfbmt.dll
O2 - BHO: - {ebd0ec46-330d-46bb-9a27-3af4a582916f} - C:\WINDOWS\System32\visbzr.dll
O2 - BHO: - {ebe8d81b-3761-4cac-bb03-bb1f600eb49d} - C:\WINDOWS\System32\jgrvihn.dll
O2 - BHO: - {f0f9e528-5ee2-409b-a96d-a5fa0155421b} - C:\WINDOWS\System32\l.dll
O2 - BHO: - {f40dcf8c-4dec-4b19-a163-338c82763b3a} - C:\WINDOWS\System32\phiztz.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSetupPatch] C:\PROGRA~1\Creative\CTSetup\CtSetup.Exe -S -P -3
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\efsdfgxg.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\RunServices: [Explorer64] C:\WINDOWS\System32\efsdfgxg.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_201755] C:\WINDOWS\System32\ActiveScan\pavdr.exe 201755
O4 - HKLM\..\RunOnce: [Panda_cleaner_201752] C:\WINDOWS\System32\ActiveScan\pavdr.exe 201752
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aeao] "C:\Program Files\draa\stal.exe" -vt mt
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D16B7F8-79BB-4386-88D4-1167A3633B71}: NameServer = 85.255.113.99,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{142B6BFD-7140-40AA-B28E-5FD77ABE2D6F}: NameServer = 85.255.113.99,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B93DBC8-A23C-4D29-BBB2-A5A56287D6CF}: NameServer = 85.255.113.99,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FD3FBAE-EC75-48CD-AEB7-C4B5F306323D}: NameServer = 85.255.113.99,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1DBBFD0-9EC2-47E4-89C7-08C200444727}: NameServer = 85.255.113.99,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADF62FCE-38A7-43EE-BEA6-96AAE4C5C7C4}: NameServer = 85.255.113.99 85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBDB7F9D-C0D8-4BC4-A0D2-634E756597AF}: NameServer = 85.255.113.99,85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D16B7F8-79BB-4386-88D4-1167A3633B71}: NameServer = 85.255.113.99,85.255.112.24
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D16B7F8-79BB-4386-88D4-1167A3633B71}: NameServer = 85.255.113.99,85.255.112.24
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\msdhmd.dll
O21 - SSODL: Norton Ghost 2001 - {BC8A81F7-4FD1-7FA1-75B5-6485F00628BE} - c:\program files\symantec\norton ghost 2001\wwdbl6.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



Thanks for your time


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 October 2005 - 07:26 AM

Hello,
What a nasty log, let's get that fixed asap!!

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

* Please uninstall PartyPoker and reboot.

You also have a nasty infection that won't go away just like that, so let's get rid of that one first..

* Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\WINDOWS\System32\kernels32.exe

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now. Click Yes/ok
Your system must reboot now.

After reboot...

* Download smitRem and save the file to your desktop.
Double-click it and choose install. This will create a new folder on your desktop with the name smitrem.

* I see you already have Ewido installed...
Update the definitions to the newest files. Do NOT run a scan yet.

* If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

* Reboot into Safe Mode (without networking support!):
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: - {03a0cb83-e2db-46ec-81e8-a6be27e447ee} - C:\WINDOWS\System32\vi.dll
O2 - BHO: - {06886800-033c-4191-bf8c-9e98d2602f19} - C:\WINDOWS\System32\jgmjgj.dll
O2 - BHO: - {11a6ea24-88b7-4dc3-995d-ab02a7038bf7} - C:\WINDOWS\System32\jgrv.dll
O2 - BHO: XBTB00429 - {1395A06F-EEA0-4445-BA0C-E8B56B48E244} - C:\PROGRA~1\CRAMTO~1\untitled.dll (file missing)
O2 - BHO: - {1fa06cd8-85e6-412d-b1f2-e8095dd1c72a} - C:\WINDOWS\System32\dfi.dll
O2 - BHO: - {24e6c405-ceb4-4ced-a423-c541bd18c0cc} - C:\WINDOWS\System32\jgmjgj.dll
O2 - BHO: - {25bc4c25-41c2-41aa-a3b3-d9ec95ac8f2a} - C:\WINDOWS\System32\dfbviv.dll
O2 - BHO: - {26b2137e-dbe4-42e6-bace-0ef6e0b05c5e} - C:\WINDOWS\System32\jgmn.dll
O2 - BHO: - {2d180804-54df-440c-acfa-f3aa0f89da79} - C:\WINDOWS\System32\n.dll
O2 - BHO: - {2fc05484-9a75-45b4-8a7a-d58f0be880f2} - C:\WINDOWS\System32\jgmn.dll
O2 - BHO: - {32cb9b1d-d545-4004-8d49-2d20be17297e} - C:\WINDOWS\System32\dfbdf.dll
O2 - BHO: - {3385f9ed-285c-438e-99c4-3182a4182460} - C:\WINDOWS\System32\jgmjgjgl.dll
O2 - BHO: - {349dfd9d-c7e6-4217-a567-551d00435ede} - C:\WINDOWS\System32\vi.dll
O2 - BHO: - {38a9c498-c4fc-41d6-8a5e-1457bedcc72c} - C:\WINDOWS\System32\dfbdfpt.dll
O2 - BHO: - {405e83bc-d11c-4e32-93cd-3493666edf38} - C:\WINDOWS\System32\jgpviv.dll
O2 - BHO: - {42ea3c44-61c3-44f4-93c9-17058bfb6e07} - C:\WINDOWS\System32\jgohn.dll
O2 - BHO: - {4e603fb1-2a76-471f-a2fd-fa238863b6f7} - C:\WINDOWS\System32\dfbdfdf.dll
O2 - BHO: - {4ee4e78b-5cd4-41e3-b6d9-63e3e8c11179} - C:\WINDOWS\System32\j.dll
O2 - BHO: - {70279825-b4e1-4e6c-bf64-c13902f8fff8} - C:\WINDOWS\System32\jgp.dll
O2 - BHO: - {7f530aa6-f0c5-43ec-94a1-0dfba66a4688} - C:\WINDOWS\System32\jgqvivs.dll
O2 - BHO: - {809eaef4-e065-4f86-9c2b-cf322876b42c} - C:\WINDOWS\System32\phxp.dll
O2 - BHO: - {832184a0-8a5d-4e6b-8c07-3426fddd713d} - C:\WINDOWS\System32\pkznrpth.dll
O2 - BHO: - {8777c05e-a610-4149-9d1b-c6c5284eeec0} - C:\WINDOWS\System32\z.dll
O2 - BHO: - {889ec1c5-b9bf-494d-9264-07bbf1bdbb78} - C:\WINDOWS\System32\ph.dll
O2 - BHO: - {8b7de3b1-9972-4c6d-886f-1a5173afd4bf} - C:\WINDOWS\System32\viul.dll
O2 - BHO: - {8cd5f3a1-f553-4acb-b685-e75115d7ab78} - C:\WINDOWS\System32\jgrpc.dll
O2 - BHO: - {8eba89bc-1a63-488b-acd9-fc26070cffae} - C:\WINDOWS\System32\dfbvivil.dll
O2 - BHO: - {8f1585f1-283e-4002-80a3-c4a5e08fcf1d} - C:\WINDOWS\System32\jgmjgj.dll
O2 - BHO: - {90b4a9e1-4310-42f1-a1f2-6d61a7b905c0} - C:\WINDOWS\System32\dfbv.dll
O2 - BHO: - {959e439f-4a60-4c91-9e6b-1275b3367ee1} - C:\WINDOWS\System32\jgrvlhn.dll
O2 - BHO: - {9cac356e-2006-44a7-9dab-c8dc424618b4} - C:\WINDOWS\System32\phy.dll
O2 - BHO: - {a2f62871-53b5-4cca-934c-ec8100d2e5b4} - C:\WINDOWS\System32\phjxv.dll
O2 - BHO: - {a83f9aec-ff72-450f-b4bd-1d75f3f159a3} - C:\WINDOWS\System32\dfb.dll
O2 - BHO: - {bae2123b-d9f6-44e1-9871-18616a9c562a} - C:\WINDOWS\System32\jgmjg.dll
O2 - BHO: - {bd92030d-9d67-48a8-b484-373d8874bd33} - C:\WINDOWS\System32\vit.dll
O2 - BHO: - {c413f35a-0972-4a99-a9bc-698270289873} - C:\WINDOWS\System32\jgq.dll
O2 - BHO: - {cb0cf353-dbdc-454b-a997-9ab42b356c9d} - C:\WINDOWS\System32\dfbdfdf.dll
O2 - BHO: - {dfe3b4f0-5d43-4c79-8452-0e92719a73fe} - C:\WINDOWS\System32\jgmjgjgd.dll
O2 - BHO: - {e3089557-3fea-4227-a85a-ab486af99812} - C:\WINDOWS\System32\dfbdfbmt.dll
O2 - BHO: - {ebd0ec46-330d-46bb-9a27-3af4a582916f} - C:\WINDOWS\System32\visbzr.dll
O2 - BHO: - {ebe8d81b-3761-4cac-bb03-bb1f600eb49d} - C:\WINDOWS\System32\jgrvihn.dll
O2 - BHO: - {f0f9e528-5ee2-409b-a96d-a5fa0155421b} - C:\WINDOWS\System32\l.dll
O2 - BHO: - {f40dcf8c-4dec-4b19-a163-338c82763b3a} - C:\WINDOWS\System32\phiztz.dll
O4 - HKLM\..\Run: [CTSetupPatch] C:\PROGRA~1\Creative\CTSetup\CtSetup.Exe -S -P -3
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\efsdfgxg.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\RunServices: [Explorer64] C:\WINDOWS\System32\efsdfgxg.exe
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Aeao] "C:\Program Files\draa\stal.exe" -vt mt
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D16B7F8-79BB-4386-88D4-1167A3633B71}: NameServer = 85.255.113.99,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{142B6BFD-7140-40AA-B28E-5FD77ABE2D6F}: NameServer = 85.255.113.99,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B93DBC8-A23C-4D29-BBB2-A5A56287D6CF}: NameServer = 85.255.113.99,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FD3FBAE-EC75-48CD-AEB7-C4B5F306323D}: NameServer = 85.255.113.99,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1DBBFD0-9EC2-47E4-89C7-08C200444727}: NameServer = 85.255.113.99,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADF62FCE-38A7-43EE-BEA6-96AAE4C5C7C4}: NameServer = 85.255.113.99 85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBDB7F9D-C0D8-4BC4-A0D2-634E756597AF}: NameServer = 85.255.113.99,85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D16B7F8-79BB-4386-88D4-1167A3633B71}: NameServer = 85.255.113.99,85.255.112.24
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D16B7F8-79BB-4386-88D4-1167A3633B71}: NameServer = 85.255.113.99,85.255.112.24
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\msdhmd.dll
O21 - SSODL: Norton Ghost 2001 - {BC8A81F7-4FD1-7FA1-75B5-6485F00628BE} - c:\program files\symantec\norton ghost 2001\wwdbl6.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\efsdfgxg.exe
C:\WINDOWS\System32\sysvcs.exe
C:\winstall.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame6.exe
C:\Program Files\draa <== folder
C:\WINDOWS\System32\msdhmd.dll

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Open Ad-aware and do a full scan. Remove all it finds.

* Go to start > run, copy and paste the next command: ipconfig /flushdns and click OK

* Now open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Close Ewido

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there. (except for "My current home page")

* Reboot back into Windows.

* Perform an online scan with Kaspersky WebScanner

Click "Launch Kaspersky Anti-Virus Web Scanner"
You will be prompted if you want to install an ActiveX component from Kaspersky, click yes.
This will start downloading the latest definition files.
Once the files have been downloaded click on "Next"

* Click "Scan Settings"
Select the following in Scan Settings (normally they are already selected by default)

°Scan using the following Anti-Virus database: Standard

°Scan Options: Scan Archives
Scan Mail Bases

* Click OK
* Under select a target to scan, select "My Computer"

* This program will start to scan your system.
The scan will take a while so be patient and let it run.
When the scan is done, it will show a list of infected files found.

* Click on the "Save as Text"- button:
Save the scan log and post it along with a new HijackThis Log, the log smitfiles.txt (which you will find on your C:\) and the Ewido Log by using Add Reply.

If there are connection problems:
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category, otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.

Press OK twice to get out of the properties screen and reboot if it asks.

It is possible that, after the reboot, your system is using the Windows classic theme again.
To restore this and set it back to the XP theme, right-click on your desktop > Properties > tab Appearance and choose Windows XP style again under Windows and buttons.
Click apply and OK.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
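The fix list above was built by reading the log in post #1 by hand. As an added example (not part of the thread, and not HijackThis's own classification), the script below applies the same heuristics mechanically to a constructed excerpt of that log: a Shell= value that runs anything besides Explorer.exe, BHOs with no name whose DLL lives in System32, autostart entries that name a bare executable (resolved through the PATH search order) or sit under the Windows 9x-era RunServices key, O17 NameServer overrides that do not match the resolvers you expect, and a text/html MIME filter. It then cross-references the running process list so that files still loaded are called out, which is why the reply uses HijackThis's delete-on-reboot for kernels32.exe. The rule names, the `expected_dns` parameter and the sample excerpt are assumptions of this example.

```python
import re
from ipaddress import ip_address

# Constructed excerpt of a HijackThis v1.99.1 log. The entries are copied from
# the log posted in this thread so the checks can be exercised offline.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\explorer.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: - {03a0cb83-e2db-46ec-81e8-a6be27e447ee} - C:\WINDOWS\System32\vi.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\RunServices: [Explorer64] C:\WINDOWS\System32\efsdfgxg.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D16B7F8-79BB-4386-88D4-1167A3633B71}: NameServer = 85.255.113.99,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADF62FCE-38A7-43EE-BEA6-96AAE4C5C7C4}: NameServer = 85.255.113.99 85.255.112.24
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\msdhmd.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# Line shapes as HijackThis 1.99 prints them (name may be empty for a BHO).
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) ?- \{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\(?P<key>\w+): \[[^\]]*\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .+: NameServer = (?P<servers>.+)$")
O18_RE = re.compile(r"^O18 - Filter: (?P<mime>\S+) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")


def command_target(cmd):
    """Executable an autostart command points at ("quoted path" args | path args)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def triage(log_text, expected_dns=()):
    """Return (category, log line, detail) findings for one HijackThis log.

    expected_dns: resolvers that are legitimate for this machine (assumption:
    supplied by the analyst); any other static NameServer is reported.
    """
    expected = {ip_address(ip) for ip in expected_dns}
    processes, autostarts, findings = [], [], []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:           # process list runs until the first blank line
            if line:
                processes.append(line)
            else:
                in_processes = False
            continue
        if m := F2_RE.match(line):
            # Shell= must be exactly Explorer.exe; every extra token is a hijack.
            for tok in m["shell"].split():
                if tok.lower() != "explorer.exe":
                    findings.append(("shell-hijack", line, tok))
        elif m := BHO_RE.match(line):
            unnamed = m["name"].strip() in ("", "(no name)")
            if unnamed and "\\system32\\" in m["path"].lower():
                findings.append(("unnamed-bho", line, m["path"]))
        elif m := O4_RE.match(line):
            target = command_target(m["cmd"])
            autostarts.append((line, target))
            if "\\" not in target:
                findings.append(("bare-autostart", line, target))
            elif m["key"].lower() == "runservices":
                findings.append(("runservices", line, target))
        elif m := O17_RE.match(line):
            servers = set()
            # The log shows both "a,b" and "a b"; accept either separator.
            for tok in re.split(r"[,\s]+", m["servers"].strip()):
                try:
                    servers.add(ip_address(tok))
                except ValueError:
                    pass
            unexpected = sorted(servers - expected)
            if unexpected:
                findings.append(("dns-override", line, ",".join(map(str, unexpected))))
        elif m := O18_RE.match(line):
            if m["mime"].lower() == "text/html":   # hooks every HTML page IE renders
                findings.append(("html-filter", line, m["path"]))

    # Second pass: anything else that loads an already-flagged file is flagged too.
    flagged = {d.lower() for _, _, d in findings if "\\" in d}
    flagged_lines = {l for _, l, _ in findings}
    for line, target in autostarts:
        if target.lower() in flagged and line not in flagged_lines:
            findings.append(("references-flagged", line, target))
    for proc in processes:
        if proc.lower() in flagged:   # loaded right now: needs delete-on-reboot
            findings.append(("running-flagged", proc, proc))
    return findings


def cleanup_candidates(findings):
    """Full paths named by the findings, i.e. the files to remove."""
    return sorted({d for _, _, d in findings if "\\" in d}, key=str.lower)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for category, line, detail in found:
        print(f"[{category:18}] {line}")
    print("delete:", *cleanup_candidates(found), sep="\n  ")
```

Two things the output makes visible. First, kernels32.exe is reported three times (Shell= value, Run entry, running process), which is exactly the file the reply removes first with delete-on-reboot: deleting it from Explorer while it is the registered shell would fail or be undone. Second, vxgame3.exe is not flagged, because nothing in the log references it; the analyst knew it from experience and from the process list. A log parser narrows the work, it does not replace the file-level check, which is what the smitRem, Ewido and Kaspersky steps supply. Passing `expected_dns=["85.255.113.99", "85.255.112.24"]` silences the O17 findings, so keep that list to the resolvers your ISP or DHCP actually hands out.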

#3 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 October 2005 - 04:08 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.