
Help Required Please. Random Music And Promotion Sounds And Popups (for Winanti Virus Pro 2007)


This topic is locked
57 replies to this topic

#1 Twilight.

Posted 25 April 2007 - 10:13 PM

Hi, for the past week or so, my speakers just start playing this week rock kind of music with this strange guy talking, or there would be this sound of a girl trying to sell a product (like the ones on TV). Also I've been getting popups for WinAntiVirus Pro 2007. Any help would be greatly appreciated, thanks.

Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:10:05 PM, on 4/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\ie_updater.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\wnset.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\bwbkscxb.dll",realset
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: VTAgentReboot.exe
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {00330010-0000-0000-0000-000020060010} - http://207.234.185.217/ABoxInst_int22.exe
O16 - DPF: {05574F48-FEE1-4A0A-9013-B8A85C7C6CCE} - http://www.muiegaozsicur.com/ocx/can_ver20a.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137018220593
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151203866890
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\ie_updater.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Once again, thanks.
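The log above is the kind of thing a helper reads by eye, section by section. The script below is an added example (not part of this thread, and not a HijackThis feature) that applies the same first-pass reading to a HijackThis v1.99 log: it flags processes running from a TEMP directory or from the root of Documents and Settings, O4 Run entries that load a DLL through rundll32.exe, any O15 Trusted Zone addition, O16 ActiveX downloads from a bare IP or from a host outside a small allowlist, and O23 services with no publisher whose binary sits outside Windows or Program Files. The sample log is constructed from a subset of the lines posted above; the vendor allowlist and the path heuristics are assumptions chosen for the example, and a hit means "review this", not "this is malware".

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on a subset of the HijackThis log posted above
# (part of the Running processes block plus a few O4/O15/O16/O23 entries).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\ie_updater.exe
C:\WINDOWS\TEMP\wnset.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\bwbkscxb.dll",realset
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {00330010-0000-0000-0000-000020060010} - http://207.234.185.217/ABoxInst_int22.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\ie_updater.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Assumption for this example: vendors whose O16 ActiveX downloads are expected.
TRUSTED_DPF_DOMAINS = ("microsoft.com", "msn.com")

# HijackThis entries look like "O4 - ..." / "R3 - ..."; everything else is a path or header.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _host_of(url):
    return (urlparse(url).hostname or "").lower()


def _trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)


def _check_process(path):
    """Heuristics for the Running processes block."""
    p = path.lower()
    if "\\temp\\" in p:
        return "executable running from a TEMP directory"
    # A file directly under the profile root, i.e. not inside any user's folder.
    if re.match(r"^c:\\documents and settings\\[^\\]+$", p):
        return "executable running from the root of Documents and Settings"
    return None


def _check_entry(section, body):
    """Heuristics for the O-numbered entries."""
    low = body.lower()
    if section == "O4" and "rundll32" in low and ".dll" in low:
        return "Run entry loads a DLL through rundll32.exe; verify the DLL's origin"
    if section == "O15":
        return "host added to the IE Trusted Zone (relaxes security for that site)"
    if section == "O16":
        host = _host_of(body.rsplit(" - ", 1)[-1].strip())
        if IPV4_RE.match(host):
            return "ActiveX control fetched from a bare IP address"
        if not _trusted_host(host):
            return "ActiveX control from a host outside the allowlist"
    if section == "O23" and "unknown owner" in low:
        path = body.rsplit(" - ", 1)[-1].strip().lower()
        if "\\windows\\" not in path and "\\program files\\" not in path:
            return "service with no publisher, binary outside Windows/Program Files"
    return None


def triage(log_text):
    """Return (line, reason) pairs for the entries that deserve a closer look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            if in_processes:
                reason = _check_process(line)
                if reason:
                    findings.append((line, reason))
            continue
        in_processes = False  # first O/R entry ends the process list
        reason = _check_entry(*m.groups())
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the sample it reports six lines; the HP, iPod and Windows Genuine Advantage entries pass untouched, which is the point of the allowlist and path checks: the output is a short review list, not a verdict.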

#2 htv8

Posted 29 April 2007 - 10:34 AM

Hello Twilight., and welcome to BleepingComputer. I will be handling your log to help you get cleaned up.

Please take note of the following:
1. I will start working on your malware issues; this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,

htv8
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#3 Twilight.

Posted 29 April 2007 - 10:45 AM

Ah ok thanks so much htv8

#4 htv8

Posted 30 April 2007 - 06:38 PM

IMPORTANT
You have a Troj/Bckdr-QGB trojan backdoor infection. Troj/Bckdr-QGB is a backdoor trojan for the Windows platform. It includes backdoor trojan functionality to access the Internet and communicate with a remote server via HTTP. It spreads to network shares with weak passwords as a result of the backdoor trojan element receiving the appropriate command from a remote user.
In short: This piece of malware allows hackers to remotely control your computer, steal critical system information and download and execute files.

Due to the status of some of the files you have on your computer, I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer from the Internet until the computer can be cleaned. Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable - for email, banks, eBay, forums, etc. (Do not change passwords or do any financial transactions while using the infected computer because the attacker may get the new passwords and transaction information.) It would then be wise to contact your financial institutions to apprise them of your situation. To protect your information that may have been compromised, I recommend reading this reference: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?.


IMPORTANT
It is important that you have antivirus software running on your machine.
Your log doesn't show any antivirus software running. This is somewhat suicidal in today's digital world. If you have disabled your antivirus software, please re-enable it.
You need to install an antivirus program as soon as you can and run a complete scan of the computer. Please download and install one of these good (and free) products:
- Antivir
- Avast Free
- AVG Free
- Bitdefender Free

Install one of these products and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.
NOTE: Never install more than one antivirus program on your system. Several together can give problems and decrease the reliability of it seriously.

IMPORTANT
It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled your firewall, please re-enable it.
If you do not have a firewall installed, please download and install one of these good (and free) products:
- ZoneAlarm
- Comodo Free Firewall
- Outpost Firewall Free
- Sunbelt Personal Firewall (= Kerio) - learn more here

NOTE: Never install more than one firewall program on your system. Several together can give problems and decrease the reliability of it seriously.

Make sure to work through the steps in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding.

Step #1: renaming HijackThis
Navigate to C:\Program Files\Hijackthis\HijackThis.exe using My Computer or Windows Explorer and right-click on the HijackThis.exe file. Select the Rename option from the right-click menu and rename HijackThis.exe to fluffybunny.exe and press Enter.

Step #2: HijackThis scan
Scan with HijackThis (fluffybunny.exe) again and post a new HijackThis log.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#5 Twilight.

Posted 30 April 2007 - 10:46 PM

Hi,

Here is my new HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 10:41:19 PM, on 4/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\fluffybunny.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: C:\WINDOWS\system32\lfhs76ghf.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\system32\lfhs76ghf.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: VTAgentReboot.exe
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {00330010-0000-0000-0000-000020060010} - http://207.234.185.217/ABoxInst_int22.exe
O16 - DPF: {05574F48-FEE1-4A0A-9013-B8A85C7C6CCE} - http://www.muiegaozsicur.com/ocx/can_ver20a.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137018220593
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151203866890
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

And thanks so much for your detailed response.

#6 htv8

Posted 01 May 2007 - 09:27 AM

Hello there, Twilight..



Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is NOT available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: Jotti's malware scan (or VirusTotal.com scan)
First enable the viewing of hidden files in Windows XP by following these steps:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Remove the checkmark from the checkbox labelled "Hide file extensions for known file types".
6. Remove the checkmark from the checkbox labelled "Hide protected operating system files".
7. Select the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and shutdown My Computer.

Your computer is now configured to show all hidden system files and folders.

Now please go to http://virusscan.jotti.org/ and follow these steps to upload a file and scan it with Jotti's malware scan:
1. Click the Browse... button at the top of the page.
2. Navigate to this file if it is present: C:\WINDOWS\system32\lfhs76ghf.dll
3. Click Open.
4. Now click the Submit button (positioned next to the Browse... button) to upload the file.
5. Please be patient as the file will be scanned.
6. Once scanned, copy and paste the results in your next reply.

NOTE: In case Jotti is busy, try VirusTotal.com.

Step #2: Malware Submission
Please go to http://www.bleepingcomputer.com/submit-mal....php?channel=25 and follow these steps to submit malware to BleepingComputer.com for analysis:
1. In the Link to topic where this file was requested: field, please copy/paste the entire link to this topic.
2. Click the Browse… button.
3. Navigate to this file that I want you to submit (if it is present): C:\WINDOWS\system32\lfhs76ghf.dll
4. Click Open.
5. If you want to leave any comments, further information about the file, or contact information, you can fill in the desired information in the last field.
6. Click the Send File button to submit the requested file.

Step #3: VundoFix
You likely have a Vundo infection. Download VundoFix.exe to your Desktop to get rid of Vundo if it is present.
Download VundoFix.exe

Once downloaded, follow these steps to run VundoFix:
1. Double-click VundoFix.exe to run it.
2. Click the Scan for Vundo button.
3. Once it is done scanning, click the Remove Vundo button.
4. Click the Yes button at the prompt asking you if you want to remove the files.
NOTE: Once you click Yes, your Desktop will go blank as it starts removing Vundo.
5. When completed, it will prompt that it will reboot your computer. Click OK.
6. Post the entire contents of C:\vundofix.txt in your next reply.

NOTE: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from the second step - "2. Click the Scan for Vundo button" - when VundoFix appears upon rebooting.

Step #4: uninstall list creation
We need to use HijackThis to create an uninstall list. Please provide me an uninstall list by performing these steps:
1. Open HijackThis.
2. Click once on the Config... button.
3. Go to the Misc Tools section by clicking on the Misc Tools button on top of the screen.
4. Click on the Open Uninstall Manager... button. You'll see a list of currently installed programs.
5. Click on the Save list... button and specify where you would like to save the uninstall list.
6. Click Save.
When you press the Save button, Notepad will open up with the contents of that file.
7. Copy and paste the contents of that Notepad file (uninstall_list.txt) as a reply to this topic.

Step #5: HijackThis scan
Scan with HijackThis again and post a new HijackThis log.



So in your next reply, please post:
- the Jotti's malware scan results
- the contents of C:\vundofix.txt
- the uninstall list (uninstall_list.txt)
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the logs.

Edited by htv8, 01 May 2007 - 09:31 AM.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#7 Twilight.

Posted 01 May 2007 - 07:58 PM

Hi, here are the results of the Jotti scan.

Scanner results
Scan taken on 02 May 2007 00:50:37 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Agent.10000.38
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Downloader.Generic4.FWX
BitDefender
Found Trojan.Downloader.Small.ZBO
ClamAV
Found nothing
Dr.Web
Found Trojan.DownLoader.20662
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan-Downloader.Win32.Small.ddx
Fortinet
Found PossibleThreat
Kaspersky Anti-Virus
Found Trojan-Downloader.Win32.Small.ddx
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found Trj/Clicker.ABB
Rising Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found Trojan.DownLoader.20662
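A multi-engine result like the one above is easiest to read as a tally: how many engines flagged the file, and what name they agree on. The script below is an added example (not part of this thread, and not Jotti's own tooling) that parses the posted output into engine/verdict pairs, counts detections, and pulls out the most common naming tokens after dropping class words such as "Trojan" or "Win32"; it also answers the question the thread itself raises, whether the scanner installed on the machine (Avast, per the second HijackThis log) was among the engines that caught the file. The sample input is the Jotti text posted above, embedded verbatim; the list of tokens treated as generic is an assumption chosen for the example.

```python
import re
from collections import Counter

# The Jotti output posted above, embedded verbatim as the sample input.
JOTTI_RESULTS = """\
Scanner results
Scan taken on 02 May 2007 00:50:37 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Agent.10000.38
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Downloader.Generic4.FWX
BitDefender
Found Trojan.Downloader.Small.ZBO
ClamAV
Found nothing
Dr.Web
Found Trojan.DownLoader.20662
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan-Downloader.Win32.Small.ddx
Fortinet
Found PossibleThreat
Kaspersky Anti-Virus
Found Trojan-Downloader.Win32.Small.ddx
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found Trj/Clicker.ABB
Rising Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found Trojan.DownLoader.20662
"""

# Assumption for this example: tokens that name a malware class, a platform or a
# heuristic verdict rather than a family, so they are left out of the tally.
GENERIC_TOKENS = {"trojan", "trj", "tr", "win32", "possiblethreat"}


def parse_jotti(text):
    """Map each engine name to its verdict string, or None for 'Found nothing'."""
    results = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # The report alternates an engine line with a "Found ..." line.
    for engine, verdict_line in zip(lines, lines[1:]):
        if verdict_line.startswith("Found ") and not engine.startswith("Found "):
            verdict = verdict_line[len("Found "):].strip()
            results[engine] = None if verdict.lower() == "nothing" else verdict
    return results


def summarize(results):
    """Detection count plus the naming tokens the detecting engines share."""
    hits = {engine: v for engine, v in results.items() if v}
    tokens = Counter()
    for verdict in hits.values():
        for tok in re.split(r"[./\-_\s]+", verdict):
            tok = tok.lower()
            if not tok or tok.isdigit() or tok in GENERIC_TOKENS:
                continue
            if re.match(r"generic\d*$", tok):  # "Generic4" and friends carry no family
                continue
            tokens[tok] += 1
    return {
        "total": len(results),
        "detected": len(hits),
        "engines": sorted(hits),
        "top_tokens": tokens.most_common(3),
    }


def flagged_by(results, engine):
    """True if the named engine reported anything other than 'Found nothing'."""
    return results.get(engine) is not None


if __name__ == "__main__":
    parsed = parse_jotti(JOTTI_RESULTS)
    summary = summarize(parsed)
    print(f"{summary['detected']}/{summary['total']} engines flagged the file")
    print("shared naming tokens:", summary["top_tokens"])
    print("caught by the installed Avast:", flagged_by(parsed, "Avast"))
```

On the posted output this gives 9 of 18 engines, with "downloader" as the dominant token (six engines) and "small" next (three), while Avast is not among the nine. That split is the practical lesson of a multi-engine scan: a clean result from the one product installed locally is weak evidence on its own.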

#8 Twilight.

Posted 01 May 2007 - 08:20 PM

Hi again,
I ran VundoFix after I posted my first HijackThis log a while back. So here's my log from back then:


Attempting to delete C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\mlljh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mymbjvow.ini
C:\WINDOWS\system32\mymbjvow.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\nebytwac.dll
C:\WINDOWS\system32\nebytwac.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\neqtpffs.dll
C:\WINDOWS\system32\neqtpffs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ngfhhhuw.dll
C:\WINDOWS\system32\ngfhhhuw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ochxbiii.dll
C:\WINDOWS\system32\ochxbiii.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\omtvnjoi.dll
C:\WINDOWS\system32\omtvnjoi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pckxjosh.dll
C:\WINDOWS\system32\pckxjosh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pnxlrogl.dll
C:\WINDOWS\system32\pnxlrogl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ptgxboyv.dll
C:\WINDOWS\system32\ptgxboyv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pwykyhgs.dll
C:\WINDOWS\system32\pwykyhgs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pxmtsfjt.dll
C:\WINDOWS\system32\pxmtsfjt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qdcmufvf.dll
C:\WINDOWS\system32\qdcmufvf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qfjtlxoc.dll
C:\WINDOWS\system32\qfjtlxoc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qpgktgih.dll
C:\WINDOWS\system32\qpgktgih.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rggdkmgx.dll
C:\WINDOWS\system32\rggdkmgx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rrbhqqiy.dll
C:\WINDOWS\system32\rrbhqqiy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rwwxrhdv.dll
C:\WINDOWS\system32\rwwxrhdv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sftrdviw.dll
C:\WINDOWS\system32\sftrdviw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\slkqeage.dll
C:\WINDOWS\system32\slkqeage.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tbifoynp.dll
C:\WINDOWS\system32\tbifoynp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tukpdlcc.dll
C:\WINDOWS\system32\tukpdlcc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvuvst.dll
C:\WINDOWS\system32\tuvuvst.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\uhlsnxid.dll
C:\WINDOWS\system32\uhlsnxid.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vkngnhru.dll
C:\WINDOWS\system32\vkngnhru.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vqthbyev.dll
C:\WINDOWS\system32\vqthbyev.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wovjbmym.dll
C:\WINDOWS\system32\wovjbmym.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wpsuapwh.dll
C:\WINDOWS\system32\wpsuapwh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wxfgpwlg.dll
C:\WINDOWS\system32\wxfgpwlg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbbymhru.exe
C:\WINDOWS\system32\xbbymhru.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\xcllbame.dll
C:\WINDOWS\system32\xcllbame.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xirnuubv.dll
C:\WINDOWS\system32\xirnuubv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xmgtliqw.dll
C:\WINDOWS\system32\xmgtliqw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yckwdsnj.dll
C:\WINDOWS\system32\yckwdsnj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yebktxta.dll
C:\WINDOWS\system32\yebktxta.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yeoghacs.dll
C:\WINDOWS\system32\yeoghacs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ypqksfnr.dll
C:\WINDOWS\system32\ypqksfnr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yxmkupfq.dll
C:\WINDOWS\system32\yxmkupfq.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tuvuvst.dll
C:\WINDOWS\system32\tuvuvst.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.20

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 6:59:19 PM 4/26/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.20

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 11:36:22 PM 4/28/2007

Listing files found while scanning....


VundoFix V6.3.20

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 7:59:42 PM 5/1/2007

Listing files found while scanning....

No infected files were found.

I did another scan today though just in case.

#9 Twilight.

Posted 01 May 2007 - 08:23 PM

Hi,

Here is the uninstall list

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.8
Adobe Reader Japanese Fonts
Adobe Shockwave Player
Adobe Stock Photos 1.0
Age of Empires III
ATI Control Panel
ATI Decoder
ATI Display Driver
ATI HYDRAVISION
ATI Multimedia Center 9.01
ATITool Overclocking Utility
Audacity 1.2.6
avast! Antivirus
BitComet 0.75
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
COMODO Firewall Pro
CoreVorbis Audio Decoder (remove only)
DAO
Detto IntelliMover Demo
DivX
DivX Player
DivX Web Player
easy Internet sign-up
Google Desktop
Graphical Analysis
Hamachi 1.0.1.5
Hijackthis 1.99.1
HijackThis 1.99.1
hp center
hp deskjet 930c series (Remove only)
HP Digital Imaging Album Printing 1.0
HP Instant Support
HP Memories Disc
HP Photo and Imaging 1.1 - Photosmart Cameras
hp toolkit
Inactive HP Printer Drivers (Remove only)
Indeo® Software
Intel® 82845G Graphics Driver Software
InterVideo WinDVD 4
iPod for Windows 2005-10-12
iPod for Windows 2006-03-23
iTunes
J2SE Runtime Environment 5.0 Update 6
KBD
LEAD Vorbis Codec
LiveUpdate 3.1 (Symantec Corporation)
Logitech Desktop Messenger
Logitech QuickCam
Matroska Pack
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft Windows Journal Viewer
Mozilla Firefox (2.0.0.3)
MSXML 4.0 SP2 (KB927978)
MyDVD
Norton AntiVirus
NVIDIA Windows 2000/XP Display Drivers
ObjectDock
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
QuickTime
RecordNow
S3Display
S3Gamma2
S3Info2
S3Overlay
Security Task Manager 1.6f
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
ShowBiz
Simple Backup for My Pictures
Simple Installer - Multilanguage Version
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
Ventrilo Client
VideoLAN VLC media player 0.8.4a
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
WordPerfect Productivity Pack
WordPerfect Productivity Pack
Xfire (remove only)

#10 Twilight.

  • Topic Starter
  • Members
  • 40 posts

Posted 01 May 2007 - 08:26 PM

Hi,

Here is the new HijackThis scan.

Logfile of HijackThis v1.99.1
Scan saved at 8:21:23 PM, on 5/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijackthis\fluffybunny.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: C:\WINDOWS\system32\lfhs76ghf.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\system32\lfhs76ghf.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: VTAgentReboot.exe
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {00330010-0000-0000-0000-000020060010} - http://207.234.185.217/ABoxInst_int22.exe
O16 - DPF: {05574F48-FEE1-4A0A-9013-B8A85C7C6CCE} - http://www.muiegaozsicur.com/ocx/can_ver20a.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137018220593
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151203866890
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

And thanks once again for all your help that you have given me.

#11 htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 May 2007 - 10:23 AM

Hello there again, Twilight..



Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is NOT available. A printout of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


You most likely got infected through file sharing. I see BitComet 0.75 installed on your computer: a P2P/File Sharing (related) program. Aside from the obvious legal issues, file sharing is one of the primary ways through which people become infected with malware. Anytime you are running any type of P2P application, you are more prone to infection.
I suggest removing this program. If you agree, go to Start > Control Panel > Add/Remove Programs and remove BitComet 0.75.
If you do not want to uninstall the program, please at least refrain from using any peer-to-peer programs for the remainder of my fix.

Step #1: updating Java SE Runtime Environment (JRE)
Your Java is out of date. Older versions have vulnerabilities that malware can use and is using to infect systems. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them.
Please follow these steps to remove older version Java components:
1. Close all programs - especially your web browser - so that you have nothing open and are at your Desktop.
2. Go to Start > Control Panel > Add/Remove Programs and uninstall J2SE Runtime Environment 5.0 Update 6 if listed.
3. Once the old Java component is removed, reboot your computer.

Once rebooted, download and install the latest version of Java Runtime Environment (JRE) 6u1 by following these steps:
1. Go to http://java.sun.com/javase/downloads/index.jsp.
2. Scroll down to where it says "Java Runtime Environment (JRE) 6u1 … The Java SE Runtime Environment (JRE) allows end-users to run Java applications.".
3. Click the Download button to the right.
4. Review the License Agreement and then select the radio button labelled "Accept License Agreement".
The page will refresh.
5. Click on the link to download the Windows Offline Installation and save the file to your Desktop.
6. From your Desktop, double-click the jre-6u1-windows-i586-p.exe file to install the newest version.

Step #2: VundoFix
If not already downloaded, please download VundoFix.exe to your Desktop.
Download VundoFix.exe

Now please follow these steps:
1. Double-click VundoFix.exe to run VundoFix.
2. Click the Scan for Vundo button.
3. Once it is done scanning, click the Remove Vundo button.
4. If it says: "No infected files were found.", right-click inside the list box (white box) in the main VundoFix window.
5. Select the option labelled "Add more files?" from the menu that comes up. This will open a new VundoFix window.
6. In that window, copy the entire file path inside the CODE box below and paste it into the first (top) field:
C:\WINDOWS\system32\lfhs76ghf.dll
7. Click the Add File(s) button.
8. Click the Close Window button.
9. Click the Remove Vundo button.
10. Click the Yes button at the prompt asking you if you want to remove the files.
NOTE: Once you click Yes, your Desktop will go blank as it starts removing Vundo.
11. When completed, it will prompt that it will shut down your computer. Click OK.
12. Turn your computer back on.
13. Post the entire contents of C:\vundofix.txt in your next reply.

NOTE: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from the second step - "2. Click the Scan for Vundo button" - when VundoFix appears upon rebooting.

Step #3: HijackThis fix
Scan again with HijackThis. Put a checkmark by these entries if they are present, double-checking to be sure that only these entries are checked:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: C:\WINDOWS\system32\lfhs76ghf.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\system32\lfhs76ghf.dll
O4 - Global Startup: VTAgentReboot.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {00330010-0000-0000-0000-000020060010} - http://207.234.185.217/ABoxInst_int22.exe
O16 - DPF: {05574F48-FEE1-4A0A-9013-B8A85C7C6CCE} - http://www.muiegaozsicur.com/ocx/can_ver20a.CAB
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll


Only if you uninstalled BitComet 0.75 as recommended, please put a checkmark by these entries as well if they are present:
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm


Close all other windows - you should only see HijackThis on your Desktop - and then click the Fix checked button.

Step #4: removal of certain files
If not already enabled, please follow these steps to enable the viewing of hidden files in Windows XP:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Remove the checkmark from the checkbox labelled "Hide file extensions for known file types".
6. Remove the checkmark from the checkbox labelled "Hide protected operating system files".
7. Select the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and shut down My Computer.

Your computer is now configured to show all hidden system files and folders.

Reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.


Using Windows Explorer (to get there, right-click your Start button and go to Explore), please delete these files (if present):
C:\WINDOWS\system32\lfhs76ghf.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VTAgentReboot.exe

Reboot your computer to boot back into normal mode.

Step #5: HijackThis scan
Scan with HijackThis again and post a new HijackThis log.



So in your next reply, please post the entire contents of:
- C:\vundofix.txt
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the logs.

Edited by htv8, 02 May 2007 - 11:11 AM.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

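The entries htv8 singles out above follow a few recognisable patterns: an orphaned URLSearchHook, a BHO whose only "name" is its own DLL path, a bare executable in the all-users Startup folder, a site added to the IE Trusted Zone, and DPF downloads from a raw IP address or an unfamiliar host. The script below is an added example, not a tool from this thread or from HijackThis; it encodes those patterns as triage rules and runs them over a constructed excerpt made of entries copied from the log in post #10. The `TRUSTED_DPF_HOSTS` allowlist is an assumption an analyst would maintain, not something HijackThis provides.

```python
"""Heuristic triage of HijackThis 1.99.1 log entries (added example)."""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Assumption: an analyst-maintained allowlist of hosts that legitimately serve
# DPF/ActiveX downloads on a 2007-era XP machine. HijackThis has no such list.
TRUSTED_DPF_HOSTS = {
    "go.microsoft.com",
    "update.microsoft.com",
    "messenger.zone.msn.com",
    "messenger.msn.com",
}

ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Return (section, rest) for every 'Rn - ...' / 'Onn - ...' line."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log: str) -> List[Tuple[str, str]]:
    """Apply per-section heuristics; return (reason, entry) for flagged lines."""
    findings = []
    for section, rest in parse_entries(log):
        entry = f"{section} - {rest}"
        if section in ("R0", "R1") and rest.endswith("="):
            findings.append(("empty IE setting; harmless but commonly reset", entry))
        elif section == "R3" and rest.endswith("(no file)"):
            findings.append(("orphaned URLSearchHook pointing at a missing file", entry))
        elif section in ("O2", "O3"):
            # Layout: "BHO: <name> - {CLSID} - <path>". A legitimate component has
            # a product name here; a DLL path or "(no name)" means no friendly name.
            name = rest.partition(": ")[2].split(" - {", 1)[0]
            if name == "(no name)" or DRIVE_PATH_RE.match(name):
                findings.append(("COM object registered without a friendly name", entry))
        elif section == "O4" and rest.startswith("Global Startup:"):
            target = rest.partition(":")[2].strip()
            # Shortcuts show as "X.lnk = <path>"; a bare .exe was dropped there.
            if target.lower().endswith(".exe") and " = " not in target:
                findings.append(("bare executable in the all-users Startup folder", entry))
        elif section == "O15":
            findings.append(("site added to the IE Trusted Zone (relaxes IE security)", entry))
        elif section == "O16":
            url = rest.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or ""
            if IPV4_RE.match(host):
                findings.append(("DPF download from a raw IP address", entry))
            elif host not in TRUSTED_DPF_HOSTS:
                findings.append(("DPF download from a host outside the allowlist", entry))
        elif section == "O20" and rest.startswith("AppInit_DLLs:"):
            findings.append(("AppInit_DLLs loads into every process; verify the DLL", entry))
    return findings


# Constructed excerpt: entries copied from the HijackThis log in post #10 above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: C:\WINDOWS\system32\lfhs76ghf.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\system32\lfhs76ghf.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VTAgentReboot.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {00330010-0000-0000-0000-000020060010} - http://207.234.185.217/ABoxInst_int22.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {entry}")
```

Run as-is it flags eight of the thirteen sample entries and leaves the HP toolbar, the avast! Run key and service, the Adobe shortcut and the Microsoft DPF control alone. The O20 rule deliberately flags Google Desktop's AppInit DLL too: AppInit_DLLs is worth a look every time, and the rule says "verify", not "remove".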

#12 Twilight.

  • Topic Starter
  • Members
  • 40 posts

Posted 02 May 2007 - 10:07 PM

Hi,

Here is the log for the VundoFix:


VundoFix V6.3.20

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 6:42:02 PM 4/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\acqhojxu.dll
C:\WINDOWS\system32\ahlcogjr.dll
C:\WINDOWS\system32\cgfqryhd.dll
C:\WINDOWS\system32\crqoooud.dll
C:\WINDOWS\system32\cvciwogd.dll
C:\WINDOWS\system32\dbkqnqfk.dll
C:\WINDOWS\system32\dnytkcfy.dll
C:\WINDOWS\system32\eynqfdlr.dll
C:\WINDOWS\system32\fgufuqau.dll
C:\WINDOWS\system32\gfjpbqwc.dll
C:\WINDOWS\system32\gglpiqga.dll
C:\WINDOWS\system32\gmtnwbnc.dll
C:\WINDOWS\system32\hgpyfcno.dll
C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\hjxnrcnk.dll
C:\WINDOWS\system32\hnknqptc.dll
C:\WINDOWS\system32\hrroeorf.dll
C:\WINDOWS\system32\itogoilb.dll
C:\WINDOWS\system32\jdokwjeb.dll
C:\WINDOWS\system32\jolhedyr.dll
C:\WINDOWS\system32\joupbrad.dll
C:\WINDOWS\system32\jqudlmdw.dll
C:\WINDOWS\system32\jryjwbuj.dll
C:\WINDOWS\system32\klkpsdjj.dll
C:\WINDOWS\system32\kyfouqdp.dll
C:\WINDOWS\system32\kynicudu.dll
C:\WINDOWS\system32\lboahmxi.dll
C:\WINDOWS\system32\lokqlgwe.dll
C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\mymbjvow.ini
C:\WINDOWS\system32\nebytwac.dll
C:\WINDOWS\system32\neqtpffs.dll
C:\WINDOWS\system32\ngfhhhuw.dll
C:\WINDOWS\system32\ochxbiii.dll
C:\WINDOWS\system32\omtvnjoi.dll
C:\WINDOWS\system32\pckxjosh.dll
C:\WINDOWS\system32\pnxlrogl.dll
C:\WINDOWS\system32\ptgxboyv.dll
C:\WINDOWS\system32\pwykyhgs.dll
C:\WINDOWS\system32\pxmtsfjt.dll
C:\WINDOWS\system32\qdcmufvf.dll
C:\WINDOWS\system32\qfjtlxoc.dll
C:\WINDOWS\system32\qpgktgih.dll
C:\WINDOWS\system32\rggdkmgx.dll
C:\WINDOWS\system32\rrbhqqiy.dll
C:\WINDOWS\system32\rwwxrhdv.dll
C:\WINDOWS\system32\sftrdviw.dll
C:\WINDOWS\system32\slkqeage.dll
C:\WINDOWS\system32\tbifoynp.dll
C:\WINDOWS\system32\tukpdlcc.dll
C:\WINDOWS\system32\tuvuvst.dll
C:\WINDOWS\system32\uhlsnxid.dll
C:\WINDOWS\system32\vkngnhru.dll
C:\WINDOWS\system32\vqthbyev.dll
C:\WINDOWS\system32\wovjbmym.dll
C:\WINDOWS\system32\wpsuapwh.dll
C:\WINDOWS\system32\wxfgpwlg.dll
C:\WINDOWS\system32\xbbymhru.exe
C:\WINDOWS\system32\xcllbame.dll
C:\WINDOWS\system32\xirnuubv.dll
C:\WINDOWS\system32\xmgtliqw.dll
C:\WINDOWS\system32\yckwdsnj.dll
C:\WINDOWS\system32\yebktxta.dll
C:\WINDOWS\system32\yeoghacs.dll
C:\WINDOWS\system32\ypqksfnr.dll
C:\WINDOWS\system32\yxmkupfq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\acqhojxu.dll
C:\WINDOWS\system32\acqhojxu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ahlcogjr.dll
C:\WINDOWS\system32\ahlcogjr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cgfqryhd.dll
C:\WINDOWS\system32\cgfqryhd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\crqoooud.dll
C:\WINDOWS\system32\crqoooud.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cvciwogd.dll
C:\WINDOWS\system32\cvciwogd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dbkqnqfk.dll
C:\WINDOWS\system32\dbkqnqfk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dnytkcfy.dll
C:\WINDOWS\system32\dnytkcfy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\eynqfdlr.dll
C:\WINDOWS\system32\eynqfdlr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fgufuqau.dll
C:\WINDOWS\system32\fgufuqau.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gfjpbqwc.dll
C:\WINDOWS\system32\gfjpbqwc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gglpiqga.dll
C:\WINDOWS\system32\gglpiqga.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gmtnwbnc.dll
C:\WINDOWS\system32\gmtnwbnc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgpyfcno.dll
C:\WINDOWS\system32\hgpyfcno.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\hjllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjxnrcnk.dll
C:\WINDOWS\system32\hjxnrcnk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hnknqptc.dll
C:\WINDOWS\system32\hnknqptc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hrroeorf.dll
C:\WINDOWS\system32\hrroeorf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\itogoilb.dll
C:\WINDOWS\system32\itogoilb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jdokwjeb.dll
C:\WINDOWS\system32\jdokwjeb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jolhedyr.dll
C:\WINDOWS\system32\jolhedyr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\joupbrad.dll
C:\WINDOWS\system32\joupbrad.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jryjwbuj.dll
C:\WINDOWS\system32\jryjwbuj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\klkpsdjj.dll
C:\WINDOWS\system32\klkpsdjj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kyfouqdp.dll
C:\WINDOWS\system32\kyfouqdp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kynicudu.dll
C:\WINDOWS\system32\kynicudu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lboahmxi.dll
C:\WINDOWS\system32\lboahmxi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lokqlgwe.dll
C:\WINDOWS\system32\lokqlgwe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\mlljh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mymbjvow.ini
C:\WINDOWS\system32\mymbjvow.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\nebytwac.dll
C:\WINDOWS\system32\nebytwac.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\neqtpffs.dll
C:\WINDOWS\system32\neqtpffs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ngfhhhuw.dll
C:\WINDOWS\system32\ngfhhhuw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ochxbiii.dll
C:\WINDOWS\system32\ochxbiii.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\omtvnjoi.dll
C:\WINDOWS\system32\omtvnjoi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pckxjosh.dll
C:\WINDOWS\system32\pckxjosh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pnxlrogl.dll
C:\WINDOWS\system32\pnxlrogl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ptgxboyv.dll
C:\WINDOWS\system32\ptgxboyv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pwykyhgs.dll
C:\WINDOWS\system32\pwykyhgs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pxmtsfjt.dll
C:\WINDOWS\system32\pxmtsfjt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qdcmufvf.dll
C:\WINDOWS\system32\qdcmufvf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qfjtlxoc.dll
C:\WINDOWS\system32\qfjtlxoc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qpgktgih.dll
C:\WINDOWS\system32\qpgktgih.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rggdkmgx.dll
C:\WINDOWS\system32\rggdkmgx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rrbhqqiy.dll
C:\WINDOWS\system32\rrbhqqiy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rwwxrhdv.dll
C:\WINDOWS\system32\rwwxrhdv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sftrdviw.dll
C:\WINDOWS\system32\sftrdviw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\slkqeage.dll
C:\WINDOWS\system32\slkqeage.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tbifoynp.dll
C:\WINDOWS\system32\tbifoynp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tukpdlcc.dll
C:\WINDOWS\system32\tukpdlcc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvuvst.dll
C:\WINDOWS\system32\tuvuvst.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\uhlsnxid.dll
C:\WINDOWS\system32\uhlsnxid.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vkngnhru.dll
C:\WINDOWS\system32\vkngnhru.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vqthbyev.dll
C:\WINDOWS\system32\vqthbyev.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wovjbmym.dll
C:\WINDOWS\system32\wovjbmym.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wpsuapwh.dll
C:\WINDOWS\system32\wpsuapwh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wxfgpwlg.dll
C:\WINDOWS\system32\wxfgpwlg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbbymhru.exe
C:\WINDOWS\system32\xbbymhru.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\xcllbame.dll
C:\WINDOWS\system32\xcllbame.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xirnuubv.dll
C:\WINDOWS\system32\xirnuubv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xmgtliqw.dll
C:\WINDOWS\system32\xmgtliqw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yckwdsnj.dll
C:\WINDOWS\system32\yckwdsnj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yebktxta.dll
C:\WINDOWS\system32\yebktxta.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yeoghacs.dll
C:\WINDOWS\system32\yeoghacs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ypqksfnr.dll
C:\WINDOWS\system32\ypqksfnr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yxmkupfq.dll
C:\WINDOWS\system32\yxmkupfq.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tuvuvst.dll
C:\WINDOWS\system32\tuvuvst.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.20

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 6:59:19 PM 4/26/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.20

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 11:36:22 PM 4/28/2007

Listing files found while scanning....


VundoFix V6.3.20

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 7:59:42 PM 5/1/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.3.20

Checking Java version...

Scan started at 9:28:50 PM 5/2/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\system32\lfhs76ghf.dll
C:\WINDOWS\system32\lfhs76ghf.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.3.20

Checking Java version...

Scan started at 9:45:04 PM 5/2/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\lfhs76ghf.dll
C:\WINDOWS\system32\lfhs76ghf.dll Has been deleted!

Performing Repairs to the registry.
Done!
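The VundoFix log above is long because every pass is appended to the same file, and the cases that matter are the files that "Could not be deleted" on one pass and are gone after the reboot pass that htv8's NOTE in post #11 describes (tuvuvst.dll on 4/26, lfhs76ghf.dll on 5/2). The summariser below is an added example, not part of VundoFix or of this thread. It parses a constructed excerpt of the posted log (the paths are taken from the log; `example_leftover.dll` is a hypothetical file added to show the case where a file is never removed) and reports which files needed a retry and which are still present.

```python
"""Summarise a multi-pass VundoFix log: what was removed, what needed a retry,
and what is still there (added example, not part of VundoFix)."""
import re
from typing import Dict, List, Tuple

SCAN_RE = re.compile(r"^Scan started at (.+)$")
ATTEMPT_RE = re.compile(r"^Attempting to delete (.+)$")
RESULT_RE = re.compile(r"^(.+?) (Has been deleted!|Could not be deleted\.)$")


def parse_vundofix(log: str) -> List[Tuple[str, str, bool]]:
    """Return (scan_time, path, deleted) for every deletion attempt, in order.
    The reboot pass prints no 'Scan started' header, so its attempts keep the
    time of the pass that scheduled them."""
    events = []
    scan_time = "unknown"
    pending = None
    for raw in log.splitlines():
        line = raw.strip()
        m = SCAN_RE.match(line)
        if m:
            scan_time = m.group(1)
            continue
        m = ATTEMPT_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = RESULT_RE.match(line)
        # Only pair a result with the attempt that immediately preceded it.
        if m and pending == m.group(1):
            events.append((scan_time, pending, m.group(2) == "Has been deleted!"))
            pending = None
    return events


def summarize(log: str) -> Dict[str, object]:
    """Final status per file; a later successful pass overrides an earlier failure."""
    final: Dict[str, bool] = {}
    attempts: Dict[str, int] = {}
    for _, path, deleted in parse_vundofix(log):
        attempts[path] = attempts.get(path, 0) + 1
        final[path] = deleted
    return {
        "deleted": sum(1 for ok in final.values() if ok),
        "retried": [p for p, n in attempts.items() if n > 1],
        "remaining": [p for p, ok in final.items() if not ok],
    }


# Constructed excerpt of the VundoFix log posted above, plus one hypothetical
# leftover file (example_leftover.dll) that is never removed.
SAMPLE_LOG = r"""
VundoFix V6.3.20

Scan started at 6:42:02 PM 4/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\acqhojxu.dll
C:\WINDOWS\system32\tuvuvst.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\acqhojxu.dll
C:\WINDOWS\system32\acqhojxu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvuvst.dll
C:\WINDOWS\system32\tuvuvst.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tuvuvst.dll
C:\WINDOWS\system32\tuvuvst.dll Has been deleted!

VundoFix V6.3.20

Scan started at 9:28:50 PM 5/2/2007

Attempting to delete C:\WINDOWS\system32\lfhs76ghf.dll
C:\WINDOWS\system32\lfhs76ghf.dll Could not be deleted.

VundoFix V6.3.20

Scan started at 9:45:04 PM 5/2/2007

Attempting to delete C:\WINDOWS\system32\lfhs76ghf.dll
C:\WINDOWS\system32\lfhs76ghf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\example_leftover.dll
C:\WINDOWS\system32\example_leftover.dll Could not be deleted.
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("deleted:", report["deleted"])
    print("needed a retry:", *report["retried"], sep="\n  ")
    print("still present:", *report["remaining"], sep="\n  ")
```

The "Listing files found while scanning" block is ignored on purpose: it is what the scan saw, not what was removed, and the two differ exactly when a file is locked. Anything left in `remaining` is what to look for in the next HijackThis log.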

#13 Twilight.

  • Topic Starter
  • Members
  • 40 posts

Posted 02 May 2007 - 10:24 PM

Hi again,

For the HijackThis fix, I was unable to find:
BHO: C:\WINDOWS\system32\lfhs76ghf.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\system32\lfhs76ghf.dll

and

O15 - Trusted Zone: http://locator.cdn.imageservr.com

and I was unable to fix: O4 - Global Startup: VTAgentReboot.exe.

Is this a problem?

Thanks.

#14 Twilight.

  • Topic Starter
  • Members
  • 40 posts

Posted 02 May 2007 - 10:36 PM

Hi htv8, thanks for all the help.
Here is the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 10:31:36 PM, on 5/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\fluffybunny.exe.exe

O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137018220593
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151203866890
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Once again, thanks.

#15 htv8

htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:24 PM

Posted 03 May 2007 - 04:45 AM

[...]

and I was unable to fix: O4 - Global Startup: VTAgentReboot.exe.

Is this a problem?

Were you able to and did you delete the corresponding file? This file:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VTAgentReboot.exe



I see that you are running MSConfig in /auto mode, which means that you may have selectively removed some items in the past from the startup procedure. This can be bad if those items are malware, so I would like you to re-enable those startup entries by following these steps:
1. Close all programs so that you have nothing open and are at the Desktop.
2. Click on Start > Run.
3. In the Run: field type msconfig and press the Enter key on your keyboard.
4. When the System Configuration Utility starts up, click on the Startup tab and make sure there are checkmarks in every entry.
5. Press OK until you are out of the program. If it asks to reboot, do NOT reboot.

Now please create a new Hijackthis log and post it as a reply.



Your first HijackThis log shows some entries that are not present in the logs you posted after the first one. Have you fixed things yourself?
(For example, this entry is not present in the logs you posted after the first log:
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\ie_updater.exe)

Edited by htv8, 03 May 2007 - 04:58 AM.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.



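The two checks htv8 asks for in the post above (look again at what msconfig /auto has left disabled, and compare the first HijackThis log against the later ones to see which entries vanished) can be done mechanically rather than by eye. The script below is an added example written for this page; it is not a tool from the thread, from BleepingComputer or from HijackThis. The two log excerpts in it are constructed from entries quoted in this thread (they are not the poster's full logs), and the path heuristics in SUSPECT_PATH_RE are this example's own rules, not HijackThis's.

```python
"""Parse HijackThis (HJT) logs, diff two of them, and flag startup entries worth a second look."""
import re

# Constructed excerpts, not the poster's full logs. The entries are modelled on
# lines quoted in this thread; the set is deliberately small.
FIRST_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: VTAgentReboot.exe
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\ie_updater.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Later log from the same machine: the ieupdater2 service is gone, the rest is unchanged.
LATER_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: VTAgentReboot.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HJT finding is "Oxx - <body>"; the running-process list and headers do not match.
ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")


def parse_hjt(text):
    """Return (section, body) for every 'Oxx - ...' line; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def entries_missing_from(first_text, later_text):
    """Entries in the first log that no longer appear in the later one.

    This is the comparison htv8 made by eye: an entry that vanishes between logs was
    either fixed by the user or removed by something else, and either way it is worth asking.
    """
    later = set(parse_hjt(later_text))
    return [e for e in parse_hjt(first_text) if e not in later]


# Heuristics used by this example (not a HijackThis rule set): an .exe sitting directly
# in the profile root rather than in a program folder, or anything under a Temp folder,
# is a classic drop location for malware.
SUSPECT_PATH_RE = re.compile(
    r"[a-z]:\\documents and settings\\[^\\]+\.exe\b"
    r"|\\temp\\",
    re.IGNORECASE,
)


def flag_entries(text):
    """Return (section, body, reason) for entries that deserve a second look."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O4" and body.endswith("MSConfig.exe /auto"):
            findings.append((section, body,
                             "msconfig /auto: items were disabled, not removed; re-enable them and post a fresh log"))
        elif section == "O4" and body.startswith("Global Startup:") and body.lower().endswith(".exe"):
            findings.append((section, body,
                             "a bare .exe in the all-users Startup folder; installers normally drop .lnk shortcuts there"))
        elif SUSPECT_PATH_RE.search(body):
            findings.append((section, body, "runs from the profile root or a Temp folder"))
    return findings


if __name__ == "__main__":
    for section, body in entries_missing_from(FIRST_LOG, LATER_LOG):
        print(f"gone since first log: {section} - {body}")
    for section, body, why in flag_entries(FIRST_LOG):
        print(f"check: {section} - {body}\n    {why}")
```

Run it on the two excerpts and it reports the ieupdater2 service as the entry that disappeared, and flags three lines of the first log: the MSConfig /auto entry, the bare VTAgentReboot.exe in the all-users Startup folder, and the service binary living directly in C:\Documents and Settings. Note what the script cannot do: items that msconfig has unchecked are moved out of the Run keys (on Windows XP they are kept under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig), so they never show up as O4 lines in a HijackThis log at all, which is exactly why htv8 wants them re-enabled before the next log is posted.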

