Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Trojan - Please Help!


  • This topic is locked This topic is locked
18 replies to this topic

#1 CJJ

CJJ

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 26 April 2007 - 01:06 PM

Am new to bleeping computer. is nice to see that there are people like you out there!

I have been infected with a trojan clicker that avg keeps on detecting.

I have tried deleting it, rebooting my computer in safe mode, running hijackthis and avg again as well as trojanhunter but cannot get rid of it.

any help will be much appreciated! My hjt log file is below:


Logfile of HijackThis v1.99.1
Scan saved at 18:52:15, on 26/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\Program Files\QuickTime\qttask.exe
E:\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
O2 - BHO: (no name) - {A7963CD1-E395-487E-9168-FA1DEA7AEE3D} - c:\windows\system32\ehkaehk.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0D88F5B-2672-4DD2-98C6-616BFF9F31AB}: NameServer = 212.139.132.52 212.139.132.53
O20 - Winlogon Notify: huxckbja - C:\WINDOWS\SYSTEM32\ehkaehk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - e:\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - e:\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe (file missing)

BC AdBot (Login to Remove)

 


#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 27 April 2007 - 09:57 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: (no name) - {A7963CD1-E395-487E-9168-FA1DEA7AEE3D} - c:\windows\system32\ehkaehk.dll
O20 - Winlogon Notify: huxckbja - C:\WINDOWS\SYSTEM32\ehkaehk.dll
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe (file missing)


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Next, please find and delete the following files (if present):

C:\WINDOWS\SYSTEM32\ehkaehk.dll
C:\WINDOWS\system32\Service.exe

Copy and paste the following text into Notepad:
sc stop "Service"
sc delete "Service"
Save this as "services.bat" Choose to save as *all files and place it on your Desktop.
Double-click services.bat.

Reboot into Normal Mode again.

Please download VundoFix to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please include VundoFix.txt and a new HijackThis log in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#3 CJJ

CJJ
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 27 April 2007 - 05:55 PM

Hi Charles thanks for looking at this.

As soon as I fix checked the entries in hijack this, the same virus alert message was displayed again.

I then rebooted in safe mode but was unable to delete

C:\WINDOWS\SYSTEM32\ehkaehk.dll as an access denied message was displayed.

Am I doing something wrong?

#4 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 28 April 2007 - 02:27 AM

No, it doesn't matter that you could not remove it, the VundoFix scanner should delete this file.
Please continue with the rest of the instructions, and include Vundofix.txt and a new HijackThis log in your next reply.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#5 CJJ

CJJ
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 28 April 2007 - 01:56 PM

Here is the VundoFix.txt and hjt log:


VundoFix V6.3.20

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 19:38:10 28/04/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.3.20

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 19:43:28 28/04/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...



Logfile of HijackThis v1.99.1
Scan saved at 19:49:21, on 28/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
E:\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
O2 - BHO: (no name) - {A7963CD1-E395-487E-9168-FA1DEA7AEE3D} - c:\windows\system32\ehkaehk.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O20 - Winlogon Notify: huxckbja - C:\WINDOWS\SYSTEM32\ehkaehk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - e:\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - e:\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe

#6 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 28 April 2007 - 03:59 PM

Double-click VundoFix.exe to run it.
When VundoFix re-opens, click "Scan for Vundo" button.
Once the scan is complete, right click inside the listbox (white box) and click "Add More Files"
Copy and paste the entries below into the top boxes (no arrows):

--> C:\WINDOWS\SYSTEM32\ehkaehk.dll

Click "Add Files" and click "Close Window".
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your Desktop will go blank as it starts removing Vundo - this is normal.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Please include VundoFix.txt and a new HijackThis log in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#7 CJJ

CJJ
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 28 April 2007 - 06:58 PM

After running the remove Vundo option a message was displayed saying that the particular file couldn't be deleted, even after rebooting as shown below:


VundoFix V6.3.20

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 00:21:36 29/04/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\ehkaehk.dll
C:\WINDOWS\SYSTEM32\ehkaehk.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\ehkaehk.dll
C:\WINDOWS\SYSTEM32\ehkaehk.dll Could not be deleted.

Performing Repairs to the registry.
Done!



Logfile of HijackThis v1.99.1
Scan saved at 00:33:46, on 29/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
E:\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
O2 - BHO: (no name) - {A7963CD1-E395-487E-9168-FA1DEA7AEE3D} - c:\windows\system32\ehkaehk.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0D88F5B-2672-4DD2-98C6-616BFF9F31AB}: NameServer = 212.139.132.52 212.139.132.53
O20 - Winlogon Notify: huxckbja - C:\WINDOWS\SYSTEM32\ehkaehk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - e:\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - e:\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe

#8 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 29 April 2007 - 07:28 AM

Hello again.
Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: (no name) - {A7963CD1-E395-487E-9168-FA1DEA7AEE3D} - c:\windows\system32\ehkaehk.dll
O20 - Winlogon Notify: huxckbja - C:\WINDOWS\SYSTEM32\ehkaehk.dll


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

c:\windows\system32\ehkaehk.dll

Open 'file' in the killbox menu on top and choose Paste from clipboard
You must use the file menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to reboot now, click "yes".
Click OK at any Pending File Rename Operations prompts, let me know if there appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Post back a new HijackThis once done.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#9 CJJ

CJJ
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 29 April 2007 - 05:35 PM

Hi Charles,

I had a PendingFileRenameOperationsRegistry prompt, then rebooted and ran the following hijack this scan:


Logfile of HijackThis v1.99.1
Scan saved at 23:30:48, on 29/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
E:\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
O2 - BHO: (no name) - {A7963CD1-E395-487E-9168-FA1DEA7AEE3D} - c:\windows\system32\ehkaehk.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0D88F5B-2672-4DD2-98C6-616BFF9F31AB}: NameServer = 212.139.132.52 212.139.132.53
O20 - Winlogon Notify: huxckbja - C:\WINDOWS\SYSTEM32\ehkaehk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - e:\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - e:\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe

#10 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 30 April 2007 - 03:49 PM

Hello again,
Please move HijackThis to a permanent folder. Anywhere is fine, other than your Desktop or a temporary folder. If it is in one of these locations, there is a risk that you may accidentally delete the backups; which may be needed if we fix something we're not meant to.
If you use Windows XP it may be that you just double clicked on the HijackThis.exe file, but this only extracts the file to a temporary folder. If you right click on it and select Extract, you can choose a folder to place it in.

How to make a permanent folder:
Click Start | My Computer | Local Disk (C: ) | Program Files.
In the menu bar at the top, go to File | New | Folder.
That will create a folder named "New Folder", which you can rename to "HijackThis". You have now created C:\Program Files\HijackThis.
Now get your HijackThis.exe file and place it in your folder.

Download Combofix to your Desktop. It is really important that combofix.exe is on your Desktop, not somewhere else!
Then go to Start | Run and copy and paste this command in the field:
"C:\Documents and Settings\Chris\Desktop\combofix.exe" /v ehkaehk
Hit enter. This should start combofix.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#11 CJJ

CJJ
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 01 May 2007 - 02:23 AM

Hi here is the combofix.txt report and new hijack this log:

"Chris" - 07-05-01 8:13:35 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Chris\Desktop\"
Command switches used :: "/v ehkaehk"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


FINDSTR: Cannot open C:\WINDOWS\system32\ehkaehk.dll
C:\WINDOWS\system32\ehkaehk.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\drivers\mdtktair.sys


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\hprcxsng
-------\pxnrsyjq
-------\LEGACY_HPRCXSNG
-------\LEGACY_PXNRSYJQ


((((((((((((((((((((((((((((((( Files Created from 2007-04-01 to 2007-05-01 ))))))))))))))))))))))))))))))))))


2007-04-29 23:16 <DIR> d-------- C:\!KillBox
2007-04-28 19:38 <DIR> d-------- C:\VundoFix Backups
2007-04-26 18:17 <DIR> d-------- C:\WINDOWS\pss
2007-04-26 00:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-04-26 00:00 <DIR> d-------- C:\DOCUME~1\Chris\APPLIC~1\TrojanHunter
2007-04-25 20:35 77,312 --a------ C:\WINDOWS\ua2.dll
2007-04-25 20:30 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-04-04 16:08 100,864 --a------ C:\WINDOWS\system32\ugdhbjxe.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-24 23:56 -------- d-------- C:\Program Files\emule
2007-04-24 18:21 131584 --a------ C:\WINDOWS\system32\riuadjav.dll
2007-04-23 18:17 44032 --a------ C:\WINDOWS\system32\qkmdlthc.dll
2007-04-18 18:41 -------- d-------- C:\Program Files\xvid
2007-03-23 11:20 -------- d-------- C:\Program Files\dvdfab decrypter 3
2007-03-23 10:40 -------- d-------- C:\Program Files\divx
2007-03-18 18:05 -------- d-------- C:\Program Files\ipod
2007-03-17 14:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-15 12:23 497496 --a------ C:\WINDOWS\system32\xceedzip.dll
2007-03-15 12:19 526184 --a------ C:\WINDOWS\system32\xceedcry.dll
2007-03-08 19:31 -------- d-------- C:\Program Files\quicktime
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-05 21:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-02-01 05:56 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-01 05:56 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-01 05:56 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"ABIT uGuru"="C:\\Program Files\\ABIT\\ABIT uGuru\\uGuru.exe"
"GuruClock"="C:\\Program Files\\ABIT\\ABIT uGuru\\GuruClock.exe"
"RetroExpress"="C:\\PROGRA~1\\Dantz\\RETROS~1\\RetroExpress.exe /h"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Easy-PrintToolBox"="C:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"E:\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"adiras"="adiras.exe"
"UnlockerAssistant"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-01 08:16:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-01 8:17:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-05-01 08:17



Logfile of HijackThis v1.99.1
Scan saved at 08:19:58, on 01/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\Program Files\QuickTime\qttask.exe
E:\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0D88F5B-2672-4DD2-98C6-616BFF9F31AB}: NameServer = 212.139.132.52 212.139.132.53
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - e:\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - e:\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe

#12 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 01 May 2007 - 11:19 AM

Hello again, things are looking a little better but there are still some things that need dealing with.
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Please download ATF Cleaner to your Desktop.
Don't run it yet.

You are using peer-to-peer programs.
These are what we call an optional removal. However, anytime you are running any type of peer-to-peer application, you are more prone to infection by malware, and this is probably how you became infected in the first place. The choice to remove them is entirely up to you, but I would strongly recommend that you do.
If you do not want to, please at least refrain from using any peer-to-peer programs for the remainder of my fix.
For more information about infections as a result of p2p programs, take a look here: http://p2p.malwareremoval.com/

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Next, please find and delete the following files (if present):

C:\WINDOWS\system32\ugdhbjxe.dll
C:\WINDOWS\system32\riuadjav.dll
C:\WINDOWS\system32\qkmdlthc.dll

Double click ATF-Cleaner.exe to run the program.
Under Main choose Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

Click Exit on the main menu to close the program.

Reboot into Normal Mode again.

Please run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open, click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan has finished - if anything malicious is found - click the See Report button.
Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

Please include the Panda log in your next post.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#13 CJJ

CJJ
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 06 May 2007 - 08:12 AM

Hi Charles,

Sorry for not replying sooner I have been on holiday.

I followed your instructions which included deleting the file

C:\WINDOWS\system32\riuadjav.dll

but unfortunately could not run the panda activescan as I use firefox instead of internet explorer.

#14 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 06 May 2007 - 08:37 AM

I hope you had a nice holiday :thumbsup:
Can you just use Internet Explorer to run that scan please?

Edited by rookie147, 06 May 2007 - 08:43 AM.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#15 CJJ

CJJ
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 07 May 2007 - 12:57 PM

Here is the PANDA active scan report:


Incident Status Location

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\comb5egf.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\comb5egf.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\comb5egf.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\comb5egf.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\comb5egf.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\comb5egf.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\comb5egf.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\comb5egf.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\comb5egf.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\comb5egf.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\comb5egf.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\comb5egf.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\comb5egf.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\comb5egf.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\comb5egf.default\cookies.txt[.bs.serving-sys.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Chris\Desktop\ComboFix.exe[ComboFixT\nircmd.cfexe]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Gretel\Application Data\Mozilla\Firefox\Profiles\vywzycj9.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Gretel\Application Data\Mozilla\Firefox\Profiles\vywzycj9.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Gretel\Application Data\Mozilla\Firefox\Profiles\vywzycj9.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\Gretel\Application Data\Mozilla\Firefox\Profiles\vywzycj9.default\cookies.txt[.adviva.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Gretel\Application Data\Mozilla\Firefox\Profiles\vywzycj9.default\cookies.txt[.advertising.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Gretel\Application Data\Mozilla\Firefox\Profiles\vywzycj9.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Gretel\Application Data\Mozilla\Firefox\Profiles\vywzycj9.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Gretel\Application Data\Mozilla\Firefox\Profiles\vywzycj9.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Gretel\Application Data\Mozilla\Firefox\Profiles\vywzycj9.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Gretel\Application Data\Mozilla\Firefox\Profiles\vywzycj9.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Gretel\Application Data\Mozilla\Firefox\Profiles\vywzycj9.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Gretel\Application Data\Mozilla\Firefox\Profiles\vywzycj9.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Gretel\Application Data\Mozilla\Firefox\Profiles\vywzycj9.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Gretel\Application Data\Mozilla\Firefox\Profiles\vywzycj9.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Gretel\Application Data\Mozilla\Firefox\Profiles\vywzycj9.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00047072.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00047073.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00047074.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00047075.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00047077.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00047078.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00047080.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00047081.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00047082.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00047084.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00047085.MOZ[.atwola.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\RECYCLER\NPROTECT\00052835.TXT
Spyware:Cookie/Adrevolver Not disinfected C:\RECYCLER\NPROTECT\00052837.TXT
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053328.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053333.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053355.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053859.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053862.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053866.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053873.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053879.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053883.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053886.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053888.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053892.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053896.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053902.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053911.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053914.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053920.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053925.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053929.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053933.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053937.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053941.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053943.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053948.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053952.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00053959.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00054205.MOZ[.atwola.com/]
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00054211.MOZ[.atwola.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users