Need Help With A Trojan!


  • This topic is locked
7 replies to this topic

#1 shizzledizzle

shizzledizzle

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:43 PM

Posted 03 June 2007 - 11:37 AM

Hi all

I don't know what to do about this one; it just keeps popping up all the time and I can't get rid of it.

I have Outpost Firewall running and Avira AntiVir PersonalEdition Classic running. I have also installed PC Tools Spyware Doctor and done a scan, but the problem won't go away. I am a rookie when it comes to this and would really appreciate some help. This is the logfile I got:

Logfile of HijackThis v1.99.1
Scan saved at 17:19:39, on 2007-06-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\AntiVir PersonalEdition Classic\sched.exe
C:\Program\AntiVir PersonalEdition Classic\avguard.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program\Java\jre1.6.0_01\bin\jusched.exe
C:\Program\HP\HP Software Update\HPWuSchd2.exe
C:\Program\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe
C:\Program\ATI Technologies\ATI.ACE\CLI.exe
C:\Program\Delade filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program\Spyware Doctor\svcntaux.exe
C:\Program\Spyware Doctor\swdsvc.exe
C:\Program\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\alg.exe
C:\Program\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Beno\Skrivbord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Lšnkar
O2 - BHO: (no name) - {40D0E82D-B1C0-4E63-8DD2-E4A42963DBBB} - C:\WINDOWS\system32\jkhhg.dll
O2 - BHO: (no name) - {B2030C9A-DE59-457D-A042-D827AD69C8F3} - C:\WINDOWS\system32\efccawu.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\rfsrgtxn.dll",realset
O4 - HKLM\..\Run: [SDTray] C:\Program\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Snabbstarta.lnk = C:\Program\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141686721000
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: efccawu - C:\WINDOWS\SYSTEM32\efccawu.dll
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program\Spyware Doctor\swdsvc.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program\Sunbelt Software\Personal Firewall\kpf4ss.exe
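
The HijackThis log above is what the helper reads to spot the infection. As an added example (not code from this thread, from HijackThis or from any tool used here), the script below applies the same reading mechanically: it parses the O2, O4 and O20 lines, flags nameless Browser Helper Objects, Winlogon Notify packages that are not on a known-good list, Run keys that start a DLL through rundll32, and DLL names that look machine-generated. The allowlist and the name heuristic are assumptions made for illustration; the sample lines are copied from the log above, with benign entries from the same log mixed in so the filter has something to ignore.

```python
"""Triage a HijackThis v1.99 log for the load points Vundo-style infections
favour: nameless BHOs (O2), Winlogon Notify packages (O20) and Run keys that
start a DLL through rundll32 (O4). Added example, not HijackThis code."""
import ntpath
import re

# Winlogon Notify packages expected on a stock Windows XP SP2 install.
# Assumption: a short illustrative allowlist, not a maintained one.
KNOWN_NOTIFY_DLLS = {
    "wgalogon.dll", "scecli.dll", "crypt32.dll", "cryptnet.dll",
    "sclgntfy.dll", "wlnotify.dll", "termsrv.dll",
}

RE_O2 = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+?)"
    r"(?: \((?P<note>[^)]+)\))?$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
RE_O4 = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
RE_RUNDLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)',
    re.IGNORECASE)

# Lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {40D0E82D-B1C0-4E63-8DD2-E4A42963DBBB} - C:\WINDOWS\system32\jkhhg.dll",
    r"O2 - BHO: (no name) - {B2030C9A-DE59-457D-A042-D827AD69C8F3} - C:\WINDOWS\system32\efccawu.dll",
    r"O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program\AntiVir PersonalEdition Classic\avgnt.exe" /min',
    r'O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\rfsrgtxn.dll",realset',
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe",
    r"O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_01\bin\ssv.dll",
    r"O20 - Winlogon Notify: efccawu - C:\WINDOWS\SYSTEM32\efccawu.dll",
    r"O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program\AntiVir PersonalEdition Classic\sched.exe",
]


def stem_of(path):
    """File name without directory or extension (Windows path rules)."""
    return ntpath.splitext(ntpath.basename(path))[0]


def looks_random(stem):
    """Crude proxy for a generated file name: short, letters only, and either
    vowel-free or holding a run of three or more consonants. Tuned to the
    names in this thread (jkhhg, efccawu, rfsrgtxn); it is only applied to
    the three load points below, where real names are rare, because it would
    also trip on names such as ctfmon."""
    s = stem.lower()
    if not s.isalpha() or len(s) > 10:
        return False
    if not any(c in "aeiouy" for c in s):
        return True
    return max((len(r) for r in re.findall(r"[^aeiouy]+", s)), default=0) >= 3


def triage(log_lines):
    """Return (section, path, reasons) for every entry that trips a signal."""
    findings = []
    for raw in log_lines:
        line = raw.strip()
        if m := RE_O2.match(line):
            path, reasons = m.group("path"), []
            if m.group("name") == "(no name)":
                reasons.append("BHO registered without a name")
            if m.group("note") == "file missing" or path.startswith("("):
                reasons.append("CLSID points at a file that is gone (orphaned entry)")
            if looks_random(stem_of(path)):
                reasons.append("random-looking file name")
            if reasons:
                findings.append(("O2", path, reasons))
        elif m := RE_O20.match(line):
            path, reasons = m.group("path"), []
            if ntpath.basename(path).lower() not in KNOWN_NOTIFY_DLLS:
                reasons.append("Winlogon Notify DLL not on the known-good list")
                if looks_random(stem_of(path)):
                    reasons.append("random-looking file name")
            if reasons:
                findings.append(("O20", path, reasons))
        elif m := RE_O4.match(line):
            if r := RE_RUNDLL.search(m.group("cmd")):
                reasons = ["Run key loads a DLL export via rundll32 instead of a program"]
                if looks_random(stem_of(r.group("dll"))):
                    reasons.append("random-looking file name")
                findings.append(("O4", r.group("dll"), reasons))
    return findings


def suspect_files(findings):
    """File names that tripped two or more signals, sorted."""
    return sorted({ntpath.basename(p).lower() for _, p, r in findings if len(r) >= 2})


if __name__ == "__main__":
    for section, path, reasons in triage(SAMPLE_LOG):
        print(f"{section:<4}{path}")
        for reason in reasons:
            print(f"      - {reason}")
    print("suspect files:", ", ".join(suspect_files(triage(SAMPLE_LOG))))
```

Run on the sample, the script reports the two nameless BHOs, the `[setup]` Run key and the two unknown Winlogon Notify packages, and `suspect_files` comes out as efccawu.dll, jkhhg.dll and rfsrgtxn.dll, the three DLLs that VundoFix later removes in this thread. WgaLogon.dll, ctfmon.exe and the Java ssv.dll are left alone. Treat the output as a worklist for a human, not a verdict: a nameless BHO with a legitimate path scores only one weak signal, and the allowlist has to be maintained for the Windows version in question.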


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:01:43 PM

Posted 03 June 2007 - 02:05 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, shizzledizzle :thumbsup:

My name is Richie and I'll be helping you to fix your problems.

Right click on a blank area of your desktop and select 'New', then select 'Folder'.
Right click over that new folder and select 'Rename', and rename it to HJT.
Now move HijackThis into the HJT folder and run it from there please.

**************************

Download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

**************************

Download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log into your next reply.

#3 shizzledizzle

shizzledizzle
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:43 PM

Posted 03 June 2007 - 04:46 PM

THX VERY MUCH FOR YOUR TIME AND HELP !!!!

Logfile of HijackThis v1.99.1
Scan saved at 23:40:16, on 2007-06-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program\Java\jre1.6.0_01\bin\jusched.exe
C:\Program\HP\HP Software Update\HPWuSchd2.exe
C:\Program\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe
C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program\Delade filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program\AntiVir PersonalEdition Classic\sched.exe
C:\Program\AntiVir PersonalEdition Classic\avguard.exe
C:\Program\Agnitum\OUTPOS~1\outpost.exe
C:\Program\Spyware Doctor\svcntaux.exe
C:\Program\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\alg.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Beno\Skrivbord\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Lšnkar
O2 - BHO: (no name) - {6FF28594-EE2F-4FC1-AD6D-AEC1C8874FF7} - C:\WINDOWS\system32\jkhhg.dll (file missing)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SDTray] C:\Program\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Snabbstarta.lnk = C:\Program\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\Program\Agnitum\Outpost Firewall\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\Program\Agnitum\Outpost Firewall\TRASH.EXE (HKCU)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141686721000
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\Program\Agnitum\OUTPOS~1\outpost.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program\Spyware Doctor\swdsvc.exe



VundoFix V6.4.2

Checking Java version...

Sun Java not detected
Scan started at 23:15:30 2007-06-03

Listing files found while scanning....

C:\WINDOWS\system32\efccawu.dll
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.ini2
C:\WINDOWS\system32\ghhkj.tmp
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\nxtgrsfr.ini
C:\WINDOWS\system32\rfsrgtxn.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\efccawu.dll
C:\WINDOWS\system32\efccawu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\ghhkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.ini2
C:\WINDOWS\system32\ghhkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.tmp
C:\WINDOWS\system32\ghhkj.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\jkhhg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nxtgrsfr.ini
C:\WINDOWS\system32\nxtgrsfr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rfsrgtxn.dll
C:\WINDOWS\system32\rfsrgtxn.dll Has been deleted!

Performing Repairs to the registry.
Done!


"Beno" - 2007-06-03 23:29:45 Service Pack 2 NTFS
ComboFix 07-06-3 - Running from: "C:\Documents and Settings\Beno\Skrivbord\"


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((( Files Created from 2007-05-03 to 2007-06-03 )))))))))))))))))))))))))))))))


2007-06-03 23:15 <KAT> d-------- C:\VundoFix Backups
2007-06-03 18:18 <KAT> d-------- C:\Program\Delade filer\Agnitum Shared
2007-06-03 18:18 <KAT> d-------- C:\Program\Agnitum
2007-06-03 15:30 <KAT> dr------- C:\DOCUME~1\NETWOR~1\Favoriter
2007-06-03 15:30 <KAT> d-------- C:\DOCUME~1\NETWOR~1\Skrivbord
2007-06-03 12:35 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-06-03 12:35 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-06-03 12:35 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-06-03 12:35 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-06-03 12:35 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-06-03 12:35 <KAT> d-------- C:\Program\Spyware Doctor
2007-06-03 12:35 <KAT> d-------- C:\DOCUME~1\Beno\APPLIC~1\PC Tools
2007-06-03 12:00 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-02 23:44 2,580 --a------ C:\WINDOWS\system32\ytgheelj.exe
2007-06-02 23:43 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-06-02 23:43 <KAT> d-------- C:\Program\WinAntiVirus Pro 2006
2007-05-31 13:26 <KAT> d-------- C:\DOCUME~1\Beno\APPLIC~1\Ahead
2007-05-31 13:24 <KAT> d-------- C:\Program\Nero
2007-05-31 13:24 <KAT> d-------- C:\Program\Delade filer\Ahead
2007-05-31 13:24 <KAT> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-05-17 16:34 <KAT> d-------- C:\Program\Bestpoker
2007-05-11 21:59 <KAT> d-------- C:\DOCUME~1\Beno\APPLIC~1\Google
2007-05-10 01:43 <KAT> d-------- C:\Program\Microsoft CAPICOM 2.1.0.2
2007-05-09 17:34 2,452 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-06 22:51 <KAT> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-03 21:11:24 200 ----a-w C:\WINDOWS\AUDC70UI.dat
2007-06-03 12:47:59 -------- d--h--w C:\Program\InstallShield Installation Information
2007-06-03 11:19:52 -------- d-----w C:\Program\Pinnacle
2007-06-02 21:37:13 -------- d-----w C:\Program\Sunbelt Software
2007-05-28 18:46:54 -------- d-----w C:\Program\DC++
2007-05-11 19:59:01 -------- d-----w C:\Program\Google
2007-04-22 12:55:07 -------- d-----w C:\DOCUME~1\Beno\APPLIC~1\Microgaming
2007-04-22 10:15:02 -------- d-----w C:\Program\Microgaming
2007-04-19 13:30:06 -------- d-----w C:\Program\VstPlugins
2007-04-19 13:30:05 -------- d-----w C:\Program\Image-Line
2007-04-19 13:13:29 -------- d-----w C:\Program\ASIO4ALL v2
2007-04-18 16:14:40 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-18 11:40:32 -------- d-----w C:\Program\TPTEST5
2007-04-07 11:22:03 -------- d-----w C:\Program\Audio Converter
2007-03-25 09:17:44 69,816 ----a-w C:\WINDOWS\system32\perfc01D.dat
2007-03-25 09:17:44 402,736 ----a-w C:\WINDOWS\system32\perfh01D.dat
2007-03-17 18:42:15 4,703 ----a-w C:\WINDOWS\mozver.dat
2007-03-17 13:45:59 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:39:13 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:39:13 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:39:13 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:38:05 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{6FF28594-EE2F-4FC1-AD6D-AEC1C8874FF7}=C:\WINDOWS\system32\jkhhg.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"@"="" []
"ATICCC"="C:\Program\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 14:25]
"NVMixerTray"="C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"HP Software Update"="C:\Program\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"avgnt"="C:\Program\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-20 14:03]
"TkBellExe"="C:\Program\Delade filer\Real\Update_OB\realsched.exe" [2006-04-25 10:21]
"QuickTime Task"="C:\Program\QuickTime\qttask.exe" [2007-02-16 11:54]
"NeroFilterCheck"="C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"SDTray"="C:\Program\Spyware Doctor\SDTrayApp.exe" [2007-05-17 12:02]
"Outpost Firewall"="C:\Program\Agnitum\Outpost Firewall\outpost.exe" [2003-07-16 17:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:34]
"msnmsgr"="C:\Program\MSN Messenger\msnmsgr.exe" [2006-01-24 21:32]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=
"ATICCC"="C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1486d5dd-c300-11d9-b86b-806d6172696f}]
AutoRun\command- D:\SETUP.EXE /UPDATE


Contents of the 'Scheduled Tasks' folder
2007-03-21 16:25:04 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-03 23:34:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-03 23:36:07 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-03 23:35

--- E O F ---
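
The ComboFix "Files Created" listing above is what the helper uses to pick the next targets: a small executable dropped into system32 at 23:44 on 2007-06-02, one minute after a new "WinAntiVirus Pro 2006" folder appeared. As an added example (not code from this thread or from ComboFix), the script below parses that listing, groups entries into time clusters, and flags clusters where executables landed in the Windows system32 tree at the same moment a new folder appeared under C:\Program, which is the footprint an installer leaves whether the user wanted it or not. The five-minute window and the path patterns are assumptions chosen for illustration; the sample lines are a subset copied from the report above.

```python
"""Cluster a ComboFix 'Files Created' listing by time and flag clusters that
pair executables in the system32 tree with a new program folder.
Added example, not ComboFix code."""
import re
from collections import namedtuple
from datetime import datetime, timedelta

Entry = namedtuple("Entry", "ts is_dir size path")

# ComboFix prints: <date> <time> <size or directory marker> <attributes> <path>.
# '<KAT>' is the directory marker on this Swedish-locale machine.
RE_ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>\S+)\s+"
    r"(?P<attr>[-a-z]{9})\s+(?P<path>.+)$")

# Lines copied from the ComboFix report in this thread (subset).
SAMPLE_LISTING = [
    r"2007-06-03 23:15 <KAT> d-------- C:\VundoFix Backups",
    r"2007-06-03 18:18 <KAT> d-------- C:\Program\Delade filer\Agnitum Shared",
    r"2007-06-03 18:18 <KAT> d-------- C:\Program\Agnitum",
    r"2007-06-03 12:35 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys",
    r"2007-06-03 12:35 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys",
    r"2007-06-03 12:35 <KAT> d-------- C:\Program\Spyware Doctor",
    r"2007-06-03 12:35 <KAT> d-------- C:\DOCUME~1\Beno\APPLIC~1\PC Tools",
    r"2007-06-03 12:00 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll",
    r"2007-06-02 23:44 2,580 --a------ C:\WINDOWS\system32\ytgheelj.exe",
    r"2007-06-02 23:43 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll",
    r"2007-06-02 23:43 <KAT> d-------- C:\Program\WinAntiVirus Pro 2006",
    r"2007-05-31 13:24 <KAT> d-------- C:\Program\Nero",
    r"2007-05-17 16:34 <KAT> d-------- C:\Program\Bestpoker",
]

EXEC_EXT = (".exe", ".dll", ".sys")


def parse_created(lines):
    """Parse listing lines into Entry records, oldest first."""
    entries = []
    for line in lines:
        m = RE_ENTRY.match(line.strip())
        if not m:
            continue
        is_dir = m.group("size").startswith("<")
        size = None if is_dir else int(m.group("size").replace(",", ""))
        entries.append(Entry(datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M"),
                             is_dir, size, m.group("path")))
    return sorted(entries, key=lambda e: e.ts)  # stable: same-minute order kept


def cluster(entries, gap=timedelta(minutes=5)):
    """Split time-ordered entries wherever consecutive timestamps are more
    than `gap` apart (assumed window, not a ComboFix setting)."""
    groups = []
    for e in entries:
        if groups and e.ts - groups[-1][-1].ts <= gap:
            groups[-1].append(e)
        else:
            groups.append([e])
    return groups


def suspicious_clusters(groups):
    """Clusters that pair new executables in the system32 tree with a new
    folder under the Program directory: (start time, executables, folders)."""
    out = []
    for g in groups:
        drops = [e for e in g if not e.is_dir
                 and e.path.lower().endswith(EXEC_EXT)
                 and "\\windows\\system32\\" in e.path.lower()]
        dirs = [e for e in g if e.is_dir and e.path.lower().startswith("c:\\program\\")]
        if drops and dirs:
            out.append((g[0].ts, drops, dirs))
    return out


if __name__ == "__main__":
    for start, drops, dirs in suspicious_clusters(cluster(parse_created(SAMPLE_LISTING))):
        print(f"cluster starting {start:%Y-%m-%d %H:%M}")
        for e in drops:
            print(f"  exe  {e.size:>9,} {e.path}")
        for e in dirs:
            print(f"  dir            {e.path}")
```

On the sample this flags two clusters. The 2007-06-02 23:43 cluster (SpOrder.dll, ytgheelj.exe and the WinAntiVirus Pro 2006 folder) is the one the helper targets with the Avenger script in the next post. The 2007-06-03 12:35 cluster (the ik*.sys and kcom.sys drivers with the Spyware Doctor folder) is Spyware Doctor, which the poster said in the first post they installed themselves. That is the point of the technique: clustering narrows the listing to a handful of install events, and the analyst then matches each against what the user knowingly did.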

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:01:43 PM

Posted 03 June 2007 - 05:03 PM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\system32\ytgheelj.exe

Folders to delete:
C:\Program\WinAntiVirus Pro 2006

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

***************************

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {6FF28594-EE2F-4FC1-AD6D-AEC1C8874FF7} - C:\WINDOWS\system32\jkhhg.dll (file missing)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

Exit Hijackthis.

***************************

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

***************************

Restart your pc.
Post Avenger output.txt, and a new HijackThis log into your next reply.
Let me know how your pc is running now.


#5 shizzledizzle

shizzledizzle
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:43 PM

Posted 03 June 2007 - 05:37 PM

The popup about the trojan has stopped, so I guess that problem is gone. The computer is running just fine, except when I start it up an autorun comes on about a Windows Installer PhotoGallery?!?!? I have no idea what this is, but it also started today. It goes until it says that I must insert a CD for the install to continue; then I just hit cancel till it stops and goes away. Otherwise everything seems to work great!!!

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jvicexof

*******************

Script file located at: \??\C:\Documents and Settings\bgjntfvl.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\ytgheelj.exe deleted successfully.
Folder C:\Program\WinAntiVirus Pro 2006 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Logfile of HijackThis v1.99.1
Scan saved at 00:31:50, on 2007-06-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program\Java\jre1.6.0_01\bin\jusched.exe
C:\Program\HP\HP Software Update\HPWuSchd2.exe
C:\Program\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\AntiVir PersonalEdition Classic\sched.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Spyware Doctor\SDTrayApp.exe
C:\Program\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Agnitum\OUTPOS~1\outpost.exe
C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe
C:\Program\Spyware Doctor\svcntaux.exe
C:\Program\ATI Technologies\ATI.ACE\CLI.exe
C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program\Delade filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Beno\Skrivbord\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Lšnkar
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SDTray] C:\Program\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Snabbstarta.lnk = C:\Program\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\Program\Agnitum\Outpost Firewall\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\Program\Agnitum\Outpost Firewall\TRASH.EXE (HKCU)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141686721000
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\Program\Agnitum\OUTPOS~1\outpost.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program\Spyware Doctor\swdsvc.exe
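As an added example (not from this thread or from HijackThis itself), a small Python parser for the O4/O18/O23 lines in the log above: it pulls the image path out of each Run-key command line and service entry and lists the items a log reviewer checks by hand, namely "(file missing)" references and services with no publisher string. The sample lines are copied from the log above; the two review rules are this example's own assumption, not HijackThis's logic.

```python
import re

# Sample input: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: NBService - Nero AG - C:\Program\Nero\Nero 7\Nero BackItUp\NBService.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# A command line is either "quoted path" [args] or a bare path (may contain spaces) [args].
EXE_RE = re.compile(r'^"(?P<quoted>[^"]+)"|^(?P<bare>.+?\.(?:exe|dll))(?:\s|$)', re.IGNORECASE)


def image_path(cmd):
    """Return the program file referenced by a Run-key command line, without its arguments."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return None
    return m.group("quoted") or m.group("bare")


def parse_hjt(text):
    """Parse 'Oxx - ...' lines into dicts; lines that are not HJT entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        entry = {"section": section, "raw": line.strip(), "name": None, "owner": None, "path": None}
        if section == "O4" and (r := RUN_RE.match(body)):
            entry.update(name=r["name"], path=image_path(r["cmd"]))
        elif section == "O23" and (s := SVC_RE.match(body)):
            entry.update(name=s["name"], owner=s["owner"], path=s["path"].strip())
        entries.append(entry)
    return entries


def triage(entries):
    """Assumed review rules: orphaned file references and services with no company/publisher string."""
    findings = []
    for e in entries:
        if "(file missing)" in e["raw"]:
            findings.append((e["section"], "points at a file that no longer exists", e["raw"]))
        if e["section"] == "O23" and e["owner"] == "Unknown owner":
            findings.append((e["section"], "service binary carries no publisher string; verify it", e["path"]))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}: {detail}")
```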

#6 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 03 June 2007 - 05:55 PM

Your log is clean :thumbsup:
If all's ok, please do the following:

Find and delete:
VundoFix.exe
Combofix
Avenger

C:\VundoFix Backups
C:\Avenger
C:\QooBox

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

the computer is running just fine except when I start it up an autorun comes on about a Windows Installer PhotoGallery ?!?!? .. have no idea what this is but it also started today .. it goes until it says that I must insert a CD for the install to continue then I just hit cancel till it stops and goes away

If you have an HP printer or any HP digital imaging software on your pc, try uninstalling/reinstalling it.

#7 shizzledizzle (Topic Starter, Members, 5 posts)

Posted 06 June 2007 - 01:13 PM

Everything works great today ... thx so much for your help ... keep up the great work. .. thx once again //Shizzle

#8 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 06 June 2007 - 01:23 PM

You're most welcome :thumbsup:

Since your problem appears to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.