Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Need help to know if I have a possible key log/bad viruses!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Need help to know if I have a possible key log/bad viruses!

Unread postby Ozzmark » September 16th, 2006, 4:22 pm

Here is my Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 4:19:02 PM, on 16/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\PROGRA~1\SYMANT~1\VPTray.exe
G:\WINDOWS\system32\RunDLL32.exe
G:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
G:\Program Files\Symantec AntiVirus\DefWatch.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\Program Files\Symantec AntiVirus\Rtvscan.exe
G:\WINDOWS\system32\wscntfy.exe
G:\Program Files\Xfire\Xfire.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] G:\Program Files\Common Files\AOL\1153179304\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] G:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] G:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickFinder Scheduler] "G:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [ISUSPM Startup] "G:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "G:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [Steam] "g:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [4ddd44b5.exe] G:\Documents and Settings\Mark\Local Settings\Application Data\4ddd44b5.exe
O8 - Extra context menu item: Open with WordPerfect - G:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/insta ... rstart.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0320453281
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgCA2404.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "G:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - G:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Program Files\Symantec AntiVirus\Rtvscan.exe



(Would really help if someone could point out malicous programs and help me please :cry: )
Ozzmark
Regular Member
 
Posts: 56
Joined: September 16th, 2006, 4:14 pm
Advertisement
Register to Remove

Unread postby waterfalls » September 16th, 2006, 10:00 pm

Hi,

Welcome to MalwareRemoval! Please do the following.

I see that Windows is located on your G:\ drive, but you have HijackThis on your C:\ drive. So, I want you to do the following.

• Make a new folder on your G:\ drive called HJT or HijackThis (it does not matter which name you choose). Then move HijackThis.exe to the new folder. This is because it is preferable that the HijackThis program run from the drive where Windows is located.

• Now, navigate to the newly-created folder and re-name HijackThis.exe to kitty.exe

• Finally, double-click onto kitty.exe (which is still Hijackthis) and post back with the new HijackThis log.
User avatar
waterfalls
MRU Emeritus
MRU Emeritus
 
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby Ozzmark » September 17th, 2006, 2:26 am

Logfile of HijackThis v1.99.1
Scan saved at 2:26:07 AM, on 17/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\PROGRA~1\SYMANT~1\VPTray.exe
G:\WINDOWS\system32\RunDLL32.exe
G:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
G:\Program Files\Symantec AntiVirus\DefWatch.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\Program Files\Symantec AntiVirus\Rtvscan.exe
G:\WINDOWS\system32\wscntfy.exe
G:\WINDOWS\System32\svchost.exe
g:\program files\common files\installshield\updateservice\isuspm.exe
G:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
G:\WINDOWS\explorer.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\HijackThis\kitty.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {04B546AE-6CC7-4015-A725-5ED31023C83C} - G:\WINDOWS\system32\mljgf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - G:\WINDOWS\g25690546.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] G:\Program Files\Common Files\AOL\1153179304\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] G:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] G:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickFinder Scheduler] "G:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [ISUSPM Startup] "g:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "G:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [Steam] "g:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [4ddd44b5.exe] G:\Documents and Settings\Mark\Local Settings\Application Data\4ddd44b5.exe
O8 - Extra context menu item: Open with WordPerfect - G:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/insta ... rstart.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0320453281
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgCA2404.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "G:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mljgf - G:\WINDOWS\system32\mljgf.dll
O20 - Winlogon Notify: NavLogon - G:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - G:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Program Files\Symantec AntiVirus\Rtvscan.exe
Ozzmark
Regular Member
 
Posts: 56
Joined: September 16th, 2006, 4:14 pm

Unread postby waterfalls » September 17th, 2006, 11:28 am

Please do the following exactly as stated and in the order given. Make sure that you run both of the following tools from your G:\ drive.

• Please download VundoFix.exe and save it to your Desktop.
- Double-click VundoFix.exe to run it
- Click the Scan for Vundo button
- Once it is done scanning, click the Remove Vundo button
- You will receive a prompt asking if you want to remove the files
- Click YES
- Once you click YES, your Desktop will go blank as it starts removing Vundo
- When completed, it will prompt that it will reboot your computer
- Click OK

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, so simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Once VundoFix has completed scanning, please do not run it again.
If you run it more than one time, you will overwrite the original log generated when it was run the first time.

• Download windelfkil.exe.
- Save it to your desktop.
- Close ALL windows.
- Double-click onto windelfkil.exe to start the removal tool.
- The computer will reboot automatically.
- After reboot, a logfile will open: G:\windelf.txt

• Post back with the contents of G:\vundofix.txt, G:\windelf.txt and a new HijackThis log.
User avatar
waterfalls
MRU Emeritus
MRU Emeritus
 
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby Ozzmark » September 17th, 2006, 12:09 pm

The last link you provided is a 404 not found.But I have the vundo log.
Ozzmark
Regular Member
 
Posts: 56
Joined: September 16th, 2006, 4:14 pm

Unread postby Ozzmark » September 17th, 2006, 12:13 pm

Vundo log

VundoFix V6.1.5

Checking Java version...

Java version is 1.5.0.6

Scan started at 11:50:13 AM 17/09/2006

Listing files found while scanning....

G:\WINDOWS\system32\mljgf.dll
G:\WINDOWS\system32\fgjlm.ini
G:\WINDOWS\system32\fgjlm.bak1
G:\WINDOWS\system32\fgjlm.bak2
G:\WINDOWS\system32\fgjlm.ini2
G:\WINDOWS\system32\fgjlm.tmp
G:\WINDOWS\system32\bugqunxb.exe
G:\WINDOWS\system32\iihfcvwg.exe
G:\WINDOWS\system32\uqtiabxh.exe
G:\WINDOWS\system32\wqmpqjhh.exe

Beginning removal...

Attempting to delete G:\WINDOWS\system32\mljgf.dll
G:\WINDOWS\system32\mljgf.dll Could not be deleted.

Attempting to delete G:\WINDOWS\system32\fgjlm.ini
G:\WINDOWS\system32\fgjlm.ini Has been deleted!

Attempting to delete G:\WINDOWS\system32\fgjlm.bak1
G:\WINDOWS\system32\fgjlm.bak1 Has been deleted!

Attempting to delete G:\WINDOWS\system32\fgjlm.bak2
G:\WINDOWS\system32\fgjlm.bak2 Has been deleted!

Attempting to delete G:\WINDOWS\system32\fgjlm.ini2
G:\WINDOWS\system32\fgjlm.ini2 Has been deleted!

Attempting to delete G:\WINDOWS\system32\fgjlm.tmp
G:\WINDOWS\system32\fgjlm.tmp Has been deleted!

Attempting to delete G:\WINDOWS\system32\bugqunxb.exe
G:\WINDOWS\system32\bugqunxb.exe Has been deleted!

Attempting to delete G:\WINDOWS\system32\iihfcvwg.exe
G:\WINDOWS\system32\iihfcvwg.exe Has been deleted!

Attempting to delete G:\WINDOWS\system32\uqtiabxh.exe
G:\WINDOWS\system32\uqtiabxh.exe Has been deleted!

Attempting to delete G:\WINDOWS\system32\wqmpqjhh.exe
G:\WINDOWS\system32\wqmpqjhh.exe Has been deleted!

Performing Repairs to the registry.
Done!
(Next is during reboot)
VundoFix V6.1.5

Checking Java version...

Java version is 1.5.0.6

Scan started at 12:00:32 PM 17/09/2006

Listing files found while scanning....

G:\WINDOWS\system32\mljgf.dll

Beginning removal...

Attempting to delete G:\WINDOWS\system32\mljgf.dll
G:\WINDOWS\system32\mljgf.dll Has been deleted!

Performing Repairs to the registry.
Done!

Hijackthis log


Logfile of HijackThis v1.99.1
Scan saved at 12:12:44 PM, on 17/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Symantec AntiVirus\DefWatch.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\Program Files\Symantec AntiVirus\Rtvscan.exe
G:\WINDOWS\system32\wscntfy.exe
G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
G:\Program Files\Common Files\AOL\1153179304\ee\AOLSoftware.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\PROGRA~1\SYMANT~1\VPTray.exe
G:\WINDOWS\system32\RunDLL32.exe
G:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\WINDOWS\system32\wuauclt.exe
g:\program files\common files\installshield\updateservice\isuspm.exe
G:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
G:\HijackThis\kitty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - G:\WINDOWS\g25690546.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] G:\Program Files\Common Files\AOL\1153179304\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] G:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] G:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickFinder Scheduler] "G:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [ISUSPM Startup] "g:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "G:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [Steam] "g:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [4ddd44b5.exe] G:\Documents and Settings\Mark\Local Settings\Application Data\4ddd44b5.exe
O8 - Extra context menu item: Open with WordPerfect - G:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/insta ... rstart.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0320453281
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgCA2404.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "G:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - G:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - G:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Program Files\Symantec AntiVirus\Rtvscan.exe
Ozzmark
Regular Member
 
Posts: 56
Joined: September 16th, 2006, 4:14 pm

Unread postby waterfalls » September 17th, 2006, 12:25 pm

http://users.telenet.be/marcvn/tools/win32delfkil.exe

- Save it to your desktop.
- Close ALL windows.
- Double-click onto windelfkil.exe to start the removal tool.
- The computer will reboot automatically.
- After reboot, a logfile will open: G:\windelf.txt

• Post back with the contents of G:\windelf.txt and a new HijackThis log.
User avatar
waterfalls
MRU Emeritus
MRU Emeritus
 
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby Ozzmark » September 17th, 2006, 12:34 pm

WIN32DELFKIL LOGFILE - by Marckie


version 3.03
17/09/2006 12:31:09.25
running from: "G:\Documents and Settings\Mark\Desktop"


--- File(s) found in Windows directory ---
g10598781.dll
g11912796.dll
g11918390.dll
g13239578.dll
g1472843.dll
g156843.dll
g16961312.dll
g18283156.dll
g19604031.dll
g20721703.dll
g23445812.dll
g24765265.dll
g25690546.dll
g26086203.dll
g2791656.dll
g29927375.dll
g31247187.dll
g32567062.dll
g36408218.dll
g37612343.dll
g38932375.dll
g42891609.dll
g44114437.dll
g45310000.dll
g5435546.dll
g6756140.dll

--- File(s) found in system32 folder ---

--- Export SharedTaskScheduler key ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"


--- Notify key ---


--- rebooting the computer ---


--- File(s) found in Windows directory ---
g10598781.dll
g11912796.dll
g11918390.dll
g13239578.dll
g1472843.dll
g156843.dll
g16961312.dll
g18283156.dll
g19604031.dll
g20721703.dll
g23445812.dll
g24765265.dll
g25690546.dll
g26086203.dll
g2791656.dll
g29927375.dll
g31247187.dll
g32567062.dll
g36408218.dll
g37612343.dll
g38932375.dll
g42891609.dll
g44114437.dll
g45310000.dll
g5435546.dll
g6756140.dll

--- File(s) found in system32 folder ---

--- Export SharedTaskSchedulerkey ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



--- Notify key ---

Finished!
Ozzmark
Regular Member
 
Posts: 56
Joined: September 16th, 2006, 4:14 pm

Unread postby waterfalls » September 17th, 2006, 12:41 pm

Hi,

Well, things are looking much better. We got rid of a LOT of malware.

Please post a new HijackThis log.
User avatar
waterfalls
MRU Emeritus
MRU Emeritus
 
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby Ozzmark » September 17th, 2006, 12:44 pm

That's good news :D Thanks for all the help by the way!


Logfile of HijackThis v1.99.1
Scan saved at 12:43:30 PM, on 17/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Symantec AntiVirus\DefWatch.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\Program Files\Symantec AntiVirus\Rtvscan.exe
G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
G:\Program Files\Common Files\AOL\1153179304\ee\AOLSoftware.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\PROGRA~1\SYMANT~1\VPTray.exe
G:\WINDOWS\system32\RunDLL32.exe
G:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
G:\WINDOWS\system32\wscntfy.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\HijackThis\kitty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] G:\Program Files\Common Files\AOL\1153179304\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] G:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] G:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickFinder Scheduler] "G:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [ISUSPM Startup] "G:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "G:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [Steam] "g:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [4ddd44b5.exe] G:\Documents and Settings\Mark\Local Settings\Application Data\4ddd44b5.exe
O8 - Extra context menu item: Open with WordPerfect - G:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/insta ... rstart.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0320453281
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgCA2404.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "G:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - G:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - G:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Program Files\Symantec AntiVirus\Rtvscan.exe
Ozzmark
Regular Member
 
Posts: 56
Joined: September 16th, 2006, 4:14 pm

Unread postby waterfalls » September 17th, 2006, 1:05 pm

Hi,

Yes, your system was badly infected, and we still have some more work to do.

• Please set your system to show all files.
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab. Under the Hidden files and folders heading, select Show hidden files
and folders.
- Uncheck: Hide file extensions for known file types
- Uncheck the Hide protected operating system files (recommended) option.
- Click Yes to confirm.
- Click OK.

• Reboot into SAFE MODE.
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

• Start HijackThis, click System Scan Only and place a checkmark next to the following items:
O4 - HKCU\..\Run: [4ddd44b5.exe] G:\Documents and Settings\Mark\Local Settings\Application Data\4ddd44b5.exe
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgCA2404.exe


Close ALL browsers and open windows/programs except HijackThis and click 'Fix Checked'. Exit the program.

• Navigate to and delete the following program if present:
G:\Documents and Settings\Mark\Local Settings\Application Data\4ddd44b5.exe

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.


• Reboot into Normal Mode.

• Perform an onlinescan with Panda Online. Please use this scanner instead of any other scanner! You have to use Internet Explorer for this scan.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component, allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the "See Report" button, then "Save Report" and save it to a convenient location.

• Post back with the results of the Panda scan and a new HijackThis log
User avatar
waterfalls
MRU Emeritus
MRU Emeritus
 
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby Ozzmark » September 17th, 2006, 1:26 pm

I see the prompt for safe mode,but I tap F8,I smash F8 and it doesn't respond.....My keyboard is non responsive when my computer is rebooting...It is a logitech usb keyboard and it does not let me use it during the boot process...Do I have to find a different key board?
Ozzmark
Regular Member
 
Posts: 56
Joined: September 16th, 2006, 4:14 pm

Unread postby waterfalls » September 17th, 2006, 1:49 pm

Hi,

When you reboot, start tapping F8 - don't smash it. :)

When the prompt or screen showing Safe Mode as an option appears, use your arrow key to navigate to Safe Mode so that it is highlighted - then press Enter. There's another screen that will ask if you want to load into Safe Mode - just press Enter.

You should now be able to get into Safe Mode. If you can't, then follow the instructions in Normal Mode. Do try, however, to boot into Safe Mode. I'm not sure if that file will be able to be deleted in Normal Mode.
User avatar
waterfalls
MRU Emeritus
MRU Emeritus
 
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby Ozzmark » September 17th, 2006, 2:06 pm

Well I got into safe mode,But the arrow keys don't work...I try *lightly* tapping them...I'll attempt normal mode.Or would it best to wait a few hours and use a different key board?Because I can obtain one later.
Ozzmark
Regular Member
 
Posts: 56
Joined: September 16th, 2006, 4:14 pm

Unread postby Ozzmark » September 17th, 2006, 2:07 pm

I mean I got to the prompt for safe mode...Sorry for these posts that are pretty useless.
Ozzmark
Regular Member
 
Posts: 56
Joined: September 16th, 2006, 4:14 pm
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 290 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware