I don't know what I have. Please help! (log included)


Post by kelsier » May 25th, 2007, 9:29 pm

Logfile of HijackThis v1.99.1
Scan saved at 9:25:39 PM, on 5/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ResChanger 2005\ResChanger2005.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\appo3oi\My Documents\Unzipped\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {eaa8a281-b625-473b-9720-20c89dcf0ae0} - C:\WINDOWS\system32\d3dvid.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\pmkkij.dll",realset
O4 - HKCU\..\Run: [ResChanger 2005] C:\Program Files\ResChanger 2005\ResChanger2005.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4754700640
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedow ... in9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: c:\windows\system32\jkklkhf.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: d3dvid - C:\WINDOWS\SYSTEM32\d3dvid.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Post by John B. » May 26th, 2007, 6:06 am

Hi, and welcome to the Malware Removal forums.
My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happens.
I am currently looking over your log. As I am a trainee, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long. I will post back shortly with a potential fix.

Please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Greets, John.

Post by John B. » May 26th, 2007, 12:22 pm

Hi,

You've got one infection which can be easy to remove or stubborn. After running today's fix you may still get pop-ups and will see no result, but please be patient as we may have to run the tool multiple times to successfully remove the infection.

You aren't running Firewall Software. Please download and install one of them first!

Use a Firewall - Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient but it only controls one way of the traffic (inbound/outbound not sure). Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
Computer Safety On line - Software Firewalls
I use ZoneAlarm Free Edition (which is free for personal use) but you might just prefer something different!

Once you have done this, we can begin with the fix.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Greets, John.

Post by kelsier » May 26th, 2007, 3:37 pm

Hi John,
First off I want to say THANK YOU VERY MUCH! for looking into this issue, and here are the logs. I have done everything you told me to and I also installed the free version of ZoneAlarm.


VundoFix V6.4.1

Checking Java version...

Scan started at 2:51:02 PM 5/26/2007

Listing files found while scanning....

C:\WINDOWS\jmnmoq.ini
C:\WINDOWS\qomnmj.dll

Beginning removal...

Attempting to delete C:\WINDOWS\jmnmoq.ini
C:\WINDOWS\jmnmoq.ini Has been deleted!

Attempting to delete C:\WINDOWS\qomnmj.dll
C:\WINDOWS\qomnmj.dll Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of HijackThis v1.99.1
Scan saved at 3:35:36 PM, on 5/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ResChanger 2005\ResChanger2005.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\appo3oi\My Documents\Unzipped\hijackthis\Scanner.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmpABB.tmp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {eaa8a281-b625-473b-9720-20c89dcf0ae0} - C:\WINDOWS\system32\d3dvid.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ResChanger 2005] C:\Program Files\ResChanger 2005\ResChanger2005.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4754700640
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedow ... in9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: c:\windows\system32\jkklkhf.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: d3dvid - C:\WINDOWS\SYSTEM32\d3dvid.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Thanks again! :D

Post by John B. » May 27th, 2007, 6:20 pm

Hi,

I see some files removed but a lot are still present. Let's use another tool.

Step 1: Disable TrojanHunter
It is a good program but it can interfere with our fixes, so please disable it, and when you're all clean you can re-enable it!
  • Go to TrojanHunter Guard in the lower right corner of your screen. It is a light blue magnifying glass icon with a red handle.
  • Right click it and select Settings.
  • Uncheck Load at startup and Enabled.
Step 2: Download and Run ComboFix

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Greets, John.
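As an added example (not a tool from this thread or from MalwareRemoval.com): a small Python triage script that applies rules of thumb to the load-point lines of a HijackThis log like the two posted above, then compares the first and second logs to list which flagged entries the VundoFix run did not clear. The sample lines are constructed from the logs in this thread; the heuristics and the Winlogon Notify allowlist are my assumptions, not the helper's criteria.

```python
import re

# Constructed sample: load-point entries in the shape of the first HijackThis
# log posted in this thread, trimmed to the sections the triage inspects.
LOG_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - (no file)
O2 - BHO: (no name) - {eaa8a281-b625-473b-9720-20c89dcf0ae0} - C:\WINDOWS\system32\d3dvid.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\pmkkij.dll",realset
O20 - AppInit_DLLs: c:\windows\system32\jkklkhf.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: d3dvid - C:\WINDOWS\SYSTEM32\d3dvid.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed: the same entries as they appear in the second log, after VundoFix:
# the orphaned BHO now points at a tmp*.tmp.dll and the [setup] Run key is gone.
LOG_AFTER = "\n".join(
    line
    for line in LOG_BEFORE.replace("(no file)", r"C:\WINDOWS\system32\tmpABB.tmp.dll").splitlines()
    if "[setup]" not in line
)

CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# First drive-letter path ending in .dll/.exe; stops at quotes and commas so
# rundll32 arguments such as ",realset" are not swallowed.
PATH = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:dll|exe)', re.I)
# Assumed known-good Winlogon Notify packages for this machine (my assumption,
# not a list from the helper): the anti-spyware hook and the WGA package.
WINLOGON_ALLOW = {"wgalogon", "!saswinlogon"}


def parse(log_text):
    """Split O-lines into section/key/body/path; key names the load point."""
    entries = []
    for line in log_text.splitlines():
        m = re.match(r"(O\d+) - (.*)", line.strip())
        if not m:
            continue
        section, body = m.groups()
        key = body
        if section == "O2":                      # BHOs are identified by CLSID
            c = CLSID.search(body)
            key = c.group(0).lower() if c else body
        elif section == "O4":                    # Run keys by their value name
            b = re.search(r"\[([^\]]+)\]", body)
            key = b.group(1) if b else body
        elif section == "O20":                   # Notify package name or AppInit_DLLs
            key = body.split(" - ")[0] if body.startswith("Winlogon Notify") else body.split(":")[0]
        p = PATH.search(body)
        entries.append({"section": section, "key": key, "body": body,
                        "path": p.group(0) if p else None})
    return entries


def triage(log_text):
    """Apply rules of thumb to the load points and return the suspicious ones."""
    entries = parse(log_text)
    bho_dlls = {e["path"].lower() for e in entries if e["section"] == "O2" and e["path"]}
    findings = []
    for e in entries:
        sec, body, path = e["section"], e["body"], e["path"]
        low = path.lower() if path else ""
        if sec == "O2" and "(no name)" in body and (path is None or low.startswith("c:\\windows\\")):
            reason = "unnamed BHO with no backing file or loaded from the Windows directory"
        elif sec == "O4" and "rundll32" in body.lower() and low.rsplit("\\", 1)[0] == "c:\\windows":
            reason = "Run key uses rundll32 to load a DLL dropped in the Windows root"
        elif sec == "O20" and body.startswith("AppInit_DLLs"):
            reason = "AppInit_DLLs is populated; that DLL is injected into every GUI process"
        elif sec == "O20" and body.startswith("Winlogon Notify"):
            if e["key"].split(": ", 1)[1].lower() in WINLOGON_ALLOW:
                continue
            reason = "Winlogon Notify package outside the known-good list"
            if low in bho_dlls:
                reason += "; the same DLL is also registered as a BHO"
        else:
            continue
        findings.append({"key": e["key"], "path": path, "reason": reason})
    return findings


def persisting(before, after):
    """Flagged load points in both logs (what the first fix did not clear), and those gone."""
    b = {f["key"] for f in triage(before)}
    a = {f["key"] for f in triage(after)}
    return sorted(b & a), sorted(b - a)


if __name__ == "__main__":
    for f in triage(LOG_BEFORE):
        print(f"{f['key']:45} {f['reason']} ({f['path']})")
    kept, gone = persisting(LOG_BEFORE, LOG_AFTER)
    print("still present after VundoFix:", kept)
    print("cleared by VundoFix:", gone)
```

Note how the unnamed Spybot BHO under Program Files is left alone while the unnamed BHO in system32 is flagged, and how d3dvid.dll is raised once more because it sits in two load points at once.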

Post by kelsier » May 27th, 2007, 6:36 pm

Hi,
here are the logs you requested.

"appo3oi" - 2007-05-27 18:28:32 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\appo3oi\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\system32\tmp12DF.tmp.dll"
"C:\WINDOWS\system32\tmp12E0.tmp.dll"
"C:\WINDOWS\system32\tmp164.tmp.dll"
"C:\WINDOWS\system32\tmp30.tmp.dll"
"C:\WINDOWS\system32\tmp36C.tmp.dll"
"C:\WINDOWS\system32\tmp533.tmp.dll"
"C:\WINDOWS\system32\tmp638.tmp.dll"
"C:\WINDOWS\system32\tmpABB.tmp.dll"
"C:\WINDOWS\system32\tmpB8.tmp.dll"
"C:\WINDOWS\system32\tmpC7.tmp.dll"
"C:\WINDOWS\system32\perfc000.dat"


((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 ))))))))))))))))))))))))))))))))))


2007-05-26 18:34 233,481 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp135B.tmp.exe
2007-05-26 18:34 106,326 --a------ C:\WINDOWS\hgdecb.dll
2007-05-26 18:30 50,617 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp12E0.tmp.exe
2007-05-26 18:30 50,617 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp12DF.tmp.exe
2007-05-26 15:59 233,436 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp2C8.tmp.exe
2007-05-26 15:59 106,378 --a------ C:\WINDOWS\vtuspo.dll
2007-05-26 14:51 <DIR> d-------- C:\VundoFix Backups
2007-05-26 14:49 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-05-26 14:49 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-05-26 14:49 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-05-26 14:49 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-05-26 14:48 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-05-26 14:15 <DIR> d-------- C:\Program Files\Granado Espada
2007-05-26 13:54 16,384 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmpAD5.tmp.exe
2007-05-26 13:52 50,337 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmpABB.tmp.exe
2007-05-26 01:05 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\TrojanHunter
2007-05-26 00:53 <DIR> d-------- C:\DOCUME~1\appo3oi\APPLIC~1\TrojanHunter
2007-05-25 21:45 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-05-25 21:40 233,707 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp39B.tmp.exe
2007-05-25 21:37 50,366 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp36C.tmp.exe
2007-05-25 21:37 16,384 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp372.tmp.exe
2007-05-25 19:44 233,402 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp16C.tmp.exe
2007-05-25 19:44 106,382 --a------ C:\WINDOWS\pmkkij.dll
2007-05-25 19:43 50,654 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmpB8.tmp.exe
2007-05-25 19:43 16,384 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmpE7.tmp.exe
2007-05-25 19:16 16,384 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp39A.tmp.exe
2007-05-25 15:21 50,422 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp986.tmp.exe
2007-05-25 15:15 233,797 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp6C3.tmp.exe
2007-05-25 15:13 50,422 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp533.tmp.exe
2007-05-25 14:58 233,797 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp32.tmp.exe
2007-05-24 23:09 16,384 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp6C8.tmp.exe
2007-05-24 23:04 50,487 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp638.tmp.exe
2007-05-24 20:44 50,367 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp164.tmp.exe
2007-05-24 20:44 232,952 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp16D.tmp.exe
2007-05-24 20:44 16,384 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp16B.tmp.exe
2007-05-24 20:37 <DIR> d-------- C:\Program Files\a-squared Free
2007-05-24 19:56 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-24 19:54 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-24 19:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-24 19:30 <DIR> d-------- C:\DOCUME~1\appo3oi\APPLIC~1\SUPERAntiSpyware.com
2007-05-24 19:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-24 19:25 233,425 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp10A.tmp.exe
2007-05-24 19:25 16,384 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmpFF.tmp.exe
2007-05-24 19:25 106,483 --a------ C:\WINDOWS\pmligf.dll
2007-05-24 19:24 50,278 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmpFC.tmp.exe
2007-05-24 19:13 <DIR> d-------- C:\DOCUME~1\appo3oi\APPLIC~1\Lavasoft
2007-05-24 19:11 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-24 18:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-24 18:51 233,359 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp56.tmp.exe
2007-05-24 18:50 50,307 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp30.tmp.exe
2007-05-24 18:50 16,384 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp4D.tmp.exe
2007-05-24 16:36 233,105 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmp180.tmp.exe
2007-05-24 16:34 50,520 --a------ C:\DOCUME~1\appo3oi\APPLIC~1\tmpC7.tmp.exe
2007-05-24 16:32 58,796 --a------ C:\WINDOWS\48x.exe
2007-05-24 16:32 37,535 --a------ C:\WINDOWS\system32\d3dvid.dll
2007-05-24 16:32 12,010 --a------ C:\WINDOWS\system32\jkklkhf.dll
2007-05-24 14:27 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-05-24 00:09 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-05-24 00:00 12 --a------ C:\WINDOWS\system32\sl.bin
2007-05-24 00:00 12 --a------ C:\WINDOWS\system32\gtv_sd.bin
2007-05-22 23:06 <DIR> d-------- C:\Program Files\Veoh Networks
2007-05-05 20:11 3,082 --a------ C:\WINDOWS\system32\affv208325p1now.sys
2007-05-05 20:11 <DIR> d-------- C:\Program Files\WinAVIVideoConverter
2007-05-05 17:33 3,450 --a------ C:\WINDOWS\mozver.dat
2007-05-05 17:33 <DIR> d-------- C:\DOCUME~1\appo3oi\APPLIC~1\Talkback
2007-04-30 00:54 <DIR> d-------- C:\DOCUME~1\appo3oi\APPLIC~1\NeroDCTemplates
2007-04-28 23:05 <DIR> d-------- C:\Program Files\uTorrent
2007-04-28 23:05 <DIR> d-------- C:\DOCUME~1\appo3oi\APPLIC~1\uTorrent
2007-04-28 23:02 52,736 -ra------ C:\WINDOWS\system32\drivers\NVENETFD.sys
2007-04-28 23:02 446,464 --a------ C:\WINDOWS\system32\CapabilityTable.exe
2007-04-28 23:02 35,840 -ra------ C:\WINDOWS\system32\nvconrm.dll
2007-04-28 23:02 261,120 -ra------ C:\WINDOWS\system32\drivers\nvsnpu.sys
2007-04-28 23:02 208,896 --a------ C:\WINDOWS\system32\nvunrm.exe
2007-04-28 23:02 202,240 --a------ C:\WINDOWS\system32\fdco1.dll
2007-04-28 23:02 18,944 -ra------ C:\WINDOWS\system32\drivers\nvnetbus.sys
2007-04-28 23:02 110,080 -ra------ C:\WINDOWS\system32\drivers\nvtcp.sys
2007-04-28 23:02 10,240 -ra------ C:\WINDOWS\system32\bdco1.dll
2007-04-28 23:02 1,104,896 -ra------ C:\WINDOWS\system32\drivers\nvnrm.sys
2007-04-28 23:02 <DIR> d-------- C:\WINDOWS\NV18521392.TMP


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-27 16:54:22 -------- d-----w C:\Program Files\Warcraft III
2007-05-24 23:45:31 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-24 23:29:44 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-23 19:17:14 -------- d-----w C:\Program Files\Steam
2007-05-23 12:59:42 -------- d-----w C:\DOCUME~1\appo3oi\APPLIC~1\Ahead
2007-05-23 03:07:17 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-22 18:29:43 -------- d-----w C:\Program Files\World of Warcraft
2007-05-05 21:33:11 -------- d-----w C:\Program Files\Google
2007-05-05 21:32:35 -------- d-----w C:\Program Files\DivX
2007-05-02 00:55:12 -------- d-----w C:\Program Files\Winamp
2007-04-29 02:56:27 -------- d-----w C:\Program Files\NVIDIA Corporation
2007-04-20 10:05:00 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-04-20 10:05:00 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-04-20 10:05:00 8,429,568 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-04-20 10:05:00 745,472 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-04-20 10:05:00 6,739,168 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-04-20 10:05:00 6,668,288 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-04-20 10:05:00 6,217,728 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-04-20 10:05:00 5,434,880 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-04-20 10:05:00 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-04-20 10:05:00 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-04-20 10:05:00 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-04-20 10:05:00 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-04-20 10:05:00 37,888 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-04-20 10:05:00 37,888 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-04-20 10:05:00 344,064 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-04-20 10:05:00 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-04-20 10:05:00 3,538,944 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-04-20 10:05:00 3,289,088 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-04-20 10:05:00 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-04-20 10:05:00 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-04-20 10:05:00 2,273,280 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-04-20 10:05:00 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-04-20 10:05:00 163,908 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-04-20 10:05:00 143,360 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-04-20 10:05:00 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-04-20 10:05:00 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-04-20 10:05:00 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-04-20 10:05:00 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-04-20 10:05:00 1,101,824 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-04-20 10:05:00 1,073,152 ----a-w C:\WINDOWS\system32\nvcpluir.dll
2007-04-20 10:05:00 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-04-20 10:05:00 1,018,748 ----a-w C:\WINDOWS\system32\nvucode.bin
2007-04-19 03:33:47 -------- d-----w C:\DOCUME~1\appo3oi\APPLIC~1\BitTorrent
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 20:04:14 -------- d-----w C:\Program Files\Reference Assemblies
2007-04-14 22:44:47 -------- d-----w C:\DOCUME~1\appo3oi\APPLIC~1\acccore
2007-04-14 22:44:35 -------- d-----w C:\Program Files\AIM6
2007-04-14 22:44:14 -------- d-----w C:\Program Files\Viewpoint
2007-04-14 22:44:00 -------- d-----w C:\Program Files\Common Files\AOL
2007-04-14 22:36:15 335 ----a-w C:\WINDOWS\nsreg.dat
2007-04-14 22:32:18 -------- d-----w C:\Program Files\AIM
2007-04-14 22:32:15 -------- d-----w C:\DOCUME~1\appo3oi\APPLIC~1\Aim
2007-04-13 12:40:12 -------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-04-13 04:02:20 -------- d-----w C:\Program Files\BitComet
2007-04-13 02:25:00 -------- d-----w C:\Program Files\Microsoft Works
2007-04-13 02:24:51 -------- d-----w C:\Program Files\MSBuild
2007-04-09 18:35:09 -------- d-----w C:\Program Files\QuickTime
2007-04-08 21:43:23 -------- d-----w C:\DOCUME~1\appo3oi\APPLIC~1\Apple Computer
2007-04-08 21:43:20 -------- d-----w C:\Program Files\iTunes
2007-04-08 21:43:16 -------- d-----w C:\Program Files\iPod
2007-04-08 21:42:33 -------- d-----w C:\Program Files\Apple Software Update
2007-04-08 20:23:16 98,304 ----a-w C:\WINDOWS\system32CmdLineExt.dll
2007-04-07 10:07:32 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-04-07 10:02:56 -------- d--h--r C:\DOCUME~1\appo3oi\APPLIC~1\SecuROM
2007-04-07 09:57:16 -------- d-----w C:\Program Files\Ubisoft
2007-04-06 03:17:22 -------- d-----w C:\DOCUME~1\appo3oi\APPLIC~1\AdobeUM
2007-04-05 04:57:04 82,774 ----a-w C:\WINDOWS\Uninstall Jade Empire.exe
2007-04-05 02:51:17 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2007-04-05 02:51:16 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-04-05 02:51:16 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2007-04-05 02:12:08 -------- d-----w C:\Program Files\Common Files\LightScribe
2007-03-29 01:40:29 -------- d-----w C:\Program Files\DAEMON Tools
2007-03-29 01:36:35 646,392 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-03-29 01:25:43 -------- d-----w C:\DOCUME~1\appo3oi\APPLIC~1\Help
2007-03-28 19:36:50 13,864 ----a-w C:\WINDOWS\nvflash.sys
2007-03-28 02:47:04 -------- d-----w C:\DOCUME~1\appo3oi\APPLIC~1\Media Player Classic
2007-03-24 18:44:00 76,167 ----a-w C:\WINDOWS\War3Unin.dat
2007-03-24 18:29:05 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2007-03-24 18:29:05 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2007-03-24 14:08:04 720,896 ----a-w C:\WINDOWS\iun6002.exe
2007-03-24 13:41:19 0 --sha-r C:\MSDOS.SYS
2007-03-24 13:41:19 0 --sha-r C:\IO.SYS
2007-03-24 13:41:19 0 ----a-w C:\CONFIG.SYS
2007-03-24 13:41:19 0 ----a-w C:\AUTOEXEC.BAT
2007-03-24 13:39:37 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-23 10:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 10:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-23 00:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 00:48]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-20 03:55]
{eaa8a281-b625-473b-9720-20c89dcf0ae0}=C:\WINDOWS\system32\d3dvid.dll [2007-05-24 16:32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" []
"Alcmtr"="ALCMTR.EXE" []
"Launch LGDCore"="C:\Program Files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 11:31]
"Launch LCDMon"="C:\Program Files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 11:14]
"SkyTel"="SkyTel.EXE" []
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-04-04 22:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-13 14:29]
"nwiz"="nwiz.exe" [2007-04-20 06:05 C:\WINDOWS\system32\nwiz.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-20 06:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ResChanger 2005"="C:\Program Files\ResChanger 2005\ResChanger2005.exe" [2005-05-26 20:30]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 17:32]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-03-23 17:18]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\d3dvid]
d3dvid.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\jkklkhf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^appo3oi^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\appo3oi\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^appo3oi^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\appo3oi\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
"C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]
rundll32.exe "C:\WINDOWS\pmligf.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe


Contents of the 'Scheduled Tasks' folder
2007-05-25 20:20:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-27 18:31:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-27 18:32:54 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-27 18:32

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 6:35:55 PM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ResChanger 2005\ResChanger2005.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\appo3oi\My Documents\Unzipped\hijackthis\Scanner.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {eaa8a281-b625-473b-9720-20c89dcf0ae0} - C:\WINDOWS\system32\d3dvid.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ResChanger 2005] C:\Program Files\ResChanger 2005\ResChanger2005.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4754700640
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedow ... in9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: c:\windows\system32\jkklkhf.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: d3dvid - C:\WINDOWS\SYSTEM32\d3dvid.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
kelsier
Active Member
 
Posts: 14
Joined: May 25th, 2007, 11:12 am

Unread postby John B. » May 28th, 2007, 8:20 am

Hi,

Let's hope this is the last time for Vundo.

Step 1: Upload malware to uploadmalware.com
Please go to http://www.uploadmalware.com/

Put your username in the correct box and give a link to this topic.
In the File(s) To Submit: copy and paste the following (one line per box):
(You may not find some, please remember which ones are present.)
C:\WINDOWS\system32\d3dvid.dll
C:\WINDOWS\system32\divd3d.* << Note: This can be any extension. If there are multiple files, try to upload as many as possible.
C:\WINDOWS\system32\fhklkkj.* << Note: This can be any extension. If there are multiple files, try to upload as many as possible.
C:\WINDOWS\system32\jkklkhf.dll


Now click Send File and close the window.

Step 2: Run VundoFix
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the entries below into the boxes (only insert the ones which were present in Step 1):
    • C:\WINDOWS\system32\d3dvid.dll
    • C:\WINDOWS\system32\divd3d.* << Note: Now you can just put the * at the end and VundoFix will remove all extensions.
    • C:\WINDOWS\system32\fhklkkj.* << Note: Now you can just put the * at the end and VundoFix will remove all extensions.
    • C:\WINDOWS\system32\jkklkhf.dll
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Unread postby kelsier » May 30th, 2007, 8:05 pm

VundoFix V6.4.1

Checking Java version...

Scan started at 2:51:02 PM 5/26/2007

Listing files found while scanning....

C:\WINDOWS\jmnmoq.ini
C:\WINDOWS\qomnmj.dll

Beginning removal...

Attempting to delete C:\WINDOWS\jmnmoq.ini
C:\WINDOWS\jmnmoq.ini Has been deleted!

Attempting to delete C:\WINDOWS\qomnmj.dll
C:\WINDOWS\qomnmj.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version...

Scan started at 3:12:38 PM 5/28/2007

Listing files found while scanning....


VundoFix V6.4.1

Checking Java version...

Scan started at 9:40:21 PM 5/29/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.4.1

Checking Java version...

Scan started at 7:13:38 PM 5/30/2007

Listing files found while scanning....


Beginning removal...

Attempting to delete C:\WINDOWS\system32\d3dvid.dll
C:\WINDOWS\system32\d3dvid.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkklkhf.dll
C:\WINDOWS\system32\jkklkhf.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkklkhf.dll
C:\WINDOWS\system32\jkklkhf.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version...

Scan started at 7:20:31 PM 5/30/2007

Logfile of HijackThis v1.99.1
Scan saved at 8:04:24 PM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ResChanger 2005\ResChanger2005.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\appo3oi\My Documents\Unzipped\hijackthis\Scanner.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\tmp37F.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {eaa8a281-b625-473b-9720-20c89dcf0ae0} - C:\WINDOWS\system32\map949.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ResChanger 2005] C:\Program Files\ResChanger 2005\ResChanger2005.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4754700640
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedow ... in9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: c:\windows\system32\jkklkhf.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: map949 - C:\WINDOWS\SYSTEM32\map949.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
kelsier
Active Member
 
Posts: 14
Joined: May 25th, 2007, 11:12 am

Unread postby John B. » May 31st, 2007, 10:57 am

Hi,

It seems to be stubborn!

Step 1: Upload malware to uploadmalware.com
Please go to http://www.uploadmalware.com/

Put your username in the correct box and give a link to this topic.
In the File(s) To Submit: copy and paste the following (one line per box):
(You may not find some, please remember which ones are present.)
C:\WINDOWS\SYSTEM32\949pam.* << Note: This can be any extension. If there are multiple files, try to upload as many as possible.
C:\WINDOWS\system32\fhklkkj.* << Note: This can be any extension. If there are multiple files, try to upload as many as possible.
C:\WINDOWS\system32\map949.dll
C:\WINDOWS\system32\tmp37F.tmp.dll

Now click Send File and close the window.

Step 2: Run VundoFix
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the entries below into the boxes (only insert the ones which were present in Step 1):
    • C:\WINDOWS\SYSTEM32\949pam.* << Note: Now you can just put the * at the end and VundoFix will remove all extensions.
    • C:\WINDOWS\system32\fhklkkj.* << Note: Now you can just put the * at the end and VundoFix will remove all extensions.
    • C:\WINDOWS\system32\map949.dll
    • C:\WINDOWS\system32\tmp37F.tmp.dll
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Step 3: Run ComboFix
  • Double click ComboFix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply together with C:\vundofix.txt and a fresh HJT log.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands
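As an added example (not code from the thread, nor from the HijackThis or VundoFix authors), a small Python triage script over the O2/O20 lines of the two HijackThis logs posted above: it flags nameless BHOs loading from system32, any AppInit_DLLs entry, and Winlogon Notify handlers outside a small known-good list (that list is an assumption), and it correlates the two logs by CLSID to show the BHO that kept its CLSID while its file changed from d3dvid.dll to map949.dll. The sample log lines are a constructed subset of the logs in the thread.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind detail path")

# HijackThis v1.99.1 line shapes handled here; CLSIDs are compared case-insensitively
_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.*)$")
_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Winlogon Notify handlers treated as known-good (an assumption for this example;
# both appear in the thread's logs and belong to SUPERAntiSpyware and WGA).
KNOWN_GOOD_NOTIFY = {"!saswinlogon", "wgalogon"}

# Constructed subsets of the May 27 and May 30 HijackThis logs posted in the thread.
LOG_MAY_27 = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {eaa8a281-b625-473b-9720-20c89dcf0ae0} - C:\WINDOWS\system32\d3dvid.dll
O20 - AppInit_DLLs: c:\windows\system32\jkklkhf.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: d3dvid - C:\WINDOWS\SYSTEM32\d3dvid.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""
LOG_MAY_30 = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\tmp37F.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {eaa8a281-b625-473b-9720-20c89dcf0ae0} - C:\WINDOWS\system32\map949.dll
O20 - AppInit_DLLs: c:\windows\system32\jkklkhf.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: map949 - C:\WINDOWS\SYSTEM32\map949.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


def parse_hjt(text):
    """Return the O2 and O20 entries of a HijackThis log as plain dicts."""
    bhos, appinit, notify = {}, [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := _BHO.match(line):
            bhos[m["clsid"].upper()] = (m["name"], m["path"])
        elif m := _APPINIT.match(line):
            appinit.extend(p.strip() for p in m["path"].split(",") if p.strip())
        elif m := _NOTIFY.match(line):
            notify[m["name"]] = m["path"]
    return {"bho": bhos, "appinit": appinit, "notify": notify}


def _in_system32(path):
    return "\\system32\\" in path.lower()


def triage(text):
    """Flag the autostart entries the helper in the thread singled out."""
    parsed = parse_hjt(text)
    findings = []
    for clsid, (name, path) in parsed["bho"].items():
        # A nameless BHO loading straight from system32 is the pattern of the
        # Vundo DLLs in this thread (d3dvid.dll, map949.dll, tmp37F.tmp.dll);
        # the nameless Spybot helper lives under Program Files and is not flagged.
        if name == "(no name)" and _in_system32(path):
            findings.append(Finding("bho", clsid, path))
    for path in parsed["appinit"]:
        # AppInit_DLLs is loaded into every process that maps user32.dll, so the
        # file is always in use; that is why VundoFix could not delete jkklkhf.dll.
        findings.append(Finding("appinit", "AppInit_DLLs", path))
    for name, path in parsed["notify"].items():
        if name.lower() not in KNOWN_GOOD_NOTIFY:
            findings.append(Finding("notify", name, path))
    return findings


def diff_bhos(old_text, new_text):
    """Correlate two logs by CLSID: the same CLSID with a different file name
    means the DLL was renamed between scans rather than removed."""
    old, new = parse_hjt(old_text)["bho"], parse_hjt(new_text)["bho"]
    renamed = {c: (old[c][1], new[c][1]) for c in old.keys() & new.keys()
               if old[c][1].lower() != new[c][1].lower()}
    added = {c: new[c][1] for c in new.keys() - old.keys()}
    removed = {c: old[c][1] for c in old.keys() - new.keys()}
    return {"renamed": renamed, "added": added, "removed": removed}


if __name__ == "__main__":
    for f in triage(LOG_MAY_30):
        print(f"{f.kind:8} {f.detail}  {f.path}")
    for clsid, (before, after) in diff_bhos(LOG_MAY_27, LOG_MAY_30)["renamed"].items():
        print(f"renamed  {clsid}: {before} -> {after}")
```

Running it against the May 30 subset reports the two nameless system32 BHOs, the AppInit_DLLs entry and the map949 Winlogon handler, then shows that the {eaa8a281-...} BHO moved from d3dvid.dll to map949.dll between the two scans.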

Unread postby kelsier » June 6th, 2007, 10:08 pm

Hi, sorry for the late reply. I've been very busy lately, so I'll post my log ASAP. There is one part I don't understand in Step 1: what do you mean by "give a link to this topic" on http://www.uploadmalware.com/? Do I copy and paste this link in the topic section?


thanks
-Jon
kelsier
Active Member
 
Posts: 14
Joined: May 25th, 2007, 11:12 am

Unread postby John B. » June 7th, 2007, 10:53 am

Hi,

It means that you should also send this link:
http://www.malwareremoval.com/forum/viewtopic.php?t=20472
If you've done the other steps already forget about Step 1!

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Unread postby John B. » June 11th, 2007, 3:04 pm

Hi,

Do you still need any help?

If you're really too busy, it might be good to think about closing this topic. The infection you have is stubborn and needs some effective attacks, and this isn't really the way it's going to work out very well.
You can always come back of course when you have more time!

Please let me know what you think and if you want to go on cleaning the pc please post the requested logs :)

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Unread postby random/random » June 14th, 2007, 12:26 pm

Whilst we appreciate that you may be busy, it has been 7 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed; if you still require assistance then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm