Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

Please help: See Hijackthis.log

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

Re: Please help: See Hijackthis.log

Unread postby skg » November 27th, 2007, 11:29 am

Hi Gary,

Here is the latest OTMoveIt log.


    DllUnregisterServer procedure not found in C:\WINDOWS\system32\jkhhh.dll
    C:\WINDOWS\system32\jkhhh.dll NOT unregistered.
    File move failed. C:\WINDOWS\system32\jkhhh.dll scheduled to be moved on reboot.

    Created on 11-26-2007 20:39:59

and Kaspersky log

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    2007-11-27 07:23
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 27/11/2007
    Kaspersky Anti-Virus database records: 466257
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    Y:\

    Scan Statistics:
    Total number of scanned objects: 54147
    Number of viruses found: 10
    Number of infected objects: 22
    Number of suspicious objects: 0
    Duration of the scan process: 01:33:13

    Infected Object Name / Virus Name / Last Action
    C:\4da9894165d4025a83db883f803c\%temp%dd_msxml_retMSI.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-11182007-234409.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\DEVSQLSVC\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\DEVSQLSVC\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\DEVSQLSVC\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\DEVSQLSVC\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\DEVSQLSVC\Local Settings\Temp\Perflib_Perfdata_22c.dat Object is locked skipped
    C:\Documents and Settings\DEVSQLSVC\Local Settings\Temp\Perflib_Perfdata_a68.dat Object is locked skipped
    C:\Documents and Settings\DEVSQLSVC\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\DEVSQLSVC\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\DEVSQLSVC\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\skg\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\skg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\skg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\skg\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{ED855BF0-8F68-453B-8A29-00C084A98E76} Object is locked skipped
    C:\Documents and Settings\skg\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\skg\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\skg\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\skg\ntuser.dat.LOG Object is locked skipped
    C:\oracle\product\10.1.0\Client_1\oramts\trace\OracleMTSRecoveryService(588).trc Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
    C:\Program Files\Juniper Networks\Common Files\NCService.log Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\STAGE.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\STAGE_log.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_70.trc Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\SQLAGENT.OUT Object is locked skipped
    C:\Program Files\Symantec AntiVirus\SAVRT\0429NAV~.TMP Object is locked skipped
    C:\qoobox\Quarantine\catchme2007-11-22_235722.43.zip/ddayw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ayv skipped
    C:\qoobox\Quarantine\catchme2007-11-22_235722.43.zip ZIP: infected - 1 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP82\A0014696.exe Infected: Trojan.Win32.Obfuscated.kp skipped
    C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP82\A0014697.exe Infected: Trojan.Win32.Obfuscated.kp skipped
    C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP83\A0014812.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
    C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP83\A0014859.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
    C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP83\A0014936.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
    C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP83\A0014973.exe/data0006 Infected: Trojan-Downloader.Win32.VB.bto skipped
    C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP83\A0014973.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP87\A0015155.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ayv skipped
    C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP87\A0015160.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
    C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP89\A0015253.exe Infected: Trojan-Downloader.Win32.PurityScan.ey skipped
    C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP91\A0015480.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ath skipped
    C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP91\A0015481.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apx skipped
    C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP91\A0015482.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apx skipped
    C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP91\A0015520.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
    C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP94\A0015720.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
    C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP94\change.log Object is locked skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\CCM\Logs\CcmExec.log Object is locked skipped
    C:\WINDOWS\system32\CCM\Logs\CertificateMaintenance.log Object is locked skipped
    C:\WINDOWS\system32\CCM\Logs\ClientIDManagerStartup.log Object is locked skipped
    C:\WINDOWS\system32\CCM\Logs\LocationServices.log Object is locked skipped
    C:\WINDOWS\system32\CCM\Logs\mtrmgr.log Object is locked skipped
    C:\WINDOWS\system32\CCM\Logs\PatchInstall.log Object is locked skipped
    C:\WINDOWS\system32\CCM\Logs\PatchUIMonitor.log Object is locked skipped
    C:\WINDOWS\system32\CCM\Logs\PolicyAgent.log Object is locked skipped
    C:\WINDOWS\system32\CCM\Logs\PolicyAgentProvider.log Object is locked skipped
    C:\WINDOWS\system32\CCM\Logs\PolicyEvaluator.log Object is locked skipped
    C:\WINDOWS\system32\CCM\Logs\Scheduler.log Object is locked skipped
    C:\WINDOWS\system32\CCM\Logs\SrcUpdateMgr.log Object is locked skipped
    C:\WINDOWS\system32\CCM\Logs\StatusAgent.log Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint\0000000B.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint\0000000B.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CTMDTSReply\00000006.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CTMDTSReply\00000006.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr\00000003.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr\00000003.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent\00000003.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent\00000003.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations\0000000E.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations\0000000E.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup\00000007.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup\00000007.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\MtrMgr\00000001.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\MtrMgr\00000001.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PatchUIMonitor\00000001.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PatchUIMonitor\00000001.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup\00000004.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup\00000004.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload\00000002.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload\00000002.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator\0000003D.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator\0000003D.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments\00000003.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments\00000003.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_RequestAssignments\00000016.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_RequestAssignments\00000016.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReRequestPolicy\00000001.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReRequestPolicy\00000001.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\RemoteToolsAgent\00000001.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\RemoteToolsAgent\00000001.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr\00000001.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr\00000001.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SWMTRReportGen\00000001.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SWMTRReportGen\00000001.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UpdatesInstallMgr\00000001.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UpdatesInstallMgr\00000001.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UploadProtocol\00000001.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UploadProtocol\00000001.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\amp_[http]mp_locationmanager\0000000G.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\amp_[http]mp_locationmanager\0000000G.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\direct_paz02sec920_mp_locationmanager\00000001.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\direct_paz02sec920_mp_locationmanager\00000001.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint\00000001.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint\00000001.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint\00000001.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint\00000001.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_relayendpoint\00000001.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_relayendpoint\00000001.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint\00000001.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint\00000001.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\0000000C.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\0000000C.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_locationmanager\0000000U.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_locationmanager\0000000U.que Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager\00000008.msg Object is locked skipped
    C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager\00000008.que Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\txcemhuv.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.h skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\_OTMoveIt\MovedFiles\WINDOWS\system32\accbwxvo.dll Infected: Trojan.Win32.BHO.zo skipped
    C:\_OTMoveIt\MovedFiles\WINDOWS\system32\oukwodny.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
    C:\_OTMoveIt\MovedFiles\WINDOWS\system32\pkuqrmbu.dll Infected: Trojan.Win32.BHO.zo skipped
    C:\_OTMoveIt\MovedFiles\WINDOWS\system32\xfmrgbvr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

    Scan process completed.
skg
Active Member
 
Posts: 11
Joined: November 21st, 2007, 1:25 am
Top
Advertisement
Register to Remove

Re: Please help: See Hijackthis.log

Unread postby skg » November 27th, 2007, 11:31 am

This the HJT log...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 07:30, on 2007-11-27
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\oracle\product\10.1.0\Client_1\bin\omtsreco.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\FredFlintstone.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: {3da2b2a0-9b70-1349-7fd4-18dbb3519a21} - {12a9153b-bd81-4df7-9431-07b90a2b2ad3} - C:\WINDOWS\system32\ydwhbmir.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: (no name) - {F0D8CF67-90B2-436C-BCD4-4759EAA5D9D9} - C:\WINDOWS\system32\jkhhh.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://daz02app257.corp.homestore.net
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} (Siebel High Interactivity Framework) - http://crm.corp.homestore.net/sales_enu ... Client.cab
    O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.com/download/SOPCORE.CAB
    O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://secure.move.com/dana-cached/set ... tupSP1.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.homestore.net
    O17 - HKLM\Software\..\Telephony: DomainName = corp.homestore.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.homestore.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.homestore.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\product\10.1.0\Client_1\bin\omtsreco.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 7337 bytes
skg
Active Member
 
Posts: 11
Joined: November 21st, 2007, 1:25 am
Top

Re: Please help: See Hijackthis.log

Unread postby Gary R » November 27th, 2007, 12:27 pm

OK, seems the jkhhh.dll file is one stubborn beastie and doesn't want to be removed, so we're gonna have to try being a bit more forceful next time. Not to worry, there are still tools available that should help us to get rid of it.

First I need to see what else might be on your computer, as by the look of your HJT log the infection has regenerated (at least in part it has).

Please run Combofix again and post me the log.

Stay offline unless posting me the logs or downloading any tools I ask you to use.
User avatar
Gary R
Administrator
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Top

Re: Please help: See Hijackthis.log

Unread postby skg » November 27th, 2007, 11:59 pm

Hi Gary,

It's good to hear that we are coming close to fixing the issue.
Here is the Conbofix log
    ComboFix 07-11-19.3 - skg 2007-11-27 19:45:40.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1404 [GMT -8:00]
    Running from: C:\Documents and Settings\skg\Desktop\ComboFix.exe
    .

    Unable to gain System Privileges

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\hhhkj.ini
    C:\WINDOWS\system32\hhhkj.ini2
    C:\WINDOWS\system32\jkhhh.dll

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
    .

    2007-11-23 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-21 20:16 1,165 --a------ C:\WINDOWS\mozver.dat
    2007-11-21 17:14 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-21 17:00 <DIR> d-------- C:\VundoFix Backups
    2007-11-19 23:26 0 --a------ C:\WINDOWS\nsreg.dat
    2007-11-19 21:21 <DIR> d-------- C:\Documents and Settings\skg\Application Data\Apple Computer
    2007-11-19 00:10 <DIR> d-------- C:\WINDOWS\SQLTools9_KB934458_ENU
    2007-11-19 00:06 <DIR> d-------- C:\WINDOWS\DTS9_KB934458_ENU
    2007-11-19 00:04 <DIR> d-------- C:\WINDOWS\NS9_KB934458_ENU
    2007-11-18 23:53 <DIR> d-------- C:\WINDOWS\SQL9_KB934458_ENU
    2007-11-18 23:43 <DIR> d-------- C:\Program Files\Windows Defender
    2007-11-18 21:04 <DIR> d-------- C:\Documents and Settings\DEVSQLSVC\Application Data\Yahoo!
    2007-11-16 19:40 <DIR> d-------- C:\Program Files\Apple Software Update
    2007-11-16 19:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2007-11-06 15:18 <DIR> d-------- C:\WINDOWS\ms
    2007-11-02 21:51 <DIR> d-------- C:\Documents and Settings\skg\Application Data\IsolatedStorage

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-28 03:52 --------- d-----w C:\Program Files\Symantec AntiVirus
    2007-11-27 05:21 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-11-20 05:25 --------- d-----w C:\Program Files\QuickTime
    2007-11-19 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
    2007-11-19 08:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2007-11-19 08:11 --------- d-----w C:\Program Files\Microsoft SQL Server
    2007-10-23 03:46 --------- d-----w C:\Program Files\Juniper Networks
    2007-10-23 03:46 --------- d-----w C:\Documents and Settings\skg\Application Data\Juniper Networks
    2007-10-19 17:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Juniper Networks
    2007-10-02 23:51 63,024 ----a-w C:\WINDOWS\system32\drivers\NEOFLTR_600_12141.sys
    2007-10-02 23:32 23,552 ----a-w C:\WINDOWS\system32\drivers\dsNcAdpt.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2007-11-22_10.25.08.00 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-05-10 18:25:40 14,677,368 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\XL12CNV.EXE
    + 2007-11-24 23:05:20 38,240 ----a-r C:\WINDOWS\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
    - 2007-11-06 22:36:31 268,600 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2007-11-24 18:07:48 287,704 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2005-05-24 20:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    + 2007-08-29 23:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    + 2007-08-29 23:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    + 2007-11-24 22:15:25 81,472 ----a-w C:\WINDOWS\system32\txcemhuv.dll
    + 2007-11-27 04:45:33 80,960 ----a-w C:\WINDOWS\system32\ydwhbmir.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12a9153b-bd81-4df7-9431-07b90a2b2ad3}]
    2007-11-26 20:45 80960 --a------ C:\WINDOWS\system32\ydwhbmir.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 19:17]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 19:13]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 19:17]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 07:04]
    "systray"="C:\Program Files\Dell\Dell Mobile Broadband\systray.exe" [2007-04-13 13:27]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 16:14]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 00:40]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 02:10]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 01:01]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsMenu"= 1 (0x1)
    C:\WINDOWS\system32\NavLogon.dll 2006-06-15 00:40 43760 C:\WINDOWS\system32\NavLogon.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhhh.dll

    R1 NEOFLTR_600_12141;Juniper Networks TDI Filter Driver (NEOFLTR_600_12141);\??\C:\WINDOWS\system32\Drivers\NEOFLTR_600_12141.SYS
    R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe
    R2 MsDtsServer;SQL Server Integration Services;"C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe"
    R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
    R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
    R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
    R3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;C:\WINDOWS\system32\DRIVERS\nwdelmdm.sys
    R3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;C:\WINDOWS\system32\DRIVERS\nwdelser.sys
    R3 prepdrvr;SMS Process Event Driver;\??\C:\WINDOWS\system32\CCM\prepdrv.sys
    R3 USBCCID;USB Smart Card reader;C:\WINDOWS\system32\DRIVERS\usbccid.sys
    S3 dkab_device;dkab_device;C:\WINDOWS\system32\DKabcoms.exe -service
    S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-17 03:41:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-11-28 03:37:23 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-27 19:52:44
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]
    "ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
    .
    Completion time: 2007-11-27 19:53:39 - machine was rebooted
    C:\ComboFix2.txt ... 2007-11-23 14:09
    C:\ComboFix3.txt ... 2007-11-23 00:02
    .
    --- E O F ---

and the HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:55, on 2007-11-27
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\oracle\product\10.1.0\Client_1\bin\omtsreco.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\FredFlintstone.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: {3da2b2a0-9b70-1349-7fd4-18dbb3519a21} - {12a9153b-bd81-4df7-9431-07b90a2b2ad3} - C:\WINDOWS\system32\ydwhbmir.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://daz02app257.corp.homestore.net
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} (Siebel High Interactivity Framework) - http://crm.corp.homestore.net/sales_enu ... Client.cab
    O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.com/download/SOPCORE.CAB
    O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://secure.move.com/dana-cached/set ... tupSP1.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.homestore.net
    O17 - HKLM\Software\..\Telephony: DomainName = corp.homestore.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.homestore.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.homestore.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\product\10.1.0\Client_1\bin\omtsreco.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 7226 bytes

Thanks.
skg
Active Member
 
Posts: 11
Joined: November 21st, 2007, 1:25 am
Top

Re: Please help: See Hijackthis.log

Unread postby Gary R » November 28th, 2007, 4:20 am

OK, logs look better than I expected, but just want to make sure we get everything so I'm using a sledgehammer on what's left.

Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).

Note: This programme is for use on Windows XP 32 bit systems only, and must be run from an account with Administrator priviledges.

  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Code: Select all
Files to delete:

C:\WINDOWS\system32\txcemhuv.dll
C:\WINDOWS\system32\ydwhbmir.dll
C:\WINDOWS\system32\jkhhh.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.

NEXT

  • Click Start > Run type Notepad click OK.
  • This will open an empty Notepad file.
  • Copy/Paste the contents of the box below into Notepad.
Code: Select all
REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12a9153b-bd81-4df7-9431-07b90a2b2ad3}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

  • Click Format and ensure Wordwrap is unchecked.
  • Save as RegFix2.reg
  • Save as file type All Files or it won't work.
  • Now double click on RegFix2.reg to run it.
  • You will be prompted to allow it to merge with the Registry. Allow it please.

Now please run Combofix again (hopefully for the last time) and send me the log please, along with a new HJT log.

Summary of the logs I need from you in your next post:
  • Avenger log (C:\Avenger.txt)
  • Combofix log
  • New HJT log


Please post each log separately to prevent them being cut off by the forum post size limiter.
User avatar
Gary R
Administrator
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Top

Re: Please help: See Hijackthis.log

Unread postby Gary R » December 4th, 2007, 8:05 am

Due to lack of response this topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Gary R
User avatar
Gary R
Administrator
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Top
Advertisement
Register to Remove
Previous
Topic locked

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 168 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index