Free Malware Removal Forum

[Jadecc]

this should be fun, i've accumulated a whole LOT of crap in the past few years, heard about hijack this but never actually used it till now, but pop-ups keep stopping my typing and i can't even go to most websites lol..

heres the log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:01 PM, on 3/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\TEMP\C8B9.tmp
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\JWord\Plugin2\jwdsrch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\winlogqn.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Documents and Settings\Curtis James\Application Data\gadcom\gadcom.exe
C:\Documents and Settings\Curtis James\Application Data\Twain\Twain.exe
C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\_A00F688178BB.exe
C:\WINDOWS\system32\ntdll64.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\448.exe
C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\w01sfjctvn1.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\VnrPack\VnrPack27.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.jword.jp/jwd_sb_srchasst.htm?ielang={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.jword.jp/jwd_sb_srchcust.htm?ielang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: MyUrlSearchHook Class - {2ACECADE-0BC7-4C6F-95CF-A221CC161B52} - C:\PROGRA~1\JWord\Plugin2\jwdsrch.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: {95cbfb86-9b40-0699-6284-07dc918e6246} - {6426e819-cd70-4826-9960-04b968bfbc59} - C:\WINDOWS\system32\hcljoy.dll
O2 - BHO: (no name) - {bda8e2f8-5b0a-4840-8fb4-a2e413173809} - C:\WINDOWS\system32\towihule.dll
O2 - BHO: C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll - {c5bf40a2-94f3-42bd-f434-1604812c8955} - C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Yahoo!????? - {AEF44653-C059-42CB-A5B7-41C640DA4A67} - C:\Program Files\Yahoo!J\Toolbar\7_0_0_12\Modules\YahooToolBar.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [jwdsrch] C:\Program Files\JWord\Plugin2\jwdsrch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\winlogqn.exe
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [vukivatafi] Rundll32.exe "C:\WINDOWS\system32\nadovose.dll",s
O4 - HKLM\..\Run: [CPM1f64ccdb] Rundll32.exe "c:\windows\system32\josoyove.dll",a
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Curtis James\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Curtis James\Application Data\Twain\Twain.exe
O4 - HKCU\..\Run: [A00F688178BB.exe] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\_A00F688178BB.exe
O4 - HKCU\..\Run: [VnrPack25] "C:\Program Files\VnrPack\VnrPack25.exe"
O4 - HKCU\..\Run: [GetModule37] C:\Program Files\GetModule\GetModule37.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\winlogqn.exe
O4 - HKCU\..\Run: [qcrvfvrv332m7s6t6x] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\ztpih1i8i19.exe
O4 - HKCU\..\Run: [us33f65snszvdpptovr46ztdk6ykuj09ydc4153q] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\rg4n2eq.exe
O4 - HKCU\..\Run: [ykmhnwcse4isdjxswrlj0znpeexyx7c2odld8p1m0qiu] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\ztkzesr.exe
O4 - HKCU\..\Run: [uh284kr9old27vlrmgiwnmv] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\jyqbbz.exe
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-0488609999-8932161726-060938295-2156\service.exe
O4 - HKCU\..\Run: [yq2pzemj3sv7wrok] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\q95copk.exe
O4 - HKCU\..\Run: [12CFG914-K641-26SF-N32P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
O4 - HKCU\..\Run: [12CFG914-K641-26SF-N31P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0850\vsse32.exe
O4 - HKCU\..\Run: [qnktbruxdcxkdpahqb9vr] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\xbo1amg6.exe
O4 - HKCU\..\Run: [hiuu4wr9ii5z9k7m7mcp4jievw6o25b7d85gyeerqulw2zbh] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\du3gmijyw.exe
O4 - HKCU\..\Run: [hwcu0rr9e] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\gpexg8ba9e4.exe
O4 - HKCU\..\Run: [i6sfv8b1ifq7yn8dgfa9ng6dpc8e0yr] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\x17gvlo.exe
O4 - HKCU\..\Run: [fl1j41dtvglzrikzwnzuixo757t7sx5trxm1532s] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\cm5x4r97q2.exe
O4 - HKCU\..\Run: [ks5drcpuivpclb4oa6qlc15fd] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\bvmz9wvpb6.exe
O4 - HKCU\..\Run: [w5v84xn8dgl83wt9rs0gd5v1vgq4ujebk4f4gp2] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\rxxoasvrd8.exe
O4 - HKCU\..\Run: [to32k3lpagfdm11zfhlsh6k5oyaolqbwesga] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\iumz3lhyzi.exe
O4 - HKCU\..\Run: [m9p6m4myyhvhv266txz2xrmcon38a3j5w5cg6] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\gprs34dst3.exe
O4 - HKCU\..\Run: [vnc6bf2iadknnnednvgvhzlhzxqnq77em85ffcoayttiyee8] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\qrohycol.exe
O4 - HKCU\..\Run: [e8lgnfxrccgcyzftk1dsjbi6kl5gi4zxvipt793fmpyfi1] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\jjcz4g.exe
O4 - HKCU\..\Run: [lrg1fchwk7piu2ru2pqephxxaeotemqy] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\ha8yja.exe
O4 - HKCU\..\Run: [pc8p5nq27fotpmrpvlu] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\a7pk3p3g3b.exe
O4 - HKCU\..\Run: [hk8nd9gg2iic16b0u49iqby3] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\rxgj92b.exe
O4 - HKCU\..\Run: [jukagabozb0ufe] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\drlop23d.exe
O4 - HKCU\..\Run: [nir9z50k1e17p] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\lvxn9xcm.exe
O4 - HKCU\..\Run: [zlvtloxifuwcp4ze3jkxuxdtxn6c25eoazizcyiqwfjipiv9cq] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\w01sfjctvn1.exe
O4 - HKCU\..\Run: [abrbz99lehgd4x0u] C:\DOCUME~1\CURTIS~1\LOCALS~1\Temp\t13ifq.exe
O4 - HKCU\..\Run: [VnrPack27] "C:\Program Files\VnrPack\VnrPack27.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: JWord ‚ŃTƒCƒgŒŸõ - res://C:\PROGRA~1\JWord\Plugin2\jwdsrch.dll/300
O8 - Extra context menu item: Yahoo!ŒŸõ‚ÅŒŸõ - res://C:\Program Files\Yahoo!J\Toolbar\7_0_0_12\Modules\YahooToolBar.dll/script_yahoo.htm
O8 - Extra context menu item: Yahoo!ƒc[ƒ‹ƒo[‚ɒljÁ - res://C:\Program Files\Yahoo!J\Toolbar\7_0_0_12\Modules\YahooToolBar.dll/script_search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: JWord ƒvƒ‰ƒOƒCƒ“ - {34d67ed2-c837-4627-838c-2264e347d291} - http://www.jword.jp/intro/?partner=AP&t ... ton&pver=2 (file missing)
O9 - Extra 'Tools' menuitem: JWord ƒvƒ‰ƒOƒCƒ“‚ɂ‚¢‚Ä - {34d67ed2-c837-4627-838c-2264e347d291} - http://www.jword.jp/intro/?partner=AP&t ... ton&pver=2 (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B8FA14E5-8AE7-452C-AA3B-23C32388CDA0} - C:\PROGRA~1\JWord\Plugin2\JwdPH.dll
O9 - Extra 'Tools' menuitem: JWord ƒvƒ‰ƒOƒCƒ“‚̐ݒè... - {B8FA14E5-8AE7-452C-AA3B-23C32388CDA0} - C:\PROGRA~1\JWord\Plugin2\JwdPH.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\docume~1\curtis~1\locals~1\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\curtis~1\locals~1\temp\ntdll64.dll
O11 - Options group: [jwdsearch] JWord ƒvƒ‰ƒOƒCƒ“
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 3963963250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3963956812
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O20 - AppInit_DLLs: efh.dll C:\WINDOWS\system32\gabufato.dll vweepn.dll aastdl.dll c:\windows\system32\josoyove.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: __c00DEE0 - C:\WINDOWS\system32\__c00DEE0.dat
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\josoyove.dll
O22 - SharedTaskScheduler: klj3r93iorkemnfaja93riemef - {C5BF40A2-94F3-42BD-F434-1604812C8955} - C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\josoyove.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Unknown owner - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Connections NetmanCryptSvc (NetmanCryptSvc) - Unknown owner - c:\xltwpuh.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Task Scheduler ScheduleHTTPFilter (schedulehttpfilter) - Unknown owner - c:\wxjnssm.exe (file missing)
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe

--
End of file - 14204 bytes

[NonSuch]

I hate to be the bearer of bad news but one or more of the identified infections on this system is a Backdoor Trojan.

Backdoor Trojans are the most dangerous and most widespread type of Trojan. Backdoor Trojans provide the author or "master" of the Trojan with remote "administration" of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

In addition to the backdoor Trojan that has been identified, this system is afflicted with other infections. Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows operating system.

Prior to reformatting the system, the hard drive could be removed and attached to another system as a "slave," thereby allowing you to remove and salvage your data files. No programs or executable files should be saved as they would likely be infected, and all data files should be scanned with anti-virus and anti-spyware programs prior to being returned to the hard drive after it has been reformatted. If you are not comfortable performing this procedure yourself, we would advise you to take the computer to a reliable, local, computer repair shop and have them do the work for you.

Should you have any questions, please feel free to ask.

These postings are provided "AS IS" with no warranties, and confer no rights.

[Jadecc]

hahaha leave it to me to completely destroy my computer XD oh well, i will just have to wipe it clean thank you for ur advice ^^

[NonSuch]

You're welcome. Sorry we didn't have better news for you.

As it appears this issue will be resolved by a reformat, this topic is now closed.

You can help support this site from this link :
Donations For Malware Removal