
I really need help!



Although your program claims to rid computers of this evil trojan, it is not discovering it on my machine.

I hate this program, it's ruining my computer and is damn near bringing me to tears.

I've run Vundo removal programs, checked hundreds of forums and tried multiple techniques, but nothing works! This goddamn virus will not go away.

Any help would be greatly appreciated!!!


* Click here to download HJTsetup.exe

  • Save HJTsetup.exe to your desktop.
  • Double-click the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Hello,

Can you rename HijackThis.exe to Analyse.exe?

Right-click HijackThis.exe and choose Rename.

Double-click Analyse.exe and post the log it creates in your next reply.

Download ComboFix from Here or Here to your Desktop.

  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Logfile of HijackThis v1.99.1

Scan saved at 9:10:42 AM, on 3/8/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Kobian\Ez View\Remote.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe

C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\MSN Messenger\livecall.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Hijackthis\Analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: IE7pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7pro.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1FCAD009-345F-4FD9-ACB0-86A8DB8CB60C} - C:\WINDOWS\system32\ddcyv.dll

O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {C47A9554-195A-4769-9B13-04F15B450A39} - (no file)

O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\kghsvhjl.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: MyWiki toolbar - {e22e8d11-0f3e-4d46-8fc1-7264b4d5ea01} - C:\Program Files\MyWiki\tbMyWi.dll

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [TvrRemote] "C:\Program Files\Kobian\Ez View\Remote.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime

O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\osrbvnyb.dll",setvm

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - Startup: Outpost Firewall.lnk = C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll

O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n028p/EN/install/gtdownlr.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: ddcyv - C:\WINDOWS\system32\ddcyv.dll

O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\DERREK~1\LOCALS~1\Temp\hpdj.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\DERREK~1\APPLIC~1.\SearchToolbarCorp

C:\DOCUME~1\DERREK~1\APPLIC~1.\SearchToolbarCorp\Toolbar Vision

((((((((((((((((((((((((((((((( Files Created from 2007-02-08 to 2007-03-08 ))))))))))))))))))))))))))))))))))

2007-03-08 09:09 1,153,763 ---hs---- C:\WINDOWS\system32\vycdd.bak1

2007-03-07 20:57 223,128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys

2007-03-07 20:57 <DIR> d-------- C:\Program Files\DAEMON Tools

2007-03-07 00:49 123,412 --a------ C:\WINDOWS\system32\osrbvnyb.dll

2007-03-06 15:55 <DIR> d-------- C:\Program Files\DFPinger

2007-03-06 00:49 76,412 --a------ C:\WINDOWS\system32\yuduyahp.dll

2007-03-04 21:25 <DIR> d-------- C:\Program Files\RogueRemover

2007-03-03 20:06 14,848 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys

2007-03-03 19:32 75,264 --a------ C:\WINDOWS\system32\unacev2.dll

2007-03-03 19:32 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll

2007-03-03 19:32 <DIR> d-------- C:\Program Files\Trojan Remover

2007-03-03 19:32 <DIR> d-------- C:\DOCUME~1\DERREK~1\APPLIC~1\Simply Super Software

2007-03-03 18:37 <DIR> d-------- C:\Program Files\mIRC

2007-03-03 13:23 <DIR> d-------- C:\Program Files\Common Files\Agnitum Shared

2007-03-03 13:23 <DIR> d-------- C:\Program Files\Agnitum

2007-03-02 18:48 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP

2007-03-02 18:41 48,660 --a------ C:\WINDOWS\system32\kghsvhjl.dll

2007-03-01 18:39 76,412 --a------ C:\WINDOWS\system32\wuwarwxx.dll

2007-02-28 13:45 76,412 --a------ C:\WINDOWS\system32\jvlwpxou.dll

2007-02-28 12:24 <DIR> d-------- C:\Program Files\Google

2007-02-28 12:21 <DIR> d-------- C:\Program Files\Lavasoft RegHance

2007-02-28 01:43 33,792 -ra------ C:\WINDOWS\NPSExec.exe

2007-02-28 01:43 <DIR> d-------- C:\Program Files\Electronic Arts

2007-02-28 01:37 258,560 --a------ C:\WINDOWS\uninst.exe

2007-02-27 22:53 <DIR> d-------- C:\Program Files\Infogrames Interactive

2007-02-27 22:37 <DIR> d-------- C:\WINDOWS\YDKJ2

2007-02-27 22:37 <DIR> d-------- C:\Program Files\ydkj volume 2

2007-02-23 20:00 76,412 --a------ C:\WINDOWS\system32\usnbelhy.dll

2007-02-23 03:43 86,016 -ra------ C:\WINDOWS\system32\CNMCP71.exe

2007-02-23 03:43 7,680 --a------ C:\WINDOWS\system32\CNMVS71.DLL

2007-02-23 03:43 124,928 --a------ C:\WINDOWS\system32\CNMLM71.DLL

2007-02-23 03:43 <DIR> d--h----- C:\BJPrinter

2007-02-23 03:07 <DIR> d-------- C:\DOCUME~1\DERREK~1\APPLIC~1\Gtek

2007-02-23 03:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Gtek

2007-02-22 20:43 <DIR> d-------- C:\Program Files\MyWiki

2007-02-22 20:42 <DIR> d-------- C:\Program Files\IE7pro

2007-02-22 20:42 <DIR> d-------- C:\DOCUME~1\DERREK~1\APPLIC~1\IE7pro

2007-02-22 18:11 <DIR> d-------- C:\Program Files\Sony Interactive

2007-02-22 15:56 <DIR> d-------- C:\Program Files\LimeWire

2007-02-22 15:55 <DIR> d-------- C:\Program Files\JavaSoft

2007-02-22 11:15 88,340 --a------ C:\WINDOWS\system32\uvwwrulr.exe

2007-02-21 12:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2007-02-21 00:02 281,652 --------- C:\WINDOWS\system32\ddcyv.dll

2007-02-20 15:41 <DIR> d-------- C:\DOCUME~1\DERREK~1\Shared

2007-02-20 15:39 <DIR> d-------- C:\DOCUME~1\DERREK~1\APPLIC~1\FrostWire

2007-02-08 20:33 <DIR> d-------- C:\Program Files\Hewlett-Packard

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-03-08 09:16 48660 --a------ C:\WINDOWS\system32\kkflgtgo.dll

2007-03-08 02:07 -------- d---s---- C:\Program Files\xfire

2007-03-08 02:00 -------- d-------- C:\DOCUME~1\DERREK~1\APPLIC~1\xfire

2007-03-05 00:45 -------- d-------- C:\Program Files\bitcomet

2007-03-05 00:28 -------- d-------- C:\Program Files\mopid

2007-03-02 18:58 -------- d-------- C:\Program Files\lavasoft

2007-03-02 18:58 -------- d-------- C:\DOCUME~1\DERREK~1\APPLIC~1\lavasoft

2007-02-28 18:32 -------- d--h----- C:\Program Files\installshield installation information

2007-02-28 12:13 -------- d-------- C:\Program Files\Common Files\wise installation wizard

2007-02-28 01:56 1295 --a--c--- C:\WINDOWS\ereg.dat

2007-02-28 01:55 -------- d-------- C:\Program Files\maxis

2007-02-28 01:34 -------- d-------- C:\Program Files\yahoo!

2007-02-26 23:12 -------- d-------- C:\DOCUME~1\DERREK~1\APPLIC~1\ahead

2007-02-26 22:22 -------- d-------- C:\DOCUME~1\DERREK~1\APPLIC~1\macromedia

2007-02-26 21:28 -------- d-------- C:\Program Files\xbc

2007-02-26 17:54 -------- d-------- C:\Program Files\the weather channel fw

2007-02-22 19:45 -------- d-------- C:\DOCUME~1\DERREK~1\APPLIC~1\teamspeak2

2007-02-21 12:21 -------- d-------- C:\Program Files\spywareblaster

2007-02-14 00:02 -------- d---s---- C:\DOCUME~1\DERREK~1\APPLIC~1\microsoft

2007-02-07 16:58 194680 --a------ C:\DOCUME~1\DERREK~1\APPLIC~1\gdipfontcachev1.dat

2007-02-05 06:00 -------- d-------- C:\Program Files\msn messenger

2007-01-29 20:53 -------- d-------- C:\DOCUME~1\DERREK~1\APPLIC~1\adobe

2007-01-29 15:55 -------- d-------- C:\Program Files\dvd shrink

2007-01-29 15:55 -------- d-------- C:\Program Files\dvd decrypter

2007-01-28 15:27 -------- d-------- C:\Program Files\divx

2007-01-25 19:19 524288 --a------ C:\WINDOWS\system32\divxsm.exe

2007-01-25 19:19 36624 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys

2007-01-25 19:19 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll

2007-01-25 19:19 2560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys

2007-01-25 19:19 2432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys

2007-01-25 19:19 129784 --------- C:\WINDOWS\system32\pxafs.dll

2007-01-25 19:19 118520 --------- C:\WINDOWS\system32\pxinsi64.exe

2007-01-25 19:19 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe

2007-01-25 19:18 200704 --a--c--- C:\WINDOWS\system32\ssldivx.dll

2007-01-25 19:18 1044480 --a--c--- C:\WINDOWS\system32\libdivx.dll

2007-01-25 19:13 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll

2007-01-25 19:13 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll

2007-01-25 19:13 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll

2007-01-25 19:13 738906 --a------ C:\WINDOWS\system32\divx.dll

2007-01-25 19:13 73728 --a------ C:\WINDOWS\system32\dpl100.dll

2007-01-25 19:13 593920 --a--c--- C:\WINDOWS\system32\dpugui11.dll

2007-01-25 19:13 57344 --a--c--- C:\WINDOWS\system32\dpv11.dll

2007-01-25 19:13 53248 --a--c--- C:\WINDOWS\system32\dpugui10.dll

2007-01-25 19:13 344064 --a--c--- C:\WINDOWS\system32\dpus11.dll

2007-01-25 19:13 294912 --a--c--- C:\WINDOWS\system32\dpu11.dll

2007-01-25 19:13 294912 --a--c--- C:\WINDOWS\system32\dpu10.dll

2007-01-25 19:13 196608 --a--c--- C:\WINDOWS\system32\dtu100.dll

2007-01-23 11:51 -------- d-------- C:\Program Files\microsoft windows vista upgrade advisor

2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll

2007-01-14 18:32 -------- d-------- C:\Program Files\irfanview

2007-01-14 17:08 -------- d-------- C:\DOCUME~1\DERREK~1\APPLIC~1\adobeum

2007-01-08 19:01 17408 --a------ C:\WINDOWS\system32\corpol.dll

2006-12-12 10:24 12288 --a------ C:\WINDOWS\system32\divxwmpexttype.dll

2006-12-12 10:24 118784 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"

"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\tbmon.exe\""

"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"

"TvrRemote"="\"C:\\Program Files\\Kobian\\Ez View\\Remote.exe\""

"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"QuickTime Task"="\"C:\\Program Files\\QuickTime Alternative\\qttask.exe\" -atboottime"

"2chkdsk"="rundll32.exe \"C:\\WINDOWS\\system32\\osrbvnyb.dll\",setvm"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"

"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "

"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"

"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\MICROS~3\\Office10\\OSA.EXE -b -l"

"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^derrek turnabout^Start Menu^Programs^Startup^Adobe Gamma.lnk]

"path"="C:\\Documents and Settings\\derrek turnabout\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk"

"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkStartup"

"location"="Startup"

"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "

"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^derrek turnabout^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]

"path"="C:\\Documents and Settings\\derrek turnabout\\Start Menu\\Programs\\Startup\\Yahoo! Widget Engine.lnk"

"backup"="C:\\WINDOWS\\pss\\Yahoo! Widget Engine.lnkStartup"

"location"="Startup"

"command"="C:\\PROGRA~1\\Yahoo!\\YAHOO!~1\\YAHOOW~1.EXE "

"item"="Yahoo! Widget Engine"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="avgas"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="Ares"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="CLIStart"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="Ati2mdxx"

"hkey"="HKLM"

"command"="Ati2mdxx.exe"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="atiptaxx"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="NMBgMonitor"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="ctfmon"

"hkey"="HKCU"

"command"="C:\\WINDOWS\\system32\\ctfmon.exe"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="CTSysVol"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Creative\\SBAudigy\\Surround Mixer\\CTSysVol.exe\" /r"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="DeadAIM"

"hkey"="HKLM"

"command"="\"rundll32.exe\" \"C:\\PROGRA~1\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="hpotdd01"

"hkey"="HKLM"

"command"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="HPWuSchd"

"hkey"="HKLM"

"command"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="hpztsb08"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb08.exe"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="iTunesHelper"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="msmsgs"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="MsnMsgr"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="NeroCheck"

"hkey"="HKLM"

"command"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outpost Firewall]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="outpost"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Agnitum\\Outpost Firewall\\outpost.exe\" /waitservice"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OutpostFeedBack]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="feedback"

"hkey"="HKLM"

"command"="C:\\Program Files\\Agnitum\\Outpost Firewall\\feedback.exe /dump:os_startup"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="Rundll32 P17"

"hkey"="HKLM"

"command"="Rundll32 P17.dll,P17Helper"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="qttask"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\QuickTime Alternative\\qttask.exe\" -atboottime"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="Steam"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="jusched"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="Trjscan"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Trojan Remover\\Trjscan.exe\""

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TvrSchedule]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="Schedule"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Kobian\\Ez View\\Schedule.exe\""

"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="UpdReg"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\UpdReg.EXE"

"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"appinit_dlls"="wbsys.dll"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSaveSettings"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyv

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

HTTPFilter REG_MULTI_SZ HTTPFilter

LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV

NetworkService REG_MULTI_SZ DnsCache

DcomLaunch REG_MULTI_SZ DcomLaunchTermService

rpcss REG_MULTI_SZ RpcSs

imgsvc REG_MULTI_SZ StiSvc

termsvcs REG_MULTI_SZ TermService

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

C:\WINDOWS\tasks\User_Feed_Synchronization-{BD4C2401-5B05-4CD9-A415-6F879BF78E08}.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006

http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

********************************************************************

Completion time: 07-03-08 9:18:33

thanks for the help!!!

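The helpers in this thread read logs like the one above by hand and pick out the entries that point at Vundo: the "(no name)" BHOs, the Winlogon Notify hook and the rundll32 Run entry, all backed by oddly named DLLs in system32. As an added example, not part of this thread and not HijackThis code, here is a small Python triage script that applies those same checks to the O2, O4 and O20 entry formats. The sample lines are constructed in the shape of the log above, and the random-name test and the known-good Winlogon Notify list are coarse assumptions for illustration, so anything it flags still needs a human look (as the helper says, most of what HijackThis lists is harmless or required).

```python
"""Triage of HijackThis v1.99 log entries.

Added example for this thread (not HijackThis code and not a tool the helpers
used). It parses the O2 (BHO), O4 (Run) and O20 (Winlogon Notify) line formats
and flags the patterns an analyst looks for. The random-name heuristic and the
KNOWN_NOTIFY list are assumptions for illustration only.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: lines copied in shape from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1FCAD009-345F-4FD9-ACB0-86A8DB8CB60C} - C:\WINDOWS\system32\ddcyv.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\kghsvhjl.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\osrbvnyb.dll",setvm
O20 - Winlogon Notify: ddcyv - C:\WINDOWS\system32\ddcyv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
DLL_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.dll', re.IGNORECASE)

# Assumed known-good Winlogon Notify packages on Windows XP (not exhaustive).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

R_NONAME = "BHO has no name but is backed by a file on disk"
R_RANDOM = "DLL in system32 with a random-looking name"
R_RUNDLL = "Run entry loads a DLL through rundll32"
R_NOTIFY = "Winlogon Notify package not in the known Windows list"

VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Coarse test for generated names: all-lowercase letters, 5-10 long,
    with almost no vowels (assumption modelled on the names in this thread)."""
    if not (stem.isalpha() and stem.islower() and 5 <= len(stem) <= 10):
        return False
    ratio = sum(c in VOWELS for c in stem) / len(stem)
    return ratio <= 0.15 or (len(stem) >= 8 and ratio < 0.3)


def stem_of(path: str) -> str:
    """File name without directory or extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage(log_text: str) -> List[Finding]:
    """Parse the O2/O4/O20 lines of a HijackThis log and attach reasons."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := O2_RE.match(line):
            f = Finding("O2", m["name"], m["path"])
            if f.path != "(no file)":          # orphaned CLSIDs are just clutter
                if f.name == "(no name)":
                    f.reasons.append(R_NONAME)
                if in_system32(f.path) and looks_random(stem_of(f.path)):
                    f.reasons.append(R_RANDOM)
        elif m := O4_RE.match(line):
            cmd = m["cmd"]
            dll = DLL_RE.search(cmd)
            f = Finding("O4", m["name"], dll.group(0) if dll else cmd)
            if dll and "rundll32" in cmd.lower():
                f.reasons.append(R_RUNDLL)
                if in_system32(f.path) and looks_random(stem_of(f.path)):
                    f.reasons.append(R_RANDOM)
        elif m := O20_RE.match(line):
            f = Finding("O20", m["name"], m["path"])
            if f.name.lower() not in KNOWN_NOTIFY:
                f.reasons.append(R_NOTIFY)
            if in_system32(f.path) and looks_random(stem_of(f.path)):
                f.reasons.append(R_RANDOM)
        else:
            continue
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        mark = "REVIEW" if f.suspicious else "ok    "
        print(f"{mark} {f.section:<3} {f.name} -> {f.path}")
        for r in f.reasons:
            print(f"         - {r}")
```

Run on the sample, the script marks the two nameless BHOs, the rundll32 Run entry and the ddcyv Winlogon Notify hook for review and leaves the Adobe BHO, the iTunes Run entry and WgaLogon alone; the "(no file)" entry is reported but carries no reason, since an orphaned CLSID loads nothing. The vowel-ratio test is deliberately crude and will also flag some legitimate short names, which is why the output is a review list rather than a fix list.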

Please download VundoFix.exe to your desktop

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Ohh, I've had that program for a couple of weeks now... It usually finds the virus, but it always comes back. In fact, I ran it this morning and removed about 6 files. When I came to this board I got the WinAntiVirus Pro 2007 pop-up.

This is a dilly of a virus!!


OK, you were right, of course! My version was outdated. Here are the log files:

VundoFix V6.3.15

Checking Java version...

Java version is 1.5.0.3

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8

Old versions of java are exploitable and should be removed.

Scan started at 12:37:27 PM 3/9/2007

Listing files found while scanning....

C:\WINDOWS\system32\bbwcpndw.dll

C:\WINDOWS\system32\ddcyv.dll

C:\WINDOWS\system32\lstxfkcb.dll

C:\WINDOWS\system32\vycdd.bak1

C:\WINDOWS\system32\vycdd.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bbwcpndw.dll

C:\WINDOWS\system32\bbwcpndw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcyv.dll

C:\WINDOWS\system32\ddcyv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\lstxfkcb.dll

C:\WINDOWS\system32\lstxfkcb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vycdd.bak1

C:\WINDOWS\system32\vycdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vycdd.ini

C:\WINDOWS\system32\vycdd.ini Has been deleted!

Performing Repairs to the registry.

Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddcyv.dll

C:\WINDOWS\system32\ddcyv.dll Has been deleted!

Performing Repairs to the registry.

Done!

hijack

Logfile of HijackThis v1.99.1

Scan saved at 2:38:13 PM, on 3/9/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Kobian\Ez View\Remote.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Hijackthis\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: IE7pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7pro.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {C185C059-B84C-4402-A250-8A0C50ADE358} - C:\WINDOWS\system32\ddcyv.dll (file missing)

O2 - BHO: (no name) - {F0360AD8-BDB9-4712-B307-1DF9049109C9} - C:\WINDOWS\system32\dyhjebku.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: MyWiki toolbar - {e22e8d11-0f3e-4d46-8fc1-7264b4d5ea01} - C:\Program Files\MyWiki\tbMyWi.dll

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [TvrRemote] "C:\Program Files\Kobian\Ez View\Remote.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime

O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\osrbvnyb.dll",setvm

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - Startup: Outpost Firewall.lnk = C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll

O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n028p/EN/install/gtdownlr.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\DERREK~1\LOCALS~1\Temp\hpdj.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

thank you!


Hello again,

Please go to add/remove programs and uninstall MyWiki, if found.

  • Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {C185C059-B84C-4402-A250-8A0C50ADE358} - C:\WINDOWS\system32\ddcyv.dll (file missing)

O2 - BHO: (no name) - {F0360AD8-BDB9-4712-B307-1DF9049109C9} - C:\WINDOWS\system32\dyhjebku.dll

O3 - Toolbar: MyWiki toolbar - {e22e8d11-0f3e-4d46-8fc1-7264b4d5ea01} - C:\Program Files\MyWiki\tbMyWi.dll

Click on Fix Checked when finished and exit HijackThis.

  • Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\system32\dyhjebku.dll <=== file

C:\Program Files\MyWiki <=== folder

Exit Explorer, and reboot as normal afterwards.

Your Java Runtime Environment is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6, The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save it to your desktop (12.6 MB).
  • Close any programs you may have running - especially any web browsers.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windowsi586.exe to install the newest version.

Post back a new hijackthis log.

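The two things the helper is picking out of the log by eye above (unnamed O2 BHO entries that point at system32 or at a file that is no longer there, and O4 Run entries that use rundll32 to load a DLL out of system32) can be written down as a small triage script. This is an added example, not code from the thread or from HijackThis; the heuristics are my own, the sample lines are copied from the logs posted in this thread, and a hit means "review this entry", not proof of infection.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines in the format HijackThis 1.99.1 writes, copied
# from the logs in this thread, plus benign lines to show what is NOT flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C185C059-B84C-4402-A250-8A0C50ADE358} - C:\WINDOWS\system32\ddcyv.dll (file missing)
O2 - BHO: (no name) - {F0360AD8-BDB9-4712-B307-1DF9049109C9} - C:\WINDOWS\system32\dyhjebku.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\osrbvnyb.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
# O4 registry Run lines: "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SYSTEM32 = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O2" or "O4"
    ident: str     # CLSID for a BHO, Run value name for an O4 entry
    reason: str    # why a human should look at this entry


def check_line(line: str) -> Optional[Finding]:
    """Apply the two heuristics to one log line; None means nothing to review."""
    m = O2_RE.match(line)
    if m:
        name, target = m["name"], m["target"]
        missing = "(no file)" in target or "(file missing)" in target
        # A BHO with no name is common for a legitimate add-on (SDHelper above),
        # so only unnamed BHOs that are orphaned or live in system32 are flagged.
        if name == "(no name)" and (missing or SYSTEM32.search(target)):
            why = ("unnamed BHO with no backing file (orphaned registration)"
                   if missing else "unnamed BHO loaded from system32")
            return Finding("O2", m["clsid"], why)
        return None
    m = O4_RE.match(line)
    if m:
        cmd = m["cmd"]
        # Legitimate Run entries normally name an .exe; rundll32 pointed at a
        # DLL in system32 is how the Vundo entry in this thread was started.
        if cmd.lower().startswith("rundll32") and SYSTEM32.search(cmd):
            return Finding("O4", m["name"], "Run entry uses rundll32 to load a DLL from system32")
    return None


def triage(log_text: str) -> List[Finding]:
    """Return every entry in a HijackThis log that merits a closer look."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.ident}: {f.reason}")
```

Run against the sample it reports the three O2 entries the helper lists for "Fix Checked" plus the [2chkdsk] rundll32 entry, and stays quiet on SDHelper, the Java BHO, ctfmon and iTunesHelper.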

Thank you justice! I am currently home from college for spring break, so as soon as I return I will continue with that step. I do have one question though: after I remove the Wikipedia toolbar add-in for IE7, will I be able to reinstall it?


Okay justice, so far so good! I completed those last steps and here is my log:

Logfile of HijackThis v1.99.1

Scan saved at 11:11:35 AM, on 3/18/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Kobian\Ez View\Remote.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Hijackthis\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: IE7pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7pro.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: MyWiki toolbar - {e22e8d11-0f3e-4d46-8fc1-7264b4d5ea01} - C:\Program Files\MyWiki\tbMyWi.dll

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [TvrRemote] "C:\Program Files\Kobian\Ez View\Remote.exe"

O4 - HKLM\..\Run: [DeadAIM] "rundll32.exe" "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - Startup: Outpost Firewall.lnk = C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll

O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_03\bin\npjava131_03.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_03\bin\npjava131_03.dll (file missing)

O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n028p/EN/install/gtdownlr.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\DERREK~1\LOCALS~1\Temp\hpdj.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

Compliment!

sarah
