Jump to content

Please Help! Trojans


hsj0660

Recommended Posts

Here is my MBAM log

Malwarebytes' Anti-Malware 1.30

Database version: 1419

Windows 6.0.6000

11/27/2008 4:34:02 PM

mbam-log-2008-11-27 (16-34-02).txt

Scan type: Quick Scan

Objects scanned: 50757

Time elapsed: 6 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 3

Registry Values Infected: 4

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\Windows\System32\wovajeba.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\Windows\System32\janohaya.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmb145fa1b (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fokululohi (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\janohaya.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\janohaya.dll -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\wovajeba.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\Windows\System32\abejavow.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.;******************************************************************

********************************************************************************

*

********************************

ANALYSIS: 2008-11-27 19:35:04

PROTECTIONS: 2

MALWARE: 48

SUSPECTS: 2

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

Windows Defender 1.1.1603.0 No No

Norton Antivirus Internet Security 2007 14.1.2 No No

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@trafficmp[1].txt

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@casalemedia[2].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@doubleclick[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@doubleclick[1].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@atdmt[2].txt

00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@tradedoubler[2].txt

00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@247realmedia[2].txt

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@fastclick[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@tribalfusion[2].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@tribalfusion[2].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@mediaplex[1].txt

00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@linksynergy[2].txt

00145869 Cookie/SpyLog TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@spylog[2].txt

00147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@clickbank[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@com[2].txt

00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@yadro[1].txt

00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@yadro[1].txt

00167677 Cookie/WebPower TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@webpower[2].txt

00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@xiti[1].txt

00167724 Cookie/HotLog TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@hotlog[2].txt

00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@toplist[2].txt

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@statcounter[1].txt

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@statcounter[2].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@ad.yieldmanager[2].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@ad.yieldmanager[1].txt

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@apmebf[2].txt

00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@burstnet[1].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@serving-sys[1].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@bs.serving-sys[1].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@www.burstbeacon[2].txt

00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@adtech[1].txt

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@server.iad.liveperson[3].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@advertising[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@advertising[2].txt

00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@media.adrevolver[3].txt

00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@statse.webtrendslive[1].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@ads.pointroll[2].txt

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@overture[1].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@realmedia[1].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@questionmarket[2].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@questionmarket[1].txt

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@zedo[2].txt

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@zedo[1].txt

00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@bluestreak[1].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@adrevolver[2].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@adrevolver[1].txt

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@adultfriendfinder[1].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@go[2].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@target[1].txt

00249100 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@www2.addfreestats[1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@atwola[1].txt

00286736 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@www6.addfreestats[1].txt

00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@ads.addynamix[2].txt

00431194 Adware/AdsRevenue Adware No 0 Yes No C:\Users\Jef\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5BFT16C6\mm[1].js

00456116 Adware/Antivirus2009 Adware No 0 Yes No C:\Users\Jef\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S2ANNH1U\freescan[1].htm

01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@adserver.easyad[1].txt

02897073 Cookie/Revenue TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@adsrevenue[2].txt

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location $dC5L

;===============================================================================

================================================================================

=

===================

No C:\Windows\haraisys32.exe $dC5L

No C:\Windows\System32\ALZZip.BIN $dC5L

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description $dC5L

;===============================================================================

================================================================================

=

===================

184379 MEDIUM MS08-001 $dC5L

182048 HIGH MS07-069 $dC5L

176382 HIGH MS07-057 $dC5L

170906 HIGH MS07-045 $dC5L

164913 HIGH MS07-033 $dC5L

160623 HIGH MS07-027 $dC5L

;===============================================================================

================================================================================

=

===================

And here is my hijackthis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:37:12 PM, on 11/27/2008

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16757)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\ASUS\ATK Media\DMedia.exe

C:\Program Files\PowerForPhone\PowerForPhone\PowerForPhone.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe

C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Rainlendar2\Rainlendar2.exe

C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\ASUS\ASUS Live Update\ALU.exe

C:\Program Files\iTunes\iTunes.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Windows\system32\DllHost.exe

C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe

C:\Program Files\Sports Interactive\Worldwide Soccer Manager 2009\wsm.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: ::1 localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

O2 - BHO: (no name) - {3188e621-912a-4c89-a36c-f901b6a9118c} - C:\Windows\system32\fowabuhi.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE

O4 - HKLM\..\Run: [PowerForPhone] C:\Program Files\PowerForPhone\PowerForPhone\PowerForPhone.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"

O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"

O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [fokululohi] Rundll32.exe "C:\Windows\system32\hunetado.dll",s

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe

O4 - HKCU\..\Run: [buddyBuddy] C:\Program Files\BuddyBuddy\BuddyBuddy\BuddyBuddy.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [fokululohi] Rundll32.exe "C:\Windows\system32\hunetado.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: MultiFrame.lnk = ?%ProgramFiles%\ASUS\Asus MultiFrame\MultiFrame.exe

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O13 - Gopher Prefix:

O15 - Trusted Zone: *.buddybuddy.co.kr

O15 - Trusted Zone: *.folderplus.com

O15 - Trusted Zone: *.nate.com

O15 - ESC Trusted Zone: http://*.update.microsoft.com

O16 - DPF: {04670ED5-3464-4A83-BE1F-24E6FFA41928} (Einsdigital Music Web Player Control) - http://dl.sayclub.com/sayclub/sayctl/p3ed.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {893BE5FA-2E09-48C7-801B-25C986A0AC5F} (FMoaLoad.Starter) - http://filemoa.co.kr/fmoaload.cab

O16 - DPF: {8BE9ABE8-963F-4990-9DEC-77A3C210C33B} (InnoFD Ver.5 (REengineered)) - http://popcorn.shootgoal.com/Innorix/Diskpopcorn.cab

O16 - DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} (CyImage Class) - http://cyimg7.cyworld.com/ImageUpload/CyPi...33.cab?20081124

O16 - DPF: {9CDD57AC-CA86-464C-B920-3228A388CC78} (NaverFileControl Control) - http://file.naver.com/activex/NaverFile.cab

O16 - DPF: {A968671F-9927-4E04-9D12-300CD058811C} (EnDiskControlCtrl Class) - http://update.endisk.com/EnUpdate/EnDiskControl2.cab

O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab

O16 - DPF: {B005D02C-E461-4851-8A79-C7FDC8563C07} (BBNPort Class) - http://user.buddybuddy.co.kr/cab/BBNPort.cab

O16 - DPF: {B128EFF9-0B1C-4C65-A162-28165A3A0A18} (MakeShop Secure Control) - http://ssl.makeshop.co.kr/ssl/MSecure.cab

O16 - DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} (SKCInst1 Class) - http://cyimg7.cyworld.com/cymusic/package/skcinst.cab

O16 - DPF: {CBDFD14F-64C3-4ACE-B80E-4A3927FCA361} (File0u File Share Control 4) - http://www.file0u.com/mmsv/File0uControl.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F0320816-41D9-49DD-B2F3-8E7B0AE32796} (AFCStarter Control) - http://live.afreeca.com:8057/AFCStarter.cab

O16 - DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} (MultiUpload Control) - http://www.clubbox.co.kr/neo.fld/MultiUpload.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - AppInit_DLLs: C:\Windows\system32\mebedelu.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

--

End of file - 12616 bytes

I think

O4 - HKLM\..\Run: [fokululohi] Rundll32.exe "C:\Windows\system32\hunetado.dll",s

This thing is the problem and it keeps multiplying and popping back up each time i remove it! Please help

Thank you

c:\Windows\System32\janohaya.dll (Trojan.BHO) -> Delete on reboot.

Here is my Activescan log

Link to post
Share on other sites

OH Sorry I think i acciedently typed in my thoughts in the middle of the two logs where MBAM and Activescan cross

here is the edited version

MBAM LOG

Malwarebytes' Anti-Malware 1.30

Database version: 1419

Windows 6.0.6000

11/27/2008 4:34:02 PM

mbam-log-2008-11-27 (16-34-02).txt

Scan type: Quick Scan

Objects scanned: 50757

Time elapsed: 6 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 3

Registry Values Infected: 4

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\Windows\System32\wovajeba.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\Windows\System32\janohaya.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmb145fa1b (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fokululohi (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\janohaya.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\janohaya.dll -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\wovajeba.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\Windows\System32\abejavow.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

c:\Windows\System32\janohaya.dll (Trojan.BHO) -> Delete on reboot.

ACTIVESCAN LOG

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-11-27 19:35:04

PROTECTIONS: 2

MALWARE: 48

SUSPECTS: 2

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

Windows Defender 1.1.1603.0 No No

Norton Antivirus Internet Security 2007 14.1.2 No No

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@trafficmp[1].txt

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@casalemedia[2].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@doubleclick[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@doubleclick[1].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@atdmt[2].txt

00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@tradedoubler[2].txt

00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@247realmedia[2].txt

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@fastclick[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@tribalfusion[2].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@tribalfusion[2].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@mediaplex[1].txt

00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@linksynergy[2].txt

00145869 Cookie/SpyLog TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@spylog[2].txt

00147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@clickbank[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@com[2].txt

00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@yadro[1].txt

00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@yadro[1].txt

00167677 Cookie/WebPower TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@webpower[2].txt

00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@xiti[1].txt

00167724 Cookie/HotLog TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@hotlog[2].txt

00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@toplist[2].txt

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@statcounter[1].txt

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@statcounter[2].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@ad.yieldmanager[2].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@ad.yieldmanager[1].txt

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@apmebf[2].txt

00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@burstnet[1].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@serving-sys[1].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@bs.serving-sys[1].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@www.burstbeacon[2].txt

00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@adtech[1].txt

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@server.iad.liveperson[3].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@advertising[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@advertising[2].txt

00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@media.adrevolver[3].txt

00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@statse.webtrendslive[1].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@ads.pointroll[2].txt

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@overture[1].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@realmedia[1].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@questionmarket[2].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@questionmarket[1].txt

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@zedo[2].txt

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@zedo[1].txt

00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@bluestreak[1].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\Low\jef@adrevolver[2].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@adrevolver[1].txt

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@adultfriendfinder[1].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@go[2].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@target[1].txt

00249100 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@www2.addfreestats[1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@atwola[1].txt

00286736 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@www6.addfreestats[1].txt

00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@ads.addynamix[2].txt

00431194 Adware/AdsRevenue Adware No 0 Yes No C:\Users\Jef\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5BFT16C6\mm[1].js

00456116 Adware/Antivirus2009 Adware No 0 Yes No C:\Users\Jef\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S2ANNH1U\freescan[1].htm

01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@adserver.easyad[1].txt

02897073 Cookie/Revenue TrackingCookie No 0 Yes No C:\Users\Jef\AppData\Roaming\Microsoft\Windows\Cookies\jef@adsrevenue[2].txt

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location $dC5L

;===============================================================================

================================================================================

=

===================

No C:\Windows\haraisys32.exe $dC5L

No C:\Windows\System32\ALZZip.BIN $dC5L

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description $dC5L

;===============================================================================

================================================================================

=

===================

184379 MEDIUM MS08-001 $dC5L

182048 HIGH MS07-069 $dC5L

176382 HIGH MS07-057 $dC5L

170906 HIGH MS07-045 $dC5L

164913 HIGH MS07-033 $dC5L

160623 HIGH MS07-027 $dC5L

;===============================================================================

================================================================================

=

===================

HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:37:12 PM, on 11/27/2008

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16757)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\ASUS\ATK Media\DMedia.exe

C:\Program Files\PowerForPhone\PowerForPhone\PowerForPhone.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe

C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Rainlendar2\Rainlendar2.exe

C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\ASUS\ASUS Live Update\ALU.exe

C:\Program Files\iTunes\iTunes.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Windows\system32\DllHost.exe

C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe

C:\Program Files\Sports Interactive\Worldwide Soccer Manager 2009\wsm.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: ::1 localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

O2 - BHO: (no name) - {3188e621-912a-4c89-a36c-f901b6a9118c} - C:\Windows\system32\fowabuhi.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE

O4 - HKLM\..\Run: [PowerForPhone] C:\Program Files\PowerForPhone\PowerForPhone\PowerForPhone.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"

O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"

O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [fokululohi] Rundll32.exe "C:\Windows\system32\hunetado.dll",s

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe

O4 - HKCU\..\Run: [buddyBuddy] C:\Program Files\BuddyBuddy\BuddyBuddy\BuddyBuddy.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [fokululohi] Rundll32.exe "C:\Windows\system32\hunetado.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: MultiFrame.lnk = ?%ProgramFiles%\ASUS\Asus MultiFrame\MultiFrame.exe

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O13 - Gopher Prefix:

O15 - Trusted Zone: *.buddybuddy.co.kr

O15 - Trusted Zone: *.folderplus.com

O15 - Trusted Zone: *.nate.com

O15 - ESC Trusted Zone: http://*.update.microsoft.com

O16 - DPF: {04670ED5-3464-4A83-BE1F-24E6FFA41928} (Einsdigital Music Web Player Control) - http://dl.sayclub.com/sayclub/sayctl/p3ed.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {893BE5FA-2E09-48C7-801B-25C986A0AC5F} (FMoaLoad.Starter) - http://filemoa.co.kr/fmoaload.cab

O16 - DPF: {8BE9ABE8-963F-4990-9DEC-77A3C210C33B} (InnoFD Ver.5 (REengineered)) - http://popcorn.shootgoal.com/Innorix/Diskpopcorn.cab

O16 - DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} (CyImage Class) - http://cyimg7.cyworld.com/ImageUpload/CyPi...33.cab?20081124

O16 - DPF: {9CDD57AC-CA86-464C-B920-3228A388CC78} (NaverFileControl Control) - http://file.naver.com/activex/NaverFile.cab

O16 - DPF: {A968671F-9927-4E04-9D12-300CD058811C} (EnDiskControlCtrl Class) - http://update.endisk.com/EnUpdate/EnDiskControl2.cab

O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab

O16 - DPF: {B005D02C-E461-4851-8A79-C7FDC8563C07} (BBNPort Class) - http://user.buddybuddy.co.kr/cab/BBNPort.cab

O16 - DPF: {B128EFF9-0B1C-4C65-A162-28165A3A0A18} (MakeShop Secure Control) - http://ssl.makeshop.co.kr/ssl/MSecure.cab

O16 - DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} (SKCInst1 Class) - http://cyimg7.cyworld.com/cymusic/package/skcinst.cab

O16 - DPF: {CBDFD14F-64C3-4ACE-B80E-4A3927FCA361} (File0u File Share Control 4) - http://www.file0u.com/mmsv/File0uControl.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F0320816-41D9-49DD-B2F3-8E7B0AE32796} (AFCStarter Control) - http://live.afreeca.com:8057/AFCStarter.cab

O16 - DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} (MultiUpload Control) - http://www.clubbox.co.kr/neo.fld/MultiUpload.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - AppInit_DLLs: C:\Windows\system32\mebedelu.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

--

End of file - 12616 bytes

THANK YOU!!!!

Link to post
Share on other sites

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  1. Please Read All Instructions Carefully

  2. If you don't understand something, stop and ask! Don't keep going on.

  3. Please do not run any other tools or scans whilst I am helping you

  4. Please continue to respond until I give you the "All Clear"

    (Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly laechel.gif

Please Note, your security programs may give warnings for some of the tools I will ask you to use.

Be assured, any links I give are safe

----------------------------------------------------------------------------------------

Fix With HJT

Please note:- Due to the restrictions on Vista, all tools should be started by Right-Click >>> Run As Administrator

Close all other windows and then start HiJack This

Click Do A System Scan Only

When it has finished scanning put a check next to the following lines IF still present

O2 - BHO: (no name) - {3188e621-912a-4c89-a36c-f901b6a9118c} - C:\Windows\system32\fowabuhi.dll (file missing)

O4 - HKLM\..\Run: [fokululohi] Rundll32.exe "C:\Windows\system32\hunetado.dll",s

O4 - HKUS\S-1-5-19\..\Run: [fokululohi] Rundll32.exe "C:\Windows\system32\hunetado.dll",s (User 'LOCAL SERVICE')

O20 - AppInit_DLLs: C:\Windows\system32\mebedelu.dll

O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe

- Close ALL open windows (especially Internet Explorer!)-

Now click Fix checked

Click yes to any prompts

Close HijackThis

Download and Run RSIT

  • Please download Random's System Information Tool by random/random from here and save it to your desktop.

    Please note:- Due to the restrictions on Vista, all tools should be started by Right-Click >>> Run As Administrator

  • Double click on RSIT.exe to run RSIT.

  • Click Continue at the disclaimer screen.

  • Once it has finished, two logs will open:

    • log.txt will be opened maximized.

    • info.txt will be opened minimized.

    [*]Please post the contents of both log.txt and info.txt.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.