Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Hijackthis.log

Started by batata , Apr 13 2007 01:19 AM

  • Please log in to reply
35 replies to this topic

#1 batata

batata

    Authentic Member

  • Authentic Member
  • PipPip
  • 25 posts

Posted 13 April 2007 - 01:19 AM

hi i been getting some bad pop ups http not found and some other things like antivirusscan things too buy and i was looken for some help here is my log :


Logfile of HijackThis v1.99.1
Scan saved at 3:04:09 AM, on 13/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Mike\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\tonanttc.dll",setvm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1175623727953
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

so plz if u can help me .

    Advertisements

Register to Remove

#2 dan12

dan12

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 998 posts
  • Interests:Horse riding, computer's

Posted 13 April 2007 - 03:39 AM

Hi,batataand welcome to Tom Coyote forums

I am currently looking over your log. As I am an Undergraduate, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long. I will post back shortly with a potential fix.

Thanks for your patience!
dan

#3 dan12

dan12

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 998 posts
  • Interests:Horse riding, computer's

Posted 13 April 2007 - 05:27 AM

Hi, batata

we need to put HJT into a permanent folder.
Create a folder on the desktop, right click on the desktop new folder and name it HJT. Now locate HijackThis.exe right click copy and
paste it into the folder you created on the desktop.
The reason I ask for this is, unless HJT is in its own folder it will not make backups and should things not go the way we want them to, we will be able to return to a point where we can start again.
Do this before continuing
__________

I believe we have some files hiding from us, I'm going to flush them out.

Please go to the C:\Program Files\HijackThis folder. Right click on the HijackThis.exe file and select "Rename". Rename it removal.exe,

Then run HijackThis again and post a new log please.

Thanks dan

#4 batata

batata

    Authentic Member

  • Authentic Member
  • PipPip
  • 25 posts

Posted 13 April 2007 - 11:09 AM

hi dan and ty for the help so far i have did what u told me too do and this is the log :

Logfile of HijackThis v1.99.1
Scan saved at 1:04:17 PM, on 13/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Mike\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\tonanttc.dll",setvm
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1175623727953
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

and ty again

#5 dan12

dan12

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 998 posts
  • Interests:Horse riding, computer's

Posted 13 April 2007 - 11:21 AM

Hi, you need to carry out this Instruction else I can't get to those files And HJT needs its own folder as I detailed. <==This needs to be done first at the moment you have it on the desktop here : C:\Documents and Settings\Mike\Desktop\HijackThis.exe Just create a folder on your desktop and name it HJT then copy and paste "HijackThis.exe" into it. _________ The following must be done for me to get to the files I need to get at: I believe we have some files hiding from us, I'm going to flush them out. Please go to the C:\Documents and Settings\Mike\ desktop\HijackThis.exe. Right click on the HijackThis.exe file and select "Rename". Rename it removal.exe, Then run HijackThis again and post a new log please. Thanks dan

Edited by dan12, 13 April 2007 - 11:23 AM.

#6 batata

batata

    Authentic Member

  • Authentic Member
  • PipPip
  • 25 posts

Posted 13 April 2007 - 06:58 PM

Logfile of HijackThis v1.99.1
Scan saved at 8:54:30 PM, on 13/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Mike\Desktop\HJT\removal.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {28278667-2568-453E-9B19-70DEF582E0C6} - C:\WINDOWS\system32\pmnlm.dll
O2 - BHO: (no name) - {42FA70E1-4537-4C80-AF6D-B6B373E4F259} - C:\WINDOWS\system32\etgfskqs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\kubmspsi.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7A180363-495D-48A7-9F14-65AB0E9F0130} - C:\WINDOWS\system32\etgfskqs.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\awtuust.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\tonanttc.dll",setvm
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1175623727953
O20 - Winlogon Notify: awtuust - C:\WINDOWS\SYSTEM32\awtuust.dll
O20 - Winlogon Notify: hgghhfc - C:\WINDOWS\SYSTEM32\hgghhfc.dll
O20 - Winlogon Notify: pmnlm - C:\WINDOWS\system32\pmnlm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

#7 batata

batata

    Authentic Member

  • Authentic Member
  • PipPip
  • 25 posts

Posted 14 April 2007 - 03:11 AM

hi i did what u told me too do this is the log :


Logfile of HijackThis v1.99.1
Scan saved at 8:54:30 PM, on 13/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Mike\Desktop\HJT\removal.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {28278667-2568-453E-9B19-70DEF582E0C6} - C:\WINDOWS\system32\pmnlm.dll
O2 - BHO: (no name) - {42FA70E1-4537-4C80-AF6D-B6B373E4F259} - C:\WINDOWS\system32\etgfskqs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\kubmspsi.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7A180363-495D-48A7-9F14-65AB0E9F0130} - C:\WINDOWS\system32\etgfskqs.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\awtuust.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\tonanttc.dll",setvm
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1175623727953
O20 - Winlogon Notify: awtuust - C:\WINDOWS\SYSTEM32\awtuust.dll
O20 - Winlogon Notify: hgghhfc - C:\WINDOWS\SYSTEM32\hgghhfc.dll
O20 - Winlogon Notify: pmnlm - C:\WINDOWS\system32\pmnlm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

sorry about the dubble post i tryed too edit my last post and this happed so sorry agian and ty sofar it the help

Edited by batata, 14 April 2007 - 03:15 AM.

#8 dan12

dan12

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 998 posts
  • Interests:Horse riding, computer's

Posted 14 April 2007 - 03:15 AM

Hi,batata, that is fine, now I can get to those files. will be back with you later with a fix. I have to work shortly so will catch you soon. dan

#9 dan12

dan12

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 998 posts
  • Interests:Horse riding, computer's

Posted 14 April 2007 - 04:57 AM

Hi batata

Well done! now I can get to those files.


Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

We will need to do this in reverse to enable when fix is done


We need to reveal system folders
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options
  • After the new window appears select the View tab.
  • Place a checkmark in the checkbox labeled Display the contents of system folders
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types
  • Remove the checkmark from the checkbox labeled Hide protected operating system files
  • Press the Apply and then the ok button and shut down my computer
  • Now your computer is configured to show all hidden files.
  • For you and the tools to be able to see appropriate files we need to Show Hidden Files
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please post vundofix.txt
Thanks dan

#10 batata

batata

    Authentic Member

  • Authentic Member
  • PipPip
  • 25 posts

Posted 14 April 2007 - 11:32 AM

hi dan and ty for your help sofar but i didnt do the first step : Disable Spybot's TeaTimer. This is a two step process. First: - Right click Spybot in the System Tray (looks like a calendar with a padlock symbol) - Choose Exit Spybot S&D Resident Second: - Open Spybot S&D - Click Mode, check Advanced Mode - Go To Left Panel, Click Tools, then also in left panel, click Resident - If your firewall raises a question, say OK - Uncheck the box labeled Resident Tea-Timer and OK any prompts. - Use File, Exit to terminate Spybot - Reboot your machine for the changes to take effect. We will need to do this in reverse to enable when fix is done becouse the spybot is not in the system try so i did all other steps and this is the log u asked for : VundoFix V6.3.19 Checking Java version... Java version is 1.5.0.6 Old versions of java are exploitable and should be removed. Java version is 1.5.0.9 Old versions of java are exploitable and should be removed. Scan started at 1:06:02 PM 14/04/2007 Listing files found while scanning.... C:\WINDOWS\system32\aihnjrpf.dll C:\WINDOWS\system32\avisnkth.dll C:\WINDOWS\system32\awtqo.dll C:\WINDOWS\system32\awtuust.dll C:\WINDOWS\system32\axafrdhw.exe C:\WINDOWS\system32\bkfxnuti.dll C:\WINDOWS\system32\cttnanot.ini C:\WINDOWS\system32\cxibdlhb.dll C:\WINDOWS\system32\dajtskbl.dll C:\WINDOWS\system32\dwtnowoh.dll C:\WINDOWS\system32\eoorognw.exe C:\WINDOWS\system32\fqoujmrs.dll C:\WINDOWS\system32\fupidxoc.dll C:\WINDOWS\system32\fuvgkqeh.dll C:\WINDOWS\system32\geilofps.dll C:\WINDOWS\system32\gprkdkgo.exe C:\WINDOWS\system32\hgghhfc.dll C:\WINDOWS\system32\howontwd.ini C:\WINDOWS\system32\hqedwiav.dll C:\WINDOWS\system32\iewwuypo.exe C:\WINDOWS\system32\jmphqjff.dll C:\WINDOWS\system32\jwmamlee.dll C:\WINDOWS\system32\kaeqfeky.dll C:\WINDOWS\system32\kubmspsi.dll C:\WINDOWS\system32\lftfrwqo.exe C:\WINDOWS\system32\llwjktrl.dll C:\WINDOWS\system32\mljihhh.dll C:\WINDOWS\system32\mlnmp.bak1 C:\WINDOWS\system32\mlnmp.bak2 C:\WINDOWS\system32\mlnmp.ini C:\WINDOWS\system32\mlnmp.ini2 C:\WINDOWS\system32\mlnmp.tmp C:\WINDOWS\system32\nntpmriq.dll C:\WINDOWS\system32\odltmqcc.dll C:\WINDOWS\system32\oqpfaswd.dll C:\WINDOWS\system32\oqtwa.ini C:\WINDOWS\system32\phdqfion.dll C:\WINDOWS\system32\pmnlm.dll C:\WINDOWS\system32\ppshuqpt.exe C:\WINDOWS\system32\qcqutxdg.dll C:\WINDOWS\system32\rfbtirdc.dll C:\WINDOWS\system32\rqrpppo.dll C:\WINDOWS\system32\tonanttc.dll C:\WINDOWS\system32\ujrlwxhp.dll C:\WINDOWS\system32\vobrxijr.exe C:\WINDOWS\system32\wvywnjcp.exe C:\WINDOWS\system32\xpcbrthr.exe C:\WINDOWS\system32\xteablxl.dll C:\WINDOWS\system32\xtrdfihy.exe C:\WINDOWS\system32\xvdaybfe.exe C:\WINDOWS\system32\yaeyshwg.exe Beginning removal... Attempting to delete C:\WINDOWS\system32\aihnjrpf.dll C:\WINDOWS\system32\aihnjrpf.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\avisnkth.dll C:\WINDOWS\system32\avisnkth.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\awtqo.dll C:\WINDOWS\system32\awtqo.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\awtuust.dll C:\WINDOWS\system32\awtuust.dll Could not be deleted. Attempting to delete C:\WINDOWS\system32\axafrdhw.exe C:\WINDOWS\system32\axafrdhw.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\bkfxnuti.dll C:\WINDOWS\system32\bkfxnuti.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\cttnanot.ini C:\WINDOWS\system32\cttnanot.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\cxibdlhb.dll C:\WINDOWS\system32\cxibdlhb.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\dajtskbl.dll C:\WINDOWS\system32\dajtskbl.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\dwtnowoh.dll C:\WINDOWS\system32\dwtnowoh.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\eoorognw.exe C:\WINDOWS\system32\eoorognw.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\fqoujmrs.dll C:\WINDOWS\system32\fqoujmrs.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\fupidxoc.dll C:\WINDOWS\system32\fupidxoc.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\fuvgkqeh.dll C:\WINDOWS\system32\fuvgkqeh.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\geilofps.dll C:\WINDOWS\system32\geilofps.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\gprkdkgo.exe C:\WINDOWS\system32\gprkdkgo.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\hgghhfc.dll C:\WINDOWS\system32\hgghhfc.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\howontwd.ini C:\WINDOWS\system32\howontwd.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\hqedwiav.dll C:\WINDOWS\system32\hqedwiav.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\iewwuypo.exe C:\WINDOWS\system32\iewwuypo.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\jmphqjff.dll C:\WINDOWS\system32\jmphqjff.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\jwmamlee.dll C:\WINDOWS\system32\jwmamlee.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\kaeqfeky.dll C:\WINDOWS\system32\kaeqfeky.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\kubmspsi.dll C:\WINDOWS\system32\kubmspsi.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\lftfrwqo.exe C:\WINDOWS\system32\lftfrwqo.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\llwjktrl.dll C:\WINDOWS\system32\llwjktrl.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\mljihhh.dll C:\WINDOWS\system32\mljihhh.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\mlnmp.bak1 C:\WINDOWS\system32\mlnmp.bak1 Has been deleted! Attempting to delete C:\WINDOWS\system32\mlnmp.bak2 C:\WINDOWS\system32\mlnmp.bak2 Has been deleted! Attempting to delete C:\WINDOWS\system32\mlnmp.ini C:\WINDOWS\system32\mlnmp.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\mlnmp.ini2 C:\WINDOWS\system32\mlnmp.ini2 Has been deleted! Attempting to delete C:\WINDOWS\system32\mlnmp.tmp C:\WINDOWS\system32\mlnmp.tmp Has been deleted! Attempting to delete C:\WINDOWS\system32\nntpmriq.dll C:\WINDOWS\system32\nntpmriq.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\odltmqcc.dll C:\WINDOWS\system32\odltmqcc.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\oqpfaswd.dll C:\WINDOWS\system32\oqpfaswd.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\oqtwa.ini C:\WINDOWS\system32\oqtwa.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\phdqfion.dll C:\WINDOWS\system32\phdqfion.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\pmnlm.dll C:\WINDOWS\system32\pmnlm.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\ppshuqpt.exe C:\WINDOWS\system32\ppshuqpt.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\qcqutxdg.dll C:\WINDOWS\system32\qcqutxdg.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\rfbtirdc.dll C:\WINDOWS\system32\rfbtirdc.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\rqrpppo.dll C:\WINDOWS\system32\rqrpppo.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\tonanttc.dll C:\WINDOWS\system32\tonanttc.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\ujrlwxhp.dll C:\WINDOWS\system32\ujrlwxhp.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\vobrxijr.exe C:\WINDOWS\system32\vobrxijr.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\wvywnjcp.exe C:\WINDOWS\system32\wvywnjcp.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\xpcbrthr.exe C:\WINDOWS\system32\xpcbrthr.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\xteablxl.dll C:\WINDOWS\system32\xteablxl.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\xtrdfihy.exe C:\WINDOWS\system32\xtrdfihy.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\xvdaybfe.exe C:\WINDOWS\system32\xvdaybfe.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\yaeyshwg.exe C:\WINDOWS\system32\yaeyshwg.exe Has been deleted! Performing Repairs to the registry. Done! Beginning removal... Attempting to delete C:\WINDOWS\system32\awtuust.dll C:\WINDOWS\system32\awtuust.dll Has been deleted! Performing Repairs to the registry. Done! VundoFix V6.3.19 Checking Java version... Java version is 1.5.0.6 Old versions of java are exploitable and should be removed. Java version is 1.5.0.9 Old versions of java are exploitable and should be removed. Scan started at 1:18:31 PM 14/04/2007 Listing files found while scanning.... No infected files were found. Beginning removal...

    Advertisements

Register to Remove

#11 dan12

dan12

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 998 posts
  • Interests:Horse riding, computer's

Posted 14 April 2007 - 12:00 PM

Hi,batata, can I also see a new HJT log also. Thanks

#12 batata

batata

    Authentic Member

  • Authentic Member
  • PipPip
  • 25 posts

Posted 14 April 2007 - 12:02 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:59:43 PM, on 14/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mike\Desktop\HJT\removal.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {00ED0F42-375E-4B56-B156-65D26DDE500A} - (no file)
O2 - BHO: (no name) - {42FA70E1-4537-4C80-AF6D-B6B373E4F259} - C:\WINDOWS\system32\etgfskqs.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7A180363-495D-48A7-9F14-65AB0E9F0130} - C:\WINDOWS\system32\etgfskqs.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1175623727953
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

#13 dan12

dan12

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 998 posts
  • Interests:Horse riding, computer's

Posted 14 April 2007 - 12:52 PM

Hi batata


Double-click VundoFix.exe to run it again.
Right Click inside the listbox (white box) and click add more files
Copy&Paste the entries below into the open boxes
C:\WINDOWS\system32\etgfskqs.dll

Click Add Files and Click Close Window
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot,allow the computer to reboot and VundoFix to load.

Just add the very same files as before and Click Remove Vundo.

Please include new HJT log, and vundo txt
in your next post
Thanks dan

#14 batata

batata

    Authentic Member

  • Authentic Member
  • PipPip
  • 25 posts

Posted 14 April 2007 - 01:27 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:22:52 PM, on 14/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Mike\Desktop\HJT\removal.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {00ED0F42-375E-4B56-B156-65D26DDE500A} - (no file)
O2 - BHO: (no name) - {42FA70E1-4537-4C80-AF6D-B6B373E4F259} - (no file)
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7A180363-495D-48A7-9F14-65AB0E9F0130} - (no file)
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1175623727953
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe




VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 1:06:02 PM 14/04/2007

Listing files found while scanning....

C:\WINDOWS\system32\aihnjrpf.dll
C:\WINDOWS\system32\avisnkth.dll
C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\system32\awtuust.dll
C:\WINDOWS\system32\axafrdhw.exe
C:\WINDOWS\system32\bkfxnuti.dll
C:\WINDOWS\system32\cttnanot.ini
C:\WINDOWS\system32\cxibdlhb.dll
C:\WINDOWS\system32\dajtskbl.dll
C:\WINDOWS\system32\dwtnowoh.dll
C:\WINDOWS\system32\eoorognw.exe
C:\WINDOWS\system32\fqoujmrs.dll
C:\WINDOWS\system32\fupidxoc.dll
C:\WINDOWS\system32\fuvgkqeh.dll
C:\WINDOWS\system32\geilofps.dll
C:\WINDOWS\system32\gprkdkgo.exe
C:\WINDOWS\system32\hgghhfc.dll
C:\WINDOWS\system32\howontwd.ini
C:\WINDOWS\system32\hqedwiav.dll
C:\WINDOWS\system32\iewwuypo.exe
C:\WINDOWS\system32\jmphqjff.dll
C:\WINDOWS\system32\jwmamlee.dll
C:\WINDOWS\system32\kaeqfeky.dll
C:\WINDOWS\system32\kubmspsi.dll
C:\WINDOWS\system32\lftfrwqo.exe
C:\WINDOWS\system32\llwjktrl.dll
C:\WINDOWS\system32\mljihhh.dll
C:\WINDOWS\system32\mlnmp.bak1
C:\WINDOWS\system32\mlnmp.bak2
C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\mlnmp.ini2
C:\WINDOWS\system32\mlnmp.tmp
C:\WINDOWS\system32\nntpmriq.dll
C:\WINDOWS\system32\odltmqcc.dll
C:\WINDOWS\system32\oqpfaswd.dll
C:\WINDOWS\system32\oqtwa.ini
C:\WINDOWS\system32\phdqfion.dll
C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\ppshuqpt.exe
C:\WINDOWS\system32\qcqutxdg.dll
C:\WINDOWS\system32\rfbtirdc.dll
C:\WINDOWS\system32\rqrpppo.dll
C:\WINDOWS\system32\tonanttc.dll
C:\WINDOWS\system32\ujrlwxhp.dll
C:\WINDOWS\system32\vobrxijr.exe
C:\WINDOWS\system32\wvywnjcp.exe
C:\WINDOWS\system32\xpcbrthr.exe
C:\WINDOWS\system32\xteablxl.dll
C:\WINDOWS\system32\xtrdfihy.exe
C:\WINDOWS\system32\xvdaybfe.exe
C:\WINDOWS\system32\yaeyshwg.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\aihnjrpf.dll
C:\WINDOWS\system32\aihnjrpf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\avisnkth.dll
C:\WINDOWS\system32\avisnkth.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\system32\awtqo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtuust.dll
C:\WINDOWS\system32\awtuust.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\axafrdhw.exe
C:\WINDOWS\system32\axafrdhw.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\bkfxnuti.dll
C:\WINDOWS\system32\bkfxnuti.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cttnanot.ini
C:\WINDOWS\system32\cttnanot.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\cxibdlhb.dll
C:\WINDOWS\system32\cxibdlhb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dajtskbl.dll
C:\WINDOWS\system32\dajtskbl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dwtnowoh.dll
C:\WINDOWS\system32\dwtnowoh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\eoorognw.exe
C:\WINDOWS\system32\eoorognw.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\fqoujmrs.dll
C:\WINDOWS\system32\fqoujmrs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fupidxoc.dll
C:\WINDOWS\system32\fupidxoc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fuvgkqeh.dll
C:\WINDOWS\system32\fuvgkqeh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\geilofps.dll
C:\WINDOWS\system32\geilofps.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gprkdkgo.exe
C:\WINDOWS\system32\gprkdkgo.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgghhfc.dll
C:\WINDOWS\system32\hgghhfc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\howontwd.ini
C:\WINDOWS\system32\howontwd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hqedwiav.dll
C:\WINDOWS\system32\hqedwiav.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iewwuypo.exe
C:\WINDOWS\system32\iewwuypo.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\jmphqjff.dll
C:\WINDOWS\system32\jmphqjff.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jwmamlee.dll
C:\WINDOWS\system32\jwmamlee.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kaeqfeky.dll
C:\WINDOWS\system32\kaeqfeky.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kubmspsi.dll
C:\WINDOWS\system32\kubmspsi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lftfrwqo.exe
C:\WINDOWS\system32\lftfrwqo.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\llwjktrl.dll
C:\WINDOWS\system32\llwjktrl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljihhh.dll
C:\WINDOWS\system32\mljihhh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlnmp.bak1
C:\WINDOWS\system32\mlnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlnmp.bak2
C:\WINDOWS\system32\mlnmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\mlnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlnmp.ini2
C:\WINDOWS\system32\mlnmp.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlnmp.tmp
C:\WINDOWS\system32\mlnmp.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\nntpmriq.dll
C:\WINDOWS\system32\nntpmriq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\odltmqcc.dll
C:\WINDOWS\system32\odltmqcc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqpfaswd.dll
C:\WINDOWS\system32\oqpfaswd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqtwa.ini
C:\WINDOWS\system32\oqtwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\phdqfion.dll
C:\WINDOWS\system32\phdqfion.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\pmnlm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ppshuqpt.exe
C:\WINDOWS\system32\ppshuqpt.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\qcqutxdg.dll
C:\WINDOWS\system32\qcqutxdg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rfbtirdc.dll
C:\WINDOWS\system32\rfbtirdc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrpppo.dll
C:\WINDOWS\system32\rqrpppo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tonanttc.dll
C:\WINDOWS\system32\tonanttc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ujrlwxhp.dll
C:\WINDOWS\system32\ujrlwxhp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vobrxijr.exe
C:\WINDOWS\system32\vobrxijr.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvywnjcp.exe
C:\WINDOWS\system32\wvywnjcp.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\xpcbrthr.exe
C:\WINDOWS\system32\xpcbrthr.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\xteablxl.dll
C:\WINDOWS\system32\xteablxl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xtrdfihy.exe
C:\WINDOWS\system32\xtrdfihy.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\xvdaybfe.exe
C:\WINDOWS\system32\xvdaybfe.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\yaeyshwg.exe
C:\WINDOWS\system32\yaeyshwg.exe Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtuust.dll
C:\WINDOWS\system32\awtuust.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 1:18:31 PM 14/04/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\system32\etgfskqs.dll
C:\WINDOWS\system32\etgfskqs.dll Has been deleted!

Performing Repairs to the registry.
Done!

#15 dan12

dan12

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 998 posts
  • Interests:Horse riding, computer's

Posted 14 April 2007 - 02:27 PM

Hi batata

Looking a lot better!

Download ATF Cleaner by Atribune and save it to your Desktop.
Do not use yet!

Ewido is now known as ( AVG Anti-Spyware.)

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Dont use yet!

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

  • R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {00ED0F42-375E-4B56-B156-65D26DDE500A} - (no file)
    O2 - BHO: (no name) - {42FA70E1-4537-4C80-AF6D-B6B373E4F259} - (no file)
    O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
    O2 - BHO: (no name) - {7A180363-495D-48A7-9F14-65AB0E9F0130} - (no file)
    O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - (no file)

    WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit

    Re-boot into safe mode

    • Next, please reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear use arrow up to highlight
    • Select the first option, to run Windows in Safe Mode hit enter.
    • For additional help in booting into Safe Mode, see the following site: HERE
    Run ATF cleaner
    • Double click ATF-Cleaner.exe to run the program.
    • Check the following boxes:
      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Recycle Bin
      • Java Cache
    • The rest are optional - if you want to remove the lot, check Select All.
    • Now click Empty Selected.
    • When you get the Done Cleaning message, click OK.
    • If you use Firefox browser.
      • Click Firefox at the top and choose: Select All
      • If you would like to keep your saved passwords, please click No at the prompt.
      • Click the Empty Selected button.
    • If you use Opera browser.
      • Click Opera at the top and choose: Select All
      • If you would like to keep your saved passwords, please click No at the prompt.
      • Click the Empty Selected button.

    Run AVG Anti-Spyware

    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        [list]
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)

      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
_________________________

please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended (If available otherwise Standard)
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Please include new HJT log, AVG Anti-Spyware log and kaspersky log
in your next post
Thanks dan

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·