
Hijack Log Help


  • This topic is locked
14 replies to this topic

#1 shelbykat (Authentic Member, 35 posts)

Posted 24 May 2007 - 07:09 PM

Logfile of HijackThis v1.99.1
Scan saved at 9:07:06 PM, on 5/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\stuff\noname.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3789B40D-F631-4B97-A70F-D44584431D5F} - C:\WINDOWS\system32\jkhfd.dll
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINDOWS\system32\ddcccax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125B84} (CR64Loader Object) - http://www.bigfishga...s/r64loader.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.arcadetow...zylomplayer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS4\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ddcccax - C:\WINDOWS\SYSTEM32\ddcccax.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



#2 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 26 May 2007 - 07:47 AM

* Download VirtumundoBeGone, place it on your desktop.

Doubleclick VirtumundoBeGone.exe to start the tool.
Follow the instructions on the screen.
Don't worry if you get a blue screen with an error in it - this is normal.
After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O2 - BHO: (no name) - {3789B40D-F631-4B97-A70F-D44584431D5F} - C:\WINDOWS\system32\jkhfd.dll
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINDOWS\system32\ddcccax.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ddcccax - C:\WINDOWS\SYSTEM32\ddcccax.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Delete these files if listed:
C:\ALCXMNTR.EXE

Empty Recycle Bin

Reboot

Post the contents of the log VBG.TXT, which is present on your desktop, together with a new HijackThis log in your next reply.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

#3 shelbykat (Authentic Member, 35 posts)

Posted 27 May 2007 - 08:47 AM

Here are the new logs. When I tried to repair one of the objects I received an error message and my computer rebooted, so I'm not sure which one it was or what it said. I also couldn't ever find the alcxmntr.exe file.


Logfile of HijackThis v1.99.1
Scan saved at 10:43:15 AM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\stuff\noname.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {A631E3A7-9AD6-4576-853D-3D653B3F0884} - C:\WINDOWS\system32\jkhfd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125B84} (CR64Loader Object) - http://www.bigfishga...s/r64loader.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.arcadetow...zylomplayer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS4\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe





[05/27/2007, 10:04:01] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\HP_Owner\Desktop\VirtumundoBeGone.exe" )
[05/27/2007, 10:04:16] - Detected System Information:
[05/27/2007, 10:04:16] - Windows Version: 5.1.2600, Service Pack 2
[05/27/2007, 10:04:16] - Current Username: HP_Owner (Admin)
[05/27/2007, 10:04:16] - Windows is in NORMAL mode.
[05/27/2007, 10:04:16] - Searching for Browser Helper Objects:
[05/27/2007, 10:04:16] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/27/2007, 10:04:16] - BHO 2: {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} ()
[05/27/2007, 10:04:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2007, 10:04:16] - Checking for HKLM\...\Winlogon\Notify\ddcccax
[05/27/2007, 10:04:17] - Found: HKLM\...\Winlogon\Notify\ddcccax - This is probably Virtumundo.
[05/27/2007, 10:04:17] - Assigning {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} MSEvents Object
[05/27/2007, 10:04:17] - BHO list has been changed! Starting over...
[05/27/2007, 10:04:17] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/27/2007, 10:04:17] - BHO 2: {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} (MSEvents Object)
[05/27/2007, 10:04:17] - ALERT: Found MSEvents Object!
[05/27/2007, 10:04:17] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[05/27/2007, 10:04:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2007, 10:04:17] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[05/27/2007, 10:04:17] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[05/27/2007, 10:04:17] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/27/2007, 10:04:17] - BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/27/2007, 10:04:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2007, 10:04:17] - No filename found. Continuing.
[05/27/2007, 10:04:17] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/27/2007, 10:04:17] - BHO 7: {DA04A9E3-6784-486A-AAAB-E390F6FA389E} ()
[05/27/2007, 10:04:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2007, 10:04:18] - Checking for HKLM\...\Winlogon\Notify\ddcca
[05/27/2007, 10:04:18] - Found: HKLM\...\Winlogon\Notify\ddcca - This is probably Virtumundo.
[05/27/2007, 10:04:18] - Assigning {DA04A9E3-6784-486A-AAAB-E390F6FA389E} MSEvents Object
[05/27/2007, 10:04:18] - BHO list has been changed! Starting over...
[05/27/2007, 10:04:18] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/27/2007, 10:04:18] - BHO 2: {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} (MSEvents Object)
[05/27/2007, 10:04:18] - ALERT: Found MSEvents Object!
[05/27/2007, 10:04:18] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[05/27/2007, 10:04:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2007, 10:04:18] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[05/27/2007, 10:04:18] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[05/27/2007, 10:04:18] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/27/2007, 10:04:18] - BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/27/2007, 10:04:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2007, 10:04:18] - No filename found. Continuing.
[05/27/2007, 10:04:18] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/27/2007, 10:04:18] - BHO 7: {DA04A9E3-6784-486A-AAAB-E390F6FA389E} (MSEvents Object)
[05/27/2007, 10:04:18] - ALERT: Found MSEvents Object!
[05/27/2007, 10:04:18] - BHO 8: {DC8910FA-9E06-4AFB-B5DE-9C1FC1BE81FB} ()
[05/27/2007, 10:04:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2007, 10:04:18] - Checking for HKLM\...\Winlogon\Notify\jkhfd
[05/27/2007, 10:04:18] - Key not found: HKLM\...\Winlogon\Notify\jkhfd, continuing.
[05/27/2007, 10:04:18] - Finished Searching Browser Helper Objects
[05/27/2007, 10:04:19] - *** Detected MSEvents Object
[05/27/2007, 10:04:19] - Trying to remove MSEvents Object...
[05/27/2007, 10:04:20] - Terminating Process: IEXPLORE.EXE
[05/27/2007, 10:04:53] - Terminating Process: RUNDLL32.EXE
[05/27/2007, 10:05:05] - Disabling Automatic Shell Restart
[05/27/2007, 10:05:05] - Terminating Process: EXPLORER.EXE
[05/27/2007, 10:05:12] - Suspending the NT Session Manager System Service
[05/27/2007, 10:05:13] - Terminating Windows NT Logon/Logoff Manager
[05/27/2007, 10:05:20] - Re-enabling Automatic Shell Restart
[05/27/2007, 10:05:20] - File to disable: C:\WINDOWS\system32\ddcccax.dll
[05/27/2007, 10:05:21] - Renaming C:\WINDOWS\system32\ddcccax.dll -> C:\WINDOWS\system32\ddcccax.dll.vir
[05/27/2007, 10:05:24] - File successfully renamed!
[05/27/2007, 10:05:24] - Removing HKLM\...\Browser Helper Objects\{3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5}
[05/27/2007, 10:05:25] - Removing HKCR\CLSID\{3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5}
[05/27/2007, 10:05:30] - Adding Kill Bit for ActiveX for GUID: {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5}
[05/27/2007, 10:05:31] - Deleting ATLEvents/MSEvents Registry entries
[05/27/2007, 10:05:31] - Removing HKLM\...\Winlogon\Notify\ddcccax
[05/27/2007, 10:05:32] - Searching for Browser Helper Objects:
[05/27/2007, 10:05:32] - Finished Searching Browser Helper Objects
[05/27/2007, 10:05:32] - Finishing up...
[05/27/2007, 10:05:32] - A restart is needed.
[05/27/2007, 10:05:32] - Automatic Reboot on STOP Error is not set. User will have to manually restart.

[05/27/2007, 10:13:09] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\HP_Owner\Desktop\VirtumundoBeGone.exe" )
[05/27/2007, 10:13:15] - Detected System Information:
[05/27/2007, 10:13:15] - Windows Version: 5.1.2600, Service Pack 2
[05/27/2007, 10:13:15] - Current Username: HP_Owner (Admin)
[05/27/2007, 10:13:15] - Windows is in NORMAL mode.
[05/27/2007, 10:13:15] - Searching for Browser Helper Objects:
[05/27/2007, 10:13:16] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/27/2007, 10:13:16] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[05/27/2007, 10:13:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2007, 10:13:16] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[05/27/2007, 10:13:16] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[05/27/2007, 10:13:16] - BHO 3: {71C6F15D-301A-42DA-BCD0-238C5479337B} ()
[05/27/2007, 10:13:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2007, 10:13:16] - Checking for HKLM\...\Winlogon\Notify\ddcca
[05/27/2007, 10:13:16] - Found: HKLM\...\Winlogon\Notify\ddcca - This is probably Virtumundo.
[05/27/2007, 10:13:16] - Assigning {71C6F15D-301A-42DA-BCD0-238C5479337B} MSEvents Object
[05/27/2007, 10:13:16] - BHO list has been changed! Starting over...
[05/27/2007, 10:13:16] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/27/2007, 10:13:16] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[05/27/2007, 10:13:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2007, 10:13:16] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[05/27/2007, 10:13:16] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[05/27/2007, 10:13:16] - BHO 3: {71C6F15D-301A-42DA-BCD0-238C5479337B} (MSEvents Object)
[05/27/2007, 10:13:16] - ALERT: Found MSEvents Object!
[05/27/2007, 10:13:16] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/27/2007, 10:13:16] - BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/27/2007, 10:13:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2007, 10:13:17] - No filename found. Continuing.
[05/27/2007, 10:13:17] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/27/2007, 10:13:17] - BHO 7: {DC8910FA-9E06-4AFB-B5DE-9C1FC1BE81FB} ()
[05/27/2007, 10:13:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2007, 10:13:17] - Checking for HKLM\...\Winlogon\Notify\jkhfd
[05/27/2007, 10:13:17] - Key not found: HKLM\...\Winlogon\Notify\jkhfd, continuing.
[05/27/2007, 10:13:17] - Finished Searching Browser Helper Objects
[05/27/2007, 10:13:17] - *** Detected MSEvents Object
[05/27/2007, 10:13:17] - Trying to remove MSEvents Object...
[05/27/2007, 10:13:18] - Terminating Process: IEXPLORE.EXE
[05/27/2007, 10:13:20] - Terminating Process: RUNDLL32.EXE
[05/27/2007, 10:13:20] - Disabling Automatic Shell Restart
[05/27/2007, 10:13:20] - Terminating Process: EXPLORER.EXE
[05/27/2007, 10:13:24] - Suspending the NT Session Manager System Service
[05/27/2007, 10:13:32] - Terminating Windows NT Logon/Logoff Manager
[05/27/2007, 10:13:37] - Re-enabling Automatic Shell Restart
[05/27/2007, 10:13:37] - File to disable: C:\WINDOWS\system32\ddcca.dll
[05/27/2007, 10:13:38] - Renaming C:\WINDOWS\system32\ddcca.dll -> C:\WINDOWS\system32\ddcca.dll.vir
[05/27/2007, 10:13:40] - File successfully renamed!
[05/27/2007, 10:13:40] - Removing HKLM\...\Browser Helper Objects\{71C6F15D-301A-42DA-BCD0-238C5479337B}
[05/27/2007, 10:13:40] - Removing HKCR\CLSID\{71C6F15D-301A-42DA-BCD0-238C5479337B}
[05/27/2007, 10:13:40] - Adding Kill Bit for ActiveX for GUID: {71C6F15D-301A-42DA-BCD0-238C5479337B}
[05/27/2007, 10:13:41] - Deleting ATLEvents/MSEvents Registry entries
[05/27/2007, 10:13:41] - Removing HKLM\...\Winlogon\Notify\ddcca
[05/27/2007, 10:13:41] - Searching for Browser Helper Objects:
[05/27/2007, 10:13:41] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/27/2007, 10:13:41] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[05/27/2007, 10:13:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2007, 10:13:41] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[05/27/2007, 10:13:41] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[05/27/2007, 10:13:41] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/27/2007, 10:13:41] - BHO 4: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/27/2007, 10:13:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2007, 10:13:41] - No filename found. Continuing.
[05/27/2007, 10:13:41] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/27/2007, 10:13:41] - BHO 6: {DC8910FA-9E06-4AFB-B5DE-9C1FC1BE81FB} ()
[05/27/2007, 10:13:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2007, 10:13:41] - Checking for HKLM\...\Winlogon\Notify\jkhfd
[05/27/2007, 10:13:41] - Key not found: HKLM\...\Winlogon\Notify\jkhfd, continuing.
[05/27/2007, 10:13:41] - Finished Searching Browser Helper Objects
[05/27/2007, 10:13:41] - Finishing up...
[05/27/2007, 10:13:41] - A restart is needed.
[05/27/2007, 10:13:59] - Attempting to Restart via STOP error (Blue Screen!)
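
The cross-check the VirtumundoBeGone log above performs (a BHO with no default name whose DLL also appears under Winlogon Notify is treated as a Virtumundo pair), as an added example that is not code from this thread, from HijackThis or from VirtumundoBeGone. The sample O2/O20 lines are copied from the first log in the thread; the function names and result keys are my own.

```python
"""
Added example: parse HijackThis O2 (BHO) and O20 (Winlogon Notify) lines and
apply the pairing heuristic that the VBG log shows. Reported separately:
  probable_vundo   - "(no name)" BHO whose DLL also appears as a Winlogon Notify entry
  orphaned         - "(no name)" BHO registered with "(no file)"
  unmatched_noname - "(no name)" BHO with no Winlogon reference (review by hand)
"""
import ntpath  # parses Windows paths correctly on any host
import re

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")

# Constructed sample: O2/O20 lines taken from the first log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3789B40D-F631-4B97-A70F-D44584431D5F} - C:\WINDOWS\system32\jkhfd.dll
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINDOWS\system32\ddcccax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: ddcccax - C:\WINDOWS\SYSTEM32\ddcccax.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll
"""


def dll_stem(path):
    """Lower-case file name without extension, e.g. 'ddcccax' for ddcccax.dll."""
    return ntpath.splitext(ntpath.basename(path.strip()))[0].lower()


def parse(log_text):
    """Split a HijackThis log into its O2 (BHO) and O20 (Winlogon Notify) entries."""
    bhos, notifies = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(dict(m.groupdict(), line=line))
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append(dict(m.groupdict(), line=line))
    return bhos, notifies


def analyze(log_text):
    """Cross-reference nameless BHOs against Winlogon Notify entries."""
    bhos, notifies = parse(log_text)
    # Index Notify entries both by subkey name (what VBG checks) and by the
    # stem of the DLL they load, so either spelling of the pairing matches.
    notify_index = {}
    for n in notifies:
        notify_index.setdefault(n["key"].lower(), n)
        notify_index.setdefault(dll_stem(n["path"]), n)

    result = {"probable_vundo": [], "orphaned": [], "unmatched_noname": []}
    for b in bhos:
        if b["name"] != "(no name)":
            continue  # BHOs with a registered default name are outside this heuristic
        clsid = "{" + b["clsid"] + "}"
        if b["path"] == "(no file)":
            result["orphaned"].append({"clsid": clsid, "line": b["line"]})
            continue
        stem = dll_stem(b["path"])
        hit = notify_index.get(stem)
        entry = {"clsid": clsid, "dll": stem, "path": b["path"], "line": b["line"]}
        if hit:
            entry.update(notify_key=hit["key"], notify_line=hit["line"])
            result["probable_vundo"].append(entry)
        else:
            result["unmatched_noname"].append(entry)
    return result


def fix_lines(log_text):
    """The log lines a helper would ask the user to tick in HijackThis."""
    r = analyze(log_text)
    lines = [e["line"] for e in r["probable_vundo"] + r["orphaned"]]
    lines += [e["notify_line"] for e in r["probable_vundo"]]
    return sorted(set(lines))


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for e in report["probable_vundo"]:
        print("probable Virtumundo pair:", e["clsid"], e["path"], "<->", e["notify_key"])
    for e in report["orphaned"]:
        print("orphaned BHO registration:", e["clsid"])
    for e in report["unmatched_noname"]:
        print("nameless BHO, no Winlogon reference (review by hand):", e["path"])
    print("\nLines to tick in HijackThis:")
    print("\n".join(fix_lines(SAMPLE_LOG)))
```

Run against the first log it lists the same O2/O20 pairs the helper asked to have fixed in post #2; the igfxcui Notify entry is not flagged because no nameless BHO references it, so it is left for manual review.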

#4 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 27 May 2007 - 12:25 PM

Close all windows and browsers.
Open HijackThis

Click on Open Misc Tools
Click on Delete a File On Reboot
Click once on the file below to select it:
C:\WINDOWS\system32\jkhfd.dll

Click on the Back button to exit Process Manager

Now, back at the main screen of HijackThis, proceed to Scan and put a check by these.

O2 - BHO: (no name) - {A631E3A7-9AD6-4576-853D-3D653B3F0884} - C:\WINDOWS\system32\jkhfd.dll
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll


Close ALL windows and browsers except HijackThis and click "Fix checked"

Delete these files if listed
C:\WINDOWS\system32\jkhfd. <--all like this
C:\WINDOWS\system32\dfhkj. <--all like this


Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.


#5 shelbykat (Authentic Member, 35 posts)

Posted 27 May 2007 - 03:07 PM

Thank you for helping me. I'm getting popup ads; almost all are something different. I haven't had my security settings reset the past few times I've opened IE, but my antivirus has popped up at least 3 times in the past couple of hrs that a trojan was found. Here's my new log. I still see one of the Winlogon Notifies in it after I deleted and did the reboot.


Logfile of HijackThis v1.99.1
Scan saved at 5:03:48 PM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\stuff\noname.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D25423C-E095-4771-8B81-9457030B0B07} - C:\WINDOWS\system32\jkhfd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125B84} (CR64Loader Object) - http://www.bigfishga...s/r64loader.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.arcadetow...zylomplayer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS4\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 27 May 2007 - 03:10 PM

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

Proud graduate of TC/WTT Classroom

 


#7 shelbykat

shelbykat

    Authentic Member

  • Authentic Member
  • PipPip
  • 35 posts

Posted 27 May 2007 - 04:09 PM

I never did see a log file, but after running the program and my computer rebooted, my time on the computer is in military time now and IE was reset; now I have icons for Run IMVU, Research and Discuss on my homepage.

Logfile of HijackThis v1.99.1
Scan saved at 06:11, on 2007-05-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\stuff\noname.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
O2 - BHO: (no name) - {019CC946-2D00-45DB-904A-51000460A403} - C:\WINDOWS\system32\jkhfd.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125B84} (CR64Loader Object) - http://www.bigfishga...s/r64loader.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.arcadetow...zylomplayer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS4\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 shelbykat

shelbykat

    Authentic Member

  • Authentic Member
  • PipPip
  • 35 posts

Posted 27 May 2007 - 04:40 PM

I shut down my ZoneAlarm and redid the scan; it produced a log file this time.

"HP_Owner" - 2007-05-27 18:26:11 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\HP_Owner\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 ))))))))))))))))))))))))))))))))))


2007-05-27 10:47 52,736 --a------ C:\WINDOWS\yw.exe
2007-05-27 02:14 263,220 --ahs---- C:\WINDOWS\system32\ddcca.dll.vir
2007-05-26 20:08 52,736 --a------ C:\WINDOWS\oxsgv.exe
2007-05-26 10:10 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-24 21:04 <DIR> d-------- C:\!KillBox
2007-05-24 20:11 <DIR> d-------- C:\Program Files\Windows Defender
2007-05-24 19:11 <DIR> d-------- C:\Program Files\PCPitstop
2007-05-22 12:00 29,206 --a------ C:\WINDOWS\system32\ddcccax.dll.vir


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-28 09:02:34 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-05-27 00:15:32 -------- d-----w C:\Program Files\SymNetDrv
2007-05-20 05:38:27 -------- d-----w C:\Program Files\Full Tilt Poker
2007-05-19 18:39:23 -------- d-----w C:\Program Files\Fish Tycoon
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-18 22:52:14 -------- d-----w C:\Program Files\TuxPaint
2007-04-01 04:44:31 -------- d-----w C:\Program Files\MSN Messenger
2007-03-30 05:47:26 -------- d-----w C:\Program Files\ICQLite
2007-03-30 05:44:45 -------- d--h--w C:\Program Files\InstallShield Installation Information


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{019CC946-2D00-45DB-904A-51000460A403}=C:\WINDOWS\system32\jkhfd.dll []
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll [2006-05-03 03:14]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-20 00:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-24 00:38]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cydoor]
CD_Load.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
"C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
C:\Program Files\Logitech\ImageStudio\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
C:\Program Files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Startup Guard]
C:\Program Files\AceLogix\StartupGuard\sg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebCamRT.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KodakCCS"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070527-170739-475
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkhfd]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\jkhfd.dll"
"Impersonate"=dword:00000000
"Startup"="RealLogon"
"Logoff"="RealLogoff"



backup-20070527-165132-366
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkhfd]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\jkhfd.dll"
"Impersonate"=dword:00000000
"Startup"="RealLogon"
"Logoff"="RealLogoff"



backup-20070527-165030-225
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkhfd]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\jkhfd.dll"
"Impersonate"=dword:00000000
"Startup"="RealLogon"
"Logoff"="RealLogoff"



backup-20070527-165030-994
O2 - BHO: (no name) - {A631E3A7-9AD6-4576-853D-3D653B3F0884} - C:\WINDOWS\system32\jkhfd.dll

backup-20070527-102912-359
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkhfd]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\jkhfd.dll"
"Impersonate"=dword:00000000
"Startup"="RealLogon"
"Logoff"="RealLogoff"



backup-20070527-102912-867
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"



backup-20070527-102912-700
O20 - Winlogon Notify: ddcccax - ddcccax.dll (file missing)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcccax]
"Asynchronous"=dword:00000001
"DllName"="ddcccax.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"



backup-20070527-102832-448
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

backup-20070527-102820-112
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

backup-20070527-102820-297
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

backup-20070527-102820-778
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

backup-20070527-102820-998
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

backup-20070523-062602-403
O15 - Trusted Zone: *.winfixer.com (HKLM)

backup-20070523-062602-926
O15 - Trusted Zone: *.winantivirus.com (HKLM)

backup-20070523-062602-548
O15 - Trusted Zone: *.winantispyware.com (HKLM)

backup-20070523-062602-971
O15 - Trusted Zone: *.systemdoctor.com (HKLM)

backup-20070523-062602-449
O15 - Trusted Zone: *.imagesrvr.com (HKLM)

backup-20070523-062602-392
O15 - Trusted Zone: *.errorprotector.com (HKLM)

backup-20070523-062602-747
O15 - Trusted Zone: *.errorsafe.com (HKLM)

backup-20070523-062602-826
O15 - Trusted Zone: *.imageservr.com (HKLM)

backup-20070523-062602-414
O15 - Trusted Zone: *.drivecleaner.com (HKLM)

backup-20070523-062602-139
O15 - Trusted Zone: *.amaena.com (HKLM)

backup-20070523-062602-772
O15 - Trusted Zone: *.winfixer.com

backup-20070523-062602-343
O15 - Trusted Zone: *.winantivirus.com

backup-20070523-062602-819
O15 - Trusted Zone: *.winantispyware.com

backup-20070523-062602-719
O15 - Trusted Zone: *.systemdoctor.com

backup-20070523-062602-726
O15 - Trusted Zone: *.imagesrvr.com

backup-20070523-062602-858
O15 - Trusted Zone: *.imageservr.com

backup-20070523-062602-840
O15 - Trusted Zone: *.errorsafe.com

backup-20070523-062602-893
O15 - Trusted Zone: *.errorprotector.com

backup-20070523-062602-865
O15 - Trusted Zone: *.amaena.com

backup-20070523-062602-278
O15 - Trusted Zone: *.drivecleaner.com

backup-20060703-223034-495
O20 - Winlogon Notify: winips32 - winips32.dll (file missing)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winips32]
"Asynchronous"=dword:00000001
"DllName"="winips32.dll"
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"



backup-20060703-223034-702
O2 - BHO: (no name) - {11580454-7934-4C5E-9BF7-FA4C332F8178} - C:\WINDOWS\system32\mljgh.dll (file missing)

backup-20060703-210538-622
O20 - Winlogon Notify: winips32 - C:\WINDOWS\SYSTEM32\winips32.dll

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winips32]
"Asynchronous"=dword:00000001
"DllName"="winips32.dll"
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"



backup-20060703-190319-979
R3 - Default URLSearchHook is missing

backup-20060703-190319-165
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com

backup-20060703-190319-832
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com

backup-20060703-190319-824
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com

backup-20060703-190319-865
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com

backup-20060414-135454-832
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

backup-20060414-135454-135
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

backup-20060414-135453-414
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

backup-20060414-135453-156
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

backup-20060414-135453-905
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)

backup-20060414-135453-323
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)

backup-20060414-135453-481
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

backup-20060414-135453-314
O2 - BHO: (no name) - {3496D13A-609A-407B-B181-8F47B4F28AE9} - (no file)

backup-20060414-072334-616
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.riverbell...elper/Nyoko.cab

backup-20060331-201127-682
O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - (no file)
Contents of the 'Scheduled Tasks' folder
2007-05-27 21:58:54 C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-27 18:31:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-27 18:32:42
C:\ComboFix-quarantined-files.txt ... 2007-05-27 18:32

--- E O F ---

#9 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 27 May 2007 - 05:27 PM

Launch Notepad (Start>All Programs>Accessories), and copy/paste all the Quoted REGEDIT below to it. Don't forget to include REGEDIT4.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{019CC946-2D00-45DB-904A-51000460A403}]

[-HKEY_CLASSES_ROOT\CLSID\{019CC946-2D00-45DB-904A-51000460A403}]


Save this as fix.reg. Choose to save as *all files and place it on your desktop.
It should look like this:
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)


Next:

Download Avenger by Swandog, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).
http://swandog46.gee...com/avenger.zip

Note: The Avenger must be run from a user account with administrator privileges, and ONLY works on Windows 2000 and XP, and only on 32-bit versions!
If yours is a 64-bit version, do not use it; let me know.


Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.

Click Format, and ensure Word Wrap is unchecked.

Copy and Paste all the text inside the box below into Notepad.

Now save the file as RemoveFiles.txt in a location where you can find it.

Files to delete:
C:\WINDOWS\yw.exe
C:\WINDOWS\system32\ddcca.dll.vir
C:\WINDOWS\oxsgv.exe
C:\WINDOWS\system32\ddcccax.dll.vir



Start Avenger by double clicking on Avenger.exe.

Check Load script from file:

Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.

Double click it to enter it into Avenger.

Click the green traffic light symbol.

You will be asked if you want to execute the script, answer Yes.

At this point you may get prompts from your protection systems, allow them please.

Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.

Answer Yes, and allow your computer to re-boot.

Upon re-boot a command window will briefly appear on screen (this is normal).

A Notepad text file will be created C:\avenger.txt.

Copy and Paste it into your next post please, along with a new HJT log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom
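As an added example (not part of this thread, and not LDTate's, HijackThis's or Avenger's own tooling), the following Python script reads O2 (BHO) lines in the HijackThis format shown in this thread, picks out the entries HijackThis reports as "(no file)", and writes the same kind of REGEDIT4 removal script the post above builds by hand. The sample log lines are constructed from entries in this thread; review the output before merging anything into a registry.

```python
import re

# Constructed sample: a few O2/O3 lines in HijackThis v1.99.1 format, copied
# from the logs in this thread. Backslashes are doubled for the Python literal.
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - {019CC946-2D00-45DB-904A-51000460A403} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\\program files\\google\\googletoolbar2.dll
"""

# O2 line layout: "O2 - BHO: <name> - {CLSID} - <path or (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)

# The two keys the post's fixme.reg deletes for each BHO CLSID.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"


def parse_o2_lines(log_text):
    """Return one dict (name, clsid, path) per O2 BHO line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def orphaned_bhos(entries):
    """BHO registrations whose DLL is gone: HijackThis prints '(no file)' as the path."""
    return [e for e in entries if e["path"].strip().lower() == "(no file)"]


def regedit4_removal(clsids):
    """Build a REGEDIT4 script that deletes the BHO entry and its CLSID key.

    A '-' right after the opening bracket tells regedit to delete that key.
    REGEDIT4 files are ANSI text with Windows (CRLF) line endings and must
    end with a blank line, so the list is joined with "\\r\\n".
    """
    lines = ["REGEDIT4", ""]
    for clsid in clsids:
        lines.append(f"[-{BHO_KEY}\\{clsid}]")
        lines.append("")
        lines.append(f"[-{CLSID_KEY}\\{clsid}]")
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    orphans = orphaned_bhos(parse_o2_lines(SAMPLE_HJT_LOG))
    print(regedit4_removal([o["clsid"] for o in orphans]))
```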

 


#10 shelbykat

shelbykat

    Authentic Member

  • Authentic Member
  • PipPip
  • 35 posts

Posted 27 May 2007 - 08:08 PM

How do I check if it's 34 bit?

#11 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 27 May 2007 - 08:10 PM

You would know if you bought a gamer PC. You don't have a 64-bit. Even if you did and tried to run Avenger with a 64-bit, it would just tell you it can't run it.



#12 shelbykat

shelbykat

    Authentic Member

  • Authentic Member
  • PipPip
  • 35 posts

Posted 27 May 2007 - 08:29 PM

I have 2 log files from Avenger on my desktop. When I rebooted I got a message saying the system had recovered from a fatal error and saved a log file, but it wasn't on the desktop.


Logfile of HijackThis v1.99.1
Scan saved at 10:26:32 PM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\HP_Owner\Desktop\stuff\noname.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
O2 - BHO: (no name) - {019CC946-2D00-45DB-904A-51000460A403} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125B84} (CR64Loader Object) - http://www.bigfishga...s/r64loader.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.arcadetow...zylomplayer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O17 - HKLM\System\CS4\Services\Tcpip\..\{2E55D407-5A38-43DE-AF90-CB385FE11D29}: NameServer = 208.135.166.1,208.157.8.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 1813


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\olcwacsu

*******************

Script file located at: \??\C:\Documents and Settings\vygqyjru.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\yw.exe deleted successfully.
File C:\WINDOWS\system32\ddcca.dll.vir deleted successfully.
File C:\WINDOWS\oxsgv.exe deleted successfully.
File C:\WINDOWS\system32\ddcccax.dll.vir deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\olcwacsu

*******************

Script file located at: \??\C:\Documents and Settings\vygqyjru.txt

Script file not found! Error

Could not open script file! Status: 0xc0000034 Abort!





//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not register cleanup batch.
Error code: 5


Fatal error: could not create Services key.
Error code: 1813
Error logged to errorlog.txt. Aborting now!

#13 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 27 May 2007 - 08:32 PM

You can remove any programs / tools I had you install. Use Add/Remove Programs to remove them if listed there; otherwise just delete them and empty the Recycle Bin.

Log looks good :D


You need to create a new Clean restore point.

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.



If you don't have any programs like these, I would recommend that you get them.
Spywareblaster,
Spywareguard.


Also get a FREE FIREWALL and FREE ANTI-VIRUS if you need one.

Only run one anti-virus and one firewall program.

It is critical to have both a firewall and anti-virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Do not use Ad-aware if you have McAfee's VirusScan and AntiSpyware


Safe Surfing. :D

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein



#14 shelbykat

shelbykat

    Authentic Member

  • Authentic Member
  • PipPip
  • 35 posts

Posted 27 May 2007 - 08:56 PM

OK got all of that taken care of, thank you so much for all of your help

#15 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 28 May 2007 - 03:45 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

