Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91634 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Closed] HijackThis Log


  • This topic is locked This topic is locked
6 replies to this topic

#1 JimU

JimU

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 05 May 2008 - 01:03 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:36 AM, on 5/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\shell.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\SYSTEM32\tcntrkdm.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jim Underdown\Local Settings\Temporary Internet Files\Content.IE5\CTERWPYB\HiJackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {319D17F7-F15C-4C82-B2AB-FD836253BFAD} - C:\WINDOWS\system32\awtrRifd.dll
O2 - BHO: {49f2f03e-7bb2-3f79-1ad4-a27172f18b34} - {43b81f27-172a-4da1-97f3-2bb7e30f2f94} - C:\WINDOWS\system32\wtkqidpf.dll
O2 - BHO: (no name) - {A6C54318-5AC7-477D-B0A7-49AF5189300C} - C:\WINDOWS\system32\khfGabBu.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NapsterShell] "C:\Program Files\Napster\napster.exe" /systray
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{15-5E-E9-9B-DW}] "C:\windows\system32\rwwnw64d.exe" DWram
O4 - HKLM\..\Run: [spa_start] "C:\WINDOWS\System32\Rundll32.exe" "C:\WINDOWS\system32\{56f0d1c2-258c-f9be-808e-2763f138e375}.dll" DllInit
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\tcntrkdm.exe DWram
O4 - HKLM\..\Run: [74015e34] "rundll32.exe" "C:\WINDOWS\system32\kdcpsipe.dll",b
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [BM77326da8] Rundll32.exe "C:\WINDOWS\system32\epgmlthg.dll",s
O4 - HKCU\..\Run: [b9] C:\Program Files\Firetrust\Benign\B9.exe /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\tcntrkdm.exe
O4 - Startup: findfast.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.co...,21/mcgdmgr.cab
O20 - Winlogon Notify: khfGabBu - khfGabBu.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8481 bytes

    Advertisements

Register to Remove


#2 mschroe919

mschroe919

    basic

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,825 posts

Posted 05 May 2008 - 01:38 PM

Hi JimU

Welcome to the What the tech Forums
My name is mschroe919 and I am going to read your log.
I would like to help you So if you would....
Please be patient and I will be back as soon as possible.

Please while I am gone do these step:

Show hidden files, Here is how:

Windows XP

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

NEXT:

Please download ATF Cleaner by Atribune.

Download it

HERE


This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

NEXT:

Please download Malwarebytes' Anti-Malware to your desktop:

HERE

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
post a new scanner{HJT] log and the Malwarebytes' Anti-Malware log

Be sure not to delete anything intill said ok to. also don't run any other cleanup programs till we
get done it may goof ours up.
Also if you have any questions feel fre to ask first.

NOTICE:
Before you post a HJT log, you are running from a TEMP folder. When we use HJT to fix anything it makes a back up in case something goes wrong. In the Temp folder you can't get to the back up.
Move HJT here: C:\HJT\HijackThis.exe. If you need more instructions use these:
Uninstall hjt and reinstall putting it on c: drive.



Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C:
then right click and select New then Folder and name it HJT.

When you post another rhjt log and the Malwarebytes' Anti-Malware log , let me know how your PC is behavuing

I will be waiting to see new logs
mschroe919

Edited by mschroe919, 05 May 2008 - 05:04 PM.

"The most important thing about goals is having one."

"It is never too soon to be kind, for we never know how soon it will be too late. "

No Man Ever Stands So Tall As When He Stoops To Help A Child

If you wish to show your appreciation, please consider a donation to help keep us online
[url="http://"%20%20<a%20href="http://www.whatthetech.com/donate/""%20target="_blank">http://www.whatthetech.com/donate/"</a>"]Donate Here Please[/url]
Thank You

#3 JimU

JimU

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 05 May 2008 - 06:47 PM

Here is the log after running Malwarebytes' Anti-Malware... It seems to have worked! Should I recheck the Hide Protected operating system files on My Computer? Thanks so much for the help. I am in your debt. Jim Malwarebytes' Anti-Malware 1.11 Database version: 721 Scan type: Full Scan (C:\|) Objects scanned: 117828 Time elapsed: 1 hour(s), 2 minute(s), 26 second(s) Memory Processes Infected: 1 Memory Modules Infected: 2 Registry Keys Infected: 30 Registry Values Infected: 5 Registry Data Items Infected: 3 Folders Infected: 6 Files Infected: 41 Memory Processes Infected: C:\WINDOWS\shell.exe (Trojan.FakeAlert) -> Unloaded process successfully. Memory Modules Infected: C:\WINDOWS\SYSTEM32\awtrRifd.dll (Trojan.Vundo) -> Unloaded module successfully. C:\WINDOWS\SYSTEM32\kdcpsipe.dll (Trojan.Vundo) -> Unloaded module successfully. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4cdda9a2-ef38-4a5d-ba43-c9914419c0bd} (Trojan.Vundo) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{4cdda9a2-ef38-4a5d-ba43-c9914419c0bd} (Trojan.Vundo) -> Delete on reboot. HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{a6c54318-5ac7-477d-b0a7-49af5189300c} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6c54318-5ac7-477d-b0a7-49af5189300c} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mysidesearchsearchassistant (Adware.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gooochi (Adware.Rotator) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mscompare (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ultra soft (Rogue.Multiple) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{1d8964ed-fbbe-e791-06a7-2da0ecc7f312} (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\AppID\Sidebar.DLL (Adware.BHO) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\MySidesearch (Adware.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{dbe4e8bb-b9b9-418e-9b69-257f21bcd11b} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a6c54318-5ac7-477d-b0a7-49af5189300c} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spa_start (Adware.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM77326da8 (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExploreUpdSched (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spoolsv (Trojan.FakeAlert) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtrrifd -> Delete on reboot. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtrrifd -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.FakeAlert) -> Data: c:\windows\shell.exe -> Quarantined and deleted successfully. Folders Infected: C:\WINDOWS\SYSTEM32\vb1 (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\pnVes01 (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\kn3 (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\swTMP (Trojan.Agent) -> Quarantined and deleted successfully. C:\Program Files\syscmd (Trojan.BHO) -> Quarantined and deleted successfully. C:\Documents and Settings\Jim Underdown\Application Data\ultra (Rogue.Multiple) -> Quarantined and deleted successfully. Files Infected: C:\WINDOWS\SYSTEM32\awtrRifd.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\SYSTEM32\dfiRrtwa.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\dfiRrtwa.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\kdcpsipe.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\SYSTEM32\epispcdk.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP879\A0073356.exe (Adware.Purityscan) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP879\A0073376.exe (Adware.BHO) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP879\A0073394.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP879\A0073396.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP880\A0073423.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP881\A0073447.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP881\A0073496.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Temp\wUnlig8010.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\dyddiffm.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\jjbhsmij.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\mysidesearch_sidebar_uninstall.exe (Adware.BHO) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\{56f0d1c2-258c-f9be-808e-2763f138e375}.dll-uninst.exe (Adware.Rotator) -> Quarantined and deleted successfully. C:\Program Files\syscmd\mscmp.inf (Trojan.BHO) -> Quarantined and deleted successfully. C:\Program Files\syscmd\mscmp32.dll (Trojan.BHO) -> Quarantined and deleted successfully. C:\Program Files\syscmd\uninstall.bat (Trojan.BHO) -> Quarantined and deleted successfully. C:\Documents and Settings\Jim Underdown\Application Data\ultra\uninstall.bat (Rogue.Multiple) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\{56f0d1c2-258c-f9be-808e-2763f138e375}.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\rundll32.exe (Adware.Agent) -> Delete on reboot. C:\WINDOWS\SYSTEM32\epgmlthg.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\tcntrkdm.exe (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\SYSTEM32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\INF\ultra.inf (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\spoolvs.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\printer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\txdbnbai.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\shell.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk (Malware.Trace) -> Quarantined and deleted successfully. C:\Documents and Settings\Jim Underdown\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully. C:\Documents and Settings\Jim Underdown\Start Menu\Programs\Startup\Deewoo.lnk (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\Jim Underdown\Application Data\printer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Documents and Settings\Jim Underdown\Application Data\sysdefender.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Documents and Settings\Jim Underdown\Start Menu\Programs\Startup\findfast.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#4 mschroe919

mschroe919

    basic

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,825 posts

Posted 05 May 2008 - 07:24 PM

Hi jimu

Thanks so much for the help. I am in your debt.


your welcome but this is what we do here. Your saying thanks is what makes us happy.

I wouldn't hide the files yet we will when done. I liked the Malwarebytes' Anti-Malware log. But I need a new HJT log as well. .please post one and I will get back for the finish.
mschroe919

Did you see this is what needs to be done too:

NOTICE:
Before you post a HJT log, you are running from a TEMP folder. When we use HJT to fix anything it makes a back up in case something goes wrong. In the Temp folder you can't get to the back up.
Move HJT here: C:\HJT\HijackThis.exe. If you need more instructions use these:
Uninstall hjt and reinstall putting it on c: drive.

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C:
then right click and select New then Folder and name it HJT.


Edited by mschroe919, 05 May 2008 - 07:30 PM.

"The most important thing about goals is having one."

"It is never too soon to be kind, for we never know how soon it will be too late. "

No Man Ever Stands So Tall As When He Stoops To Help A Child

If you wish to show your appreciation, please consider a donation to help keep us online
[url="http://"%20%20<a%20href="http://www.whatthetech.com/donate/""%20target="_blank">http://www.whatthetech.com/donate/"</a>"]Donate Here Please[/url]
Thank You

#5 JimU

JimU

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 06 May 2008 - 02:41 PM

Here's the more recent HijackThis log.

Doctor?

Also, when I started the computor, I got a message that said:
Application DLL c:\Windows\system 32\kdcpsipe.DLL is not a valid windows image.

Any idea what -- if anything -- to do about that?

Thanks for any help.

Jim


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:34:32 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Webroot\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: {49f2f03e-7bb2-3f79-1ad4-a27172f18b34} - {43b81f27-172a-4da1-97f3-2bb7e30f2f94} - C:\WINDOWS\system32\wtkqidpf.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NapsterShell] "C:\Program Files\Napster\napster.exe" /systray
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{15-5E-E9-9B-DW}] "C:\windows\system32\rwwnw64d.exe" DWram
O4 - HKLM\..\Run: [74015e34] "rundll32.exe" "C:\WINDOWS\system32\kdcpsipe.dll",b
O4 - HKCU\..\Run: [b9] C:\Program Files\Firetrust\Benign\B9.exe /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.co...,21/mcgdmgr.cab
O20 - Winlogon Notify: khfGabBu - khfGabBu.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7374 bytes

#6 mschroe919

mschroe919

    basic

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,825 posts

Posted 09 May 2008 - 02:14 PM

Hi JimU
Sorry about getting back to you so klate, got tied up.


FIRST:

Is this a work pc and or you the administer?

Please note that many Administrators at offices lock this down on purpose
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
*If you didn't lock this or your work didn't lock fix 07 below
NEXT:
Make sure Internet Explorer isn't open

Run hijackthis again. Hit None of the above,
Click Do a System Scan Only.
Put a Check in the box on the left side on these: (Not to worry if not there)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =http://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: {49f2f03e-7bb2-3f79-1ad4-a27172f18b34} - {43b81f27-172a-4da1-97f3-2bb7e30f2f94} - C:\WINDOWS\system32\wtkqidpf.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [74015e34] "rundll32.exe" "C:\WINDOWS\system32\kdcpsipe.dll",b

fix this too after answereing the above.
*O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O20 - Winlogon Notify: khfGabBu - khfGabBu.dll (file missing)

Close ALL windows and browsers except HijackThis and click []b]Fix checked[/b]
Then reboot

NEXT:
After reboot

Use windows explorer to find and delete these files in RED if still there:

C:\WINDOWS\system32\kdcpsipe.dll
let me know if file was deleted ok or not


reboot and post a new hjt log
good luck mschroe919
"The most important thing about goals is having one."

"It is never too soon to be kind, for we never know how soon it will be too late. "

No Man Ever Stands So Tall As When He Stoops To Help A Child

If you wish to show your appreciation, please consider a donation to help keep us online
[url="http://"%20%20<a%20href="http://www.whatthetech.com/donate/""%20target="_blank">http://www.whatthetech.com/donate/"</a>"]Donate Here Please[/url]
Thank You

#7 mschroe919

mschroe919

    basic

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,825 posts

Posted 20 May 2008 - 01:04 PM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log
"The most important thing about goals is having one."

"It is never too soon to be kind, for we never know how soon it will be too late. "

No Man Ever Stands So Tall As When He Stoops To Help A Child

If you wish to show your appreciation, please consider a donation to help keep us online
[url="http://"%20%20<a%20href="http://www.whatthetech.com/donate/""%20target="_blank">http://www.whatthetech.com/donate/"</a>"]Donate Here Please[/url]
Thank You

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users