AVG shows the DropperAgent.lj, TrojanHorse Clicker.qb, trojanhorse generic.bey
Ewido brings up:
vxgame2.exe in my system32 directory with trojanproxy.lager.x
latest.exe with trojan.crypt.i
vxgamet2.exe with trojan.spabot.r
The main problem is I keep getting the message that Windows Explorer has experienced a problem and keeps shutting down, followed by a rundll box that says "error loading c:/windows/system32/chp.dll Access is denied."
This is crazy!!!!
Here is my hijack log, followed by my ewido scan log.
Thanks for your help.
Logfile of HijackThis v1.99.1
Scan saved at 1:19:32 PM, on 9/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\System32\kernels32.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\B.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\A.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\D.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\C.scr
C:\WINDOWS\System32\kernels32.exe
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\12.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\13.scr
C:\WINDOWS\System32\kernels32.exe
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\18.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\17.scr
C:\WINDOWS\System32\kernels32.exe
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\1C.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\1D.scr
C:\WINDOWS\System32\kernels32.exe
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\22.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\21.scr
C:\WINDOWS\System32\kernels32.exe
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\26.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\27.scr
C:\WINDOWS\System32\kernels32.exe
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\2B.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\2C.scr
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\vxgame2.exe
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\35.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\36.scr
C:\WINDOWS\System32\kernels32.exe
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\3C.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\3B.scr
C:\WINDOWS\System32\kernels32.exe
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\41.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\40.scr
C:\WINDOWS\System32\sysvcs.exe
C:\WINDOWS\System32\kernels32.exe
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\45.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\46.scr
C:\WINDOWS\System32\kernels32.exe
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\4A.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\4B.scr
C:\WINDOWS\System32\kernels32.exe
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\50.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\4F.scr
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\kernels32.exe
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\54.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\55.scr
C:\WINDOWS\System32\kernels32.exe
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\59.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\5A.scr
C:\WINDOWS\System32\kernels32.exe
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\5F.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\5E.scr
C:\WINDOWS\System32\kernels32.exe
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\64.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\63.scr
C:\WINDOWS\System32\kernels32.exe
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\69.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\68.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\dwwin.exe
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\6D.scr
C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\6E.scr
C:\Documents and Settings\Mark.MARKANDKARLA\My Documents\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: - {009a787f-9a26-493d-bf15-ecf8257a30d6} - C:\WINDOWS\system32\rchbqv.dll (disabled by BHODemon)
O2 - BHO: - {03214798-d16c-45e5-bb9e-508ab1a1fd50} - C:\WINDOWS\system32\t.dll (disabled by BHODemon)
O2 - BHO: - {04abe39e-76b1-4db7-bdbc-35548e7a2c59} - C:\WINDOWS\system32\jgstp.dll (disabled by BHODemon)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: - {09edae6c-cdf6-491c-94ae-eee18c979154} - C:\WINDOWS\System32\jgmjgjgd.dll
O2 - BHO: - {1d2635c5-8ea1-4250-b3d9-9ab4c30d3406} - C:\WINDOWS\system32\pkyrrpwh.dll (disabled by BHODemon)
O2 - BHO: - {1f29e958-575e-42fd-a417-3ee1c0f190d3} - C:\WINDOWS\system32\vn.dll (disabled by BHODemon)
O2 - BHO: - {201ca607-a1ad-454b-8d1d-074df1606d9f} - C:\WINDOWS\System32\dfunclel.dll
O2 - BHO: - {20306a80-36a7-4f72-adcc-c63762700acc} - C:\WINDOWS\system32\viutrxv.dll (disabled by BHODemon)
O2 - BHO: - {319eb40c-93d3-4b38-a70f-684018dbc025} - C:\WINDOWS\system32\rcz.dll (disabled by BHODemon)
O2 - BHO: - {3bd9379d-8403-42fb-afc4-d3f2810e1bf3} - C:\WINDOWS\system32\phzl.dll (disabled by BHODemon)
O2 - BHO: - {3bd9bead-9ea3-4b34-9b50-a2a7a1e4c303} - C:\WINDOWS\System32\phxbmnr.dll
O2 - BHO: - {47236ac3-8e35-4939-ac76-6e52d6f9593f} - C:\WINDOWS\System32\phzxdhk.dll
O2 - BHO: - {479fb68e-fcb9-42ec-baa9-0c5edee11ff4} - C:\WINDOWS\System32\phxphno.dll
O2 - BHO: - {49690011-d351-4ae2-a1e1-f9f0aa394b87} - C:\WINDOWS\system32\phxpjnol.dll (disabled by BHODemon)
O2 - BHO: - {51f2182d-1692-4e6e-8e0e-41367b1056f4} - C:\WINDOWS\system32\pkyny.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: - {5b61a819-4393-417b-96ca-b3c00c3f5630} - C:\WINDOWS\system32\h.dll (disabled by BHODemon)
O2 - BHO: - {5ba86d97-d5e2-46ff-9cb3-b9ac69a28f1a} - C:\WINDOWS\System32\jgmjox.dll
O2 - BHO: - {68fd94c2-913c-4df3-8659-51f294fd965d} - C:\WINDOWS\system32\duz.dll (disabled by BHODemon)
O2 - BHO: - {6a7fc27d-8682-4b3e-9d47-e3ea2e148aee} - C:\WINDOWS\system32\visdutz.dll (disabled by BHODemon)
O2 - BHO: - {7389df13-93a2-4bda-80e9-e151e6f94aa1} - C:\WINDOWS\System32\pj.dll
O2 - BHO: - {7d85444e-ab6d-4c7c-b179-d5d5e10bc511} - C:\WINDOWS\system32\r.dll (disabled by BHODemon)
O2 - BHO: - {7efb9de2-65b2-40de-b211-332c088fe552} - C:\WINDOWS\system32\p.dll (disabled by BHODemon)
O2 - BHO: - {82940738-75f4-40b6-ac72-46a8b4fc1e39} - C:\WINDOWS\system32\jgmjgjgd.dll (disabled by BHODemon)
O2 - BHO: - {82cf7cf6-9f18-4b70-adcc-395907204eef} - C:\WINDOWS\System32\z.dll
O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: - {92e1b94f-e340-4547-8e7f-260aaf3eb8a1} - C:\WINDOWS\System32\phxprpel.dll
O2 - BHO: - {a0c26edb-4300-411a-9f87-e7d6404796e0} - C:\WINDOWS\System32\visr.dll
O2 - BHO: - {a64d4ef9-3ad2-4831-94d2-363662bbc6a2} - C:\WINDOWS\System32\bzgb.dll
O2 - BHO: - {a78fbea6-0a0a-4c6b-a9e6-47326e3e704e} - C:\WINDOWS\System32\phjzxx.dll
O2 - BHO: - {a7c599ae-9a9f-4d52-bfb7-321f61953e4c} - C:\WINDOWS\System32\phjlth.dll
O2 - BHO: - {b3327ba5-8c36-4a88-8074-98e4f1a2b458} - C:\WINDOWS\System32\dfbdfdfh.dll
O2 - BHO: - {be22710a-3517-4968-8327-49310b1aa03b} - C:\WINDOWS\System32\phxla.dll
O2 - BHO: - {c602dd90-e1c8-46ea-b3c5-7bbbcbe56443} - C:\WINDOWS\System32\jgmhx.dll
O2 - BHO: - {d079c90c-7390-499d-b62e-2b3f4033330e} - C:\WINDOWS\System32\jgrvubz.dll
O2 - BHO: - {d7a26809-e890-4c67-bf0c-740bcd30249f} - C:\WINDOWS\System32\be.dll
O2 - BHO: - {dbd9f931-7180-494b-ac2f-c133a53de5c1} - C:\WINDOWS\System32\jgmjgzn.dll
O2 - BHO: - {df194a41-db6d-4dd1-b854-7d5125fb134b} - C:\WINDOWS\System32\phhxy.dll
O2 - BHO: - {e944ccbf-c4b2-4608-b4ca-db61c08cf4bf} - C:\WINDOWS\System32\l.dll
O2 - BHO: - {f22d9418-a27a-4578-8ca7-a34557ba994a} - C:\WINDOWS\System32\xqyzx.dll
O2 - BHO: - {fc326f25-3e25-43ad-ae8e-0b87f4ea2e4e} - C:\WINDOWS\System32\jgmjgjgd.dll
O2 - BHO: - {fdcf6e8c-f585-46b1-a5bf-592fe40e89b1} - C:\WINDOWS\System32\jyqrcb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [WheelsMouse] C:\DOCUME~1\MARK~1.MAR\LOCALS~1\Temp\6E.scr" /
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O21 - SSODL: abi-1 - {26D4D9D7-5DEC-5FC8-C88C-978461DF7661} - c:\program files\internet explorer\wtdgjww6.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 10:15:05 AM, 9/22/2005
+ Report-Checksum: 97CE7868
+ Scan result:
C:\WINDOWS\system\__delete_on_reboot__svchost.dll -> TrojanProxy.Small.bw : Cleaned with backup
C:\WINDOWS\system32\latest.exe -> Trojan.Crypt.l : Cleaned with backup
::Report End