Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Infected Computer

Started by RachelAnne , Jun 14 2006 06:07 PM

  • Please log in to reply

#1
RachelAnne
Posted 14 June 2006 - 06:07 PM

RachelAnne

    Member

  • Member
  • PipPip
  • 12 posts
My computer has been running out of space very fast, causing me to have to delete programs almost weekly
I also get popups from Windows Cleaner and various other places, that are basically saying "Buy This Product And You Won't Be Infected!"
It's really annoying and my computer is getting slower everyday.
Pleae help.


Logfile of HijackThis v1.99.1
Scan saved at 7:41:18 PM, on 6/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\ehome\ehSched.exe
C:\WINNT\ehome\ehtray.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\ehome\ehmsas.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\HPZENG09.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\TSI32\tsircusr.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07BD4623-2A33-4DCE-A017-3EAAEA61C7F9} - C:\WINNT\system32\udrlwboq.dll
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINNT\system32\jkhhe.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINNT\system32\awtsq.dll (file missing)
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINNT\system32\vtutt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINNT\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [LapLink Server Proxy] "C:\PROGRA~1\LAPLIN~1\WProxy.exe" -l
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {6BC013D0-77D9-11D5-AB95-0050DA664D35} - https://myaccounts.n...r/Yodelizer.cab
O16 - DPF: {76886F39-D4D8-4F00-A354-3CC1C364F363} - http://personal.fide...lityToolbar.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.app.../ITDetector.cab
O20 - Winlogon Notify: awtsq - C:\WINNT\system32\awtsq.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: jkhhe - C:\WINNT\SYSTEM32\jkhhe.dll
O20 - Winlogon Notify: vtstu - C:\WINNT\system32\vtstu.dll (file missing)
O20 - Winlogon Notify: vtutt - C:\WINNT\system32\vtutt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
  • 0

Advertisements

#2
Wizard
Posted 14 June 2006 - 08:12 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi RachelAnne and Welcome to GeekstoGo!


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.

Post back with a fresh HijackThis log and the results of CureIt along with vundofix.txt
  • 0

#3
RachelAnne
Posted 15 June 2006 - 01:15 PM

RachelAnne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Logfile of HijackThis v1.99.1
Scan saved at 3:13:22 PM, on 6/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\ehome\ehSched.exe
C:\WINNT\Explorer.EXE
C:\WINNT\ehome\ehtray.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINNT\system32\igfxpers.exe
C:\WINNT\system32\dumprep.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINNT\ehome\ehmsas.exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\TSI32\tsircusr.exe
O2 - BHO: (no name) - {07BD4623-2A33-4DCE-A017-3EAAEA61C7F9} - C:\WINNT\system32\udrlwboq.dll (file missing)
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINNT\system32\jkhhe.dll
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINNT\system32\vtutt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINNT\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [LapLink Server Proxy] "C:\PROGRA~1\LAPLIN~1\WProxy.exe" -l
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {6BC013D0-77D9-11D5-AB95-0050DA664D35} - https://myaccounts.n...r/Yodelizer.cab
O16 - DPF: {76886F39-D4D8-4F00-A354-3CC1C364F363} - http://personal.fide...lityToolbar.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.app.../ITDetector.cab
O20 - Winlogon Notify: awtsq - C:\WINNT\system32\awtsq.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: jkhhe - C:\WINNT\SYSTEM32\jkhhe.dll
O20 - Winlogon Notify: vtstu - C:\WINNT\system32\vtstu.dll (file missing)
O20 - Winlogon Notify: vtutt - C:\WINNT\system32\vtutt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe


VundoFix V4.2.84

Checking Java version...

Java version is 1.5.0.3

Scan started at 12:17:47 AM 6/15/2006

Listing files found while scanning....

C:\WINNT\system32\awtsq.dll
C:\WINNT\system32\qstwa.ini
C:\WINNT\system32\qstwa.bak1
C:\WINNT\system32\qstwa.bak2
C:\WINNT\system32\vtutt.dll
C:\WINNT\system32\ttutv.ini
C:\WINNT\system32\ttutv.bak1
C:\WINNT\system32\ttutv.bak2
C:\WINNT\system32\ttutv.ini2
C:\WINNT\system32\ttutv.tmp
C:\WINNT\system32\jkhhe.dll

C:\WINNT\system32\qstwa.bak1
C:\WINNT\system32\qstwa.bak2
C:\WINNT\system32\qstwa.ini
C:\WINNT\system32\ttutv.bak1
C:\WINNT\system32\ttutv.bak2
C:\WINNT\system32\ttutv.tmp
C:\WINNT\system32\ttutv.ini
C:\WINNT\system32\ttutv.ini2
C:\WINNT\system32\vtutt.dll
C:\WINNT\system32\utstv.bak1
C:\WINNT\system32\utstv.bak2
C:\WINNT\system32\utstv.ini
C:\WINNT\system32\ttutv.ini2
C:\WINNT\system32\ttutv.bak2
C:\WINNT\system32\ttutv.tmp
C:\WINNT\system32\ttutv.ini
C:\WINNT\system32\ttutv.ini2
C:\WINNT\system32\vtutt.dll
Attempting to delete C:\WINNT\system32\qstwa.ini
C:\WINNT\system32\qstwa.ini Has been deleted!

Attempting to delete C:\WINNT\system32\qstwa.bak1
C:\WINNT\system32\qstwa.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\qstwa.bak2
C:\WINNT\system32\qstwa.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\vtutt.dll
C:\WINNT\system32\vtutt.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\ttutv.ini
C:\WINNT\system32\ttutv.ini Could not be deleted.

Attempting to delete C:\WINNT\system32\ttutv.bak1
C:\WINNT\system32\ttutv.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\ttutv.bak2
C:\WINNT\system32\ttutv.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\ttutv.ini2
C:\WINNT\system32\ttutv.ini2 Has been deleted!

Attempting to delete C:\WINNT\system32\ttutv.tmp
C:\WINNT\system32\ttutv.tmp Has been deleted!

Attempting to delete C:\WINNT\system32\jkhhe.dll
C:\WINNT\system32\jkhhe.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\ttutv.ini
C:\WINNT\system32\ttutv.ini Has been deleted!

Attempting to delete C:\WINNT\system32\vtutt.dll
C:\WINNT\system32\vtutt.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\utstv.bak1
C:\WINNT\system32\utstv.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\utstv.bak2
C:\WINNT\system32\utstv.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\utstv.ini
C:\WINNT\system32\utstv.ini Has been deleted!

Attempting to delete C:\WINNT\system32\vtutt.dll
C:\WINNT\system32\vtutt.dll Could not be deleted.

Performing Repairs to the registry.
Done!




DRWEB
udrlwboq.dll;C:\WINNT\system32;Adware.Hotbot;;
jkhhe.dll;C:\WINNT\system32;Trojan.DownLoader.6408;Will be cured after reboot.;
vtutt.dll;C:\WINNT\system32;Adware.Virtumonde;;
atl.dll;C:\Program Files\Yahoo!\YPSR\Quarantine\ppq346.tmp;Trojan.AproposAd;Deleted.;
awtqn.dll;C:\WINNT\system32;Trojan.DownLoader.4412;Deleted.;
gebyx.dll;C:\WINNT\system32;Trojan.DownLoader.6408;Deleted.;
jkhhe.dll;C:\WINNT\system32;Trojan.DownLoader.6408;Will be cured after reboot.;
ssqpm.dll;C:\WINNT\system32;Trojan.DownLoader.6408;Deleted.;
ssqpn.dll;C:\WINNT\system32;Trojan.DownLoader.6123;Deleted.;
tqmxnbry.dll;C:\WINNT\system32;Adware.Hotbot;;
udrlwboq.dll;C:\WINNT\system32;Adware.Hotbot;;
  • 0

#4
Wizard
Posted 15 June 2006 - 03:48 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Go to the HijackThis folder and right click HijackThis.exe

Select rename and rename it to Scan.exe

Double Click Scan.exe to launch HijackThis

Do another System Scan and Save a logfile


Post those results in the next reply please.
  • 0

#5
RachelAnne
Posted 15 June 2006 - 05:03 PM

RachelAnne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
It pops up with this error message:
"Invalid Picture"
  • 0

#6
Wizard
Posted 15 June 2006 - 05:16 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hmm,OK,rename it to Peek.exe and try again??
  • 0

#7
RachelAnne
Posted 15 June 2006 - 10:11 PM

RachelAnne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
It wasn't working, and then my computer completely shut down.
The first time I tried turning it on, it tried to load Personal Settings, saying my own configurations were not able to load, then completely froze on me.
The next two times, the windows startup wouldn't even load and all I got was a blank screen.
It seems to be working now, though. I renamed HJT to Peek.exe


Logfile of HijackThis v1.99.1
Scan saved at 12:08:32 AM, on 6/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\ehome\ehSched.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\Peek.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\TSI32\tsircusr.exe
O2 - BHO: (no name) - {07BD4623-2A33-4DCE-A017-3EAAEA61C7F9} - C:\WINNT\system32\udrlwboq.dll (file missing)
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINNT\system32\jkhhe.dll
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINNT\system32\vtutt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINNT\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [LapLink Server Proxy] "C:\PROGRA~1\LAPLIN~1\WProxy.exe" -l
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {6BC013D0-77D9-11D5-AB95-0050DA664D35} - https://myaccounts.n...r/Yodelizer.cab
O16 - DPF: {76886F39-D4D8-4F00-A354-3CC1C364F363} - http://personal.fide...lityToolbar.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.app.../ITDetector.cab
O20 - Winlogon Notify: awtsq - C:\WINNT\system32\awtsq.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: jkhhe - C:\WINNT\SYSTEM32\jkhhe.dll
O20 - Winlogon Notify: vtstu - C:\WINNT\system32\vtstu.dll (file missing)
O20 - Winlogon Notify: vtutt - C:\WINNT\system32\vtutt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
  • 0

#8
Wizard
Posted 16 June 2006 - 02:26 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
If you will,please run the VundoFix again and see if it will catch those other files present?

Post any logs produced.
  • 0

#9
RachelAnne
Posted 20 June 2006 - 03:27 PM

RachelAnne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Sorry it took so long. It wouldn't turn on for the longest time because there it's running out of space really quickly.


VundoFix V4.2.84

Checking Java version...

Java version is 1.5.0.3

Scan started at 12:53:30 AM 6/17/2006

Listing files found while scanning....

C:\WINNT\system32\vtutt.dll
C:\WINNT\system32\ttutv.ini
C:\WINNT\system32\jkhhe.dll

Attempting to delete C:\WINNT\system32\vtutt.dll
C:\WINNT\system32\vtutt.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\ttutv.ini
C:\WINNT\system32\ttutv.ini Has been deleted!

Attempting to delete C:\WINNT\system32\jkhhe.dll
C:\WINNT\system32\jkhhe.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V4.2.84

Checking Java version...

Java version is 1.5.0.3

Scan started at 11:33:45 AM 6/17/2006

Listing files found while scanning....

C:\WINNT\system32\vtutt.dll
C:\WINNT\system32\ttutv.ini
C:\WINNT\system32\ttutv.bak2
C:\WINNT\system32\jkhhe.dll

Attempting to delete C:\WINNT\system32\vtutt.dll
C:\WINNT\system32\vtutt.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\ttutv.ini
C:\WINNT\system32\ttutv.ini Has been deleted!

Attempting to delete C:\WINNT\system32\ttutv.bak2
C:\WINNT\system32\ttutv.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\jkhhe.dll
C:\WINNT\system32\jkhhe.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V4.2.84

Checking Java version...

Java version is 1.5.0.3

Scan started at 10:39:55 PM 6/17/2006

Listing files found while scanning....

C:\WINNT\system32\vtutt.dll
C:\WINNT\system32\ttutv.ini
C:\WINNT\system32\ttutv.bak2
C:\WINNT\system32\jkhhe.dll
  • 0

#10
Wizard
Posted 21 June 2006 - 04:26 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Now a fresh HijackThis log please.
  • 0

#11
RachelAnne
Posted 21 June 2006 - 07:53 PM

RachelAnne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Logfile of HijackThis v1.99.1
Scan saved at 9:53:05 PM, on 6/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\ehome\ehSched.exe
C:\WINNT\Explorer.EXE
C:\WINNT\ehome\ehtray.exe
C:\WINNT\ehome\ehmsas.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINNT\system32\dumprep.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\dwwin.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Hijack This\Peek.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\TSI32\tsircusr.exe
O2 - BHO: (no name) - {07BD4623-2A33-4DCE-A017-3EAAEA61C7F9} - C:\WINNT\system32\udrlwboq.dll (file missing)
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINNT\system32\jkhhe.dll
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINNT\system32\vtutt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINNT\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [LapLink Server Proxy] "C:\PROGRA~1\LAPLIN~1\WProxy.exe" -l
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {6BC013D0-77D9-11D5-AB95-0050DA664D35} - https://myaccounts.n...r/Yodelizer.cab
O16 - DPF: {76886F39-D4D8-4F00-A354-3CC1C364F363} - http://personal.fide...lityToolbar.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.co...NetOpPlugin.ocx
O20 - Winlogon Notify: awtsq - C:\WINNT\system32\awtsq.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: jkhhe - C:\WINNT\SYSTEM32\jkhhe.dll
O20 - Winlogon Notify: vtstu - C:\WINNT\system32\vtstu.dll (file missing)
O20 - Winlogon Notify: vtutt - C:\WINNT\system32\vtutt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
  • 0

#12
Wizard
Posted 24 June 2006 - 02:19 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Download WinPFind to your C Drive.
http://download.blee...r/winpfind2.zip

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE(Tap F8 when restarting)

From the WinPFind folder-> Doubleclick WinPFind.exe to launch the program.

Under the Registry Options Column,Click Remove All.

Under the File Options Column,Click Select All.

Click Run All Standard Scans

It will take a bit to scan so please be patient.

Click Save Scans to Text File

The log (WinPFind2.txt) will be in the WinPFind folder.


Restart Normal and post those results.

Edited by Cretemonster, 24 June 2006 - 02:28 AM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP