HiJack list

#1 vpratt (New Member, 6 posts)

Logfile of HijackThis v1.99.1
Scan saved at 6:30:11 PM, on 4/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\pgjsxul.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\WINDOWS\System32\vpvzlp.exe
C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0AFB5B33-A1D5-40F8-9062-08645B137CEF} - (no file)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [tsvcin] C:\Documents and Settings\Virginia Newnum\n20050308.EXE
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vpvzlp.exe
O4 - HKLM\..\Run: [lledcur] c:\windows\system32\pgjsxul.exe
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpit.exe
O4 - Startup: Eyetide Launcher.lnk = C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay10...ex/HMAtchmt.ocx
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\j8l4li3q18.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

#2 RKinner (Malware Expert, MVP, 17,344 posts)

Where to start? You have at least four different infections. Let's do the easy stuff first:

Get a copy of winsockxpfix.exe before you do anything. This is just a safety item in case you can't get on the internet afterwards. You just run it and things should work OK after it reboots your system.

http://www.iup.edu/h...net/winfix.shtm

Also download and install ccleaner.exe from http://www.ccleaner.com. Don't let it clean anything yet.

Start, then right click on My Computer and press Manage. In the new window, Services and Applications, then Services. In the right pane scroll down and find the System Startup Service. Double click on it and then set the Start Type to Disabled. Then OK.

Now shut down and reboot into Safe Mode by tapping the F8 key when you see the PC maker's logo. Keep tapping until it tells you it is going to Safe Mode or you see the Safe Mode menu. Select the top option.

Run HijackThis and just do a Scan only. Check then Fix Checked the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {0AFB5B33-A1D5-40F8-9062-08645B137CEF} - (no file)
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [tsvcin] C:\Documents and Settings\Virginia Newnum\n20050308.EXE
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vpvzlp.exe
O4 - HKLM\..\Run: [lledcur] c:\windows\system32\pgjsxul.exe
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpit.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\j8l4li3q18.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Wait 60 seconds and repeat the scan. Did any of the above come back? If so, leave HijackThis up and right click on the clock and select Task Manager. Then Processes. Find Explorer.exe, right click on it and select End Process. The desktop will disappear but HijackThis should still be there. If you don't see it, switch to Applications in Task Manager and highlight it there, then press Switch To or just double click on it. Check and Fix Checked the above again. Restart Explorer by Task Manager, File, New Task (Run), explorer.exe, OK.

Now run ccleaner.exe. On the first page, uncheck everything but the two lines that have the word Temporary in them, then Run Cleaner.

Start, Run, cmd, OK. This should bring up a black DOS type window. Type:

rmdir /s /q C:\WINDOWS\isrvs
del /f /q C:\Windows\System32\Drivers\delprot.sys

exit


Reboot into normal mode and run another HijackThis log.

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vpvzlp.exe
and this one:
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\j8l4li3q18.dll

will probably need more work. If you have a fast link you can run:

mwav.exe

http://www.spywarein...wnload/mwav.exe

This is a very big program, ~10 Meg, so it would take forever on a dialup. If you don't have a fast link then get a friend with a fast link to download it for you and burn it to a CD. Run the program and it will open up and install itself. Then just run it, brush your teeth and go to bed. (Takes hours to run!) It is the slowest program I have ever used but it is thorough.

Reboot and run a new Hijacklog and post it.

Ron

#3 vpratt (Topic Starter, New Member, 6 posts)

Logfile of HijackThis v1.99.1
Scan saved at 4:59:55 PM, on 4/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\rundll32.exe
c:\windows\system32\owzomr.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\vpvzlp.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [mzfgbd] c:\windows\system32\owzomr.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vpvzlp.exe
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpit.exe
O4 - Startup: Eyetide Launcher.lnk = C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\ir8ul5l91.dll (file missing)
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\nmlanui2.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

#4 RKinner (Malware Expert, MVP, 17,344 posts)

I'm about to leave the office for the weekend. If you have a fast link or a friend with a fast link and a CD burner, get mwav.exe and install and run it. It will take hours to finish but it is pretty good.

http://www.spywarein...wnload/mwav.exe

Ron

#5 vpratt (Topic Starter, New Member, 6 posts)

Why am I downloading this? I also wanted to tell you that I am still getting those Aurora popups. So I don't know if I didn't do something or what. Will this help? I still don't know why I am getting these popups. Please help.

#6 RKinner (Malware Expert, MVP, 17,344 posts)

mwav is a very thorough antivirus/antispyware program. It is also the only way I know of to remove the

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vpvzlp.exe

entry. The nail and most of the rest should have gone away from the first procedure so I suspect you may have left out a step or two or maybe didn't get into Safe Mode. This program will probably get them too.

Ron

#7 vpratt (Topic Starter, New Member, 6 posts)

I ran the mwav. I am still getting the Aurora popups. After I scan it, what do I do? I didn't really see anything that I could do. I also have one more question. I use Yahoo Messenger. I couldn't open it, so I uninstalled it twice and tried to download it again. It is downloading, but now I can't seem to get it to sign on. Do you have any idea why it is doing this?

#8 RKinner (Malware Expert, MVP, 17,344 posts)

Post a new HijackThis log and let's see where we stand.

Ron

#9 vpratt (Topic Starter, New Member, 6 posts)

This is the latest log. Let me know if you see anything.
Thanx.

Logfile of HijackThis v1.99.1
Scan saved at 5:16:30 PM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\vpvzlp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HijackThis.exe

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vpvzlp.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Eyetide Launcher.lnk = C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\m0jula191d.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

#10 RKinner (Malware Expert, MVP, 17,344 posts)

We have two really nasty customers left:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vpvzlp.exe
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\m0jula191d.dll

Get Pocket Killbox from:

http://www.bleepingc...les/killbox.php

Save it, open it and run it. Put C:\WINDOWS\System32\vpvzlp.exe in the box but don't try to delete it yet.

Get Advanced Process Manipulator from:

http://www.diamondcs...p?page=products

and open it, install it and run it.

Look in the upper window and see if you find vpvzlp.exe. Right-click on it and Exit Process.

Immediately switch to PocketKillbox and press the Red button and tell it OK.

Now put C:\WINDOWS\system32\m0jula191d.dll in the box but don't kill it yet.

Switch back to Advanced Process Manipulator and select Winlogon.exe, then look in the bottom pane for m0jula191d.dll, right click on it and select Unload DLL. A little box will pop up with an OK button. Press it and repeat as long as the button keeps coming up. As soon as it stops, try pressing the red button on the killbox. If it says it can't do it, then try selecting the close Explorer while deleting button and try again. If that won't work, then check the delete during reboot button and try again. Don't let it reboot yet though. If the file does not show up in winlogon then look in explorer.exe or iexplore.exe.

Rerun HijackThis and check and Fix Checked the two entries:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vpvzlp.exe
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\m0jula191d.dll

Ron

PS. Will look into your Yahoo Messenger problem and get back to you on that.
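A small triage script, added here and not part of the thread or of HijackThis, that shows the pattern Ron is chasing across the three logs: parse the entries, report which persistence entries survived from one scan to the next (fixes that did not stick, like the KavSvc Run key), and flag O20 Winlogon Notify entries that load a random-named system32 DLL, which this thread shows being regenerated under a new name after every cleanup. The sample lines are copied from the logs posted above; the PERSISTENCE section list and the random-name heuristic are my own assumptions, not HijackThis rules.

```python
import re

# Sections that give code a foothold at boot or logon; these are the
# ones Ron has the poster fix in this thread (my selection).
PERSISTENCE = {"F2", "O4", "O10", "O18", "O20", "O23"}
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")

# Heuristic (my assumption): a system32 DLL whose name is 8+ letters or
# digits and contains at least one digit, like j8l4li3q18.dll.
RANDOM_DLL = re.compile(r"\\system32\\(?=[a-z0-9]*\d)[a-z0-9]{8,}\.dll", re.I)

def parse_log(text):
    """Map each HijackThis section code to the set of entry bodies in it."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group(1), set()).add(m.group(2))
    return entries

def persisted(old, new):
    """Persistence entries present in both scans: fixes that did not stick."""
    out = []
    for sec in sorted(PERSISTENCE & set(old) & set(new)):
        out += [f"{sec} - {e}" for e in sorted(old[sec] & new[sec])]
    return out

def winlogon_notify_suspects(log):
    """O20 Winlogon Notify entries that load a random-looking system32 DLL."""
    return sorted(e for e in log.get("O20", ()) if RANDOM_DLL.search(e))

# Sample input: persistence lines copied from the first and the latest log
# posted in this thread (a constructed subset, not the full logs).
SCAN_1 = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vpvzlp.exe
O4 - HKLM\..\Run: [lledcur] c:\windows\system32\pgjsxul.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\j8l4li3q18.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""
SCAN_3 = r"""
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vpvzlp.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\m0jula191d.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
"""

if __name__ == "__main__":
    first, latest = parse_log(SCAN_1), parse_log(SCAN_3)
    print("Survived every cleanup:", *persisted(first, latest), sep="\n  ")
    print("Random-named Winlogon Notify DLLs, old then new:",
          *winlogon_notify_suspects(first), *winlogon_notify_suspects(latest), sep="\n  ")
```

Run against the full logs, the same two checks tell you whether a fix held and whether the O20 loader has simply been reseeded under a new name.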