Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

winfixer - HELP!


  • This topic is locked This topic is locked

#46
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Delete the vundofix folder that you have on your desktop and redownload please.

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    it should look like this

    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk
    Please seek assistance at one of the following forums:
    http://www.atribune.org/forums
    http://www.247fixes.com/forums
    http://www.geekstogo.com/forum
    http://forums.net-integration.net

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\java\Packages\keyiis.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\java\Packages\siiyek.* This will be the vundo filename spelt backwards. for example if the vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • you can close HJT when it opens
[*]Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
[*]Once your machine reboots please continue with the instructions below.
[/list]
I will need you to follow the instructions for MWAV again.

post a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
  • 0

Advertisements


#47
fluffhead

fluffhead

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts
Here is the vundo txt and new hjt log - I'll run the mwav later tonight.

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Suspending PID 160 'smss.exe'
Threads [164][168][172]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 828 'explorer.exe'
Killing PID 828 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 248 'winlogon.exe'
Killing PID 248 'winlogon.exe'
Error 0x5 : Access is denied.

Could not delete file.
Files Deleted sucessfully.


Logfile of HijackThis v1.99.1
Scan saved at 8:28:39 PM, on 9/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HELPAN~1\Pavilion\XPEWWBF4Duet\plugin\bin\PCHButton.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Administrator\My Documents\hjy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cruzio.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: DHTML Support Dll - {DC242F50-B46A-4182-B377-64A795CFED9C} - C:\WINDOWS\system32\dhtmlcore.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\Pavilion\XPEWWBF4Duet\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups...plorer1_8us.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#48
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
I need you to submit those files to the maker of vundofix.

First download this program and use it to find any file named keyiis siiyek in the C:\WINDOWS\java\Packages folder.

Please download FileFind from Atribune.
Unzip the file and save it to your desktop.

To run FileFind, please do the following:
  • Click on FileFind.exe
  • In the box labeled "Enter the directory to search"
    • Enter Drive eg.. C:\
  • In the box labeled "Enter the file to search"
    • Enter the file or use *.(file extention) to search for the file(s)
  • Now click on the "Find" button
  • Once the utility has found the files click on "Export"
  • This will save a text file to your C:\ drive as "Export.txt"
  • Double click on Export.txt, copy and paste this information in your next post
Next:

Download sfp and unzip it to your desktop.
  • Double click sfp.exe thats on your desktop
  • In step one, please past in the following files(s):
    • C:\WINDOWS\java\Packages\keyiis.dll
  • Click "Continue"
  • sfp will create a cab file on your desktop called requested-files (and the date)
  • please email that file to [email protected] Put a link to this thread and name of file in email also
You can also use this program for any of the other files that you find above.

Please let me know when thats done.

Thanks,

:tazz:

Excal
  • 0

#49
fluffhead

fluffhead

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts

In the box labeled "Enter the directory to search"
Enter Drive eg.. C:\
In the box labeled "Enter the file to search"
Enter the file or use *.(file extention) to search for the file(s)


Explain this a bit better, please :tazz:
  • 0

#50
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
In the first box put C:\WINDOWS\java\Packages

in the next box to the right, put keyiis.dll

for the second file put:

C:\WINDOWS\java\Packages

then in the next box put

siiyek.*

thanks,

:tazz:

Excal
  • 0

#51
fluffhead

fluffhead

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts
File Find results:

C:\WINDOWS\java\Packages\keyiis.dll - 516116 Bytes


C:\WINDOWS\java\Packages\siiyek.bak1 - 178623 Bytes
C:\WINDOWS\java\Packages\siiyek.bak2 - 422597 Bytes
C:\WINDOWS\java\Packages\siiyek.ini - 181599 Bytes
C:\WINDOWS\java\Packages\siiyek.ini2 - 181710 Bytes
C:\WINDOWS\java\Packages\siiyek.tmp - 181599 Bytes
  • 0

#52
fluffhead

fluffhead

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts

You can also use this program for any of the other files that you find above.

Please let me know when thats done.


Not sure that I've done this? :tazz:

sfp will create a cab file on your desktop called requested-files (and the date)

please email that file to [email protected] Put a link to this thread and name of file in email also


This I did :)
  • 0

#53
fluffhead

fluffhead

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts
Here is the new MWav you asked for:

Object "claria Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "sw Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "NavExcel browser helper Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "c:\hpqimgrc.resources.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "c:\Program Files\Microsoft Works\wkwzadtx.dat". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "c:\Program Files\Common Files\Microsoft Shared\WordArt\Wrdart32.hlp". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\IVIPromotion.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Pinnacle\Studio 8\Menus\Corporate - Communications.dtl". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Pinnacle\Studio 8\Menus\Corporate - Company News.dtl". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Pinnacle\Studio 8\Menus\Corporate - Future Outlook.dtl". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Pinnacle\Studio 8\Menus\Corporate - Hot Topics.dtl". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Pinnacle\Studio 8\Menus\Corporate - Meeting Agenda.dtl". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Pinnacle\Studio 8\Menus\Corporate - New Product.dtl". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Pinnacle\Studio 8\Menus\Family - Album 2.dtl". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Pinnacle\Studio 8\Menus\Family - Album.dtl". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Pinnacle\Studio 8\Menus\Family - Mementos.dtl". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Pinnacle\Studio 8\Menus\Family - Moonlight Memories.dtl". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Pinnacle\Studio 8\Menus\Family - Now Playing.dtl". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Pinnacle\Studio 8\Menus\Family - Our Anniversary.dtl". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Pinnacle\Studio 8\Menus\Family - Our Family.dtl". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Pinnacle\Studio 8\Menus\Family - Our Wedding 1.dtl". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Pinnacle\Studio 8\Menus\Family - Our Wedding 2.dtl". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Pinnacle\Studio 8\Menus\Holiday - Fourth of July 2.dtl". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Fonts\GENUINE_.TTF". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\AppFile.exe" refers to invalid object "C:\Program Files\EPSON\Smart Panel\AppFile.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Applet.exe" refers to invalid object "C:\Program Files\EPSON\Smart Panel\Applet.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\AppOcr.exe" refers to invalid object "C:\Program Files\EPSON\Smart Panel\AppOcr.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe" refers to invalid object "C:\WINDOWS\system32\cmmgr32.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Copy.exe" refers to invalid object "C:\Program Files\EPSON\Smart Panel\Copy.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Epp.exe" refers to invalid object "C:\Program Files\EPSON\Smart Panel\Epp.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\HP IntelliMover Demo" refers to invalid object "C:\Program Files\IntelliMover Data Transfer Demo\HP IntelliMover Demo". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\mplayer2.exe" refers to invalid object ""C:\Program Files\Windows Media Player\mplayer2.exe"". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\OcrEngine.exe" refers to invalid object "C:\Program Files\EPSON\Smart Panel\OcrEngine.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ORUN32.EXE" refers to invalid object "C:\WINDOWS\ORUN32.EXE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Pyth.exe" refers to invalid object "C:\Program Files\EPSON\Smart Panel\Pyth.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\setup.exe" refers to invalid object "C:\Program Files\ATI Technologies\ATI Control Panel\setup.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\wksdb.exe" refers to invalid object "c:\Program Files\Microsoft Works\wksdb.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\wksss.exe" refers to invalid object "c:\Program Files\Microsoft Works\wksss.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\yourapp.Exe" refers to invalid object "C:\Program Files\PC-Doctor for Windows\yourapp.Exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Easy Internet signup\FrontEnd\en_us\offer_templates\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Easy Internet signup\FrontEnd\en_us\offer_templates\hp\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "c:\Program Files\Norton Personal Firewall\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\All Users\Start Menu\Programs\MediaFACE 4.01\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Shared Tools\DAO350" refers to invalid object "C:\Program Files\Common Files\Microsoft Shared\DAO\DAO350.DLL". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".bak". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dtl". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pf". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".scn". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".TMP". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".VOB". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object "OpenWithList". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "SymSetup.{C6F5B6CF-609C-428E-876F-CA83176C021B}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{1A655D51-1423-48A3-B748-8F5A0BE294C8}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{2D4B1196-07AB-44D1-A246-D3475EADA631}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{7BF7B688-4A95-4003-BA98-EA8A79DA0ABA}". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC}" refers to invalid object "C:\Program Files\NavExcel\NavHelper\v2.0.4b\NHelper.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DC0C2640-1415-4644-875C-6F4D769839BA}" refers to invalid object ""C:\Program Files\iTunes\iTunes.exe"". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DC242F50-B46A-4182-B377-64A795CFED9C}" refers to invalid object "C:\WINDOWS\system32\dhtmlcore.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E19ECCAE-D134-4DCF-AE7D-A7B719440235}" refers to invalid object "C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE /IMG_WIA". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{232E6276-81A8-4C5D-8B2F-D64E3FE453DB}" refers to invalid object "C:\WINDOWS\opuc.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{9E93C96F-CF0D-43F6-8BA8-B807A3370712}" refers to invalid object "C:\Program Files\iTunes\iTunes.exe". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{DC242F42-B46A-4182-B377-64A795CFED9C}" refers to invalid object "C:\WINDOWS\system32\dhtmlcore.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{FA4DE133-D3C3-4ED4-92D1-CD4DDE839AB3}" refers to invalid object "C:\Program Files\NavExcel\NavHelper\v2.0.4b\NHelper.dll". Action Taken: No Action Taken.
Entry "HKCR\.mdi" refers to invalid object "MSPaper.Document". Action Taken: No Action Taken.
Entry "HKCR\.mft" refers to invalid object "MediaFACE.ProjectTemplate". Action Taken: No Action Taken.
Entry "HKCR\.sc2" refers to invalid object "SchedulePlus.Application.7". Action Taken: No Action Taken.
Entry "HKCR\.tif" refers to invalid object "MSPaper.Document". Action Taken: No Action Taken.
Entry "HKCR\.xlr" refers to invalid object "MSWorks4Sheet". Action Taken: No Action Taken.
Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "C:\WINDOWS\system32\CMMGR32.EXE "%1"". Action Taken: No Action Taken.
Entry "HKCR\DesignPro5.Document\shell\open\command" refers to invalid object "C:\PROGRA~1\AVERYD~1\DESIGN~1.0LI\labeler.exe /dde". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSP" refers to invalid object "{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSPDMOProp_Chorus.1" refers to invalid object "{6F63B172-5543-4593-91CE-EDBA65B9FACDB}". Action Taken: No Action Taken.
Entry "HKCR\MicrosoftWorks.Send.WkApComp" refers to invalid object "{FAA2E095-F748-11D2-9858-00C04F72DAEE}". Action Taken: No Action Taken.
Entry "HKCR\MicrosoftWorks.Send.WkApComp.6" refers to invalid object "{FAA2E095-F748-11D2-9858-00C04F72DAEE}". Action Taken: No Action Taken.
Entry "HKCR\NeroCDExtraType\shell\open\command" refers to invalid object "C:\PROGRA~1\Ahead\Nero\nero.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\NeroCopyType\shell\open\command" refers to invalid object "C:\PROGRA~1\Ahead\Nero\nero.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\NeroCueSheetType\shell\open\command" refers to invalid object "C:\PROGRA~1\Ahead\Nero\nero.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\NeroDVDVideoType\shell\open\command" refers to invalid object "C:\PROGRA~1\Ahead\Nero\nero.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\NeroHDBackupType\shell\open\command" refers to invalid object "C:\PROGRA~1\Ahead\Nero\nero.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\NeroMP3Type\shell\open\command" refers to invalid object "C:\PROGRA~1\Ahead\Nero\nero.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\NeroUDFISOType\shell\open\command" refers to invalid object "C:\PROGRA~1\Ahead\Nero\nero.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\NeroVision Express.Document\shell\open\command" refers to invalid object ""C:\Program Files\Ahead\NeroVision\NeroVision.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\NeroWMAType\shell\open\command" refers to invalid object "C:\PROGRA~1\Ahead\Nero\nero.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\SldSrtr.Document\shell\open\command" refers to invalid object "C:\PROGRA~1\COMMON~1\MICROS~1\MODI\11.0\MSPVIEW.EXE "%1"". Action Taken: No Action Taken.
Entry "HKCR\Studio.Document\shell\open\command" refers to invalid object "C:\PROGRA~1\Pinnacle\STUDIO~1\programs\studio.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
File C:\WINDOWS\system32\jkkjg.dll infected by "Trojan-Downloader.Win32.ConHook.k" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\HP_Administrator\Desktop\requested-files[2005-09-24_20_54].cab tagged as "not-a-virus:AdWare.Virtumonde.o". Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\190B0DDB.cla infected by "Exploit.Java.Bytverify" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2CC76B43.cla infected by "Trojan.Java.ClassLoader.c" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2CCB1540.cla infected by "Trojan.Java.ClassLoader.Dummy.d" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2CCB1540.zip infected by "Exploit.Java.ByteVerify" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2D3A28C5.zip infected by "Trojan-Downloader.Java.OpenStream.c" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2D986A5D.htm infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2DAF1044.cla infected by "Trojan.Java.ClassLoader.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2DAF1044.zip infected by "Trojan.Java.ClassLoader.c" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2DB23A40.cla infected by "Trojan.Java.ClassLoader.c" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2DB6643D.cla infected by "Trojan.Java.ClassLoader.Dummy.d" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2DB90E39.cla infected by "Exploit.Java.Bytverify" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2E0E51DC.zip infected by "Exploit.Java.ByteVerify" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2E2F75B8.zip infected by "Exploit.Java.ByteVerify" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2E321FB4.cla infected by "Trojan.Java.ClassLoader.c" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2E3549B1.cla infected by "Trojan.Java.ClassLoader.Dummy.d" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2E3873AD.cla infected by "Exploit.Java.Bytverify" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2E524390.zip infected by "Trojan.Java.ClassLoader.c" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\39577DAA.cla infected by "Trojan.Java.ClassLoader.Dummy.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7F1F5BA9.cla infected by "Exploit.Java.Bytverify" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7E6001F9-0A8D-45EC-B593-E452C096CF95}\RP211\A0056768.dll tagged as "not-a-virus:AdWare.MediaBack.a". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7E6001F9-0A8D-45EC-B593-E452C096CF95}\RP246\A0063657.exe infected by "Trojan-Clicker.Win32.VB.gs" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\java\Packages\keyiis.dll tagged as "not-a-virus:AdWare.Virtumonde.o". Action Taken: No Action Taken.
File C:\WINDOWS\system32\jkkjg.dll infected by "Trojan-Downloader.Win32.ConHook.k" Virus! Action Taken: No Action Taken.
File D:\I386\Apps\APP25667\App25667.exe tagged as "not-a-virus:AdWare.WinAD". Action Taken: No Action Taken.
File C:\WINDOWS\java\Packages\keyiis.dll tagged as "not-a-virus:AdWare.Virtumonde.o". Action Taken: No Action Taken.
File C:\WINDOWS\system32\jkkjg.dll infected by "Trojan-Downloader.Win32.ConHook.k" Virus! Action Taken: No Action Taken.
  • 0

#54
fluffhead

fluffhead

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts
:tazz:
  • 0

#55
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Use the SFP program that you downloaded to email those files you found with FINDIT to the email address listed please. Let me know when thats done.

Thanks,

:tazz:

Excal
  • 0

Advertisements


#56
fluffhead

fluffhead

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts
Ok, emailed the files a few minutes ago. :tazz:

what's next?
  • 0

#57
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Let us look at the file and I will get back to you on it :)

OK?

:tazz:

Excal
  • 0

#58
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Please run the instructions for post #46 one more time in regular mode.


thanks,

:tazz:

Excal
  • 0

#59
fluffhead

fluffhead

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts
Here's the new NJT log, vundo txt is below. I'll do an MWav scan tonight. Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 7:53:52 PM, on 9/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HELPAN~1\Pavilion\XPEWWBF4Duet\plugin\bin\PCHButton.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Administrator\My Documents\hjy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cruzio.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: DHTML Support Dll - {DC242F50-B46A-4182-B377-64A795CFED9C} - C:\WINDOWS\system32\dhtmlcore.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\Pavilion\XPEWWBF4Duet\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups...plorer1_8us.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



vundo txt:
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Suspending PID 544 'smss.exe'
Threads [548][552][556]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1568 'explorer.exe'
Killing PID 1568 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 624 'winlogon.exe'
Killing PID 624 'winlogon.exe'
Could not delete file.
Could not delete files.
  • 0

#60
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
For this to even work, You WILL NEED a genuine XP CD. A recovery CD like you get with many OEM machines will not work. If you only have the recovery disk, do you know of anyone who has the "real" XP CD who would let you borrow it?

First you need to create a dummy file.
Open the C:\WINDOWS\java\Packages directory. Right click new>text, name it keyiis.old
Open the cd tray, slip in the XP disk and reboot.
The machine will need to have boot from cd first enabled in the BIOS. Most are already.
Upon boot up, watch the screen for a 'Press any key to boot from cd' and press any key
Setup will transfer files and stop at an options screen. Choose R for recovery console.
You will be prompted for the Administrator password. If none was set, press enter.
You will be offered which installation to start, eg;
1. C:\Windows
Press 1 and enter.
You will arrive at a C:\Windows prompt.
Type cd C:\WINDOWS\java\Packages and hit enter.
Now to remove any attributes from and delete the file, then rename the dummy. Type and hit enter after each line.

attrib -r keyiis.dll
attrib -h keyiis.dll
attrib -s keyiis.dll
del keyiis.dll
rename keyiis.old keyiis.dll
exit

Important Note Make sure to include ALL spaces between words exactly as indicated above.

The machine will restart. Either take the cd out right away or do not touch any keys until you get to the Welcome screen so that it skips the boot from cd option.



after reboot, Delete the dummy file you made earlier, reboot and post a new HiJackThis log.

please run the MWav again and lets see if its gone.


thanks,

:tazz:

Excal
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP