hijack log [RESOLVED]

#1 leepiphany (New Member, 9 posts)
Hi, here is my HijackThis log. If you could provide any guidance on what to remove, I'd appreciate it. Thanks so much!

Logfile of HijackThis v1.99.1
Scan saved at 7:13:12 PM, on 10/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\kibhqrd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jonathan Lee\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ts - {4006DCA3-433D-4FC8-AC36-42DA7797DCB7} - C:\WINDOWS\system32\bho.dll (file missing)
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshipio.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\system32\italzobd.dll (file missing)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\$NtUninstallQ329048_RTM$\dbimg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [zuxzutw] C:\WINDOWS\zuxzutw.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O20 - Winlogon Notify: dbimg - C:\WINDOWS\$NtUninstallQ329048_RTM$\dbimg.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\kibhqrd.exe

#2 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi leepiphany and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. If you haven't logged in, go to Geeks to Go and do so. Then proceed to item a.

If you already have logged in, go directly to item a.
  • Click on My Controls at the top right hand corner of the window.
  • In the left hand column, click "View Topics".
  • If you click on the title of your post, you will be taken there.
2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
Where it says "unsubscribe", click the pull-down menu and select "immediate email notification".

3. Please DELETE your current HJT program from its present location.

4. Download and run the following HijackThis autoinstall program from Here. Please choose the default location of C:\Program Files\ as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!
  • Run HijackThis
  • Click SCAN and SAVE LOG. (A notepad window will open with the log in it when you click Save Log.) (Ctrl-A to 'select all', Ctrl-C to 'copy')
  • POST the log into this thread using 'Add Reply' (Ctrl-V to 'paste')

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER


Regards,

Trevuren


#3 leepiphany (Topic Starter, New Member, 9 posts)
Hi! I followed your instructions; here is the new log... Thanks again!

Logfile of HijackThis v1.99.1
Scan saved at 10:23:09 PM, on 10/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\kibhqrd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\zuxzutw.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\winCMAPP\wincmapp.exe
C:\Program Files\CMSystem\CMSystem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ts - {4006DCA3-433D-4FC8-AC36-42DA7797DCB7} - C:\WINDOWS\system32\bho.dll (file missing)
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshipio.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\system32\italzobd.dll (file missing)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\$NtUninstallQ329048_RTM$\dbimg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [zuxzutw] C:\WINDOWS\zuxzutw.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = Dyna.hq.openharbor.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = Dyna.hq.openharbor.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = Dyna.hq.openharbor.com
O20 - Winlogon Notify: dbimg - C:\WINDOWS\$NtUninstallQ329048_RTM$\dbimg.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\kibhqrd.exe

#4 Trevuren (Old Dog, Retired Staff, 18,699 posts)
I am sorry, your topic appears to have been misplaced during our recent server problems. If you are still in need of our services, please post a fresh HijackThis in this thread and we will get back to you as soon as possible.


Regards,

Trevuren


#5 leepiphany (Topic Starter, New Member, 9 posts)
Hi, thanks for your help. Here is a new HijackThis log. Thanks again!

Logfile of HijackThis v1.99.1
Scan saved at 7:19:15 PM, on 11/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshipio.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\system32\italzobd.dll (file missing)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\$NtUninstallQ329048_RTM$\dbimg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = Dyna.hq.openharbor.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = Dyna.hq.openharbor.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = Dyna.hq.openharbor.com
O20 - Winlogon Notify: dbimg - C:\WINDOWS\$NtUninstallQ329048_RTM$\dbimg.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

#6 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this:

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):


    C:\WINDOWS\$NtUninstallQ329048_RTM$\dbimg.dll

  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):


    C:\WINDOWS\$NtUninstallQ329048_RTM$\gmibd.*


    This will be the Vundo filename spelt backwards. For example, if the Vundo DLL was vundo.dll, you would have the user enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\$NtUninstallQ329048_RTM$\dbimg.dll
    O20 - Winlogon Notify: dbimg - C:\WINDOWS\$NtUninstallQ329048_RTM$\dbimg.dll

  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Regards,

Trevuren

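As an added example (not part of this thread, and not code from HijackThis or VundoFix), the Python script below turns the triage that Trevuren applied to the logs above into a small checker: it flags entries whose target file is missing, binaries placed in a $NtUninstall...$ hotfix folder, every O20 Winlogon Notify entry, O23 services with an unknown owner, autoruns and services dropped directly in the Windows folder, and O17 search-list overrides, and it derives the reversed-name companion pattern (dbimg.dll to gmibd.*) that the VundoFix step asks for. The heuristics are assumptions, and the sample lines are constructed by copying entries from the logs posted in this thread.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ts - {4006DCA3-433D-4FC8-AC36-42DA7797DCB7} - C:\WINDOWS\system32\bho.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\$NtUninstallQ329048_RTM$\dbimg.dll
O4 - HKLM\..\Run: [zuxzutw] C:\WINDOWS\zuxzutw.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = Dyna.hq.openharbor.com
O20 - Winlogon Notify: dbimg - C:\WINDOWS\$NtUninstallQ329048_RTM$\dbimg.dll
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\kibhqrd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# First Windows path on a line, cut at the first executable-looking extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|ocx)\b', re.IGNORECASE)
# A path component such as \$NtUninstallQ329048_RTM$\ (a hotfix uninstall folder).
NTUNINSTALL_RE = re.compile(r"\\\$NtUninstall[^\\]*\$\\", re.IGNORECASE)
WINDOWS_DIR = r"c:\windows"  # assumption: default XP install drive and folder


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O20"
    line: str      # the log line as written
    reasons: list  # why a human should look at this line


def triage_line(line: str) -> list:
    """Return the review reasons for one HijackThis line (empty list = nothing notable)."""
    section = line.split(" - ", 1)[0].strip()
    path_match = PATH_RE.search(line)
    path = path_match.group(0) if path_match else None
    reasons = []
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("registry entry points at a file that no longer exists")
    if path and NTUNINSTALL_RE.search(path):
        reasons.append("binary placed in a hotfix uninstall folder ($NtUninstall...$)")
    if section == "O20":
        reasons.append("Winlogon Notify DLL is loaded by winlogon.exe; review every entry")
    if section == "O23" and "Unknown owner" in line:
        reasons.append("service has no publisher information")
    if section in ("O4", "O23") and path and ntpath.dirname(path).lower() == WINDOWS_DIR:
        reasons.append("target sits directly in the Windows folder, not in a subfolder")
    if section == "O17":
        reasons.append("DNS search list override; confirm the domain is expected on this machine")
    return reasons


def triage_log(text: str) -> list:
    """Run triage_line over a whole log and keep only the lines worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings.append(Finding(line.split(" - ", 1)[0].strip(), line, reasons))
    return findings


def vundo_companion_pattern(dll_path: str) -> str:
    """Pattern for the reversed-name companion file VundoFix asks for: dbimg.dll -> gmibd.*"""
    folder, name = ntpath.split(dll_path)
    stem = ntpath.splitext(name)[0]
    return ntpath.join(folder, stem[::-1] + ".*")


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
    print(vundo_companion_pattern(r"C:\WINDOWS\$NtUninstallQ329048_RTM$\dbimg.dll"))
```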


#7 leepiphany (Topic Starter, New Member, 9 posts)
Hi, thanks for the instructions. I completed them and posted the requested info below.

Active Scan results:

Incident Status Location

Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\system32\pkshipio.dll
Adware:adware/bigtrafficnet No disinfected C:\Documents and Settings\Jonathan Lee\Favorites\1111\1111.url
Spyware:spyware/safesurf No disinfected C:\WINDOWS\SYSTEM32\pkshipio.dll
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/pacimedia No disinfected C:\Documents and Settings\Jonathan Lee\Favorites\1111
Spyware:spyware/betterinet No disinfected Windows Registry
Adware:Adware/BigTrafficNet No disinfected C:\WINDOWS\system32\nsr45.dll
Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\system32\pkshipio.dll
Adware:Adware/BigTrafficNet No disinfected C:\WINDOWS\system32\nsy9.dll
Adware:Adware/ConsumerAlertSystemNo disinfected C:\WINDOWS\pf78.exe
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP631\A0025100.dll
Adware:Adware/ConsumerAlertSystemNo disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP631\A0026153.dll
Adware:Adware/Cmap No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP631\A0026156.exe
Adware:Adware/PopupSearches No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP601\A0024098.dll
Adware:Adware/HideOne No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP602\snapshot\MFEX-1.DAT
Adware:Adware/HideOne No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP604\A0024148.DLL
Adware:Adware/ConsumerAlertSystemNo disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP606\A0024182.dll
Adware:Adware/EnhSrch No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP588\A0023778.dll
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP608\A0024362.dll
Spyware:Spyware/SafeSurf No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP608\A0024422.exe
Spyware:Spyware/SafeSurf No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP608\A0024424.dll
Spyware:Spyware/SafeSurf No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP608\A0024425.dll
Spyware:Spyware/SafeSurf No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP608\A0024426.exe
Adware:Adware/BigTrafficNet No disinfected C:\1.exe

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:00:25 PM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\CleanUp!\cleanup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshipio.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\system32\italzobd.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = Dyna.hq.openharbor.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = Dyna.hq.openharbor.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = Dyna.hq.openharbor.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Vundo log:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

ReadMe.txt
killvundo.bat
process.exe
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\Windows\$NtUninstallQ329048_RTM$\dbimg.dll

The second filepath entered was C:\Windows\$NtUninstallQ329048_RTM$\gmibd.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 144 'smss.exe'

Killing PID 756 'explorer.exe'


Killing PID 220 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\Windows\$NtUninstallQ329048_RTM$\dbimg.dll Deleted sucessfully.
C:\Windows\$NtUninstallQ329048_RTM$\gmibd.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

#8 Trevuren (Old Dog, Retired Staff, 18,699 posts)
A. Please RUN HijackThis.
  • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshipio.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\system32\italzobd.dll (file missing)


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


B. Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select
    • "Delete on Reboot".
    • "End Explorer Shell While Killing File"
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

    C:\WINDOWS\system32\pkshipio.dll
    C:\Documents and Settings\Jonathan Lee\Favorites\1111
    C:\WINDOWS\smdat32m.sys
    C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
    C:\WINDOWS\system32\nsr45.dll
    C:\WINDOWS\system32\nsy9.dll
    C:\WINDOWS\pf78.exe




  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.


C. Finally, run HijackThis again, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren


#9 leepiphany (Topic Starter, New Member, 9 posts)
Hi, here is the latest log file. Thanks again!

Logfile of HijackThis v1.99.1
Scan saved at 10:02:00 PM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = Dyna.hq.openharbor.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = Dyna.hq.openharbor.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = Dyna.hq.openharbor.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

#10 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures.

Trevuren

#11 leepiphany (Topic Starter, New Member, 9 posts)
Hi, thanks for all your help. I did an ActiveScan again just to see what would show up, and it looks like I still have some infections. I'm not sure if they're critical or not, but I'll let you be the judge. If they are harmless, then I think we can start the cleanup process. Thanks again!


Incident Status Location

Adware:adware/bigtrafficnet No disinfected C:\Documents and Settings\Jonathan Lee\Favorites\1111\1111.url
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/pacimedia No disinfected C:\Documents and Settings\Jonathan Lee\Favorites\1111
Spyware:spyware/betterinet No disinfected Windows Registry
Adware:Adware/BigTrafficNet No disinfected C:\WINDOWS\system32\nsr45.dll
Adware:Adware/BigTrafficNet No disinfected C:\WINDOWS\system32\nsy9.dll
Adware:Adware/ConsumerAlertSystemNo disinfected C:\WINDOWS\pf78.exe
Spyware:Spyware/SafeSurf No disinfected C:\Program Files\Hijackthis\backups\backup-20051113-214847-637.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP631\A0025100.dll
Adware:Adware/ConsumerAlertSystemNo disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP631\A0026153.dll
Adware:Adware/Cmap No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP631\A0026156.exe
Spyware:Spyware/SafeSurf No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP631\A0026168.dll
Adware:Adware/PopupSearches No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP601\A0024098.dll
Adware:Adware/HideOne No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP602\snapshot\MFEX-1.DAT
Adware:Adware/HideOne No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP604\A0024148.DLL
Adware:Adware/ConsumerAlertSystemNo disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP606\A0024182.dll
Adware:Adware/EnhSrch No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP588\A0023778.dll
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP608\A0024362.dll
Spyware:Spyware/SafeSurf No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP608\A0024422.exe
Spyware:Spyware/SafeSurf No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP608\A0024424.dll
Spyware:Spyware/SafeSurf No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP608\A0024425.dll
Spyware:Spyware/SafeSurf No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP608\A0024426.exe
Adware:Adware/BigTrafficNet No disinfected C:\1.exe

#12 Trevuren (Old Dog, Retired Staff, 18,699 posts)
1. Please make sure that all hidden files are showing.

2. Reboot into Safe Mode.

3. Using Windows Explorer, please DELETE the following files/folders:

C:\Documents and Settings\Jonathan Lee\Favorites\1111<===Folder
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
C:\WINDOWS\system32\nsr45.dll
C:\WINDOWS\system32\nsy9.dll
C:\WINDOWS\pf78.exe

4. Reboot your system and advise if the files were deleted.

Regards,

Trevuren


#13 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Would you please open Killbox, click on the About tab and give me the version number of the Killbox you were using?


Thanks,


Trevuren


#14 leepiphany (Topic Starter, New Member, 9 posts)
Hi, the Killbox version I have doesn't have a version number; it says "Pocket Killbox version by Option Explicit Software Solutions". I thought I downloaded the version that was linked in your reply, but maybe I have the wrong version. At any rate, I tried deleting the files you suggested, and reran the ActiveScan. Thanks for your help!


Incident Status Location

Spyware:spyware/betterinet No disinfected Windows Registry
Spyware:Spyware/SafeSurf No disinfected C:\Program Files\Hijackthis\backups\backup-20051113-214847-637.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP631\A0025100.dll
Adware:Adware/ConsumerAlertSystemNo disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP631\A0026153.dll
Adware:Adware/Cmap No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP631\A0026156.exe
Spyware:Spyware/SafeSurf No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP631\A0026168.dll
Adware:Adware/ConsumerAlertSystemNo disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP631\A0026191.exe
Adware:Adware/BigTrafficNet No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP631\A0026192.dll
Adware:Adware/BigTrafficNet No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP631\A0026193.dll
Adware:Adware/PopupSearches No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP601\A0024098.dll
Adware:Adware/HideOne No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP602\snapshot\MFEX-1.DAT
Adware:Adware/HideOne No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP604\A0024148.DLL
Adware:Adware/ConsumerAlertSystemNo disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP606\A0024182.dll
Adware:Adware/EnhSrch No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP588\A0023778.dll
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP608\A0024362.dll
Spyware:Spyware/SafeSurf No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP608\A0024422.exe
Spyware:Spyware/SafeSurf No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP608\A0024424.dll
Spyware:Spyware/SafeSurf No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP608\A0024425.dll
Spyware:Spyware/SafeSurf No disinfected C:\System Volume Information\_restore{E7FE717A-5711-4117-BEE9-1B81CD5C0960}\RP608\A0024426.exe
Adware:Adware/BigTrafficNet No disinfected C:\1.exe

#15 Trevuren (Old Dog, Retired Staff, 18,699 posts)
1. Reboot into Safe Mode again

2. Please delete the following file: C:\1.exe

3. Reboot into Normal Mode

4. Please run HJT again and post the fresh log.


Regards,


Trevuren
