Winfixer popup [RESOLVED]


  • This topic is locked

#31
shinebindi

  • Topic Starter
  • Member
  • 51 posts
How do I get WINLOGON to stop using the jkhfe.dll file?
I tried to delete the file manually, but it said that I can't because the file is in use.

Any ideas?

#32
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again

Well, if the HJT log was created after the Symantec VundoRemovalTool was used and claimed it did everything and after a REBOOT, then it was useless.

Often HJT logs we see posted are not created after a reboot and therefore do not show a true position. So that is my first observation, with the question, did you reboot before rescanning with HJT?

Now another member of staff (a person with considerable knowledge) has made the comment that the Vundo infection is in the family account and that you no longer use that one. I too think this is why you are having so many problems.

What I want to know is what accounts do you have on the PC (name them) and tell me the rights also.

Finally, there is another suggestion for a fix:

Download VirtumundoBeGone and save it to your desktop.

http://secured2k.hom...mundoBeGone.exe

Reboot your computer into Safe Mode.

Then double-click the VirtumundoBeGone.exe you just downloaded and follow the instructions.

Exit when it has finished.

Please post the log it creates into your next reply.

#33
shinebindi

  • Topic Starter
  • Member
  • 51 posts
[11/19/2005, 14:48:29] - Starting Process...
[11/19/2005, 14:48:29] - Looking for Browser Helper Object [MSEvents Object]
[11/19/2005, 14:48:29] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[11/19/2005, 14:48:29] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[11/19/2005, 14:48:29] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\system32\ddayy.dll)
[11/19/2005, 14:48:29] - Found a reference to C:\WINDOWS\system32\ddayy.dll in Winlogon Notify! This is most likely Virtumundo!
[11/19/2005, 14:48:29] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[11/19/2005, 14:48:30] - BHO list has been changed! Starting over...
[11/19/2005, 14:48:30] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - MSEvents Object
[11/19/2005, 14:48:30] - Found MSEvents Object!
[11/19/2005, 14:48:30] - File location: C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:48:30] - Attempting to kill C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:48:30] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:48:30] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:48:30] - Disabling Automatic Shell Restart
[11/19/2005, 14:48:30] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:48:31] - Suspending the NT Session Manager System Service
[11/19/2005, 14:48:31] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:48:31] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:48:31] - Renaming C:\WINDOWS\system32\ddayy.dll -> C:\WINDOWS\system32\ddayy.dll.vir
[11/19/2005, 14:48:31] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:48:31] - Removing Registry references to {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:48:31] - Adding Internet Explorer Protection (Kill ActiveX) for {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:48:31] - Removing Winlogon Notify Entry: ddayy
[11/19/2005, 14:48:31] - BHO list has been changed! Starting over...
[11/19/2005, 14:48:31] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/19/2005, 14:48:31] - 2: {53707962-6F74-2D53-2644-206D7942484F} -
[11/19/2005, 14:48:31] - WARNING: 2: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/19/2005, 14:48:31] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/19/2005, 14:48:31] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/19/2005, 14:48:31] - 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/19/2005, 14:48:31] - 4: {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - MSEvents Object
[11/19/2005, 14:48:31] - Found MSEvents Object!
[11/19/2005, 14:48:31] - File location: C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:48:31] - Attempting to kill C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:48:31] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:48:31] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:48:32] - Disabling Automatic Shell Restart
[11/19/2005, 14:48:32] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:48:32] - Suspending the NT Session Manager System Service
[11/19/2005, 14:48:32] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:48:33] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:48:33] - Renaming C:\WINDOWS\system32\jkhfe.dll -> C:\WINDOWS\system32\jkhfe.dll.vir
[11/19/2005, 14:48:33] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:48:33] - Removing Registry references to {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:48:34] - Adding Internet Explorer Protection (Kill ActiveX) for {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:48:34] - Removing Winlogon Notify Entry: jkhfe
[11/19/2005, 14:48:34] - BHO list has been changed! Starting over...
[11/19/2005, 14:48:34] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[11/19/2005, 14:48:34] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[11/19/2005, 14:48:34] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\system32\ddayy.dll)
[11/19/2005, 14:48:35] - Found a reference to C:\WINDOWS\system32\ddayy.dll in Winlogon Notify! This is most likely Virtumundo!
[11/19/2005, 14:48:36] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[11/19/2005, 14:48:36] - BHO list has been changed! Starting over...
[11/19/2005, 14:48:36] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - MSEvents Object
[11/19/2005, 14:48:36] - Found MSEvents Object!
[11/19/2005, 14:48:36] - File location: C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:48:36] - Attempting to kill C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:48:36] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:48:36] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:48:36] - Disabling Automatic Shell Restart
[11/19/2005, 14:48:36] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:48:36] - Suspending the NT Session Manager System Service
[11/19/2005, 14:48:37] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:48:37] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:48:37] - Renaming C:\WINDOWS\system32\ddayy.dll -> C:\WINDOWS\system32\ddayy.dll.vir
[11/19/2005, 14:48:37] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:48:37] - Removing Registry references to {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:48:37] - Adding Internet Explorer Protection (Kill ActiveX) for {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:48:37] - Removing Winlogon Notify Entry: ddayy
[11/19/2005, 14:48:37] - BHO list has been changed! Starting over...
[11/19/2005, 14:48:37] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/19/2005, 14:48:37] - 2: {53707962-6F74-2D53-2644-206D7942484F} -
[11/19/2005, 14:48:37] - WARNING: 2: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/19/2005, 14:48:37] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/19/2005, 14:48:37] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/19/2005, 14:48:37] - 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/19/2005, 14:48:37] - 4: {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - MSEvents Object
[11/19/2005, 14:48:37] - Found MSEvents Object!
[11/19/2005, 14:48:37] - File location: C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:48:37] - Attempting to kill C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:48:37] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:48:37] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:48:37] - Disabling Automatic Shell Restart
[11/19/2005, 14:48:38] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:48:38] - Suspending the NT Session Manager System Service
[11/19/2005, 14:48:38] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:48:38] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:48:38] - Renaming C:\WINDOWS\system32\jkhfe.dll -> C:\WINDOWS\system32\jkhfe.dll.vir
[11/19/2005, 14:48:38] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:48:38] - Removing Registry references to {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:48:39] - Adding Internet Explorer Protection (Kill ActiveX) for {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:48:39] - Removing Winlogon Notify Entry: jkhfe
[11/19/2005, 14:48:40] - BHO list has been changed! Starting over...
[11/19/2005, 14:48:41] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[11/19/2005, 14:48:42] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[11/19/2005, 14:48:43] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\system32\ddayy.dll)
[11/19/2005, 14:48:43] - Found a reference to C:\WINDOWS\system32\ddayy.dll in Winlogon Notify! This is most likely Virtumundo!
[11/19/2005, 14:48:43] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[11/19/2005, 14:48:44] - BHO list has been changed! Starting over...
[11/19/2005, 14:48:44] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - MSEvents Object
[11/19/2005, 14:48:44] - Found MSEvents Object!
[11/19/2005, 14:48:44] - File location: C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:48:44] - Attempting to kill C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:48:44] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:48:44] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:48:44] - Disabling Automatic Shell Restart
[11/19/2005, 14:48:44] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:48:44] - Suspending the NT Session Manager System Service
[11/19/2005, 14:48:44] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:48:45] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:48:45] - Renaming C:\WINDOWS\system32\ddayy.dll -> C:\WINDOWS\system32\ddayy.dll.vir
[11/19/2005, 14:48:45] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:48:45] - Removing Registry references to {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:48:45] - Adding Internet Explorer Protection (Kill ActiveX) for {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:48:45] - Removing Winlogon Notify Entry: ddayy
[11/19/2005, 14:48:45] - BHO list has been changed! Starting over...
[11/19/2005, 14:48:45] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/19/2005, 14:48:45] - 2: {53707962-6F74-2D53-2644-206D7942484F} -
[11/19/2005, 14:48:45] - WARNING: 2: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/19/2005, 14:48:45] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/19/2005, 14:48:45] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/19/2005, 14:48:45] - 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/19/2005, 14:48:45] - 4: {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - MSEvents Object
[11/19/2005, 14:48:45] - Found MSEvents Object!
[11/19/2005, 14:48:45] - File location: C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:48:45] - Attempting to kill C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:48:45] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:48:46] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:48:48] - Disabling Automatic Shell Restart
[11/19/2005, 14:48:48] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:48:48] - Suspending the NT Session Manager System Service
[11/19/2005, 14:48:48] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:48:48] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:48:48] - Renaming C:\WINDOWS\system32\jkhfe.dll -> C:\WINDOWS\system32\jkhfe.dll.vir
[11/19/2005, 14:48:48] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:48:48] - Removing Registry references to {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:48:51] - Adding Internet Explorer Protection (Kill ActiveX) for {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:48:51] - Removing Winlogon Notify Entry: jkhfe
[11/19/2005, 14:48:51] - BHO list has been changed! Starting over...
[11/19/2005, 14:48:51] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[11/19/2005, 14:48:51] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[11/19/2005, 14:48:51] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\system32\ddayy.dll)
[11/19/2005, 14:48:51] - Found a reference to C:\WINDOWS\system32\ddayy.dll in Winlogon Notify! This is most likely Virtumundo!
[11/19/2005, 14:48:51] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[11/19/2005, 14:48:54] - BHO list has been changed! Starting over...
[11/19/2005, 14:48:54] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - MSEvents Object
[11/19/2005, 14:48:54] - Found MSEvents Object!
[11/19/2005, 14:48:54] - File location: C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:48:54] - Attempting to kill C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:48:54] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:48:54] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:48:55] - Disabling Automatic Shell Restart
[11/19/2005, 14:48:55] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:48:55] - Suspending the NT Session Manager System Service
[11/19/2005, 14:48:55] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:48:55] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:48:55] - Renaming C:\WINDOWS\system32\ddayy.dll -> C:\WINDOWS\system32\ddayy.dll.vir
[11/19/2005, 14:48:56] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:48:56] - Removing Registry references to {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:48:56] - Adding Internet Explorer Protection (Kill ActiveX) for {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:48:56] - Removing Winlogon Notify Entry: ddayy
[11/19/2005, 14:48:56] - BHO list has been changed! Starting over...
[11/19/2005, 14:48:56] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/19/2005, 14:48:56] - 2: {53707962-6F74-2D53-2644-206D7942484F} -
[11/19/2005, 14:48:56] - WARNING: 2: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/19/2005, 14:48:56] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/19/2005, 14:48:56] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/19/2005, 14:48:56] - 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/19/2005, 14:48:56] - 4: {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - MSEvents Object
[11/19/2005, 14:48:56] - Found MSEvents Object!
[11/19/2005, 14:48:56] - File location: C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:48:56] - Attempting to kill C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:48:56] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:48:56] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:48:56] - Disabling Automatic Shell Restart
[11/19/2005, 14:48:57] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:48:57] - Suspending the NT Session Manager System Service
[11/19/2005, 14:48:57] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:48:57] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:48:58] - Renaming C:\WINDOWS\system32\jkhfe.dll -> C:\WINDOWS\system32\jkhfe.dll.vir
[11/19/2005, 14:48:58] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:48:58] - Removing Registry references to {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:48:59] - Adding Internet Explorer Protection (Kill ActiveX) for {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:48:59] - Removing Winlogon Notify Entry: jkhfe
[11/19/2005, 14:49:00] - BHO list has been changed! Starting over...
[11/19/2005, 14:49:00] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[11/19/2005, 14:49:00] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[11/19/2005, 14:49:00] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\system32\ddayy.dll)
[11/19/2005, 14:49:00] - Found a reference to C:\WINDOWS\system32\ddayy.dll in Winlogon Notify! This is most likely Virtumundo!
[11/19/2005, 14:49:00] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[11/19/2005, 14:49:01] - BHO list has been changed! Starting over...
[11/19/2005, 14:49:01] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - MSEvents Object
[11/19/2005, 14:49:01] - Found MSEvents Object!
[11/19/2005, 14:49:01] - File location: C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:49:01] - Attempting to kill C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:49:01] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:49:01] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:49:01] - Disabling Automatic Shell Restart
[11/19/2005, 14:49:01] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:49:01] - Suspending the NT Session Manager System Service
[11/19/2005, 14:49:01] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:49:01] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:49:02] - Renaming C:\WINDOWS\system32\ddayy.dll -> C:\WINDOWS\system32\ddayy.dll.vir
[11/19/2005, 14:49:02] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:49:02] - Removing Registry references to {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:49:02] - Adding Internet Explorer Protection (Kill ActiveX) for {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:49:02] - Removing Winlogon Notify Entry: ddayy
[11/19/2005, 14:49:02] - BHO list has been changed! Starting over...
[11/19/2005, 14:49:02] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/19/2005, 14:49:02] - 2: {53707962-6F74-2D53-2644-206D7942484F} -
[11/19/2005, 14:49:02] - WARNING: 2: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/19/2005, 14:49:02] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/19/2005, 14:49:02] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/19/2005, 14:49:02] - 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/19/2005, 14:49:02] - 4: {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - MSEvents Object
[11/19/2005, 14:49:02] - Found MSEvents Object!
[11/19/2005, 14:49:02] - File location: C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:49:02] - Attempting to kill C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:49:02] - Terminating Process: RUNDLL32.EXE

[11/19/2005, 14:49:21] - Starting Process...
[11/19/2005, 14:49:21] - Looking for Browser Helper Object [MSEvents Object]
[11/19/2005, 14:49:21] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[11/19/2005, 14:49:21] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[11/19/2005, 14:49:21] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\system32\ddayy.dll)
[11/19/2005, 14:49:21] - Found a reference to C:\WINDOWS\system32\ddayy.dll in Winlogon Notify! This is most likely Virtumundo!
[11/19/2005, 14:49:21] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[11/19/2005, 14:49:21] - BHO list has been changed! Starting over...
[11/19/2005, 14:49:21] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - MSEvents Object
[11/19/2005, 14:49:21] - Found MSEvents Object!
[11/19/2005, 14:49:21] - File location: C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:49:21] - Attempting to kill C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:49:21] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:49:21] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:49:21] - Disabling Automatic Shell Restart
[11/19/2005, 14:49:22] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:49:22] - Suspending the NT Session Manager System Service
[11/19/2005, 14:49:22] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:49:22] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:49:22] - Renaming C:\WINDOWS\system32\ddayy.dll -> C:\WINDOWS\system32\ddayy.dll.vir
[11/19/2005, 14:49:22] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:49:22] - Removing Registry references to {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:49:23] - Adding Internet Explorer Protection (Kill ActiveX) for {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:49:23] - Removing Winlogon Notify Entry: ddayy
[11/19/2005, 14:49:23] - BHO list has been changed! Starting over...
[11/19/2005, 14:49:23] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[11/19/2005, 14:49:23] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[11/19/2005, 14:49:23] - Checking for WinLogon Notify reference. (File: )
[11/19/2005, 14:49:23] - Couldn't find in Winlogon Notify. Ignoring {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}.
[11/19/2005, 14:49:23] - 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/19/2005, 14:49:23] - 3: {53707962-6F74-2D53-2644-206D7942484F} -
[11/19/2005, 14:49:23] - WARNING: 3: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/19/2005, 14:49:23] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/19/2005, 14:49:23] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/19/2005, 14:49:23] - 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/19/2005, 14:49:23] - 5: {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - MSEvents Object
[11/19/2005, 14:49:23] - Found MSEvents Object!
[11/19/2005, 14:49:23] - File location: C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:49:23] - Attempting to kill C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:49:23] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:49:25] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:49:25] - Disabling Automatic Shell Restart
[11/19/2005, 14:49:26] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:49:26] - Suspending the NT Session Manager System Service
[11/19/2005, 14:49:26] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:49:26] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:49:27] - Renaming C:\WINDOWS\system32\jkhfe.dll -> C:\WINDOWS\system32\jkhfe.dll.vir
[11/19/2005, 14:49:27] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:49:27] - Removing Registry references to {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:49:28] - Adding Internet Explorer Protection (Kill ActiveX) for {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:49:28] - Removing Winlogon Notify Entry: jkhfe
[11/19/2005, 14:49:29] - BHO list has been changed! Starting over...
[11/19/2005, 14:49:29] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[11/19/2005, 14:49:29] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[11/19/2005, 14:49:29] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\system32\ddayy.dll)
[11/19/2005, 14:49:29] - Found a reference to C:\WINDOWS\system32\ddayy.dll in Winlogon Notify! This is most likely Virtumundo!
[11/19/2005, 14:49:30] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[11/19/2005, 14:49:32] - BHO list has been changed! Starting over...
[11/19/2005, 14:49:32] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - MSEvents Object
[11/19/2005, 14:49:32] - Found MSEvents Object!
[11/19/2005, 14:49:32] - File location: C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:49:32] - Attempting to kill C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:49:32] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:49:32] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:49:32] - Disabling Automatic Shell Restart
[11/19/2005, 14:49:33] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:49:33] - Suspending the NT Session Manager System Service
[11/19/2005, 14:49:33] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:49:33] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:49:33] - Renaming C:\WINDOWS\system32\ddayy.dll -> C:\WINDOWS\system32\ddayy.dll.vir
[11/19/2005, 14:49:33] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:49:33] - Removing Registry references to {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:49:33] - Adding Internet Explorer Protection (Kill ActiveX) for {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:49:33] - Removing Winlogon Notify Entry: ddayy
[11/19/2005, 14:49:33] - BHO list has been changed! Starting over...
[11/19/2005, 14:49:33] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/19/2005, 14:49:33] - 2: {53707962-6F74-2D53-2644-206D7942484F} -
[11/19/2005, 14:49:33] - WARNING: 2: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/19/2005, 14:49:33] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/19/2005, 14:49:33] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/19/2005, 14:49:33] - 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/19/2005, 14:49:33] - 4: {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - MSEvents Object
[11/19/2005, 14:49:33] - Found MSEvents Object!
[11/19/2005, 14:49:33] - File location: C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:49:33] - Attempting to kill C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:49:33] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:49:33] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:49:33] - Disabling Automatic Shell Restart
[11/19/2005, 14:49:34] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:49:35] - Suspending the NT Session Manager System Service
[11/19/2005, 14:49:35] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:49:35] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:49:35] - Renaming C:\WINDOWS\system32\jkhfe.dll -> C:\WINDOWS\system32\jkhfe.dll.vir
[11/19/2005, 14:49:35] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:49:35] - Removing Registry references to {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:49:35] - Adding Internet Explorer Protection (Kill ActiveX) for {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:49:35] - Removing Winlogon Notify Entry: jkhfe
[11/19/2005, 14:49:37] - BHO list has been changed! Starting over...
[11/19/2005, 14:49:37] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[11/19/2005, 14:49:37] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[11/19/2005, 14:49:37] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\system32\ddayy.dll)
[11/19/2005, 14:49:37] - Found a reference to C:\WINDOWS\system32\ddayy.dll in Winlogon Notify! This is most likely Virtumundo!
[11/19/2005, 14:49:37] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[11/19/2005, 14:49:38] - BHO list has been changed! Starting over...
[11/19/2005, 14:49:39] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - MSEvents Object
[11/19/2005, 14:49:39] - Found MSEvents Object!
[11/19/2005, 14:49:39] - File location: C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:49:39] - Attempting to kill C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:49:39] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:49:39] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:49:39] - Disabling Automatic Shell Restart
[11/19/2005, 14:49:39] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:49:39] - Suspending the NT Session Manager System Service
[11/19/2005, 14:49:39] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:49:39] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:49:40] - Renaming C:\WINDOWS\system32\ddayy.dll -> C:\WINDOWS\system32\ddayy.dll.vir
[11/19/2005, 14:49:40] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:49:40] - Removing Registry references to {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:49:41] - Adding Internet Explorer Protection (Kill ActiveX) for {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:49:41] - Removing Winlogon Notify Entry: ddayy
[11/19/2005, 14:49:41] - BHO list has been changed! Starting over...
[11/19/2005, 14:49:41] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/19/2005, 14:49:41] - 2: {53707962-6F74-2D53-2644-206D7942484F} -
[11/19/2005, 14:49:41] - WARNING: 2: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/19/2005, 14:49:41] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/19/2005, 14:49:41] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/19/2005, 14:49:41] - 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/19/2005, 14:49:41] - 4: {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - MSEvents Object
[11/19/2005, 14:49:41] - Found MSEvents Object!
[11/19/2005, 14:49:41] - File location: C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:49:41] - Attempting to kill C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:49:41] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:49:41] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:49:41] - Disabling Automatic Shell Restart
[11/19/2005, 14:49:43] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:49:43] - Suspending the NT Session Manager System Service
[11/19/2005, 14:49:43] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:49:43] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:49:43] - Renaming C:\WINDOWS\system32\jkhfe.dll -> C:\WINDOWS\system32\jkhfe.dll.vir
[11/19/2005, 14:49:44] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:49:44] - Removing Registry references to {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:49:45] - Adding Internet Explorer Protection (Kill ActiveX) for {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:49:45] - Removing Winlogon Notify Entry: jkhfe
[11/19/2005, 14:49:45] - BHO list has been changed! Starting over...
[11/19/2005, 14:49:45] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[11/19/2005, 14:49:45] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[11/19/2005, 14:49:45] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\system32\ddayy.dll)
[11/19/2005, 14:49:45] - Found a reference to C:\WINDOWS\system32\ddayy.dll in Winlogon Notify! This is most likely Virtumundo!
[11/19/2005, 14:49:46] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[11/19/2005, 14:49:47] - BHO list has been changed! Starting over...
[11/19/2005, 14:49:47] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - MSEvents Object
[11/19/2005, 14:49:47] - Found MSEvents Object!
[11/19/2005, 14:49:47] - File location: C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:49:47] - Attempting to kill C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:49:47] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:49:47] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:49:47] - Disabling Automatic Shell Restart
[11/19/2005, 14:49:47] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:49:48] - Suspending the NT Session Manager System Service
[11/19/2005, 14:49:48] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:49:48] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:49:48] - Renaming C:\WINDOWS\system32\ddayy.dll -> C:\WINDOWS\system32\ddayy.dll.vir
[11/19/2005, 14:49:48] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:49:48] - Removing Registry references to {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:49:48] - Adding Internet Explorer Protection (Kill ActiveX) for {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:49:48] - Removing Winlogon Notify Entry: ddayy
[11/19/2005, 14:49:48] - BHO list has been changed! Starting over...
[11/19/2005, 14:49:48] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/19/2005, 14:49:48] - 2: {53707962-6F74-2D53-2644-206D7942484F} -
[11/19/2005, 14:49:48] - WARNING: 2: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/19/2005, 14:49:48] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/19/2005, 14:49:48] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/19/2005, 14:49:48] - 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/19/2005, 14:49:48] - 4: {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - MSEvents Object
[11/19/2005, 14:49:48] - Found MSEvents Object!
[11/19/2005, 14:49:49] - File location: C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:49:50] - Attempting to kill C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:49:50] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:49:51] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:49:51] - Disabling Automatic Shell Restart
[11/19/2005, 14:49:51] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:49:51] - Suspending the NT Session Manager System Service
[11/19/2005, 14:49:51] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:49:51] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:49:52] - Renaming C:\WINDOWS\system32\jkhfe.dll -> C:\WINDOWS\system32\jkhfe.dll.vir
[11/19/2005, 14:49:52] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:49:52] - Removing Registry references to {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:49:52] - Adding Internet Explorer Protection (Kill ActiveX) for {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:49:52] - Removing Winlogon Notify Entry: jkhfe
[11/19/2005, 14:49:52] - BHO list has been changed! Starting over...
[11/19/2005, 14:49:52] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[11/19/2005, 14:49:52] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[11/19/2005, 14:49:52] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\system32\ddayy.dll)
[11/19/2005, 14:49:52] - Found a reference to C:\WINDOWS\system32\ddayy.dll in Winlogon Notify! This is most likely Virtumundo!
[11/19/2005, 14:49:52] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[11/19/2005, 14:49:53] - BHO list has been changed! Starting over...
[11/19/2005, 14:49:53] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - MSEvents Object
[11/19/2005, 14:49:53] - Found MSEvents Object!
[11/19/2005, 14:49:53] - File location: C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:49:53] - Attempting to kill C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:49:53] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:49:53] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:49:53] - Disabling Automatic Shell Restart
[11/19/2005, 14:49:54] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:49:55] - Suspending the NT Session Manager System Service
[11/19/2005, 14:49:55] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:49:55] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:49:55] - Renaming C:\WINDOWS\system32\ddayy.dll -> C:\WINDOWS\system32\ddayy.dll.vir
[11/19/2005, 14:49:55] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:49:55] - Removing Registry references to {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:49:55] - Adding Internet Explorer Protection (Kill ActiveX) for {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:49:55] - Removing Winlogon Notify Entry: ddayy
[11/19/2005, 14:49:55] - BHO list has been changed! Starting over...
[11/19/2005, 14:49:55] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/19/2005, 14:49:55] - 2: {53707962-6F74-2D53-2644-206D7942484F} -
[11/19/2005, 14:49:55] - WARNING: 2: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/19/2005, 14:49:55] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/19/2005, 14:49:55] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/19/2005, 14:49:55] - 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/19/2005, 14:49:55] - 4: {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - MSEvents Object
[11/19/2005, 14:49:55] - Found MSEvents Object!
[11/19/2005, 14:49:55] - File location: C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:49:55] - Attempting to kill C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:49:55] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:49:55] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:49:56] - Disabling Automatic Shell Restart
[11/19/2005, 14:49:57] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:49:57] - Suspending the NT Session Manager System Service
[11/19/2005, 14:49:57] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:49:57] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:49:58] - Renaming C:\WINDOWS\system32\jkhfe.dll -> C:\WINDOWS\system32\jkhfe.dll.vir
[11/19/2005, 14:49:58] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:49:58] - Removing Registry references to {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:49:58] - Adding Internet Explorer Protection (Kill ActiveX) for {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:49:58] - Removing Winlogon Notify Entry: jkhfe
[11/19/2005, 14:49:58] - BHO list has been changed! Starting over...
[11/19/2005, 14:49:58] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[11/19/2005, 14:49:58] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[11/19/2005, 14:49:58] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\system32\ddayy.dll)
[11/19/2005, 14:49:58] - Found a reference to C:\WINDOWS\system32\ddayy.dll in Winlogon Notify! This is most likely Virtumundo!
[11/19/2005, 14:49:58] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[11/19/2005, 14:49:59] - BHO list has been changed! Starting over...
[11/19/2005, 14:49:59] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - MSEvents Object
[11/19/2005, 14:49:59] - Found MSEvents Object!
[11/19/2005, 14:49:59] - File location: C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:49:59] - Attempting to kill C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:49:59] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:49:59] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:49:59] - Disabling Automatic Shell Restart
[11/19/2005, 14:50:00] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:50:01] - Suspending the NT Session Manager System Service
[11/19/2005, 14:50:01] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:50:01] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:50:01] - Renaming C:\WINDOWS\system32\ddayy.dll -> C:\WINDOWS\system32\ddayy.dll.vir
[11/19/2005, 14:50:01] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:50:01] - Removing Registry references to {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:50:01] - Adding Internet Explorer Protection (Kill ActiveX) for {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:50:01] - Removing Winlogon Notify Entry: ddayy
[11/19/2005, 14:50:01] - BHO list has been changed! Starting over...
[11/19/2005, 14:50:01] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/19/2005, 14:50:01] - 2: {53707962-6F74-2D53-2644-206D7942484F} -
[11/19/2005, 14:50:01] - WARNING: 2: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/19/2005, 14:50:01] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/19/2005, 14:50:01] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/19/2005, 14:50:01] - 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/19/2005, 14:50:01] - 4: {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - MSEvents Object
[11/19/2005, 14:50:01] - Found MSEvents Object!
[11/19/2005, 14:50:01] - File location: C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:50:01] - Attempting to kill C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:50:01] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:50:01] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:50:01] - Disabling Automatic Shell Restart
[11/19/2005, 14:50:02] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:50:03] - Suspending the NT Session Manager System Service
[11/19/2005, 14:50:03] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:50:03] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:50:03] - Renaming C:\WINDOWS\system32\jkhfe.dll -> C:\WINDOWS\system32\jkhfe.dll.vir
[11/19/2005, 14:50:03] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:50:03] - Removing Registry references to {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:50:03] - Adding Internet Explorer Protection (Kill ActiveX) for {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:50:03] - Removing Winlogon Notify Entry: jkhfe
[11/19/2005, 14:50:03] - BHO list has been changed! Starting over...
[11/19/2005, 14:50:03] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[11/19/2005, 14:50:03] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[11/19/2005, 14:50:03] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\system32\ddayy.dll)
[11/19/2005, 14:50:03] - Found a reference to C:\WINDOWS\system32\ddayy.dll in Winlogon Notify! This is most likely Virtumundo!
[11/19/2005, 14:50:04] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[11/19/2005, 14:50:05] - BHO list has been changed! Starting over...
[11/19/2005, 14:50:05] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - MSEvents Object
[11/19/2005, 14:50:05] - Found MSEvents Object!
[11/19/2005, 14:50:05] - File location: C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:50:05] - Attempting to kill C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:50:05] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:50:05] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:50:05] - Disabling Automatic Shell Restart
[11/19/2005, 14:50:05] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:50:05] - Suspending the NT Session Manager System Service
[11/19/2005, 14:50:05] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:50:05] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:50:06] - Renaming C:\WINDOWS\system32\ddayy.dll -> C:\WINDOWS\system32\ddayy.dll.vir
[11/19/2005, 14:50:06] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:50:06] - Removing Registry references to {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:50:06] - Adding Internet Explorer Protection (Kill ActiveX) for {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:50:06] - Removing Winlogon Notify Entry: ddayy
[11/19/2005, 14:50:06] - BHO list has been changed! Starting over...
[11/19/2005, 14:50:06] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/19/2005, 14:50:06] - 2: {53707962-6F74-2D53-2644-206D7942484F} -
[11/19/2005, 14:50:06] - WARNING: 2: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/19/2005, 14:50:06] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/19/2005, 14:50:06] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/19/2005, 14:50:06] - 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/19/2005, 14:50:06] - 4: {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - MSEvents Object
[11/19/2005, 14:50:06] - Found MSEvents Object!
[11/19/2005, 14:50:06] - File location: C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:50:06] - Attempting to kill C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:50:06] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:50:06] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:50:06] - Disabling Automatic Shell Restart
[11/19/2005, 14:50:07] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:50:08] - Suspending the NT Session Manager System Service
[11/19/2005, 14:50:08] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:50:09] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:50:09] - Renaming C:\WINDOWS\system32\jkhfe.dll -> C:\WINDOWS\system32\jkhfe.dll.vir
[11/19/2005, 14:50:09] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:50:09] - Removing Registry references to {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:50:12] - Adding Internet Explorer Protection (Kill ActiveX) for {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:50:12] - Removing Winlogon Notify Entry: jkhfe
[11/19/2005, 14:50:12] - BHO list has been changed! Starting over...
[11/19/2005, 14:50:12] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[11/19/2005, 14:50:12] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[11/19/2005, 14:50:12] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\system32\ddayy.dll)
[11/19/2005, 14:50:12] - Found a reference to C:\WINDOWS\system32\ddayy.dll in Winlogon Notify! This is most likely Virtumundo!
[11/19/2005, 14:50:13] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[11/19/2005, 14:50:13] - BHO list has been changed! Starting over...
[11/19/2005, 14:50:13] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - MSEvents Object
[11/19/2005, 14:50:13] - Found MSEvents Object!
[11/19/2005, 14:50:13] - File location: C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:50:13] - Attempting to kill C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:50:13] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:50:13] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:50:13] - Disabling Automatic Shell Restart
[11/19/2005, 14:50:13] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:50:13] - Suspending the NT Session Manager System Service
[11/19/2005, 14:50:14] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:50:14] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:50:14] - Renaming C:\WINDOWS\system32\ddayy.dll -> C:\WINDOWS\system32\ddayy.dll.vir
[11/19/2005, 14:50:14] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:50:14] - Removing Registry references to {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:50:14] - Adding Internet Explorer Protection (Kill ActiveX) for {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:50:14] - Removing Winlogon Notify Entry: ddayy
[11/19/2005, 14:50:14] - BHO list has been changed! Starting over...
[11/19/2005, 14:50:14] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/19/2005, 14:50:14] - 2: {53707962-6F74-2D53-2644-206D7942484F} -
[11/19/2005, 14:50:14] - WARNING: 2: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/19/2005, 14:50:14] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/19/2005, 14:50:14] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/19/2005, 14:50:14] - 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/19/2005, 14:50:14] - 4: {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - MSEvents Object
[11/19/2005, 14:50:14] - Found MSEvents Object!
[11/19/2005, 14:50:14] - File location: C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:50:14] - Attempting to kill C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:50:14] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:50:14] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:50:15] - Disabling Automatic Shell Restart
[11/19/2005, 14:50:16] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:50:16] - Suspending the NT Session Manager System Service
[11/19/2005, 14:50:16] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:50:16] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:50:17] - Renaming C:\WINDOWS\system32\jkhfe.dll -> C:\WINDOWS\system32\jkhfe.dll.vir
[11/19/2005, 14:50:17] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:50:17] - Removing Registry references to {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:50:17] - Adding Internet Explorer Protection (Kill ActiveX) for {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:50:17] - Removing Winlogon Notify Entry: jkhfe
[11/19/2005, 14:50:17] - BHO list has been changed! Starting over...
[11/19/2005, 14:50:17] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[11/19/2005, 14:50:17] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[11/19/2005, 14:50:17] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\system32\ddayy.dll)
[11/19/2005, 14:50:17] - Found a reference to C:\WINDOWS\system32\ddayy.dll in Winlogon Notify! This is most likely Virtumundo!
[11/19/2005, 14:50:17] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[11/19/2005, 14:50:20] - BHO list has been changed! Starting over...
[11/19/2005, 14:50:20] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - MSEvents Object
[11/19/2005, 14:50:20] - Found MSEvents Object!
[11/19/2005, 14:50:20] - File location: C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:50:20] - Attempting to kill C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:50:20] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:50:20] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:50:20] - Disabling Automatic Shell Restart
[11/19/2005, 14:50:21] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:50:24] - Suspending the NT Session Manager System Service
[11/19/2005, 14:50:24] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:50:24] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:50:24] - Renaming C:\WINDOWS\system32\ddayy.dll -> C:\WINDOWS\system32\ddayy.dll.vir
[11/19/2005, 14:50:24] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:50:24] - Removing Registry references to {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:50:24] - Adding Internet Explorer Protection (Kill ActiveX) for {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:50:24] - Removing Winlogon Notify Entry: ddayy
[11/19/2005, 14:50:24] - BHO list has been changed! Starting over...
[11/19/2005, 14:50:24] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/19/2005, 14:50:24] - 2: {53707962-6F74-2D53-2644-206D7942484F} -
[11/19/2005, 14:50:24] - WARNING: 2: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/19/2005, 14:50:24] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/19/2005, 14:50:24] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/19/2005, 14:50:24] - 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/19/2005, 14:50:24] - 4: {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - MSEvents Object
[11/19/2005, 14:50:24] - Found MSEvents Object!
[11/19/2005, 14:50:24] - File location: C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:50:24] - Attempting to kill C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:50:24] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:50:25] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:50:25] - Disabling Automatic Shell Restart
[11/19/2005, 14:50:25] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:50:26] - Suspending the NT Session Manager System Service
[11/19/2005, 14:50:26] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:50:26] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:50:26] - Renaming C:\WINDOWS\system32\jkhfe.dll -> C:\WINDOWS\system32\jkhfe.dll.vir
[11/19/2005, 14:50:26] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:50:26] - Removing Registry references to {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:50:26] - Adding Internet Explorer Protection (Kill ActiveX) for {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:50:26] - Removing Winlogon Notify Entry: jkhfe
[11/19/2005, 14:50:26] - BHO list has been changed! Starting over...
[11/19/2005, 14:50:26] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[11/19/2005, 14:50:26] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[11/19/2005, 14:50:26] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\system32\ddayy.dll)
[11/19/2005, 14:50:26] - Found a reference to C:\WINDOWS\system32\ddayy.dll in Winlogon Notify! This is most likely Virtumundo!
[11/19/2005, 14:50:26] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[11/19/2005, 14:50:27] - BHO list has been changed! Starting over...
[11/19/2005, 14:50:27] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - MSEvents Object
[11/19/2005, 14:50:27] - Found MSEvents Object!
[11/19/2005, 14:50:27] - File location: C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:50:27] - Attempting to kill C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:50:27] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:50:27] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:50:27] - Disabling Automatic Shell Restart
[11/19/2005, 14:50:27] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:50:27] - Suspending the NT Session Manager System Service
[11/19/2005, 14:50:27] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:50:27] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:50:28] - Renaming C:\WINDOWS\system32\ddayy.dll -> C:\WINDOWS\system32\ddayy.dll.vir
[11/19/2005, 14:50:30] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:50:30] - Removing Registry references to {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:50:31] - Adding Internet Explorer Protection (Kill ActiveX) for {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:50:31] - Removing Winlogon Notify Entry: ddayy
[11/19/2005, 14:50:31] - BHO list has been changed! Starting over...
[11/19/2005, 14:50:31] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/19/2005, 14:50:31] - 2: {53707962-6F74-2D53-2644-206D7942484F} -
[11/19/2005, 14:50:31] - WARNING: 2: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/19/2005, 14:50:32] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/19/2005, 14:50:32] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/19/2005, 14:50:32] - 3: {53707962-6F74-2D53-2644-206D7942484F} -
[11/19/2005, 14:50:32] - WARNING: 3: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/19/2005, 14:50:32] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/19/2005, 14:50:32] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/19/2005, 14:50:32] - 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/19/2005, 14:50:32] - 5: {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - MSEvents Object
[11/19/2005, 14:50:32] - Found MSEvents Object!
[11/19/2005, 14:50:32] - File location: C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:50:32] - Attempting to kill C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:50:32] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:50:33] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:50:33] - Disabling Automatic Shell Restart
[11/19/2005, 14:50:34] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:50:34] - Suspending the NT Session Manager System Service
[11/19/2005, 14:50:35] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:50:35] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:50:35] - Renaming C:\WINDOWS\system32\jkhfe.dll -> C:\WINDOWS\system32\jkhfe.dll.vir
[11/19/2005, 14:50:35] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:50:35] - Removing Registry references to {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:50:38] - Adding Internet Explorer Protection (Kill ActiveX) for {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[11/19/2005, 14:50:38] - Removing Winlogon Notify Entry: jkhfe
[11/19/2005, 14:50:38] - BHO list has been changed! Starting over...
[11/19/2005, 14:50:38] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[11/19/2005, 14:50:38] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[11/19/2005, 14:50:38] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\system32\ddayy.dll)
[11/19/2005, 14:50:38] - Found a reference to C:\WINDOWS\system32\ddayy.dll in Winlogon Notify! This is most likely Virtumundo!
[11/19/2005, 14:50:38] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[11/19/2005, 14:50:39] - BHO list has been changed! Starting over...
[11/19/2005, 14:50:39] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - MSEvents Object
[11/19/2005, 14:50:39] - Found MSEvents Object!
[11/19/2005, 14:50:39] - File location: C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:50:39] - Attempting to kill C:\WINDOWS\system32\ddayy.dll
[11/19/2005, 14:50:39] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:50:39] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:50:39] - Disabling Automatic Shell Restart
[11/19/2005, 14:50:40] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:50:40] - Suspending the NT Session Manager System Service
[11/19/2005, 14:50:40] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:50:40] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:50:40] - Renaming C:\WINDOWS\system32\ddayy.dll -> C:\WINDOWS\system32\ddayy.dll.vir
[11/19/2005, 14:50:40] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:50:40] - Removing Registry references to {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:50:41] - Adding Internet Explorer Protection (Kill ActiveX) for {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/19/2005, 14:50:41] - Removing Winlogon Notify Entry: ddayy
[11/19/2005, 14:50:42] - BHO list has been changed! Starting over...
[11/19/2005, 14:50:42] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[11/19/2005, 14:50:42] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[11/19/2005, 14:50:42] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\system32\ddayy.dll)
[11/19/2005, 14:50:42] - Couldn't find ddayy in Winlogon Notify. Ignoring {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}.
[11/19/2005, 14:50:42] - 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/19/2005, 14:50:42] - 3: {53707962-6F74-2D53-2644-206D7942484F} -
[11/19/2005, 14:50:42] - WARNING: 3: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/19/2005, 14:50:42] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/19/2005, 14:50:42] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/19/2005, 14:50:42] - 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/19/2005, 14:50:42] - 5: {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - MSEvents Object
[11/19/2005, 14:50:42] - Found MSEvents Object!
[11/19/2005, 14:50:42] - File location: C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:50:42] - Attempting to kill C:\WINDOWS\system32\jkhfe.dll
[11/19/2005, 14:50:42] - Terminating Process: RUNDLL32.EXE
[11/19/2005, 14:50:42] - Terminating Process: IEXPLORE.EXE
[11/19/2005, 14:50:42] - Disabling Automatic Shell Restart
[11/19/2005, 14:50:43] - Terminating Process: EXPLORER.EXE
[11/19/2005, 14:50:43] - Suspending the NT Session Manager System Service
[11/19/2005, 14:50:43] - Terminating Windows NT Logon/Logoff Manager
[11/19/2005, 14:50:43] - Re-enabling Automatic Shell Restart
[11/19/2005, 14:50:43] - Renaming C:\WINDOWS\system32\jkhfe.dll -> C:\WINDOWS\system32\jkhfe.dll.vir
[11/19/2005, 14:50:43] - File rename was unsuces
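The log above repeats the same steps for the same two DLLs over and over. As an added example (not part of the original post and not VirtumundoBeGone's own code), this Python script parses lines in that log's format and counts repeated Winlogon Notify removals and deferred renames, so a removal that is not sticking shows up as numbers. The function names, the threshold and the trimmed sample excerpt are assumptions made for the illustration.

```python
import re
from collections import Counter

# Excerpt in the format of the log above, trimmed and assembled for this example.
# The last line is cut off on purpose, the way the posted log ends.
SAMPLE_LOG = r"""
[11/19/2005, 14:49:41] - Renaming C:\WINDOWS\system32\jkhfe.dll -> C:\WINDOWS\system32\jkhfe.dll.vir
[11/19/2005, 14:49:44] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:49:45] - Removing Winlogon Notify Entry: jkhfe
[11/19/2005, 14:49:45] - Found a reference to C:\WINDOWS\system32\ddayy.dll in Winlogon Notify! This is most likely Virtumundo!
[11/19/2005, 14:49:48] - Renaming C:\WINDOWS\system32\ddayy.dll -> C:\WINDOWS\system32\ddayy.dll.vir
[11/19/2005, 14:49:48] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:49:48] - Removing Winlogon Notify Entry: ddayy
[11/19/2005, 14:49:52] - Renaming C:\WINDOWS\system32\jkhfe.dll -> C:\WINDOWS\system32\jkhfe.dll.vir
[11/19/2005, 14:49:52] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/19/2005, 14:49:52] - Removing Winlogon Notify Entry: jkhfe
[11/19/2005, 14:50:43] - Renaming C:\WINDOWS\system32\jkhfe.dll -> C:\WINDOWS\system32\jkhfe.dll.vir
[11/19/2005, 14:50:43] - File rename was unsuces
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<msg>.*)$")
RENAME_RE = re.compile(r"^Renaming (?P<src>.+?) -> (?P<dst>.+)$")
NOTIFY_RM_RE = re.compile(r"^Removing Winlogon Notify Entry: (?P<name>\S+)$")
NOTIFY_FOUND_RE = re.compile(r"^Found a reference to (?P<path>.+?) in Winlogon Notify!")
# Text the tool prints when the file is locked and the rename is queued for reboot.
DEFERRED = "Rename operation sent to SMSS for next reboot"


def parse_events(text):
    """Yield (timestamp, message) for each well-formed log line; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("ts"), m.group("msg")


def summarize(text):
    """Count Notify removals, Notify detections and rename outcomes per target."""
    removals, deferred, found = Counter(), Counter(), Counter()
    unresolved = []   # renames whose outcome line is missing or truncated
    pending = None    # source path of a rename still waiting for its outcome line

    for _ts, msg in parse_events(text):
        m = RENAME_RE.match(msg)
        if m:
            if pending is not None:
                unresolved.append(pending)
            pending = m.group("src")
            continue

        if pending is not None:
            outcome_known = DEFERRED in msg
            if outcome_known:
                deferred[pending] += 1
            else:
                unresolved.append(pending)
            pending = None
            if outcome_known:
                continue
            # An unrecognised line may still be another event, so keep matching.

        m = NOTIFY_RM_RE.match(msg)
        if m:
            removals[m.group("name")] += 1
            continue
        m = NOTIFY_FOUND_RE.match(msg)
        if m:
            found[m.group("path")] += 1

    if pending is not None:
        unresolved.append(pending)

    return {
        "notify_removals": removals,
        "deferred_renames": deferred,
        "notify_found": found,
        "unresolved_renames": unresolved,
    }


def repeated_entries(summary, threshold=2):
    """Notify entries removed at least `threshold` times in one run.

    A removal that had worked would be logged once, so a repeat means the
    entry was back in the registry the next time the tool looked.
    """
    return sorted(
        name for name, n in summary["notify_removals"].items() if n >= threshold
    )


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("Notify removals:   ", dict(s["notify_removals"]))
    print("Deferred renames:  ", dict(s["deferred_renames"]))
    print("Unresolved renames:", s["unresolved_renames"])
    print("Repeated entries:  ", repeated_entries(s))
```

Run against a full log, a high removal count for one entry together with only deferred renames matches what the helpers in this thread go on to investigate: the files stay locked and the entries keep reappearing.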

#34
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again

Well that didn't work either.

What about the answers to the questions posed?

Often HJT logs we see posted are not created after a reboot and therefore do not show a true position. So that is my first observation, with the question, did you reboot before rescanning with HJT?

Now another member of staff (a person with considerable knowledge) has made the comment that the Vundo infection is in the family account and that you no longer use that one. I too think this is why you are having so many problems.

What I want to know is what accounts do you have on the PC (name them) and tell me the rights also.


Also, please submit the bad files

C:\WINDOWS\system32\ddayy.dll
C:\WINDOWS\system32\jkhfe.dll

to this address for scrutiny: http://www.thespykiller.co.uk/forum

Scroll down to UPLOADS and follow the instructions.

#35
dvk01

    Malware Expert

  • Visiting Consultant
  • 201 posts
  • MVP
Sorry to jump in here, but we need some copies of this new version of Vundo to see why none of the tools are working.

please do this for us

download suspicious file packer from http://www.safer-net...ools/index.html and unzip it to desktop, open it & paste in this list of files and when it has created the archive on your desktop please upload that to http://www.thespykil...x.php?board=1.0 so we can examine the files

C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll.vir
C:\WINDOWS\system32\ddayy.dll
C:\WINDOWS\system32\ddayy.dll.vir

I've added the .vir ones as well just in case they have been renamed despite the log saying not

please use whichever method you find easiest to get the files to us

Edited by dvk01, 20 November 2005 - 03:57 AM.


#36
shinebindi

    Member

  • Topic Starter
  • Member
  • 51 posts
well here are the questions to the answers posted:

I scanned with HJT before I rebooted and after I rebooted.

and

The two accounts I have on this computer are mine (administrative rights) and the Family account (limited rights)

#37
shinebindi

    Member

  • Topic Starter
  • Member
  • 51 posts
(referring to Crustyoldbloke's post)
one problem...

I can't seem to locate ddayy.dll

Edited by shinebindi, 20 November 2005 - 10:34 AM.


#38
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again

I assume you will accommodate dvk01's request for the files; it is very important if this is a new infection. Make sure you have set your system to show all files; please see here if you're unsure how to do this.

Now I want you to reverse the rights on the user accounts, i.e. I want the Family Account to be admin and your own to be limited. Then I want you to log on to the Family Account and run the fix as before.

Let me know the outcome please; there are a few people tracking this thread now.

#39
shinebindi

    Member

  • Topic Starter
  • Member
  • 51 posts
you want me to run the VundoFix on the Family account (administrative rights now)??

#40
shinebindi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 51 posts
we only got rid of the BHO for jkhfe.dll... we still have to tackle the WINLOGON of it and the new ddayy.dll


Logfile of HijackThis v1.99.1
Scan saved at 12:05:09 PM, on 11/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Browser mouse\1.2\mouse32a.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\HiJack This\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\ddayy.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [FLMBROWSERMOUSE] C:\Program Files\Browser mouse\1.2\mouse32a.exe
O4 - HKLM\..\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Brother MFL Pro Remote Setup] C:\Program Files\Brother\BRMFLPRO\brsmirsp.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123553964031
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.ai...AIM.9.5.1.8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddayy - C:\WINDOWS\SYSTEM32\ddayy.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhfe - C:\WINDOWS\system32\jkhfe.dll
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Bindi\Local Settings\Temporary Internet Files\Content.IE5\WRTXGTCZ\CWShredder[1].exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

Edited by shinebindi, 20 November 2005 - 12:12 PM.

  • 0


#41
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
And the VundoFix log?
  • 0

#42
shinebindi

shinebindi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 51 posts
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\jkhfe.dll

The second filepath entered was C:\WINDOWS\system32\efhkj.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 560 'smss.exe'
Error 0x6 : The handle is invalid.


Killing PID 1676 'explorer.exe'
Error 0x6 : The handle is invalid.



Killing PID 656 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete C:\WINDOWS\system32\jkhfe.dll.
C:\WINDOWS\system32\efhkj.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------
  • 0

#43
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again

There is some merit in this idea and if the problem is one of rights, it gets round it quite nicely. I would have thought of it myself, but not until 2010, by which time I'd be too old.

Download Vundo Fix to a floppy diskette or a CD

Go into Safe Mode and log in under the Administrator Account if possible.

Force explorer to load by going to START>RUN and typing in C:\Windows\Explorer.exe into the Run Box and hitting ENTER.

You should then see this:

Killing PID 136 'smss.exe'
Error 0x6 : The handle is invalid.

Error, Cannot find a process with an image name of explorer.exe

Killing PID 208 'winlogon.exe'
Error 0x6 : The handle is invalid.

Install the Vundo Fix from the floppy or CD and run as instructed in previous attempts.

When complete, please post vundofix log

Also, at the request of dvk01, I wonder if you would be kind enough to do this please?

Please download log2.bat to your desktop from http://www.thespykil.../files/log2.bat

Double click it and it will make a list of ALL files and folders in both C:\windows & c:\windows\system32 and a list of all folders in C:\program files so we can plough through them and spot anything dodgy, hopefully.

It will only pop up for the briefest flash

Now go to C:\ and look for log2.txt ready for uploading

It will be too big to upload here so go to http://www.thespykil...x.php?board=1.0 and upload there.
Just press New Topic, fill in the needed details and give a link to your post here, then press the Browse button and navigate to and select the file on your computer. When the file is listed in the window, press Send to upload the files.

Thank you.

Edited by Crustyoldbloke, 20 November 2005 - 02:27 PM.

  • 0

#44
dvk01

dvk01

    Malware Expert

  • Visiting Consultant
  • 201 posts
  • MVP
can you also see if you can find these files
C:\WINDOWS\SYSTEM32\ayadd.ini
C:\WINDOWS\SYSTEM32\efhkj.ini.
C:\WINDOWS\SYSTEM32\yyadd.ini

if you can upload them to spykiller so we can work on an updated tool for this pest
  • 0
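An added triage example, not part of any post in this thread and not VundoFix's own code: it pulls the O2 (BHO) and O20 (Winlogon Notify) lines out of a HijackThis log such as the one in post #40 and flags the notify entries that look like this thread's two infected DLLs. The two heuristics and the reversed companion name (jkhfe to efhkj.*, ddayy to yyadd.ini) are assumptions drawn only from the values posted here, and the function names are hypothetical.

```python
import re

# Constructed sample: five lines copied from the HijackThis log in post #40.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\ddayy.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O20 - Winlogon Notify: ddayy - C:\WINDOWS\SYSTEM32\ddayy.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhfe - C:\WINDOWS\system32\jkhfe.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def stem(path):
    """Lower-cased file name without directory or extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def parse_hjt(log_text):
    """Return (bhos, notifies) as lists of {'name', 'path'} dicts."""
    bhos, notifies = [], []
    for line in map(str.strip, log_text.splitlines()):
        for regex, bucket in ((BHO_RE, bhos), (NOTIFY_RE, notifies)):
            match = regex.match(line)
            if match:
                bucket.append(match.groupdict())
    return bhos, notifies


def triage(log_text):
    """Flag Winlogon Notify DLLs using heuristics taken from this thread only."""
    bhos, notifies = parse_hjt(log_text)
    unnamed_bhos = {stem(b["path"]) for b in bhos if b["name"] == "(no name)"}
    findings = []
    for entry in notifies:
        name = stem(entry["path"])
        reasons = []
        if entry["name"].lower() == name:
            reasons.append("notify key named after its DLL")
        if name in unnamed_bhos:
            reasons.append("same DLL registered as an unnamed BHO")
        if reasons:
            folder = entry["path"].rsplit("\\", 1)[0]
            # Assumption from this thread: companion files carry the reversed
            # name (jkhfe -> efhkj.*, ddayy -> yyadd.ini).
            companion = folder + "\\" + name[::-1] + ".*"
            findings.append({"dll": entry["path"], "reasons": reasons,
                             "companion": companion})
    return findings
```

On the sample lines, `triage(SAMPLE_LOG)` flags ddayy.dll and jkhfe.dll and leaves the igfxcui entry alone; the `companion` glob is where to look for the matching data files before and after a removal attempt.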

#45
shinebindi

shinebindi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 51 posts
there was a problem...
when I typed in "C:\Windows\Explorer.exe" into the Run box.. My Documents popped up..with a frame on the left that had MY COMPUTER, My Network Places...



VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\jkhfe.dll

The second filepath entered was C:\WINDOWS\system32\efhkj.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 136 'smss.exe'
Error 0x6 : The handle is invalid.


Killing PID 760 'explorer.exe'
Killing PID 760 'explorer.exe'
Killing PID 760 'explorer.exe'
Killing PID 760 'explorer.exe'


Killing PID 208 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete C:\WINDOWS\system32\jkhfe.dll.
C:\WINDOWS\system32\efhkj.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

Edited by shinebindi, 22 November 2005 - 09:24 PM.

  • 0
