.EXE, .ZIP, .RAR won't open.
Thread Solved
Join Date: Sep 2007
Posts: 13
Solved Threads: 0
My computer won't register any of these.. I try to open a program, extract a rar or zip and nothing happens. Here is my other post http://www.daniweb.com/forums/thread90468.html
Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:30:13 AM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\apache2triad\bin\apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\apache2triad\mysql\bin\mysqld.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\apache2triad\bin\apache.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\taskmgr.exe
c:\program files\aim6\anotify.exe
C:\progra~1\HJT\HJT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08A4D98A-864E-4BA2-998D-9C58EE7556C2} - C:\WINDOWS\system32\henclvoc.dll
O2 - BHO: (no name) - {31657B86-01E9-43C8-A0C5-F02BE201455c} - C:\WINDOWS\system32\henclvoc.dll
O2 - BHO: (no name) - {4EBC417D-C9A7-4FD3-8135-7E33E63B051F} - C:\WINDOWS\system32\ssqrr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {68218620-3D65-43F6-AD47-D38D84B5412A} - C:\WINDOWS\system32\ljjkheb.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb101\Dealio.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {9E7FA759-B446-4E57-AF42-A97A948B6CB3} - C:\WINDOWS\system32\henclvoc.dll
O2 - BHO: (no name) - {9F0AD5E8-002F-4666-8F74-B5457C89FDD0} - C:\WINDOWS\system32\nxmjexch.dll
O2 - BHO: (no name) - {A8CE4D48-E68D-4FE4-89FE-300731C77148} - C:\WINDOWS\system32\nnsqqmqc.dll
O2 - BHO: (no name) - {B064D7DD-F68F-4D03-9C37-C86C2D72D4B7} - C:\WINDOWS\system32\nnsqqmqc.dll
O2 - BHO: (no name) - {E5D48306-2B38-4D8C-B74C-8C4F420E02F2} - C:\WINDOWS\system32\henclvoc.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\hvrramje.dll",forkonce
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\narrshwh.dll",sitypnow
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJfox000
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb101\res\DealioSearch.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Taylor\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb101\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163462521328
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14F6B734-BA66-426F-89D0-0FDE45917491}: NameServer = 85.255.116.40,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A9DCDA8-97A7-4902-A9B5-8A0F8F534386}: NameServer = 85.255.116.40,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9EAACB2-AC23-441F-98E2-DE667442E568}: NameServer = 85.255.116.40,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA87762A-AC5D-4BC2-B820-14450E34CD82}: NameServer = 85.255.116.40,85.255.112.115
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.40 85.255.112.115
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.40 85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.40 85.255.112.115
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ljjkheb - C:\WINDOWS\SYSTEM32\ljjkheb.dll
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll
O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Apache Software Foundation - C:\apache2triad\bin\apache.exe
O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2SSL) - Apache Software Foundation - C:\apache2triad\bin\apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Apache2Triad MySql Service (mysql) - Unknown owner - C:\apache2triad\mysql\bin\mysqld.exe
O23 - Service: Apache2Triad PostgreSQL Service (PgSql) - PostgreSQL Global Development Group - C:\apache2triad\pgsql\bin\pg_ctl.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Apache2Triad SlimFTPd Server (SlimFTPd) - Unknown owner - C:\apache2triad\ftp\SlimFTPd.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O23 - Service: Apache2Triad Xmail Service (XMail) - Unknown owner - C:\apache2triad\mail\bin\XMail.exe
--
End of file - 10919 bytes
Thanks for all and any help :]
Join Date: May 2005
Posts: 3,204
Solved Threads: 188
You say you've hit it with AV... but what about AS? The log is LOADED, and you have two resident AV services - that is not good, one is all you can run. Remove one now. You have a redirector, vundo, bunch of trojan/spywares...
Help? Okay...
==Download fixwareout from http://www.bleepingcomputer.com/file...Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.
Next check some settings....In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
Now flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.
FIX CHECKED ENTRIES....!!
Start Hijackthis, do a Scan Only and place checkmarks against all of the following, and then press Fix Checked:
O17 - HKLM\System\CCS\Services\Tcpip\..\{14F6B734-BA66-426F-89D0-0FDE45917491}: NameServer = 85.255.116.40,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A9DCDA8-97A7-4902-A9B5-8A0F8F534386}: NameServer = 85.255.116.40,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9EAACB2-AC23-441F-98E2-DE667442E568}: NameServer = 85.255.116.40,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA87762A-AC5D-4BC2-B820-14450E34CD82}: NameServer = 85.255.116.40,85.255.112.115
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.40 85.255.112.115
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.40 85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.40 85.255.112.115
You have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Post the contents of C:\vundofix.txt plus a new HijackThis log.
==MyWebSearch Search Assistant - Go to Add/Remove programs and remove MyWebSearch Bar, MyWeb Search and Search Assistant. Use hijackthis to remove all BHO's, toolbars, reg startups, context menu items , anything with MyWeb in it.
Depending upon how your sys works you may have to take those dl's on a pen drive or other removable media, eg CDRW.
Last edited by gerbil; Sep 24th, 2007 at 1:19 am.
Deep, deep in the woods, but walking about.
O2 - BHO: (no name) - {4EBC417D-C9A7-4FD3-8135-7E33E63B051F} - C:\WINDOWS\system32\ssqrr.dll
O20 - Winlogon Notify: ljjkheb - C:\WINDOWS\SYSTEM32\ljjkheb.dll
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll
These look dodgy and as Gerbil suspects, you need to get rid of a Trojan. I didn't see a telltale ldoger (.EXE) in your root C:\ - but the trojan manifests itself in various ways.
You could also see my post on 24-Aug which provides a step by step cleansing approach if you can put your disk drive into an external USB enclosure on a different PC. I was happier doing this because I wasn't operating on the live system.
Last edited by Suspishio; Sep 24th, 2007 at 8:34 am.
Suspishio
My advice is at your risk
Qosmio G50-10H; T9400 2.53GHz Core 2 Duo; 4GB RAM; Vista HP (32)
nForce 680i LT; Q6600 Quad Core 2.4GHz; 8GB RAM; XP Pro (64)
Dell XPS M1710; T7200 2GHz Core 2 Duo; 2GB RAM; XP Pro (32)
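The two checks the replies above make by eye (NameServer values set under O17, and a DLL that appears both as a BHO and under Winlogon Notify), written out as an added Python example that is not part of either post. The sample lines are copied from the log posted in this thread; the function names and the `expected` resolver allowlist are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4EBC417D-C9A7-4FD3-8135-7E33E63B051F} - C:\WINDOWS\system32\ssqrr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {68218620-3D65-43F6-AD47-D38D84B5412A} - C:\WINDOWS\system32\ljjkheb.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{14F6B734-BA66-426F-89D0-0FDE45917491}: NameServer = 85.255.116.40,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.40 85.255.112.115
O20 - Winlogon Notify: ljjkheb - C:\WINDOWS\SYSTEM32\ljjkheb.dll
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll
"""

LINE = re.compile(r"^([A-Z]\d+) - (.*)$")
O17 = re.compile(r"^(?P<key>.+?):\s*NameServer\s*=\s*(?P<servers>.+)$")
O2 = re.compile(r"^BHO: .*? - \{[^}]+\} - (?P<path>.+)$")
O20 = re.compile(r"^Winlogon Notify: .+? - (?P<path>.+)$")
# HijackThis appends these markers when the target file is absent.
MISSING = re.compile(r"\s+\((?:file missing|no file)\)$")


def parse(log):
    """Yield (section, body) for each result line, e.g. ('O17', 'HKLM\\...')."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def norm(path):
    """Case-fold a Windows path and drop the '(file missing)' marker."""
    return MISSING.sub("", path.strip()).lower()


def static_dns(log, expected=()):
    """Map each registry-set, non-private resolver to the keys that carry it.

    `expected` is an assumed allowlist of resolver addresses the owner
    configured on purpose; anything else public is a review candidate.
    """
    hits = defaultdict(list)
    for section, body in parse(log):
        m = O17.match(body) if section == "O17" else None
        if not m:
            continue
        for server in re.split(r"[,\s]+", m.group("servers").strip()):
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                hits[server].append(m.group("key"))  # unparseable value: flag it
                continue
            if str(addr) not in expected and not addr.is_private:
                hits[server].append(m.group("key"))
    return dict(hits)


def shared_bho_winlogon(log):
    """Return DLL paths registered both as a BHO (O2) and as Winlogon Notify (O20)."""
    bho, notify = set(), set()
    for section, body in parse(log):
        if section == "O2" and (m := O2.match(body)):
            bho.add(norm(m.group("path")))
        elif section == "O20" and (m := O20.match(body)):
            notify.add(norm(m.group("path")))
    return sorted(bho & notify)


if __name__ == "__main__":
    for server, keys in static_dns(SAMPLE_LOG).items():
        print(f"static DNS {server} set in {len(keys)} key(s)")
    for path in shared_bho_winlogon(SAMPLE_LOG):
        print(f"BHO + Winlogon Notify: {path}")
```

A hit from either function is a reason to look closer, not a verdict: a deliberately configured public resolver belongs in `expected`.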
Join Date: May 2005
Posts: 3,204
Solved Threads: 188
Hi, jamlpr, that link is up - I suspect your hosts file may be blocking you, some malware make undesirable entries...
There are tools to fix it, try this:
==download HostsXpert from http://www.funkytoad.com/content/view/13/31/
-click Restore MS Hosts File button.
Some security applications, possibly also various malware, will lock your Hosts file [as a protection]. If HostsXpert is unable to restore your file check for applications which may have incidentally locked it. Lock/Unlock hosts exists in Zonealarm and Spybot S&D.
ZoneAlarm : look under firewall, advanced;
Spybot : click Tools,Hosts File, uncheck "Lock Hosts file read-only as protection against hijackers"
Or just...[ but a Spybot setting may over-ride this command....] do this:
Go Start, run, type cmd -press Enter. Paste this line into the window at the prompt, press Enter, close the window.
attrib -r -h -s %SystemRoot%\system32\drivers\etc\HOSTS
-and then of course you can edit it manually [you may have to run the above command first]
A sample hosts file [mine]:-
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost
127.0.0.1 ad.doubleclick.net
____________________________________________________
Deep, deep in the woods, but walking about.
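A quick way to test the suspicion in the reply above before restoring the file, as an added Python example that is not part of the post: list hosts entries that cover the download sites named in this thread. The function name, the watched-domain set and the two lines marked as constructed are assumptions.

```python
import ipaddress

# Entries from the sample hosts file in the post above, plus two constructed
# lines showing the kind of entry the reply suspects.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
127.0.0.1 ad.doubleclick.net
127.0.0.1 www.bleepingcomputer.com   # constructed entry
203.0.113.7 www.atribune.org         # constructed entry, documentation address
"""


def audit_hosts(text, watched):
    """Return [(hostname, address, verdict)] for entries covering watched domains.

    verdict is 'blocked' when the name is pointed at loopback or 0.0.0.0,
    and 'redirected' when it is pointed at any other address.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            continue  # not a valid hosts entry
        sinkhole = ip.is_loopback or ip.is_unspecified
        for name in names:
            host = name.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in watched):
                verdict = "blocked" if sinkhole else "redirected"
                findings.append((host, address, verdict))
    return findings


if __name__ == "__main__":
    for host, address, verdict in audit_hosts(
        SAMPLE_HOSTS, {"bleepingcomputer.com", "atribune.org"}
    ):
        print(f"{verdict}: {host} -> {address}")
```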
Join Date: Sep 2007
Posts: 13
Solved Threads: 0
Here's my HJT log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:06:47 PM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\apache2triad\bin\apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\apache2triad\mysql\bin\mysqld.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\apache2triad\bin\apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\progra~1\HJT\imabunny.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08A4D98A-864E-4BA2-998D-9C58EE7556C2} - C:\WINDOWS\system32\henclvoc.dll
O2 - BHO: (no name) - {31657B86-01E9-43C8-A0C5-F02BE201455c} - C:\WINDOWS\system32\henclvoc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55006F80-EA7A-4C99-95CE-112018CF483B} - C:\WINDOWS\system32\ssqrr.dll
O2 - BHO: (no name) - {68218620-3D65-43F6-AD47-D38D84B5412A} - C:\WINDOWS\system32\ljjkheb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {9E7FA759-B446-4E57-AF42-A97A948B6CB3} - C:\WINDOWS\system32\henclvoc.dll
O2 - BHO: (no name) - {9F0AD5E8-002F-4666-8F74-B5457C89FDD0} - C:\WINDOWS\system32\nxmjexch.dll
O2 - BHO: (no name) - {A8CE4D48-E68D-4FE4-89FE-300731C77148} - C:\WINDOWS\system32\nxmjexch.dll
O2 - BHO: (no name) - {B064D7DD-F68F-4D03-9C37-C86C2D72D4B7} - C:\WINDOWS\system32\nnsqqmqc.dll (file missing)
O2 - BHO: (no name) - {E5D48306-2B38-4D8C-B74C-8C4F420E02F2} - C:\WINDOWS\system32\henclvoc.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Taylor\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163462521328
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ljjkheb - C:\WINDOWS\SYSTEM32\ljjkheb.dll
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll
O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Apache Software Foundation - C:\apache2triad\bin\apache.exe
O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2SSL) - Apache Software Foundation - C:\apache2triad\bin\apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Apache2Triad MySql Service (mysql) - Unknown owner - C:\apache2triad\mysql\bin\mysqld.exe
O23 - Service: Apache2Triad PostgreSQL Service (PgSql) - PostgreSQL Global Development Group - C:\apache2triad\pgsql\bin\pg_ctl.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Apache2Triad SlimFTPd Server (SlimFTPd) - Unknown owner - C:\apache2triad\ftp\SlimFTPd.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O23 - Service: Apache2Triad Xmail Service (XMail) - Unknown owner - C:\apache2triad\mail\bin\XMail.exe
--
End of file - 9305 bytes
I could not get rid of what Suspishio asked me to. Those also wouldn't remove with VundoFix!
Here's the vundo fix log!
Thank you! :]
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Jamlpr, please delete C:\vundofix.txt and run vundofix again!! until all files have been deleted. It may take a couple more passes. When all files that it detects have been deleted then you are finished with vundofix.
Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ .. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!
In the meantime fix these two with hijackthis, we'll get to all the others later.
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
Post vundofix, smitfraud log and a fresh hijackthis scan log also.
Last edited by gerbil; Sep 25th, 2007 at 12:46 am.
Deep, deep in the woods, but walking about.
The trojan is well infiltrated looking at your HJT log. If the Vundofix & Smitfraudfix passes don't solve it, go to my post on 24-Aug and do it the other way round - from a separate PC operating on your affected hard disk in a USB enclosure.
Suspishio
My advice is at your risk
Qosmio G50-10H; T9400 2.53GHz Core 2 Duo; 4GB RAM; Vista HP (32)
nForce 680i LT; Q6600 Quad Core 2.4GHz; 8GB RAM; XP Pro (64)
Dell XPS M1710; T7200 2GHz Core 2 Duo; 2GB RAM; XP Pro (32)
•
•
Join Date: Sep 2007
Posts: 13
Reputation:
Solved Threads: 0
HJT:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:55:51 AM, on 9/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\apache2triad\bin\apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\apache2triad\mysql\bin\mysqld.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\apache2triad\bin\apache.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT\imabunny.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08A4D98A-864E-4BA2-998D-9C58EE7556C2} - C:\WINDOWS\system32\henclvoc.dll
O2 - BHO: (no name) - {31657B86-01E9-43C8-A0C5-F02BE201455c} - C:\WINDOWS\system32\henclvoc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {68218620-3D65-43F6-AD47-D38D84B5412A} - C:\WINDOWS\system32\ljjkheb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {9E7FA759-B446-4E57-AF42-A97A948B6CB3} - C:\WINDOWS\system32\henclvoc.dll
O2 - BHO: (no name) - {9F0AD5E8-002F-4666-8F74-B5457C89FDD0} - C:\WINDOWS\system32\nxmjexch.dll
O2 - BHO: (no name) - {A8CE4D48-E68D-4FE4-89FE-300731C77148} - C:\WINDOWS\system32\nxmjexch.dll
O2 - BHO: (no name) - {B064D7DD-F68F-4D03-9C37-C86C2D72D4B7} - C:\WINDOWS\system32\nnsqqmqc.dll (file missing)
O2 - BHO: (no name) - {C3415EC8-E19C-4147-A819-604490CEF483} - C:\WINDOWS\system32\ssqrr.dll
O2 - BHO: (no name) - {E5D48306-2B38-4D8C-B74C-8C4F420E02F2} - C:\WINDOWS\system32\henclvoc.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\gewhpgsa.dll",sitypnow
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Taylor\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163462521328
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ljjkheb - C:\WINDOWS\SYSTEM32\ljjkheb.dll
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll
O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Apache Software Foundation - C:\apache2triad\bin\apache.exe
O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2SSL) - Apache Software Foundation - C:\apache2triad\bin\apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Apache2Triad MySql Service (mysql) - Unknown owner - C:\apache2triad\mysql\bin\mysqld.exe
O23 - Service: Apache2Triad PostgreSQL Service (PgSql) - PostgreSQL Global Development Group - C:\apache2triad\pgsql\bin\pg_ctl.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Apache2Triad SlimFTPd Server (SlimFTPd) - Unknown owner - C:\apache2triad\ftp\SlimFTPd.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O23 - Service: Apache2Triad Xmail Service (XMail) - Unknown owner - C:\apache2triad\mail\bin\XMail.exe
--
End of file - 9173 bytes
Vundo:
VundoFix V6.5.9
Checking Java version...
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 9:20:29 PM 9/25/2007
Listing files found while scanning....
C:\windows\system32\ljjkheb.dll
C:\WINDOWS\system32\rrqss.ini
C:\WINDOWS\system32\ssqrr.dll
Beginning removal...
Attempting to delete C:\windows\system32\ljjkheb.dll
C:\windows\system32\ljjkheb.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\rrqss.ini
C:\WINDOWS\system32\rrqss.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\ssqrr.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\ljjkheb.dll
C:\windows\system32\ljjkheb.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\rrqss.ini
C:\WINDOWS\system32\rrqss.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\ssqrr.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Smit:
SmitFraudFix v2.229
Scan done at 19:46:57.56, Tue 09/25/2007
Run from C:\Documents and Settings\Taylor\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\apache2triad\bin\apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\apache2triad\mysql\bin\mysqld.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\apache2triad\bin\apache.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Taylor
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Taylor\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Taylor\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\Video ActiveX Object\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}"="hirtellous"
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Linksys Wireless-G PCI Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.10.10
DNS Server Search Order: 24.165.200.40
DNS Server Search Order: 24.165.200.35
HKLM\SYSTEM\CCS\Services\Tcpip\..\{DA87762A-AC5D-4BC2-B820-14450E34CD82}: DhcpNameServer=192.168.10.10 24.165.200.40 24.165.200.35
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DA87762A-AC5D-4BC2-B820-14450E34CD82}: DhcpNameServer=192.168.10.10 24.165.200.40 24.165.200.35
HKLM\SYSTEM\CS2\Services\Tcpip\..\{DA87762A-AC5D-4BC2-B820-14450E34CD82}: DhcpNameServer=192.168.10.10 24.165.200.40 24.165.200.35
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.10 24.165.200.40 24.165.200.35
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.10 24.165.200.40 24.165.200.35
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.10 24.165.200.40 24.165.200.35
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
I couldn't get those two .dlls to go away for the life of me.
Thanks again for the help guys.
I get off at 10 tonight.
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Cool. Now run the clean option with smitfraudfix:-
- Check that a Restore point has been made.
- Restart your computer in Safe Mode.
- Start Smitfraudfix as before and select #2 - Clean [type 2 and Enter].
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected - if it is, you will be prompted to replace the file; type Y and press "Enter".
Restart in normal Windows and post here the text file which will appear on your screen, along with a new HT log.
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file].
Let's force the issue with those undeletable files. This is to check for any hidden support files:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
==Now vundofix again, but modify the run a bit this time [please delete C:\vundofix.txt first]:
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the Addmore files? line, paste into the new window these pathnames [one per line]:
C:\windows\system32\ljjkheb.dll
C:\WINDOWS\system32\behkjjl.*
C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\rrqss.*
Click the Add Files button, and next the Remove Vundo button.******
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Post the contents of C:\vundofix.txt plus a new HijackThis log.
Last edited by gerbil; Sep 26th, 2007 at 10:08 am.
Deep, deep in the woods, but walking about.
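The cross-check behind the "undeletable files" step above, as an added example that is not part of the original thread: it takes the paths VundoFix reported as "Could not be deleted" and lists the HijackThis entries that still reference them. The log excerpts are copied from the posts above; the function names are this example's own.

```python
import re

# Excerpts from the VundoFix and HijackThis logs posted in this thread.
VUNDOFIX_LOG = r"""
Attempting to delete C:\windows\system32\ljjkheb.dll
C:\windows\system32\ljjkheb.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\rrqss.ini
C:\WINDOWS\system32\rrqss.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\ssqrr.dll Could not be deleted.
"""

HJT_LOG = r"""
O2 - BHO: (no name) - {68218620-3D65-43F6-AD47-D38D84B5412A} - C:\WINDOWS\system32\ljjkheb.dll
O2 - BHO: (no name) - {B064D7DD-F68F-4D03-9C37-C86C2D72D4B7} - C:\WINDOWS\system32\nnsqqmqc.dll (file missing)
O2 - BHO: (no name) - {C3415EC8-E19C-4147-A819-604490CEF483} - C:\WINDOWS\system32\ssqrr.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: ljjkheb - C:\WINDOWS\SYSTEM32\ljjkheb.dll
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll
"""

# "<path> Could not be deleted." / "<path> Has been deleted!" result lines.
OUTCOME = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<verdict>Could not be deleted\.|Has been deleted!)$"
)
# "O2 - BHO: ..." style HijackThis entry lines.
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<rest>.+)$")
# First .dll/.exe path mentioned in an entry (paths may contain spaces).
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:dll|exe)\b', re.IGNORECASE)


def vundofix_outcomes(log):
    """Map each lower-cased path to 'failed' or 'deleted' (last verdict wins)."""
    outcomes = {}
    for line in log.splitlines():
        m = OUTCOME.match(line.strip())
        if m:
            failed = m.group("verdict").startswith("Could not")
            outcomes[m.group("path").lower()] = "failed" if failed else "deleted"
    return outcomes


def hjt_references(log):
    """Yield (code, kind, lower-cased path) for entries that name a .dll/.exe."""
    for line in log.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        path = WIN_PATH.search(m.group("rest"))
        if path:
            kind = m.group("rest").split(":", 1)[0]  # e.g. "BHO", "Winlogon Notify"
            yield m.group("code"), kind, path.group(0).lower()


def load_points_for_failed(vundo_log, hjt_log):
    """For every file VundoFix could not delete, list the HJT entries naming it."""
    outcomes = vundofix_outcomes(vundo_log)
    failed = {p for p, verdict in outcomes.items() if verdict == "failed"}
    hits = {p: [] for p in sorted(failed)}
    for code, kind, path in hjt_references(hjt_log):
        if path in failed and (code, kind) not in hits[path]:
            hits[path].append((code, kind))
    return hits


if __name__ == "__main__":
    for path, refs in load_points_for_failed(VUNDOFIX_LOG, HJT_LOG).items():
        shown = ", ".join(f"{code} {kind}" for code, kind in refs)
        print(path, "->", shown or "no load point in log")
```

Both undeletable DLLs show up under O2 (BHO) and O20 (Winlogon Notify). A DLL registered under Winlogon Notify is loaded by winlogon.exe, so it stays locked while Windows is running normally.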