
Hi!
I'm Neeraj & my computer was also infected but now it's free from viruses. I don't have that HijackThis. I've run VundoFix.exe & ComboFix.exe. But I think after executing ComboFix.exe some files are missing and that's why some applications are not running. Even I downloaded Java 6 but that has become some DOS application; the icon is like a DOS program and when I run it, it says that the program is too big to fit in memory.

Here is the log file.

1. VundoFix

VundoFix V7.0.3

Scan started at 11:32:12 AM 07/05/2008

Listing files found while scanning....

C:\WINDOWS\system32\dotnjajk.dll
C:\WINDOWS\system32\efcrcwxw.dll
C:\WINDOWS\system32\kjajntod.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dotnjajk.dll
C:\WINDOWS\system32\dotnjajk.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\efcrcwxw.dll
C:\WINDOWS\system32\efcrcwxw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kjajntod.ini
C:\WINDOWS\system32\kjajntod.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V7.0.3

Scan started at 11:55:32 AM 07/05/2008

Listing files found while scanning....

No infected files were found.

2. ComboFix

ComboFix 08-05-01.3 - Administrator 2008-05-07 12:46:32.1 - NTFSx86
Running from: E:\Downloads\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\buqalktd.dll
C:\WINDOWS\system32\jwihvobv.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\OoYGNqss.ini
C:\WINDOWS\system32\OoYGNqss.ini2
C:\WINDOWS\system32\oswpiksn.ini
C:\WINDOWS\system32\ssqNGYoO.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

2008-05-07 12:33 . 2008-05-07 12:33 <DIR> d--h-c--- C:\WINDOWS\PIF
2008-05-07 11:32 . 2008-05-07 11:54 <DIR> d----c--- C:\VundoFix Backups
2008-05-07 08:52 . 2008-05-07 08:52 2,112 --a--c--- C:\WINDOWS\system32\qogntmcy.exe
2008-05-06 10:38 . 2008-05-07 00:10 <DIR> d----c--- C:\Program Files\Norton AntiVirus
2008-05-06 10:38 . 2008-05-06 10:38 4,608 --a--c--- C:\WINDOWS\system32\drivers\symlcbrd.sys
2008-05-06 10:37 . 2008-05-06 10:54 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-06 10:37 . 2006-09-15 22:52 124,016 --a--c--- C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-06 10:37 . 2006-09-15 22:52 91,904 --a--c--- C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-06 10:36 . 2008-05-06 18:59 <DIR> d----c--- C:\Program Files\Symantec
2008-05-06 10:36 . 2008-05-07 09:58 <DIR> d----c--- C:\Program Files\Common Files\Symantec Shared
2008-05-06 10:35 . 2008-05-06 10:52 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-05 11:06 . 2005-08-06 16:12 519,944 --a--c--- C:\WINDOWS\LegitCheckControl.dll
2008-05-05 11:06 . 2006-05-13 14:18 435,464 --a--c--- C:\WINDOWS\legitlib.dll
2008-05-05 09:56 . 2008-05-05 10:04 <DIR> d----c--- C:\WINDOWS\SxsCaPendDel
2008-05-05 09:12 . 2008-05-05 09:12 51,355 --a--c--- C:\WINDOWS\system32\muzika.xm
2008-05-04 20:15 . 2005-06-21 16:43 163,840 --a--c--- C:\WINDOWS\system32\igfxres.dll
2008-05-04 17:04 . 2008-05-05 06:51 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-04 10:50 . 2008-05-07 08:52 109,803 --a--c--- C:\WINDOWS\BM7358b998.xml
2008-05-02 13:41 . 2008-05-02 13:41 <DIR> d----c--- C:\ner
2008-05-01 20:12 . 2008-05-01 20:12 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Teleca
2008-05-01 19:46 . 2008-05-01 19:47 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Teleca

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 14:11 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-05-04 14:11 --------- dc----w C:\Program Files\CyberLink
2008-05-04 03:12 --------- dc----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-04 03:06 --------- dc----w C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-04-28 01:20 --------- dc----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-04-27 16:35 50,944 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-04-04 07:50 --------- dc----w C:\Program Files\Common Files\Adobe
2007-12-30 04:18 87,608 -c--a-w C:\Documents and Settings\Administrator\Application Data\inst.exe
2007-12-30 04:18 47,360 -c--a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
.

------- Sigcheck -------

2004-08-04 06:44 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-04 06:44 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys

2007-08-03 12:03 502272 6e8ca4fcb30282f216f5db9dd58a5f81 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:26 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 16:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 16:44 126976]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"PCMService"="D:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2007-03-02 17:55 159744]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 22:17 52256]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 21:01 71216]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-08-14 01:47 58488]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-08-03 13:56 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRun"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoNetworkConnections"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= D:\Program Files\DVD Region+CSS Free\DVDShell.dll [2004-10-09 15:18 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyvUoM]
xxyyvUoM.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\FlashGet\\flashget.exe"=
"D:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"D:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"D:\\Program Files\\CyberLink\\PowerCinema\\PCMService.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63a9514c-cbd8-11dc-9cb4-b166290c1652}]
\Shell\Autoplay\Command - J:\smss.exe
\Shell\AutoRun\command - J:\smss.exe
\Shell\Explore\Command - J:\smss.exe
\Shell\Open\Command - J:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{982cfd00-8444-11dc-b4da-86056f13b026}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a750cf0-9c19-11dc-b4e0-cef0eb2f6d51}]
\Shell\Autoplay\Command - I:\smss.exe
\Shell\AutoRun\command - I:\smss.exe
\Shell\Explore\Command - I:\smss.exe
\Shell\Open\Command - I:\smss.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-06 05:29:41 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Administrator.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 12:57:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-05-07 13:10:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-07 07:39:57

Pre-Run: 5,053,763,584 bytes free
Post-Run: 5,010,583,552 bytes free



Please help me. Should I repair Windows XP?

Hello kingt36! Welcome to The Forums.

My name is Rahina Rescue and I will be handling your log to help you get cleaned up.

We'll begin.

Step #1

Please download VundoFix.exe to your desktop

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Step #2

Download the latest version of Java Runtime Environment (JRE) 6

Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.

Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.

Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

Step #3

Please download Combofix to your desktop.

  • Double click on Combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next reply please post:

  • VundoFix.txt
  • Combofix.txt
  • HijackThis logfile
Last Post by gerbil

Oh dear. You still have a Vundo infection, plus the Godzilla worm. And more.
=Have you been deliberately using the Microsoft Remote Assistance service?
=Turn on your firewall.
=See this bit in the Vundofix log?:
"Attempting to delete C:\WINDOWS\system32\dotnjajk.dll
C:\WINDOWS\system32\dotnjajk.dll Could not be deleted." -it means what it says, so you need to re-run Vundofix until it DOES delete all that it finds.
=Combofix does not yet? recognise, and is not capable of deleting the Godzilla worm. So let's try this to clean up a little....
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.

Killall::

File::
C:\WINDOWS\BM7358b998.xml
C:\Documents and Settings\Administrator\Application Data\inst.exe 
C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
C:\Windows\system32\xxyyvUoM.dll
J:\smss.exe
I:\smss.exe

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyvUoM]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63a9514c-cbd8-11dc-9cb4-b166290c1652}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{982cfd00-8444-11dc-b4da-86056f13b026}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a750cf0-9c19-11dc-b4e0-cef0eb2f6d51}]

Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start, let it run, if your firewall prompts then allow all; post the log.

==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin right-click menu using its default settings [if you set up CCleaner as I suggested, right-clicking the bin icon should give you the Open CCleaner option...].
If you have Firefox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/homeuse...s/activescan/?
-for the free online virus scan select the link Scan your PC, then Register [otherwise there will be no disinfection, merely detection] with a valid email and follow through.
Post the log it produces here.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by double-clicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
Your thumb drives will be infected by the worm - don't use them in other machines. In fact, delete their contents and reformat them.
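The indicators gerbil picks out of the logs above by eye (the VundoFix "Could not be deleted" line, the random-named Winlogon\Notify DLL, the silenced Security Center alerts, EnableFirewall=0, and the mountpoints2 AutoRun handlers that launch smss.exe from drive roots or wscript.exe) can be pulled out mechanically. The script below is an added example and is not part of this thread, of ComboFix or of VundoFix; it runs over a constructed excerpt of the logs posted above and emits a CFScript in the same File::/Registry:: form gerbil used. The regexes, the eight-letter random-name heuristic, the allowlist of default Winlogon\Notify subkeys and the decision of which findings belong in the CFScript are all assumptions of this example, not rules of the tools.

```python
"""Triage a VundoFix/ComboFix log for the indicators read off by eye above.
Added example, not part of the thread, ComboFix or VundoFix; SAMPLE_LOG is a
constructed excerpt of the logs posted above and all patterns are assumptions."""
import re

SAMPLE_LOG = r"""
Attempting to delete C:\WINDOWS\system32\dotnjajk.dll
C:\WINDOWS\system32\dotnjajk.dll Could not be deleted.
C:\WINDOWS\system32\efcrcwxw.dll Has been deleted!
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyvUoM]
xxyyvUoM.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63a9514c-cbd8-11dc-9cb4-b166290c1652}]
\Shell\AutoRun\command - J:\smss.exe
\Shell\Open\Command - J:\smss.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{982cfd00-8444-11dc-b4da-86056f13b026}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:26 15360]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
NOTIFY_RE = re.compile(r"winlogon\\notify\\([^\]\\]+)$", re.I)
MOUNTPOINT_RE = re.compile(r"mountpoints2\\(\{[0-9a-f-]+\})$", re.I)
SHELL_CMD_RE = re.compile(r"^\\Shell\\\w+\\command\s+-\s+(.+)$", re.I)
SC_DISABLE_RE = re.compile(r'^"\w*Disable(?:Notify|Monitoring)"=dword:0*1$', re.I)
FW_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
NOT_DELETED_RE = re.compile(r"^(.+?) Could not be deleted\.$")
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8}$")  # Vundo-style names such as xxyyvUoM
# Assumed allowlist: Winlogon\Notify subkeys normally present on XP SP2.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def is_suspicious_autorun(cmd):
    """A drive's AutoRun/Open handler must not launch smss.exe from the drive
    root (the real one lives in system32) or start a script host."""
    c = cmd.lower()
    if re.search(r"(^|\\)smss\.exe", c) and "\\system32\\smss.exe" not in c:
        return True
    return "wscript" in c or c.endswith(".vbs")


def triage(log_text):
    """Return (kind, detail) findings in log order."""
    findings, key = [], ""
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if m := SECTION_RE.match(line):  # new registry key header
            key = m.group(1)
            n = NOTIFY_RE.search(key)
            if n and n.group(1).lower() not in KNOWN_NOTIFY and RANDOM_NAME_RE.match(n.group(1)):
                findings.append(("winlogon_notify", key))
        elif m := NOT_DELETED_RE.match(line):  # re-run VundoFix until this is gone
            findings.append(("vundo_leftover", m.group(1)))
        elif SC_DISABLE_RE.match(line):  # Security Center alerts silenced
            findings.append(("security_center", key + " :: " + line))
        elif FW_OFF_RE.match(line):
            findings.append(("firewall_off", key))
        elif (mp := MOUNTPOINT_RE.search(key)) and (sc := SHELL_CMD_RE.match(line)):
            if is_suspicious_autorun(sc.group(1)):
                findings.append(("drive_autorun", (mp.group(1), sc.group(1))))
    return findings


def build_cfscript(findings):
    """Emit a CFScript in the File::/Registry:: form used above. Security Center
    and firewall findings are reported only; turning them back on is a user action."""
    files, keys = [], []
    for kind, detail in findings:
        if kind == "vundo_leftover":
            files.append(detail)
        elif kind == "winlogon_notify":
            keys.append(detail)
            files.append("C:\\WINDOWS\\system32\\" + detail.rsplit("\\", 1)[1] + ".dll")
        elif kind == "drive_autorun":
            guid, cmd = detail
            k = "HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\" + guid
            if k not in keys:
                keys.append(k)
            m = re.match(r"^[A-Za-z]:\\[\w.]+\.exe$", cmd)  # only a bare X:\file.exe can be named
            if m and cmd not in files:
                files.append(cmd)
    out = ["Killall::", "", "File::", *files, "", "Registry::"]
    for k in keys:
        out += ["", "[-" + k + "]"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("\n".join(f"{kind:16} {detail}" for kind, detail in found), "\n", build_cfscript(found))
```

Run it with `python triage_combofix.py` after pasting a real ComboFix.txt into SAMPLE_LOG (or reading it from a file). It only reads what ComboFix already printed, so it cannot see the wscript payload named in the rundll32 autorun line or anything on the thumb drives themselves; those keys are removed, but the drives still need wiping as gerbil says. Treat the generated CFScript the way the helpers here treat theirs: read every File:: and Registry:: line before dragging it onto ComboFix, because a wrong allowlist entry would queue a legitimate Winlogon DLL for deletion.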
