Hi!
I'm Neeraj, and my computer was also infected, but now it's free from viruses. I don't have HijackThis. I've run VundoFix.exe and ComboFix.exe. But I think that after executing ComboFix.exe some files are missing, and that's why some applications are not running. I even downloaded Java 6, but it has become some DOS application (its icon is like a DOS program), and when I run it, it says "Program is too big to fit in memory".
Here is the log file.
1. VundoFix
VundoFix V7.0.3
Scan started at 11:32:12 AM 07/05/2008
Listing files found while scanning....
C:\WINDOWS\system32\dotnjajk.dll
C:\WINDOWS\system32\efcrcwxw.dll
C:\WINDOWS\system32\kjajntod.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\dotnjajk.dll
C:\WINDOWS\system32\dotnjajk.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\efcrcwxw.dll
C:\WINDOWS\system32\efcrcwxw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\kjajntod.ini
C:\WINDOWS\system32\kjajntod.ini Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V7.0.3
Scan started at 11:55:32 AM 07/05/2008
Listing files found while scanning....
No infected files were found.
2. ComboFix
ComboFix 08-05-01.3 - Administrator 2008-05-07 12:46:32.1 - NTFSx86
Running from: E:\Downloads\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\buqalktd.dll
C:\WINDOWS\system32\jwihvobv.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\OoYGNqss.ini
C:\WINDOWS\system32\OoYGNqss.ini2
C:\WINDOWS\system32\oswpiksn.ini
C:\WINDOWS\system32\ssqNGYoO.dll
.
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.
2008-05-07 12:33 . 2008-05-07 12:33 <DIR> d--h-c--- C:\WINDOWS\PIF
2008-05-07 11:32 . 2008-05-07 11:54 <DIR> d----c--- C:\VundoFix Backups
2008-05-07 08:52 . 2008-05-07 08:52 2,112 --a--c--- C:\WINDOWS\system32\qogntmcy.exe
2008-05-06 10:38 . 2008-05-07 00:10 <DIR> d----c--- C:\Program Files\Norton AntiVirus
2008-05-06 10:38 . 2008-05-06 10:38 4,608 --a--c--- C:\WINDOWS\system32\drivers\symlcbrd.sys
2008-05-06 10:37 . 2008-05-06 10:54 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-06 10:37 . 2006-09-15 22:52 124,016 --a--c--- C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-06 10:37 . 2006-09-15 22:52 91,904 --a--c--- C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-06 10:36 . 2008-05-06 18:59 <DIR> d----c--- C:\Program Files\Symantec
2008-05-06 10:36 . 2008-05-07 09:58 <DIR> d----c--- C:\Program Files\Common Files\Symantec Shared
2008-05-06 10:35 . 2008-05-06 10:52 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-05 11:06 . 2005-08-06 16:12 519,944 --a--c--- C:\WINDOWS\LegitCheckControl.dll
2008-05-05 11:06 . 2006-05-13 14:18 435,464 --a--c--- C:\WINDOWS\legitlib.dll
2008-05-05 09:56 . 2008-05-05 10:04 <DIR> d----c--- C:\WINDOWS\SxsCaPendDel
2008-05-05 09:12 . 2008-05-05 09:12 51,355 --a--c--- C:\WINDOWS\system32\muzika.xm
2008-05-04 20:15 . 2005-06-21 16:43 163,840 --a--c--- C:\WINDOWS\system32\igfxres.dll
2008-05-04 17:04 . 2008-05-05 06:51 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-04 10:50 . 2008-05-07 08:52 109,803 --a--c--- C:\WINDOWS\BM7358b998.xml
2008-05-02 13:41 . 2008-05-02 13:41 <DIR> d----c--- C:\ner
2008-05-01 20:12 . 2008-05-01 20:12 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Teleca
2008-05-01 19:46 . 2008-05-01 19:47 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Teleca
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 14:11 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-05-04 14:11 --------- dc----w C:\Program Files\CyberLink
2008-05-04 03:12 --------- dc----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-04 03:06 --------- dc----w C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-04-28 01:20 --------- dc----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-04-27 16:35 50,944 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-04-04 07:50 --------- dc----w C:\Program Files\Common Files\Adobe
2007-12-30 04:18 87,608 -c--a-w C:\Documents and Settings\Administrator\Application Data\inst.exe
2007-12-30 04:18 47,360 -c--a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
.
------- Sigcheck -------
2004-08-04 06:44 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-04 06:44 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-03 12:03 502272 6e8ca4fcb30282f216f5db9dd58a5f81 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:26 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 16:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 16:44 126976]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"PCMService"="D:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2007-03-02 17:55 159744]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 22:17 52256]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 21:01 71216]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-08-14 01:47 58488]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-08-03 13:56 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRun"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoNetworkConnections"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= D:\Program Files\DVD Region+CSS Free\DVDShell.dll [2004-10-09 15:18 49152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyvUoM]
xxyyvUoM.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\FlashGet\\flashget.exe"=
"D:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"D:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"D:\\Program Files\\CyberLink\\PowerCinema\\PCMService.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63a9514c-cbd8-11dc-9cb4-b166290c1652}]
\Shell\Autoplay\Command - J:\smss.exe
\Shell\AutoRun\command - J:\smss.exe
\Shell\Explore\Command - J:\smss.exe
\Shell\Open\Command - J:\smss.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{982cfd00-8444-11dc-b4da-86056f13b026}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a750cf0-9c19-11dc-b4e0-cef0eb2f6d51}]
\Shell\Autoplay\Command - I:\smss.exe
\Shell\AutoRun\command - I:\smss.exe
\Shell\Explore\Command - I:\smss.exe
\Shell\Open\Command - I:\smss.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-06 05:29:41 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Administrator.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 12:57:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-05-07 13:10:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-07 07:39:57
Pre-Run: 5,053,763,584 bytes free
Post-Run: 5,010,583,552 bytes free
162
Please help me. Should I repair Windows XP?
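The ComboFix "Reg Loading Points" section above contains several entries a responder would flag on sight: autorun handlers under mountpoints2 that launch an executable from the root of a mounted volume (smss.exe on J: and I:, a .vbs via wscript.exe), Security Center notifications for antivirus and updates switched off, the Windows Firewall disabled for the standard profile, and a Winlogon notify package with a random-looking DLL name. The following script is an added editorial example, not a tool from the forum or its helpers, and not a cleaner: it reads a pasted log in that format and lists those indicators so a reader can see how the raw lines map to findings. The sample lines are a subset copied from the posted log; the heuristics (key substrings, regexes, the "launched from a volume root" test) are assumptions of this example.

```python
import re

# Constructed sample: a subset of the "Reg Loading Points" lines from the ComboFix
# log posted above, copied verbatim so the findings can be checked against it.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:26 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyvUoM]
xxyyvUoM.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63a9514c-cbd8-11dc-9cb4-b166290c1652}]
\Shell\Autoplay\Command - J:\smss.exe
\Shell\AutoRun\command - J:\smss.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{982cfd00-8444-11dc-b4da-86056f13b026}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs
"""

REG_KEY = re.compile(r"^\[(.+)\]$")                     # [HKEY_...\path] section header
AUTORUN_CMD = re.compile(r"^\\Shell\\\w+\\[Cc]ommand - (.+)$")  # mountpoints2 shell verb handler
DWORD_ONE = re.compile(r'^"(\w+)"=dword:0*1$')           # "Name"=dword:00000001
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')   # "EnableFirewall"= 0 (0x0)
ROOT_LAUNCH = re.compile(r"^([A-Za-z]):\\[^\\]+\.(?:exe|vbs|bat|cmd|scr)$", re.I)


def root_launch(command):
    """Return the drive letter if the command runs a script/executable sitting
    directly in a volume root (the classic removable-media autorun layout),
    else None. Heuristic assumed by this example."""
    m = ROOT_LAUNCH.match(command.strip())
    return m.group(1).upper() if m else None


def triage(log_text):
    """Walk the registry-style lines of a ComboFix 'Reg Loading Points' dump and
    return (finding_kind, key, detail) tuples for the indicators listed above."""
    findings = []
    key = None
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = REG_KEY.match(line)
        if m:
            key = m.group(1).lower()   # case-insensitive: ComboFix mixes HKLM casing
            continue
        if key is None:
            continue
        if "\\mountpoints2\\" in key:
            m = AUTORUN_CMD.match(line)
            if m:
                cmd = m.group(1)
                drive = root_launch(cmd)
                note = f"launches from root of volume {drive}:" if drive else "shell verb hijacked"
                findings.append(("autorun-handler", key, f"{cmd} ({note})"))
        elif key.endswith("\\security center"):
            m = DWORD_ONE.match(line)
            if m and m.group(1).endswith("DisableNotify"):
                findings.append(("security-center-notify-off", key, m.group(1)))
        elif "firewallpolicy\\standardprofile" in key and FIREWALL_OFF.match(line):
            findings.append(("firewall-disabled", key, line))
        elif "\\winlogon\\notify\\" in key and line.lower().endswith(".dll"):
            findings.append(("winlogon-notify-dll", key, line))
    return findings


def summarize(findings):
    """Count findings per kind, for a quick overview of the log."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for kind, key, detail in results:
        print(f"{kind:28} {detail}")
    print(summarize(results))
```

Only the indicators that actually appear in this thread's log are modelled; a real triage would also cross-check the file system listings (the randomly named DLLs VundoFix removed, the new .exe in system32) and the "Sigcheck" mismatch between dllcache\tcpip.sys and drivers\tcpip.sys, but that is a manual judgement rather than a line-matching rule.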
Hello kingt36! Welcome to The Forums.
My name is Rahina Rescue and I will be handling your log to help you get cleaned up.
We'll Begin.
Step #1
Please download VundoFix.exe to your desktop
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
- Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Step #2
Download the latest version of Java Runtime Environment (JRE) 6
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
Step #3
Please download Combofix to your desktop.
- Double click on Combofix.exe & follow the prompts.
- When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
In your next reply please post:
- VundoFix.txt
- Combofix.txt
- HijackThis logfile