Can't Remove Jkkkjgf.dll Associated With Pmnki.dll

Started by jimbo8500 , Jul 27 2007 11:23 PM

Next

This topic is locked

24 replies to this topic

#1 jimbo8500

Member

Members
28 posts

Posted 27 July 2007 - 11:23 PM

Somehow some malware got onto my machine from a webpage.

It put files called snapsnet.exe, wavesnet and xpre.exe in my user temp file which I removed.

I got rid of pmnki.dll with VundoFix.

It appeared to try to connect to 82.98.235.61, (Cyber Technology BV BA/SPRL) which I blocked with my firewall.

I have cleaned pmnki.dll and jkkkjgf.dll from my registry, but jkkkjgf.dll keeps being restored!

Stopping processes that it might be associated with hasn't helped ...

Does anyone have any ideas about how to get rid of jkkkjgf.dll?

Back to top

#2 miekiemoes

Malware Killer Dog

Volunteer Security Advisor
4092 posts

Posted 28 July 2007 - 09:50 AM

Hello,

* Download Trend Micro Hijack This™
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

Back to top

#3 jimbo8500

Member

Members
28 posts

Posted 28 July 2007 - 12:39 PM

Here is the Hijackthis file. I have added space between the lines to hilite the file I'm talking about.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:57 PM, on 7/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Printkey.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\netstat.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Webbie\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: (no name) - {5CA51629-E62B-4FF9-857F-9A609F7D6F06} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - Startup: Shortcut to Remind_Me.rtf.lnk = C:\Documents and Settings\Jim\Start Menu\Programs\Startup\Remind_Me.rtf
O4 - Global Startup: Printkey.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\earthlinkim\aim.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft....k/?LinkId=82580
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us...an/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1181147560527
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1181147516373
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://64.84.107.59/activex/AMC.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.m...ted/mvt/mvt.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} (Yahoo! Photos Print-at-Home Tool Class) - http://us.dl1.yimg.c...printathome.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...769/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AE25CC8-A709-4296-9B6C-CE6434051298}: NameServer = 207.69.188.172 207.69.188.171

O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll

O22 - SharedTaskScheduler: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - C:\WINDOWS\System32\httge.dll (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee AntiSpyware Service - Unknown owner - c:\progra~1\mcafee\mcafee antispyware\massrv.exe (file missing)
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOW\System32\WLTRYSVC.EXE

--
End of file - 10787 bytes

Back to top

#4 miekiemoes

Malware Killer Dog

Volunteer Security Advisor
4092 posts

Posted 28 July 2007 - 02:18 PM

Hi,

Do you know this program?

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Printkey.exe

Please let me know as well.

I see you are running AdWatch.
I suggest you disable it because it can interfere with the fixes.

To disable AdWatch:

Open AdAware SE.
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both options. You can enable these after resolving your problem

Then, * Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Btw, no need to highlight anything in your logs, I know what files should be deleted or not

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

Back to top

#5 jimbo8500

Member

Members
28 posts

Posted 28 July 2007 - 04:20 PM

First, thank you so much for responding. I an VERY grateful.

Printkey is a screen capture utility. You can print all or part of the screen or save it as a file. See:

http://www.geocities.com/~gigaman/

I will follow your instructions and report back later today.

If it helps, in the midst of trying to stop the installation of the malware, I got an error message from something called NSIS installer. I can't find such a program on my machine. I captured an image of the error box using printkey!

Thank you again.

~Jim~

--- you asked ---

Do you know this program?

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Printkey.exe

Back to top

#6 jimbo8500

Member

Members
28 posts

Posted 28 July 2007 - 07:04 PM

I have run Combofix, and Hijackthis again.

The file jkkkjgf.dll is still there? What did Combofix quarantine?

Logs follow:
---------------------------------------------------------------------------------------------------
ComboFix 07-07-28 - "Froggy" 07/28/2007 13:19:40.1 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.True
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\DOWNLO~1.\Quarantine

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_IPRIP

((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-28 )))))))))))))))))))))))))))))))

2007-07-28 13:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-27 19:01 95,511 -ra------ C:\WINDOWS\system32\Vxdif.dll
2007-07-27 19:01 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2007-07-27 19:01 22,016 --a------ C:\WINDOWS\system32\drivers\mouclass.sys
2007-07-27 19:01 113,847 -ra------ C:\WINDOWS\system32\drivers\Apfiltr.sys
2007-07-27 19:01 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-07-26 21:37 31,254 --------- C:\WINDOWS\system32\jkkkjgf.dll
2007-07-26 14:19 69,632 --a------ C:\WINDOWS\system32\netos32.dll
2007-07-26 14:19 65,536 --a------ C:\WINDOWS\system32\netsrv32.dll
2007-07-25 11:01 <DIR> d-------- C:\Program Files\Orban
2007-07-15 22:54 <DIR> d-------- C:\DOCUME~1\Webbie\APPLIC~1\vlc
2007-07-15 22:50 <DIR> d-------- C:\Program Files\VideoLAN
2007-07-11 01:12 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-07-11 01:12 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-07-11 01:12 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-07-11 01:12 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-07-11 01:12 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-07-09 06:27 <DIR> d-------- C:\DOCUME~1\Webbie\APPLIC~1\McAfee

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-27 20:10 --------- d-------- C:\Program Files\Apoint
2007-07-27 08:39 --------- d-------- C:\Program Files\EarthLink 5.0
2007-07-25 10:03 23016 --a------ C:\WINDOWS\system32\nvModes.dat
2007-07-24 19:59 --------- d-------- C:\Program Files\McAfee
2007-07-20 18:56 --------- d-------- C:\Program Files\Microsoft AntiSpyware
2007-07-11 01:12 --------- d-------- C:\Program Files\Common Files\McAfee
2007-06-08 18:41 --------- d-------- C:\Program Files\Celebpics #1
2007-06-08 18:41 --------- d-------- C:\Program Files\CallWave
2007-06-03 16:12 --------- d-------- C:\DOCUME~1\ADMINI~1.HAL\APPLIC~1\Talkback
2007-06-03 02:23 --------- d-------- C:\Program Files\Yahoo!
2007-06-03 00:41 1536 --a------ C:\WINDOWS\system32\TrueSoft.dat
2007-06-01 14:25 --------- d-------- C:\Program Files\DivX
2007-05-31 02:45 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 02:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 02:44 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-05-21 17:41 335 --a------ C:\WINDOWS\mozregistry.dat
2007-05-21 14:03 1156 --a------ C:\WINDOWS\mozver.dat
2003-05-02 03:23 2047 --a------ C:\Program Files\uninstal.log
2003-05-01 01:16 13053 --a------ C:\Program Files\uninstaljoy.log

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]
2007-07-26 21:37 31254 --------- C:\WINDOWS\system32\jkkkjgf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA51629-E62B-4FF9-857F-9A609F7D6F06}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2003-02-24 16:35 C:\WINDOWS\system32\pctspk.exe]
"nwiz"="nwiz.exe" [2004-10-26 12:01 C:\WINDOWS\system32\nwiz.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2003-01-31 12:27]
"ConMgr.exe"="C:\Program Files\EarthLink 5.0\ConMgr.exe" [2002-01-04 00:18]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"AWMON"="C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 12:12]

C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Start Menu\Programs\Startup\
Reminder.lnk - C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.bat [2004-01-29 12:50:10]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Printkey.exe [1998-11-27 19:41:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{7be183d2-a42d-4915-bf60-ec86fbf002cf}"= C:\WINDOWS\System32\httge.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3964D8D6-86D0-493A-B460-A805B5401114}"= C:\WINDOWS\system32\jkkkjgf.dll [2007-07-26 21:37 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkjgf]
jkkkjgf.dll 2007-07-26 21:37 31254 C:\WINDOWS\system32\jkkkjgf.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EarthLink ToolBar 5.0.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\EarthLink ToolBar 5.0.lnk
backup=C:\WINDOWS\pss\EarthLink ToolBar 5.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]
"C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FastStart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster2]
C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"gusvc"=3 (0x3)
"wltrysvc"=2 (0x2)

R1 MPFP;MPFP;C:\WINDOWS\System32\Drivers\Mpfp.sys
R1 Tcpip6;Microsoft IPv6 Protocol Driver;C:\WINDOWS\System32\DRIVERS\tcpip6.sys
R2 6to4;IPv6 Helper Service;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 BASFND;BASFND;\??\C:\WINDOWS\System32\Drivers\BASFND.sys
R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\System32\DRIVERS\dsunidrv.sys
R2 IISADMIN;IIS Admin;C:\WINDOWS\System32\inetsrv\inetinfo.exe
R2 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 SimpTcp;Simple TCP/IP Services;C:\WINDOWS\System32\tcpsvcs.exe
R3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
R3 tunmp;Microsoft Tun Miniport Adapter Driver;C:\WINDOWS\System32\DRIVERS\tunmp.sys
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys
S3 LPDSVC;TCP/IP Print Server;C:\WINDOWS\System32\tcpsvcs.exe
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe -k p2psvc
S4 MSFtpsvc;FTP Publishing;C:\WINDOWS\System32\inetsrv\inetinfo.exe
S4 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
S4 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe
S4 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

Contents of the 'Scheduled Tasks' folder
2007-03-15 05:26:34 C:\WINDOWS\Tasks\McDefragTask.job - C:\WINDOWS\System32\defrag.exe
2006-12-01 06:00:53 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-28 13:29:51
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000001f4

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-28 13:35:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-28 13:35

--- E O F ---

---------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:13 PM, on 7/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Printkey.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: (no name) - {5CA51629-E62B-4FF9-857F-9A609F7D6F06} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - Startup: Reminder.lnk = C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.bat
O4 - Global Startup: Printkey.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\earthlinkim\aim.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft....k/?LinkId=82580
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us...an/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1181147560527
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1181147516373
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://64.84.107.59/activex/AMC.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.m...ted/mvt/mvt.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} (Yahoo! Photos Print-at-Home Tool Class) - http://us.dl1.yimg.c...printathome.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...769/mcfscan.cab
O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll
O22 - SharedTaskScheduler: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - C:\WINDOWS\System32\httge.dll (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee AntiSpyware Service - Unknown owner - c:\progra~1\mcafee\mcafee antispyware\massrv.exe (file missing)
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 10872 bytes

-----------------------------------------------------------------------------------------------

Back to top

#7 miekiemoes

Malware Killer Dog

Volunteer Security Advisor
4092 posts

Posted 28 July 2007 - 11:07 PM

Hi,

In your previous log, this entry was present:

O4 - Startup: Shortcut to Remind_Me.rtf.lnk = C:\Documents and Settings\Jim\Start Menu\Programs\Startup\Remind_Me.rtf

Now I see that one is gone and now this one is present:

O4 - Startup: Reminder.lnk = C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.bat

This is really confusing now since I don't know what you have been doing in between... So please don't do anything else apart from following my instructions, this to prevent confusion, otherwise I have no clue if some are created by you or created by malware.

Do you know above blastcln.bat?

The NSIS installer can be anything. This is because a certain program uses this installer and when you get an error, this means that t

Anyway, perform next please...

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll
O2 - BHO: (no name) - {5CA51629-E62B-4FF9-857F-9A609F7D6F06} - (no file)
O4 - Startup: Reminder.lnk = C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.bat <== check this if you don't know it
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll
O22 - SharedTaskScheduler: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - C:\WINDOWS\System32\httge.dll (file missing)

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Remove these folders if you don't know them, because the Celebpics folder certainly looks fishy and the fact that Callwave was modified the same time, they should be related in a way:

C:\Program Files\Celebpics #1
C:\Program Files\CallWave

Then, * Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\jkkkjgf.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA51629-E62B-4FF9-857F-9A609F7D6F06}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{7be183d2-a42d-4915-bf60-ec86fbf002cf}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3964D8D6-86D0-493A-B460-A805B5401114}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkjgf]

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

Back to top

#8 jimbo8500

Member

Members
28 posts

Posted 29 July 2007 - 03:32 AM

Instructions were followed EXACTLY.

"Remind_Me.rtf" is a To Do List. "blastcln.bat" is a batch file that runs the Microsoft Blaster Worm Removal Tool. I move things in and out of my "Startup" folder. Sorry.

In your previous log, this entry was present:
O4 - Startup: Shortcut to Remind_Me.rtf.lnk = C:\Documents and Settings\Jim\Start Menu\Programs\Startup\Remind_Me.rtf
Now I see that one is gone and now this one is present:
O4 - Startup: Reminder.lnk = C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.bat

Sorry, I will not change anything else.

This is really confusing now since I don't know what you have been doing in between... So please don't do anything else apart from following my instructions, this to prevent confusion, otherwise I have no clue if some are created by you or created by malware.

Do you know above blastcln.bat? <---<<< Microsoft Blaster Worm Removal Toll Batch file

Did exactly below:

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank <---<<<< WAS MISSING <<<<<<<
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll
O2 - BHO: (no name) - {5CA51629-E62B-4FF9-857F-9A609F7D6F06} - (no file)
O4 - Startup: Reminder.lnk = C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.bat <== check this if you don't know it
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll
O22 - SharedTaskScheduler: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - C:\WINDOWS\System32\httge.dll (file missing)

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Remove these folders if you don't know them, because the Celebpics folder certainly looks fishy and the fact that Callwave was modified the same time, they should be related in a way:

C:\Program Files\Celebpics #1 <---<<< Uninstalled and folder deleted - is a screensaver
C:\Program Files\CallWave <---<<< deleted

Did exactly below:

Then, * Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:
Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below. <---<<< CFScript disappeared after Combofix ran

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
[/quote]

After Combofix finished, ran Hijackthis scan. Combofix did NOT reboot.

------------------------------------------------------------------------------------------
ComboFix 07-07-28 - "Froggy" 2007-07-28 22:06:48.2 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\ComboFix\CFScript
* Created a new restore point

((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-29 )))))))))))))))))))))))))))))))

2007-07-28 19:01 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-28 13:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-27 19:01 95,511 -ra------ C:\WINDOWS\system32\Vxdif.dll
2007-07-27 19:01 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2007-07-27 19:01 22,016 --a------ C:\WINDOWS\system32\drivers\mouclass.sys
2007-07-27 19:01 113,847 -ra------ C:\WINDOWS\system32\drivers\Apfiltr.sys
2007-07-27 19:01 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-07-26 21:37 31,254 --------- C:\WINDOWS\system32\jkkkjgf.dll
2007-07-26 14:19 69,632 --a------ C:\WINDOWS\system32\netos32.dll
2007-07-26 14:19 65,536 --a------ C:\WINDOWS\system32\netsrv32.dll
2007-07-25 11:01 <DIR> d-------- C:\Program Files\Orban
2007-07-15 22:54 <DIR> d-------- C:\DOCUME~1\Webbie\APPLIC~1\vlc
2007-07-15 22:50 <DIR> d-------- C:\Program Files\VideoLAN
2007-07-11 01:12 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-07-11 01:12 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-07-11 01:12 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-07-11 01:12 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-07-11 01:12 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-07-09 06:27 <DIR> d-------- C:\DOCUME~1\Webbie\APPLIC~1\McAfee

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-27 20:10 --------- d-------- C:\Program Files\Apoint
2007-07-27 08:39 --------- d-------- C:\Program Files\EarthLink 5.0
2007-07-25 10:03 23016 --a------ C:\WINDOWS\system32\nvModes.dat
2007-07-24 19:59 --------- d-------- C:\Program Files\McAfee
2007-07-20 18:56 --------- d-------- C:\Program Files\Microsoft AntiSpyware
2007-07-11 01:12 --------- d-------- C:\Program Files\Common Files\McAfee
2007-06-03 16:12 --------- d-------- C:\DOCUME~1\ADMINI~1.HAL\APPLIC~1\Talkback
2007-06-03 02:23 --------- d-------- C:\Program Files\Yahoo!
2007-06-03 00:41 1536 --a------ C:\WINDOWS\system32\TrueSoft.dat
2007-06-01 14:25 --------- d-------- C:\Program Files\DivX
2007-05-31 02:45 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 02:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 02:44 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-05-21 17:41 335 --a------ C:\WINDOWS\mozregistry.dat
2007-05-21 14:03 1156 --a------ C:\WINDOWS\mozver.dat
2003-05-02 03:23 2047 --a------ C:\Program Files\uninstal.log
2003-05-01 01:16 13053 --a------ C:\Program Files\uninstaljoy.log

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]
2007-07-26 21:37 31254 --------- C:\WINDOWS\system32\jkkkjgf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2003-02-24 16:35 C:\WINDOWS\system32\pctspk.exe]
"nwiz"="nwiz.exe" [2004-10-26 12:01 C:\WINDOWS\system32\nwiz.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2003-01-31 12:27]
"ConMgr.exe"="C:\Program Files\EarthLink 5.0\ConMgr.exe" [2002-01-04 00:18]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"AWMON"="C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 12:12]

C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Start Menu\Programs\Startup\
Reminder.lnk - C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.bat [2004-01-29 12:50:10]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Printkey.exe [1998-11-27 19:41:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3964D8D6-86D0-493A-B460-A805B5401114}"= C:\WINDOWS\system32\jkkkjgf.dll [2007-07-26 21:37 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkjgf]
jkkkjgf.dll 2007-07-26 21:37 31254 C:\WINDOWS\system32\jkkkjgf.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EarthLink ToolBar 5.0.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\EarthLink ToolBar 5.0.lnk
backup=C:\WINDOWS\pss\EarthLink ToolBar 5.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]
"C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FastStart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster2]
C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"gusvc"=3 (0x3)
"wltrysvc"=2 (0x2)

R1 MPFP;MPFP;C:\WINDOWS\System32\Drivers\Mpfp.sys
R1 Tcpip6;Microsoft IPv6 Protocol Driver;C:\WINDOWS\System32\DRIVERS\tcpip6.sys
R2 6to4;IPv6 Helper Service;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 BASFND;BASFND;\??\C:\WINDOWS\System32\Drivers\BASFND.sys
R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\System32\DRIVERS\dsunidrv.sys
R2 IISADMIN;IIS Admin;C:\WINDOWS\System32\inetsrv\inetinfo.exe
R2 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 SimpTcp;Simple TCP/IP Services;C:\WINDOWS\System32\tcpsvcs.exe
R3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
R3 tunmp;Microsoft Tun Miniport Adapter Driver;C:\WINDOWS\System32\DRIVERS\tunmp.sys
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys
S3 LPDSVC;TCP/IP Print Server;C:\WINDOWS\System32\tcpsvcs.exe
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe -k p2psvc
S4 MSFtpsvc;FTP Publishing;C:\WINDOWS\System32\inetsrv\inetinfo.exe
S4 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
S4 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe
S4 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

Contents of the 'Scheduled Tasks' folder
2007-03-15 05:26:34 C:\WINDOWS\Tasks\McDefragTask.job - C:\WINDOWS\System32\defrag.exe
2006-12-01 06:00:53 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-28 22:18:18
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000508

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-28 22:21:42
C:\ComboFix-quarantined-files.txt ... 2007-07-28 22:21
C:\ComboFix2.txt ... 2007-07-28 13:35

--- E O F ---

------------------------------------------------------------------------------------------
jkkLogfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:23 PM, on 7/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Printkey.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - Startup: Reminder.lnk = C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.bat
O4 - Global Startup: Printkey.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\earthlinkim\aim.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft....k/?LinkId=82580
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us...an/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1181147560527
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1181147516373
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://64.84.107.59/activex/AMC.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.m...ted/mvt/mvt.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} (Yahoo! Photos Print-at-Home Tool Class) - http://us.dl1.yimg.c...printathome.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...769/mcfscan.cab
O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee AntiSpyware Service - Unknown owner - c:\progra~1\mcafee\mcafee antispyware\massrv.exe (file missing)
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 10242 bytes

------------------------------------------------------------------------------------------
The offending file remains. I followed your instructions VERY carefully. Thank you for spending this time to help me.

Back to top

#9 jimbo8500

Member

Members
28 posts

Posted 29 July 2007 - 03:53 AM

I meant to add, but forgot, that my " ... etc\HOSTS" file was trashed sometime between yesterday and today. I use the hosts file provided at "http://www.mvps.org/winhelp2002/", with my additions.

Back to top

#10 miekiemoes

Malware Killer Dog

Volunteer Security Advisor
4092 posts

Posted 29 July 2007 - 08:26 AM

Hi,

"Remind_Me.rtf" is a To Do List. "blastcln.bat" is a batch file that runs the Microsoft Blaster Worm Removal Tool. I move things in and out of my "Startup" folder. Sorry.

This is not needed since you're not dealing with Blaster, so please remove this from your startup folder.

You'll have to run CFScript again, because I don't see it was a txt file you created. The CFScript should be a txt file as it displayed in the screenshot, but as I see from the switch, I see a CFScript without an extension:

C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\ComboFix\CFScript

So please try again... Most probably you have extensions shown, so in your case it should be CFScript.txt you have to create.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

Back to top

#11 jimbo8500

Member

Members
28 posts

Posted 29 July 2007 - 03:55 PM

Hi,

I removed the blaster batch file.

This is not needed since you're not dealing with Blaster, so please remove this from your startup folder. <--<<< DONE

I created a new script file and named it "CFScript.txt"

You'll have to run CFScript again, because I don't see it was a txt file you created. The CFScript should be a txt file as it displayed in the screenshot, but as I see from the switch, I see a CFScript without an extension:
C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\ComboFix\CFScript

So please try again... Most probably you have extensions shown, so in your case it should be CFScript.txt you have to create.
[/quote]

I ran Hijackthis and "fixed" the items listed in your previous post. The items below did NOT appear in the scan list before fixing:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O22 - SharedTaskScheduler: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - C:\WINDOWS\System32\httge.dll (file missing)

Next, I ran Combofix by pasting "CFScript.txt" into Combofix as shown in your previous post. Combofix ran OK and did NOT reboot my system. I got alerts from McAfee, which I accepted.

Next, I ran Hijackthis and saved the log. Logs follow:

-----------------------------------------------------------------------------
ComboFix 07-07-28 - "Froggy" 2007-07-29 10:07:28.3 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\ComboFix\CFScript.txt
* Created a new restore point

((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-29 )))))))))))))))))))))))))))))))

2007-07-28 19:01 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-28 13:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-27 19:01 95,511 -ra------ C:\WINDOWS\system32\Vxdif.dll
2007-07-27 19:01 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2007-07-27 19:01 22,016 --a------ C:\WINDOWS\system32\drivers\mouclass.sys
2007-07-27 19:01 113,847 -ra------ C:\WINDOWS\system32\drivers\Apfiltr.sys
2007-07-27 19:01 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-07-26 21:37 31,254 --------- C:\WINDOWS\system32\jkkkjgf.dll
2007-07-26 14:19 69,632 --a------ C:\WINDOWS\system32\netos32.dll
2007-07-26 14:19 65,536 --a------ C:\WINDOWS\system32\netsrv32.dll
2007-07-25 11:01 <DIR> d-------- C:\Program Files\Orban
2007-07-15 22:54 <DIR> d-------- C:\DOCUME~1\Webbie\APPLIC~1\vlc
2007-07-15 22:50 <DIR> d-------- C:\Program Files\VideoLAN
2007-07-11 01:12 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-07-11 01:12 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-07-11 01:12 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-07-11 01:12 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-07-11 01:12 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-07-09 06:27 <DIR> d-------- C:\DOCUME~1\Webbie\APPLIC~1\McAfee

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-29 08:21 --------- d-------- C:\Program Files\EarthLink 5.0
2007-07-27 20:10 --------- d-------- C:\Program Files\Apoint
2007-07-25 10:03 23016 --a------ C:\WINDOWS\system32\nvModes.dat
2007-07-24 19:59 --------- d-------- C:\Program Files\McAfee
2007-07-20 18:56 --------- d-------- C:\Program Files\Microsoft AntiSpyware
2007-07-11 01:12 --------- d-------- C:\Program Files\Common Files\McAfee
2007-06-03 16:12 --------- d-------- C:\DOCUME~1\ADMINI~1.HAL\APPLIC~1\Talkback
2007-06-03 02:23 --------- d-------- C:\Program Files\Yahoo!
2007-06-03 00:41 1536 --a------ C:\WINDOWS\system32\TrueSoft.dat
2007-06-01 14:25 --------- d-------- C:\Program Files\DivX
2007-05-31 02:45 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 02:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 02:44 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-05-21 17:41 335 --a------ C:\WINDOWS\mozregistry.dat
2007-05-21 14:03 1156 --a------ C:\WINDOWS\mozver.dat
2003-05-02 03:23 2047 --a------ C:\Program Files\uninstal.log
2003-05-01 01:16 13053 --a------ C:\Program Files\uninstaljoy.log

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]
2007-07-26 21:37 31254 --------- C:\WINDOWS\system32\jkkkjgf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2003-02-24 16:35 C:\WINDOWS\system32\pctspk.exe]
"nwiz"="nwiz.exe" [2004-10-26 12:01 C:\WINDOWS\system32\nwiz.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2003-01-31 12:27]
"ConMgr.exe"="C:\Program Files\EarthLink 5.0\ConMgr.exe" [2002-01-04 00:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"AWMON"="C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 12:12]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Printkey.exe [1998-11-27 19:41:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3964D8D6-86D0-493A-B460-A805B5401114}"= C:\WINDOWS\system32\jkkkjgf.dll [2007-07-26 21:37 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkjgf]
jkkkjgf.dll 2007-07-26 21:37 31254 C:\WINDOWS\system32\jkkkjgf.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EarthLink ToolBar 5.0.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\EarthLink ToolBar 5.0.lnk
backup=C:\WINDOWS\pss\EarthLink ToolBar 5.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]
"C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FastStart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster2]
C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"gusvc"=3 (0x3)
"wltrysvc"=2 (0x2)

R1 MPFP;MPFP;C:\WINDOWS\System32\Drivers\Mpfp.sys
R1 Tcpip6;Microsoft IPv6 Protocol Driver;C:\WINDOWS\System32\DRIVERS\tcpip6.sys
R2 6to4;IPv6 Helper Service;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 BASFND;BASFND;\??\C:\WINDOWS\System32\Drivers\BASFND.sys
R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\System32\DRIVERS\dsunidrv.sys
R2 IISADMIN;IIS Admin;C:\WINDOWS\System32\inetsrv\inetinfo.exe
R2 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 SimpTcp;Simple TCP/IP Services;C:\WINDOWS\System32\tcpsvcs.exe
R3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
R3 tunmp;Microsoft Tun Miniport Adapter Driver;C:\WINDOWS\System32\DRIVERS\tunmp.sys
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys
S3 LPDSVC;TCP/IP Print Server;C:\WINDOWS\System32\tcpsvcs.exe
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe -k p2psvc
S4 MSFtpsvc;FTP Publishing;C:\WINDOWS\System32\inetsrv\inetinfo.exe
S4 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
S4 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe
S4 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

Contents of the 'Scheduled Tasks' folder
2007-03-15 05:26:34 C:\WINDOWS\Tasks\McDefragTask.job - C:\WINDOWS\System32\defrag.exe
2006-12-01 06:00:53 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-29 10:18:30
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000058b

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-29 10:21:48
C:\ComboFix-quarantined-files.txt ... 2007-07-29 10:21
C:\ComboFix2.txt ... 2007-07-28 22:21
C:\ComboFix3.txt ... 2007-07-28 13:35

--- E O F ---

-----------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:36 AM, on 7/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Printkey.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - Global Startup: Printkey.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\earthlinkim\aim.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft....k/?LinkId=82580
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us...an/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1181147560527
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1181147516373
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://64.84.107.59/activex/AMC.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.m...ted/mvt/mvt.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} (Yahoo! Photos Print-at-Home Tool Class) - http://us.dl1.yimg.c...printathome.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...769/mcfscan.cab
O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee AntiSpyware Service - Unknown owner - c:\progra~1\mcafee\mcafee antispyware\massrv.exe (file missing)
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 10093 bytes

-----------------------------------------------------------------------------
The offending file, jkkkjgf.dll, remains. I have followed your instructions exactly. Thank you for your patience. I think the Malware is altering my mouse driver. AdWatch pops-up changes to "Appoint". I also get Adwatch alerts for "NvCpl.dll". I attach recent events from my Adwatch log:

7/29/2007 10:34:47 AM> Registry modification detected
7/29/2007 10:34:47 AM>
7/29/2007 10:34:47 AM> Root:HKEY_LOCAL_MACHINE
7/29/2007 10:34:47 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
7/29/2007 10:34:47 AM> Value:Apoint
7/29/2007 10:34:47 AM> Data:C:\Program Files\Apoint\Apoint.exe
7/29/2007 10:34:47 AM> New Data:
7/29/2007 10:34:47 AM>
7/29/2007 10:34:58 AM> Registry modification detected
7/29/2007 10:34:58 AM>
7/29/2007 10:34:58 AM> Root:HKEY_LOCAL_MACHINE
7/29/2007 10:34:58 AM> Key:Software\Microsoft\Internet Explorer\Main
7/29/2007 10:34:58 AM> Value:Start Page
7/29/2007 10:34:58 AM> Data:http://my.earthlink.net
7/29/2007 10:34:58 AM> New Data:about:blank
7/29/2007 10:34:58 AM>
7/29/2007 10:39:07 AM> Registry modification detected
7/29/2007 10:39:07 AM>
7/29/2007 10:39:07 AM> Root:HKEY_LOCAL_MACHINE
7/29/2007 10:39:07 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
7/29/2007 10:39:07 AM> Value:Apoint
7/29/2007 10:39:07 AM> Data:
7/29/2007 10:39:07 AM> New Data:
7/29/2007 10:39:07 AM>
7/29/2007 10:39:33 AM> Registry modification detected
7/29/2007 10:39:33 AM>
7/29/2007 10:39:33 AM> Root:HKEY_LOCAL_MACHINE
7/29/2007 10:39:33 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
7/29/2007 10:39:33 AM> Value:NvCplDaemon
7/29/2007 10:39:33 AM> Data:RUNDLL32.EXE C:\WINDOWS1\System32\NvCpl.dll,NvStartup
7/29/2007 10:39:33 AM> New Data:
7/29/2007 10:39:33 AM>
7/29/2007 10:46:31 AM> Registry modification detected
7/29/2007 10:46:31 AM>
7/29/2007 10:46:31 AM> Root:HKEY_LOCAL_MACHINE
7/29/2007 10:46:31 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
7/29/2007 10:46:31 AM> Value:NvCplDaemon
7/29/2007 10:46:31 AM> Data:
7/29/2007 10:46:31 AM> New Data:RUNDLL32.EXE C:\WINDOWS1\System32\NvCpl.dll,NvStartup
7/29/2007 10:46:31 AM>

I really do not know what "NvCpl.dll" is doing!

Thank you again. I very much appreciate your patience and tolerance of my lesser skills.

Back to top

#12 miekiemoes

Malware Killer Dog

Volunteer Security Advisor
4092 posts

Posted 29 July 2007 - 04:25 PM

NvCpl.dll is related with your NVIDIA Display Properties Extension, nothing to worry about.. also Appoint is ok.

I think your adwatch is also interfering with the CFScript since it also modifies some startup entries.

I already asked you previously to disable adwatch during cleeanup, but it seems like it is still running and displaying alerts and interfering, so I recommend you uninstall Adaware in a meanwhile. You can reinstall it again afterwards when we are done here.

Then recreate the CFScript once again and drag it into combofix.

The post the logs afterwards. If that didn't work, we still have some other methods to try.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

Back to top

#13 jimbo8500

Member

Members
28 posts

Posted 29 July 2007 - 04:47 PM

I did an "End Process" in Windows Task Manager for the Adwatch process, BEFORE I ran Hijackthis and ComboFix. I didn't see any activity from Adwatch while running Combofix or Hijackthis. The "Appoint" change(s) change the display I see when I go to "Mouse" in Control Panel. It gets changed from my laptop touchpad to a regular mouse.

Can I just "turn off" Ad-watch and Ad-Aware using the System Configuration Utility (MSCONFIG)? I have a dailup connection, so downloading the software again is a PITA!

--- you wrote ---

NvCpl.dll is related with your NVIDIA Display Properties Extension, nothing to worry about.. also Appoint is ok.

I think your adwatch is also interfering with the CFScript since it also modifies some startup entries.

I already asked you previously to disable adwatch during cleeanup, but it seems like it is still running and displaying alerts and interfering, so I recommend you uninstall Adaware in a meanwhile. You can reinstall it again afterwards when we are done here.

Then recreate the CFScript once again and drag it into combofix.

The post the logs afterwards. If that didn't work, we still have some other methods to try.

Back to top

#14 miekiemoes

Malware Killer Dog

Volunteer Security Advisor
4092 posts

Posted 29 July 2007 - 04:56 PM

If I am not mistaken, even if you disable Adwatch via msconfig, it will be reloaded after Windows logon anyway. You can give it a try though..

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

Back to top

#15 jimbo8500

Member

Members
28 posts

Posted 29 July 2007 - 08:49 PM

Hi,

I ran Combofix and Hijackthis again with McAfee disabled and Adwatch not loaded. I unchecked "Load on Windows startup" in Adwatch Tools/Options and unchecked it in MSCONFIG/Startup. After the reboot, I checked "Task Manager" to assure Adwatch and McAfee were not loaded. Both were not shown in running processes. Combofix ran but did not reboot. When I scanned with Hijackthis, only two items remained from your previous "fix list", as below:

O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll
O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll

After I had run Combofix and Hijackthis, I again checked Taskmanager/Processes and neither McAfee nor Adwatch were running. I got no McAfee alerts during the process and no Adwatch alerts when I rebooted. Previously, Adwatch had popped-up asking for approval of what Combofix/Hijackthis changed.

If I am not mistaken, even if you disable Adwatch via msconfig, it will be reloaded after Windows logon anyway. You can give it a try though..
<---<<< It will be reloaded unless you uncheck it at Adwatch Tools/Options.

Logs follow:

--------------------------------------------------------------------------------------------
ComboFix 07-07-28 - "Froggy" 2007-07-29 13:57:55.4 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\ComboFix\CFScript.txt
* Created a new restore point

((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-29 )))))))))))))))))))))))))))))))

2007-07-29 10:39 95,511 -ra------ C:\WINDOWS\system32\Vxdif.dll
2007-07-29 10:39 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2007-07-29 10:39 22,016 --a------ C:\WINDOWS\system32\drivers\mouclass.sys
2007-07-29 10:39 113,847 -ra------ C:\WINDOWS\system32\drivers\Apfiltr.sys
2007-07-28 19:01 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-28 13:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-27 19:01 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-07-26 21:37 31,254 --------- C:\WINDOWS\system32\jkkkjgf.dll
2007-07-26 14:19 69,632 --a------ C:\WINDOWS\system32\netos32.dll
2007-07-26 14:19 65,536 --a------ C:\WINDOWS\system32\netsrv32.dll
2007-07-25 11:01 <DIR> d-------- C:\Program Files\Orban
2007-07-15 22:54 <DIR> d-------- C:\DOCUME~1\Webbie\APPLIC~1\vlc
2007-07-15 22:50 <DIR> d-------- C:\Program Files\VideoLAN
2007-07-11 01:12 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-07-11 01:12 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-07-11 01:12 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-07-11 01:12 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-07-11 01:12 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-07-09 06:27 <DIR> d-------- C:\DOCUME~1\Webbie\APPLIC~1\McAfee

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-29 10:39 --------- d-------- C:\Program Files\Apoint
2007-07-29 08:21 --------- d-------- C:\Program Files\EarthLink 5.0
2007-07-25 10:03 23016 --a------ C:\WINDOWS\system32\nvModes.dat
2007-07-24 19:59 --------- d-------- C:\Program Files\McAfee
2007-07-20 18:56 --------- d-------- C:\Program Files\Microsoft AntiSpyware
2007-07-11 01:12 --------- d-------- C:\Program Files\Common Files\McAfee
2007-06-03 16:12 --------- d-------- C:\DOCUME~1\ADMINI~1.HAL\APPLIC~1\Talkback
2007-06-03 02:23 --------- d-------- C:\Program Files\Yahoo!
2007-06-03 00:41 1536 --a------ C:\WINDOWS\system32\TrueSoft.dat
2007-06-01 14:25 --------- d-------- C:\Program Files\DivX
2007-05-31 02:45 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 02:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 02:44 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-05-21 17:41 335 --a------ C:\WINDOWS\mozregistry.dat
2007-05-21 14:03 1156 --a------ C:\WINDOWS\mozver.dat
2003-05-02 03:23 2047 --a------ C:\Program Files\uninstal.log
2003-05-01 01:16 13053 --a------ C:\Program Files\uninstaljoy.log

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]
2007-07-26 21:37 31254 --------- C:\WINDOWS\system32\jkkkjgf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2003-02-24 16:35 C:\WINDOWS\system32\pctspk.exe]
"nwiz"="nwiz.exe" [2004-10-26 12:01 C:\WINDOWS\system32\nwiz.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2003-01-31 12:27]
"ConMgr.exe"="C:\Program Files\EarthLink 5.0\ConMgr.exe" [2002-01-04 00:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Printkey.exe [1998-11-27 19:41:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3964D8D6-86D0-493A-B460-A805B5401114}"= C:\WINDOWS\system32\jkkkjgf.dll [2007-07-26 21:37 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkjgf]
jkkkjgf.dll 2007-07-26 21:37 31254 C:\WINDOWS\system32\jkkkjgf.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EarthLink ToolBar 5.0.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\EarthLink ToolBar 5.0.lnk
backup=C:\WINDOWS\pss\EarthLink ToolBar 5.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AWMON]
"C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]
"C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FastStart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster2]
C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"gusvc"=3 (0x3)
"wltrysvc"=2 (0x2)
"MpfService"=2 (0x2)
"McSysmon"=2 (0x2)
"McShield"=2 (0x2)
"McRedirector"=2 (0x2)
"mcpromgr"=2 (0x2)
"McODS"=2 (0x2)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"mcmispupdmgr"=3 (0x3)
"McDetect.exe"=2 (0x2)
"McAfee HackerWatch Service"=2 (0x2)
"McAfee AntiSpyware Service"=2 (0x2)
"Emproxy"=3 (0x3)

R1 MPFP;MPFP;C:\WINDOWS\System32\Drivers\Mpfp.sys
R1 Tcpip6;Microsoft IPv6 Protocol Driver;C:\WINDOWS\System32\DRIVERS\tcpip6.sys
R2 6to4;IPv6 Helper Service;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 BASFND;BASFND;\??\C:\WINDOWS\System32\Drivers\BASFND.sys
R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\System32\DRIVERS\dsunidrv.sys
R2 IISADMIN;IIS Admin;C:\WINDOWS\System32\inetsrv\inetinfo.exe
R2 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 SimpTcp;Simple TCP/IP Services;C:\WINDOWS\System32\tcpsvcs.exe
R3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
R3 tunmp;Microsoft Tun Miniport Adapter Driver;C:\WINDOWS\System32\DRIVERS\tunmp.sys
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys
S3 LPDSVC;TCP/IP Print Server;C:\WINDOWS\System32\tcpsvcs.exe
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe -k p2psvc
S4 MSFtpsvc;FTP Publishing;C:\WINDOWS\System32\inetsrv\inetinfo.exe
S4 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
S4 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe
S4 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

Contents of the 'Scheduled Tasks' folder
2007-03-15 05:26:34 C:\WINDOWS\Tasks\McDefragTask.job - C:\WINDOWS\System32\defrag.exe
2006-12-01 06:00:53 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-29 14:09:05
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000050d

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-29 14:11:53
C:\ComboFix-quarantined-files.txt ... 2007-07-29 14:11
C:\ComboFix2.txt ... 2007-07-29 10:21
C:\ComboFix3.txt ... 2007-07-28 22:21

--- E O F ---

--------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:27 PM, on 7/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\HiJackThis\HijackThis.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Utilities\Printkey.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Printkey.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\earthlinkim\aim.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft....k/?LinkId=82580
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us...an/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1181147560527
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1181147516373
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://64.84.107.59/activex/AMC.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.m...ted/mvt/mvt.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} (Yahoo! Photos Print-at-Home Tool Class) - http://us.dl1.yimg.c...printathome.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...769/mcfscan.cab
O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 8108 bytes

--------------------------------------------------------------------------------------------

The file, jkkkjgf.dll, remains. Whatever this thing is it tries to dial out using the "Windows Explorer" process. I keep wondering if it can collect passwords, etc?

I Googled for "jkkkjgf.dll" and found hits, but they are all in languages I can't read!

This thing is attached to "Winlogon.exe" and "explorer.exe", both of which are requied to function.

Do you think running Combofix and/or Hijackthis in safe mode would work? Somehow, a fix has to get in ahead of "Winlogon" and/or "explorer.exe", I think.

This seems to be a stubborn littel bug!

Thanks, again, for your patience and tolerance. I hope there is a more potent Malware killer in your arsenal.

~Jim~

Back to top

#16 miekiemoes

Malware Killer Dog

Volunteer Security Advisor
4092 posts

Posted 29 July 2007 - 08:56 PM

.. Yes, I know what this file is .. It is one of these Vundo/Virtumundo/Conhook variants and I know what it does.
Normally Combofix can deal with it without any problems, so not sure here if it's a third party interfering here with Combofix or anything else.

Anyway, don't bother about Combofix for now, but do next instead..

* Please download VundoFix.exe to your C:\.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
In case it says that nothing was found, Right click the list box (white box) in the main VundoFix window.
Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
In the Window: copy and paste next in the first field: C:\WINDOWS\SYSTEM32\jkkkjgf.dll
Click the “Add Files” button.
Click the "Close Window" button.
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

After reboot,

Post a new hijackthislog and the contents of C:\vundofix.txt in your next reply.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

Back to top

#17 jimbo8500

Member

Members
28 posts

Posted 29 July 2007 - 11:02 PM

Hi,

Can you please tell me if "Vundo/Virtumundo/Conhook" can capture and transmit personal information and/or passwords. I am trying to assess my exposure as I work through this?

.. Yes, I know what this file is .. It is one of these Vundo/Virtumundo/Conhook variants and I know what it does.

I need a break, so I will run Vundofix and post my logs in a while.

Thank you again for your help and patience.

~Jim~

Back to top

#18 miekiemoes

Malware Killer Dog

Volunteer Security Advisor
4092 posts

Posted 29 July 2007 - 11:17 PM

Can you please tell me if "Vundo/Virtumundo/Conhook" can capture and transmit personal information and/or passwords

No, it won't capture passwords etc...read here for more info:
http://www.symantec....-112111-3912-99
http://research.sunb...?threatid=45786

It's mainly adware, displaying popups/advertisements.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

Back to top

#19 jimbo8500

Member

Members
28 posts

Posted 30 July 2007 - 01:55 AM

Well ... at last it seems to be gone. If only I had known about the "Add More Files" Finction of VundoFix! If I had, it would have been fixed last Thursday night ... alas!

I'm glad to know Vundo isn't a serious threat ... thanks.

No, it won't capture passwords etc...read here for more info:
http://www.symantec....-112111-3912-99
http://research.sunb...?threatid=45786
It's mainly adware, displaying popups/advertisements.

I followed your instructions for VundoFix and "jkkkjgf.dll" is gone from "...\system32" folder! Logs follow:

--------------------------------------------------------------------------------------------

VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 5:26:16 PM 7/29/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

Beginning removal...

VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 5:30:52 PM 7/29/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\jkkkjgf.dll
C:\WINDOWS\SYSTEM32\jkkkjgf.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\jkkkjgf.dll
C:\WINDOWS\SYSTEM32\jkkkjgf.dll Has been deleted!

Performing Repairs to the registry.
Done!

--------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:55:54 PM, on 7/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Printkey.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
c:\program files\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Printkey.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\earthlinkim\aim.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft....k/?LinkId=82580
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us...an/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1181147560527
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1181147516373
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://64.84.107.59/activex/AMC.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.m...ted/mvt/mvt.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} (Yahoo! Photos Print-at-Home Tool Class) - http://us.dl1.yimg.c...printathome.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...769/mcfscan.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee AntiSpyware Service - Unknown owner - c:\progra~1\mcafee\mcafee antispyware\massrv.exe (file missing)
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 10061 bytes

--------------------------------------------------------------------------------------------

After I finished, I edited out the last registry entry, just to be sure!

My machine labors a bit after connecting to my ISP. Is there any lint that can be cleaned up?

My "mouse" software finally settled down. The Malware must have been tinkering with it.

You must have assumed I knew more about VundoFix than I really did!

I do, very much, appreciate your time and patience ... THANKS !!!

~Jim~

Back to top

#20 miekiemoes

Malware Killer Dog

Volunteer Security Advisor
4092 posts

Posted 30 July 2007 - 09:20 AM

Hi,

Check and fix next lefover in HijackThis:

O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll (file missing)

Delete next folders:

C:\Vundofix backups
C:\Qoobox

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

Back to top

Next

Back to Resolved/Inactive HijackThis Logs

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users