Topic: Hijack This Log please help

kbrassfi
Hijack This Log please help
« on: October 04, 2006, 09:05:18 PM »
OK, I have run both Adaware and Spybot (both updated), and here is my log from HJT:

Logfile of HijackThis v1.99.1
Scan saved at 1:56:05 PM, on 10/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kirk Brassfield\My Documents\Programs\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: (no name) - {0534DDB8-5DA1-4E24-A3B2-B34FC7C29B6B} - C:\WINDOWS\System32\jkkll.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvil1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsc17F.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\System32\krjrllki.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158392543174
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158392357142
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: jkkll - C:\WINDOWS\System32\jkkll.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe


winchester73 (Administrator)
Re: Hijack This Log please help
« Reply #1 on: October 04, 2006, 10:49:42 PM »
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a fresh HJT log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member



winchester73 (Administrator)
Re: Hijack This Log please help
« Reply #2 on: October 04, 2006, 10:50:41 PM »
Quote
Platform: Windows XP SP1 (WinNT 5.01.2600)

When you are all cleaned up, you'll want to update to SP2.  Also, you'll want to make sure your Java is fully updated.

kbrassfi
Re: Hijack This Log please help
« Reply #3 on: October 05, 2006, 03:34:28 AM »
OK, as requested here are the two logs, the VundoFix one first. As a side note, the program ended up freezing up on me, and I had to turn off my computer. When I turned it back on it kept trying to read the CD-ROM; I took the battery off of the board and it started fine. I ran VundoFix again and it showed no problems, but I was able to find the log that showed it did complete the first time.


VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.6

Scan started at 9:04:17 PM 10/3/2006

Listing files found while scanning....

C:\WINDOWS\system32\ndcnnlte.dll

Beginning removal...

 Attempting to delete C:\WINDOWS\system32\ndcnnlte.dll
C:\WINDOWS\system32\ndcnnlte.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.0

Checking Java version...

Java version is 1.5.0.6

Scan started at 4:25:12 PM 10/4/2006

Listing files found while scanning....

C:\WINDOWS\system32\gwecsanv.dll
C:\WINDOWS\system32\kfjrhidq.dll
C:\WINDOWS\system32\orieclfi.dll
C:\WINDOWS\system32\rimcdvyu.dll
C:\WINDOWS\system32\rxtiuaey.dll
C:\WINDOWS\system32\twtfpcvi.dll
C:\WINDOWS\system32\ycmxayyp.dll
C:\WINDOWS\system32\yuuvvumw.dll
C:\WINDOWS\System32\jkkll.dll
C:\WINDOWS\System32\llkkj.ini
C:\WINDOWS\System32\llkkj.bak1
C:\WINDOWS\System32\llkkj.bak2
C:\WINDOWS\System32\llkkj.ini2
C:\WINDOWS\System32\llkkj.tmp

Beginning removal...

 Attempting to delete C:\WINDOWS\system32\gwecsanv.dll
C:\WINDOWS\system32\gwecsanv.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\kfjrhidq.dll
C:\WINDOWS\system32\kfjrhidq.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\orieclfi.dll
C:\WINDOWS\system32\orieclfi.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\rimcdvyu.dll
C:\WINDOWS\system32\rimcdvyu.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\rxtiuaey.dll
C:\WINDOWS\system32\rxtiuaey.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\twtfpcvi.dll
C:\WINDOWS\system32\twtfpcvi.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ycmxayyp.dll
C:\WINDOWS\system32\ycmxayyp.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\yuuvvumw.dll
C:\WINDOWS\system32\yuuvvumw.dll Has been deleted!

 Attempting to delete C:\WINDOWS\System32\jkkll.dll
C:\WINDOWS\System32\jkkll.dll Has been deleted!

 Attempting to delete C:\WINDOWS\System32\llkkj.ini
C:\WINDOWS\System32\llkkj.ini Has been deleted!

 Attempting to delete C:\WINDOWS\System32\llkkj.bak1
C:\WINDOWS\System32\llkkj.bak1 Has been deleted!

 Attempting to delete C:\WINDOWS\System32\llkkj.bak2
C:\WINDOWS\System32\llkkj.bak2 Has been deleted!

 Attempting to delete C:\WINDOWS\System32\llkkj.ini2
C:\WINDOWS\System32\llkkj.ini2 Has been deleted!

 Attempting to delete C:\WINDOWS\System32\llkkj.tmp
C:\WINDOWS\System32\llkkj.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.0

Checking Java version...

Java version is 1.5.0.6

Scan started at 8:02:46 PM 10/4/2006

Listing files found while scanning....

No infected files were found.

And now here is the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 8:17:44 PM, on 10/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Kirk Brassfield\My Documents\Programs\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0534DDB8-5DA1-4E24-A3B2-B34FC7C29B6B} - C:\WINDOWS\System32\jkkll.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvil1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsc17F.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\System32\krjrllki.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158392543174
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158392357142
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe


winchester73 (Administrator)
Re: Hijack This Log please help
« Reply #4 on: October 05, 2006, 01:39:59 PM »
That HJT log is a bit thin on running processes, and I'm not sure Vundo is completely gone ... and you also have evidence of Begin2Search ... but let's try something simple first.

Close all open windows (especially Internet), and scan/run HJT again.  Use your mouse to checkmark the box next to the following items, and press "Fix Checked":

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {0534DDB8-5DA1-4E24-A3B2-B34FC7C29B6B} - C:\WINDOWS\System32\jkkll.dll (file missing)
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvil1.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsc17F.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\System32\krjrllki.dll


Now, reboot your computer, run HJT again, and post a fresh log.
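The triage winchester73 does by eye in Reply #4 (tick the BHOs that load from System32, the orphaned entry marked "(file missing)", and restore the missing default URLSearchHook) can be written down as rules. The script below is an added example for this page, not a tool from the thread or from the HijackThis project. It runs those rules over lines copied from the HJT logs posted above, and adds one more check drawn from the VundoFix output in Reply #3: the O20 Winlogon Notify entry for jkkll.dll and the matching llkkj.ini / llkkj.bak* files, whose names are the DLL name reversed. The small allowlist of Winlogon Notify packages is an assumption (a partial list for Windows XP), as is the rule that a BHO living in System32 rather than under Program Files is suspect.

```python
"""Triage heuristics for HijackThis (HJT) log lines: BHOs loading from System32,
orphaned BHO entries, unknown Winlogon Notify packages, and Vundo-style
reversed-name file pairs.  Added example; not part of HijackThis or VundoFix."""
import ntpath
import re
from dataclasses import dataclass

# Lines copied from the HJT logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {0534DDB8-5DA1-4E24-A3B2-B34FC7C29B6B} - C:\WINDOWS\System32\jkkll.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvil1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsc17F.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\System32\krjrllki.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: jkkll - C:\WINDOWS\System32\jkkll.dll
R3 - Default URLSearchHook is missing
"""

# Files listed by the VundoFix run posted in Reply #3 (subset).
SAMPLE_VUNDOFIX_FILES = [
    r"C:\WINDOWS\system32\gwecsanv.dll",
    r"C:\WINDOWS\System32\jkkll.dll",
    r"C:\WINDOWS\System32\llkkj.ini",
    r"C:\WINDOWS\System32\llkkj.bak1",
]

# Partial allowlist of Winlogon Notify packages that ship with Windows XP.
# Assumption: extend it for the build you are looking at; anything else is suspect.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def in_system32(path: str) -> bool:
    """True when the path sits under a System32 directory (case-insensitive)."""
    return "\\system32\\" in ntpath.normcase(path)


def triage(log_text: str) -> list:
    """Return the HJT lines a helper would tick for 'Fix Checked', with a reason each."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            if m["missing"]:
                findings.append(Finding(line, "orphaned BHO: CLSID still registered but its DLL is gone"))
            elif in_system32(m["path"]):
                # Legitimate BHOs install under Program Files; Vundo drops its DLLs into System32.
                findings.append(Finding(line, "BHO loading from System32"))
            continue
        m = O20_RE.match(line)
        if m and m["key"].lower() not in KNOWN_WINLOGON_NOTIFY:
            findings.append(Finding(line, "unknown Winlogon Notify package (loaded by winlogon.exe at every logon)"))
            continue
        if line == "R3 - Default URLSearchHook is missing":
            findings.append(Finding(line, "default URLSearchHook removed; tick it so HJT restores the default"))
    return findings


def reversed_name_pairs(paths) -> list:
    """Find DLLs whose reversed stem names another file (jkkll.dll <-> llkkj.ini), a Vundo habit."""
    stems = {}
    for p in paths:
        stem, ext = ntpath.splitext(ntpath.basename(p).lower())
        stems.setdefault(stem, set()).add(ext)
    pairs = []
    for stem, exts in stems.items():
        mirror = stem[::-1]
        if ".dll" in exts and mirror != stem and mirror in stems:
            pairs.append((stem + ".dll", sorted(mirror + e for e in stems[mirror])))
    return sorted(pairs)


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"FIX  {f.line}\n     {f.reason}")
    for dll, mates in reversed_name_pairs(SAMPLE_VUNDOFIX_FILES):
        print(f"PAIR {dll} <-> {', '.join(mates)}")
```

Run against the lines above it flags exactly the five items winchester73 listed plus the O20 entry from the first log, and leaves the Adobe, Spybot and Java BHOs alone. The reversed-name check only needs a file listing, so it is also a quick way to confirm that a VundoFix run removed both halves of a pair rather than just the DLL.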