(RESOLVED) My Hijackthis log - Referred by Eric The Red

Started by BrianO, January 16, 2006, 02:08:09 PM


BrianO

Original Topic >> http://www.landzdown.com/index.php?topic=4485.0;topicseen

Logfile of HijackThis v1.99.1
Scan saved at 8:55:26 AM, on 1/16/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINNT\System32\svchost.exe
I:\PROGRA~1\VCOM\Fix-It\mxtask.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
F:\Program Files\Bell\Access Manager\app\TangoService.exe
F:\WINNT\system32\ZoneLabs\vsmon.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\system32\svchost.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\WINNT\Explorer.EXE
F:\WINNT\system32\VTTimer.exe
F:\Program Files\Logitech\iTouch\iTouch.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
I:\Program Files\ZoneAlarm\zlclient.exe
I:\Program Files\CallStation\CStation.exe
I:\qttask.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\WINNT\system32\ctfmon.exe
I:\Program Files\AutoSizer\AutoSizer.exe
I:\Program Files\CallStation\CStation.exe
I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
I:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - F:\WINNT\system32\jkkll.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] I:\Program Files\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CallStation] I:\Program Files\CallStation\CStation.exe
O4 - HKLM\..\Run: [QuickTime Task] "I:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AutoSizer] "I:\Program Files\AutoSizer\AutoSizer.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://i:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .pdf: F:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136756579843
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: jkkll - F:\WINNT\system32\jkkll.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - I:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - F:\Program Files\Bell\Access Manager\app\TangoService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINNT\system32\ZoneLabs\vsmon.exe

winchester73

Well, you have a pest named Virtumonde ...  :D

I'm not sure from your other thread exactly what you have already done, but here are the removal steps in order ...


Please download VundoFix.exe to your desktop:  http://www.atribune.org/downloads/VundoFix.exe

    Double-click VundoFix.exe to extract the files
    This will create a VundoFix folder on your desktop
    After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat

You will first be presented with a warning and a list of forums to seek help at.  It should look like this:

Quote:
VundoFix V2.13 by Atri
By pressing enter you agree that you are using this at your own risk

Press Enter one time.  Next you will see:

Quote:
Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

Please type the following file path (make sure to enter it exactly as below!):

F:\WINNT\system32\jkkll.dll

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

Next you will see:

Quote:
Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

Type the following file path (make sure to enter it exactly as below!):

F:\WINDOWS\system32\llkkj.*

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

The fix will automatically open up HijackThis.  Put a checkmark next to the following items and press "Fix Checked":

O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - F:\WINNT\system32\jkkll.dll

O20 - Winlogon Notify: jkkll - F:\WINNT\system32\jkkll.dll


Close HJT, and press any key to force a reboot of your computer.  You will get a "Blue Screen of Death" ... this is normal, do not worry!

Once your machine reboots, post a fresh HJT log and the vundofix.txt file (from the vundofix folder).
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member
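The diagnosis above rests on two log lines pointing at the same randomly named DLL in system32 (an O2 BHO and an O20 Winlogon Notify entry) plus a companion file whose name is the DLL name reversed. The following is an added example, not code from the thread, HijackThis or VundoFix: a small parser that scans HijackThis log lines for that pairing and derives the two file paths the fix asks for from the log's own Windows directory, so the WINNT vs WINDOWS mix-up the thread runs into cannot happen. The sample log lines are constructed from the first log in the thread; the function and variable names are this example's own.

```python
"""Flag HijackThis entries matching the Vundo/Virtumonde pattern discussed in
the thread: an O2 BHO and an O20 Winlogon Notify entry that both load the same
DLL directly from <windir>\\system32, and the reversed-name companion file
(jkkll -> llkkj.*).  Added example; not part of HijackThis or VundoFix.
"""
import re

# Constructed sample in HijackThis v1.99.1 line format (taken from the thread).
SAMPLE_LOG = r"""O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - F:\WINNT\system32\jkkll.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O20 - Winlogon Notify: jkkll - F:\WINNT\system32\jkkll.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# A DLL sitting directly in <drive>:\WINNT\system32 or <drive>:\WINDOWS\system32.
# Captures the Windows directory as written in the log, so later paths reuse it.
SYSTEM32_RE = re.compile(
    r"^(?P<windir>[a-z]:\\(?:winnt|windows))\\system32\\(?P<name>[^\\]+)\.dll$",
    re.IGNORECASE,
)


def parse_line(line):
    """Return (section, path) for O2/O20 lines, else None.

    HijackThis separates fields with ' - ' and puts the file path last, e.g.
    'O2 - BHO: <name> - {<CLSID>} - <path>' and
    'O20 - Winlogon Notify: <name> - <path>'.
    """
    parts = line.rstrip().split(" - ")
    if len(parts) < 3:
        return None
    section = parts[0].strip()
    if section not in ("O2", "O20"):
        return None
    return section, parts[-1].strip()


def find_vundo_candidates(log_text):
    """Return {dll_name: {"windir": str, "sections": [..]}} for every DLL that
    is loaded from system32 by BOTH an O2 and an O20 entry."""
    seen = {}  # lowercase DLL base name -> windir + set of sections loading it
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, path = parsed
        m = SYSTEM32_RE.match(path)
        if not m:
            continue
        entry = seen.setdefault(
            m.group("name").lower(), {"windir": m.group("windir"), "sections": set()}
        )
        entry["sections"].add(section)
    return {
        name: {"windir": e["windir"], "sections": sorted(e["sections"])}
        for name, e in seen.items()
        if {"O2", "O20"} <= e["sections"]
    }


def vundofix_paths(name, windir):
    """The two paths the thread's fix asks for: the DLL itself and the
    reversed-name companion, built from the log's own Windows directory."""
    return (
        f"{windir}\\system32\\{name}.dll",
        f"{windir}\\system32\\{name[::-1]}.*",
    )


def report(log_text):
    """Human-readable summary of candidates found in a log."""
    lines = []
    for name, info in find_vundo_candidates(log_text).items():
        dll_path, companion = vundofix_paths(name, info["windir"])
        lines.append(f"{name}.dll loaded by {', '.join(info['sections'])}")
        lines.append(f"  first path:  {dll_path}")
        lines.append(f"  second path: {companion}")
    return "\n".join(lines) if lines else "no O2/O20 pair pointing at one system32 DLL"


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The pairing check is the point: a legitimate BHO such as the Acrobat or Google Toolbar helper lives under Program Files and has no Winlogon Notify twin, so it never reaches the candidate list, while a single O2 entry in system32 on its own is reported as nothing rather than as an infection.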

BrianO

Winchester73, just to clarify ... the path you mentioned above was "F:\WINDOWS\system32\llkkj.*", did you mean F:\WINNT\system32\llkkj.* ?
F:\WINNT\system32\llkkj.* is what I entered and here is my new log.

Logfile of HijackThis v1.99.1
Scan saved at 9:56:09 AM, on 1/16/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINNT\System32\svchost.exe
I:\PROGRA~1\VCOM\Fix-It\mxtask.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
F:\Program Files\Bell\Access Manager\app\TangoService.exe
F:\WINNT\system32\ZoneLabs\vsmon.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\Explorer.EXE
F:\WINNT\system32\VTTimer.exe
F:\Program Files\Logitech\iTouch\iTouch.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
I:\Program Files\ZoneAlarm\zlclient.exe
I:\Program Files\CallStation\CStation.exe
I:\qttask.exe
I:\Program Files\CallStation\CStation.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\WINNT\system32\ctfmon.exe
I:\Program Files\AutoSizer\AutoSizer.exe
I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
I:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] I:\Program Files\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CallStation] I:\Program Files\CallStation\CStation.exe
O4 - HKLM\..\Run: [QuickTime Task] "I:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AutoSizer] "I:\Program Files\AutoSizer\AutoSizer.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://i:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .pdf: F:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136756579843
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - I:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - F:\Program Files\Bell\Access Manager\app\TangoService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINNT\system32\ZoneLabs\vsmon.exe


winchester73

Quote from: BrianO on January 16, 2006, 02:58:12 PM
Winchester73, just to clarify ... the path you mentioned above was "F:\WINDOWS\system32\llkkj.*", did you mean F:\WINNT\system32\llkkj.* ?
F:\WINNT\system32\llkkj.* is what I entered and here is my new log.


Yes ... the clever people responsible for this pest thought reversing jkkll to llkkj would be amusing.

That log looks much improved ... how is your problem?


BrianO

 :gwave:
All seems fine now. Also just installed a router but I think I'll keep ZA running as well.
Thanks for all the help. I had tried all of those fixes but probably messed up a step before.  :thumbsup:

winchester73

A lot of people miss the step that includes the alphabet reversal ...  :D

I have ZA on this box as well as a NAT router.  IMO, a layered defense works best.

winchester73

This issue has been reported as resolved.

I'll mark this thread "closed".