phvakil Posted November 21, 2007

Hi, I'm trying to fix my laptop. It takes a long time for Windows XP to load and whenever I type a search in Google a pop-up comes up. I ran Kaspersky Online Scanner and it said there were 6 viruses... I will post both my hijackthis.log and virus scan results. Thank you for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:23 PM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\xgykbvjh.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Harish Vakil\My Documents\HJT\HJTInstall.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?p=1149026369
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089E4E86-94F2-485D-A073-94B857D5E202} - (no file)
O2 - BHO: (no name) - {0BE9877F-6FF7-4C11-8466-165888DC1CCB} - C:\WINDOWS\system32\ddaba.dll
O2 - BHO: {9238f831-6fdf-1478-a084-9785d83b4554} - {4554b38d-5879-480a-8741-fdf6138f8329} - C:\WINDOWS\system32\ttugcssu.dll
O2 - BHO: (no name) - {586CE097-554C-4372-89CB-1AD401503330} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PRONoMgrWired] "C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [7053a207] rundll32.exe "C:\WINDOWS\system32\lldritsm.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O20 - Winlogon Notify: jkhff - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\xgykbvjh.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7426 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 21, 2007 3:32:36 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/11/2007
Kaspersky Anti-Virus database records: 463062
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 70407
Number of viruses found: 6
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 01:17:12

Infected Object Name / Virus Name / Last Action
C:\check_LSA7.txt Object is locked skipped
C:\Deckard\System Scanner\backup\DOCUME~1\HARISH~1\LOCALS~1\Temp\jiygrtic.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Deckard\System Scanner\backup\DOCUME~1\HARISH~1\LOCALS~1\Temp\xrun.exe Infected: Trojan-Downloader.Win32.Agent.dxj skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users\Application Data\SupportSoft\DellSupportCenter\SYSTEM\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Harish Vakil\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Harish Vakil\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Harish Vakil\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Harish Vakil\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Harish Vakil\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Harish Vakil\Local Settings\History\History.IE5\MSHist012007112120071122\index.dat Object is locked skipped
C:\Documents and Settings\Harish Vakil\Local Settings\Temp\~DFC573.tmp Object is locked skipped
C:\Documents and Settings\Harish Vakil\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Harish Vakil\Local Settings\Temporary Internet Files\Content.IE5\2FYOIXZW\poiu[1] Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\Harish Vakil\Local Settings\Temporary Internet Files\Content.IE5\72A0Y2Q2\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\Harish Vakil\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Harish Vakil\Local Settings\Temporary Internet Files\Content.IE5\YPOP3CT4\pochki20071106[1] Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Documents and Settings\Harish Vakil\ntuser.dat Object is locked skipped
C:\Documents and Settings\Harish Vakil\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP464\A0047588.dll Infected: not-a-virus:AdWare.Win32.MyWay.v skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP467\A0048097.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arv skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP468\A0048436.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP468\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{06941483-16FD-4BE6-9EAA-2D1C877C665F}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\lldritsm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\smrybvur.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\ssqpono.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arv skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xgykbvjh.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\xxywuuu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.arv skipped
C:\WINDOWS\Temp\Perflib_Perfdata_71c.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
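As an added example, not part of the original thread or of HijackThis itself: a small Python triage script that flags the kinds of HijackThis entries a log helper reads first (an unnamed BHO that is actually present on disk, a Run entry that loads a system32 DLL through rundll32, a Winlogon Notify hook, a service with an empty vendor field) and cross-references each flagged path against the "Infected:" lines of the Kaspersky report. The sample input is a constructed excerpt copied from the two logs above, and the heuristics and function names are this example's own assumptions, not anything the tools define.

```python
import re

# Constructed sample input: a few entries copied from the HijackThis log and
# the Kaspersky report in the post above (not the complete logs).
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {0BE9877F-6FF7-4C11-8466-165888DC1CCB} - C:\WINDOWS\system32\ddaba.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [7053a207] rundll32.exe "C:\WINDOWS\system32\lldritsm.dll",b
O20 - Winlogon Notify: jkhff - C:\WINDOWS\
O23 - Service: DomainService - - C:\WINDOWS\system32\xgykbvjh.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
"""
KAV_SAMPLE = r"""
C:\WINDOWS\system32\lldritsm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\xgykbvjh.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# "<path> Infected: <detection> <action>" lines only; locked/skipped objects are ignored.
KAV_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) \S+$")
# First drive-letter path ending in .dll/.exe inside an entry (quotes excluded).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe)', re.IGNORECASE)

def parse_kav(report):
    """Map lower-cased file path -> Kaspersky detection name."""
    hits = {}
    for line in report.splitlines():
        m = KAV_RE.match(line.strip())
        if m:
            hits[m.group("path").lower()] = m.group("name")
    return hits

def triage_hjt(log, kav_hits):
    """Return (section, path, reason, detection) for entries worth a hand review."""
    findings = []
    for line in log.splitlines():
        section, _, rest = line.strip().partition(" - ")
        low = rest.lower()
        reason = None
        if section == "O2" and rest.startswith("BHO: (no name)") and not rest.endswith("(no file)"):
            reason = "unnamed BHO backed by a DLL that is present on disk"
        elif section == "O4" and "rundll32.exe" in low and "\\system32\\" in low:
            reason = "Run entry loading a system32 DLL through rundll32"
        elif section == "O20":
            reason = "Winlogon Notify hook, loaded at every logon"
        elif section == "O23" and " - - " in rest:
            reason = "service with an empty vendor field"
        if reason:
            m = PATH_RE.search(rest)
            path = m.group(0) if m else rest.rsplit(" - ", 1)[-1]
            findings.append((section, path, reason, kav_hits.get(path.lower())))
    return findings
```

Entries the scanner already names (here lldritsm.dll and xgykbvjh.exe) come back with their detection attached; the rest are flagged for manual review only, since a heuristic match is not proof of infection.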
sarahw Posted December 1, 2007

Hi,

Welcome to the site. I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.

You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode so you will be unable to access this thread at that time. Please don't use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition than it is when infected) if used incorrectly.

These instructions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat.
sarahw Posted December 1, 2007

Hi phvakil,

Please follow these instructions:

1. Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
When you have completed all the instructions, post the contents of C:\vundofix.txt in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

2. Download ComboFix from Here or Here to your Desktop.
Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. You will need that for your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

3. Post the VundoFix log and the ComboFix log with a fresh HijackThis log in your next reply.