hijCK THIS PLEASE HELP

Question

Logfile of HijackThis v1.99.1 Scan saved at 8:38:52 PM, on 12/30/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Norton AntiVirus
avapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\Program Files\Spyware Doctor\sdhelp.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\clb37214.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Common Files\Real\Update_OBealsched.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Dell Support\DSAgnt.exe C:\PROGRA~1\SPYWAR~1\swdoctor.exe C:\Program Files\Lexmark X125\LEX125SU.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\PROGRA~1\NORTON~1
avw32.exe C:\PROGRA~1\NORTON~1
avw32.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe C:\WINDOWS\explorer.exe C:\PROGRA~1\NORTON~1\Navw32.exe C:\Documents and Settings\Owner.JORDAN.000\My Documents\hjt\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing) O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1	ools\iesdsg.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1	ools\iesdpb.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\pmkjh.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe O4 - HKLM\..\Run: [8ebc51208e3c] C:\WINDOWS\system32\clb37214.exe O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottime O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe' O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [ccApp] 'C:\Program Files\Common Files\Symantec Shared\ccApp.exe' O4 - HKLM\..\Run: [TkBellExe] 'C:\Program Files\Common Files\Real\Update_OBealsched.exe' -osboot O4 - HKCU\..\Run: [MsnMsgr] 'C:\Program Files\MSN Messenger\MsnMsgr.Exe' /background O4 - HKCU\..\Run: [MSMSGS] 'C:\Program Files\Messenger\msmsgs.exe' /background O4 - HKCU\..\Run: [DellSupport] 'C:\Program Files\Dell Support\DSAgnt.exe' /startup O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin
pjpi142.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin
pjpi142.dll O9 - Extra button: (no name) - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - C:\WINDOWS\System32\IEDriver\TD.exe (file missing) O9 - Extra 'Tools' menuitem: MaxSpeed - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - C:\WINDOWS\System32\IEDriver\TD.exe (file missing) O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1	ools\iesdpb.dll O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS
ppdf32.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {4788DE08-3552-49EA-AC8C-233DA52523B9} (RIM AxLoader) - http://www.blackberry.com/messenger/AxLoader.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125810717468 O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChatENU/TLIEFlash.CAB O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4581/mcfscan.cab O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: pmkjh - C:\WINDOWS\system32\pmkjh.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus
avapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe Message Edited by eebonysoul on 12-31-2005 02:49 PM

ky331 · Answer

among other things, I see a WinFixer [trojan vundo/virtumundo]  problem... let's start with that:   download VirtumundoBeGone from: http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe * Save it to your Desktop* Close all running programs (including your Internet Browser)* Double-click VirtumundoBeGone.exe on the desktop* Follow the directions as indicated please be advised that this program will generate a 'BLUE SCREEN OF DEATH'... this is an expected/necessary part of the process, so don't be surprised when it happens. just reboot if your system 'jams' ********************* It's now time to report back to us: VirtumundoBeGone  generated a 'log' file of its own, which it should have placed on your Desktop... please REPLY to this thread, and copy/paste the VirtumundoBeGone log back here, along with your latest HJT log.

eebonysoul · Answer

thank you very much, my computer seems to running ok now thank you.

eebonysoul · Answer

[12/31/2005, 12:57:26] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner.JORDAN.000\Desktop\VirtumundoBeGone.exe" )
[12/31/2005, 12:57:38] - Detected System Information:
[12/31/2005, 12:57:38] - Windows Version: 5.1.2600, Service Pack 2
[12/31/2005, 12:57:38] - Current Username: Owner (Admin)
[12/31/2005, 12:57:38] - Windows is in NORMAL mode.
[12/31/2005, 12:57:38] - Searching for Browser Helper Objects:
[12/31/2005, 12:57:38] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/31/2005, 12:57:38] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[12/31/2005, 12:57:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/31/2005, 12:57:38] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[12/31/2005, 12:57:38] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[12/31/2005, 12:57:38] - BHO 3: {59879FA4-4790-461c-A1CC-4EC4DE4CA483} (RXResultTracker Class)
[12/31/2005, 12:57:38] - BHO 4: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[12/31/2005, 12:57:38] - BHO 5: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[12/31/2005, 12:57:38] - BHO 6: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[12/31/2005, 12:57:38] - BHO 7: {CE70731D-F28D-4D81-9D61-C8EE60378401} (MSEvents Object)
[12/31/2005, 12:57:38] - ALERT: Found MSEvents Object!
[12/31/2005, 12:57:38] - Finished Searching Browser Helper Objects
[12/31/2005, 12:57:38] - *** Detected MSEvents Object
[12/31/2005, 12:57:38] - Trying to remove MSEvents Object...
[12/31/2005, 12:57:39] - Terminating Process: IEXPLORE.EXE
[12/31/2005, 12:57:41] - Terminating Process: RUNDLL32.EXE
[12/31/2005, 12:57:41] - Disabling Automatic Shell Restart
[12/31/2005, 12:57:42] - Terminating Process: EXPLORER.EXE
[12/31/2005, 12:57:44] - Suspending the NT Session Manager System Service
[12/31/2005, 12:57:44] - Terminating Windows NT Logon/Logoff Manager
[12/31/2005, 12:57:45] - Re-enabling Automatic Shell Restart
[12/31/2005, 12:57:45] - File to disable: C:\WINDOWS\system32\pmkjh.dll
[12/31/2005, 12:57:45] - Renaming C:\WINDOWS\system32\pmkjh.dll -> C:\WINDOWS\system32\pmkjh.dll.vir
[12/31/2005, 12:57:47] - File successfully renamed!
[12/31/2005, 12:57:47] - Removing HKLM\...\Browser Helper Objects\{CE70731D-F28D-4D81-9D61-C8EE60378401}
[12/31/2005, 12:57:48] - Removing HKCR\CLSID\{CE70731D-F28D-4D81-9D61-C8EE60378401}
[12/31/2005, 12:57:49] - Adding Kill Bit for ActiveX for GUID: {CE70731D-F28D-4D81-9D61-C8EE60378401}
[12/31/2005, 12:57:50] - Deleting ATLEvents/MSEvents Registry entries
[12/31/2005, 12:57:50] - Removing HKLM\...\Winlogon\Notify\pmkjh
[12/31/2005, 12:57:51] - Searching for Browser Helper Objects:
[12/31/2005, 12:57:51] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/31/2005, 12:57:51] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[12/31/2005, 12:57:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/31/2005, 12:57:51] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[12/31/2005, 12:57:51] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[12/31/2005, 12:57:51] - BHO 3: {59879FA4-4790-461c-A1CC-4EC4DE4CA483} (RXResultTracker Class)
[12/31/2005, 12:57:51] - BHO 4: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[12/31/2005, 12:57:51] - BHO 5: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[12/31/2005, 12:57:51] - BHO 6: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[12/31/2005, 12:57:52] - Finished Searching Browser Helper Objects
[12/31/2005, 12:57:52] - Finishing up...
[12/31/2005, 12:57:52] - A restart is needed.
[12/31/2005, 12:57:52] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[12/31/2005, 12:58:03] - Attempting to Restart via STOP error (Blue Screen!)

ky331 · Answer

based on the VBG log, it looks like VirtumundoBeGone successfully deactivated the bad WinFixer/vundo file. Have you noticed any difference, in terms of WinFixer popups, warning messages about trojan vundo/virtumundo, and/or overall system speed/performance?   are you experiencing any other problems???   if you'd like further analysis (most likely by someone else), you should post an updated/revised HJT log, REPLYing to this thread.

Virus & Spyware

Was this post helpful?