TechSpot

Attempting to Remove hggffgd.dll

By HiJackThis1.99
Feb 21, 2007
Topic Status:
Not open for further replies.
  1. Okay, yesterday I got infected by like 8 trojans. Wow. But since I am not a noob to this stuff, I removed them, and the necessary dll's, manually.

    My problem is, I found a file called "%systemroot%/hggffgd.dll". It claims to be a system file and will not be deleted or renamed.
    I used Spybot, Spyware Doctor, Panda, Look-2-Me Destroyer and according to them I am clean. But I found a file myself, called hggffgd.dll, in the system32 folder. The date it was created was 2/20/2007; no way is it a system file if it is really necessary for the system.

    Here are my questions.
    1) Is it safe to delete the file?

    2) In HiJackThis I found it in 2 locations; is it safe to fix the problem through HiJackThis first (it is attached to winlogon.exe)?

    To add, BleepingComputer had a discussion on that file as well.
    Any ideas how I can remove it as fast as possible? Again, my basic question is: can I use HiJackThis to fix those two entries of that file without fear of damage to the computer?
  2. tomrca

    tomrca TS Rookie Posts: 1,051

    post your log as an attachment
  3. HiJackThis1.99

    HiJackThis1.99 TS Rookie Topic Starter Posts: 87

    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 8:57:52 PM, on 2/21/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Acer\eManager\anbmServ.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\Arcade\PCMService.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\acer\eRecovery\Monitor.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Files\HiJack This!\AnalyzeThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0F2DA3C9-7F6C-B30E-95CC-00D31CEB09F3} - blank (file missing)
    O2 - BHO: (no name) - {3E1ADDC2-ED00-4999-8FB5-9A00D8D9488D} - C:\WINDOWS\system32\jkkjj.dll
    O2 - BHO: (no name) - {494ED3C8-6FCE-422E-B64A-37AB0DF8A144} - blank (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: (no name) - {8E3595C5-6F6D-44B2-BC8B-FA2DAF1EE33C} - C:\WINDOWS\system32\hggffgd.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156198480769
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: hggffgd - C:\WINDOWS\SYSTEM32\hggffgd.dll
    O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    
    

    NOTE!
    I just got attacked by a new dll, "jkkjj.dll".
    How it came, I have no idea.

    I believe Spyware Doctor called this Virtumonde.

    So can I delete?
    (I renamed it to AnalyzeThis, you were right the original name does not show).
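    The O2 and O20 entries in the log above are exactly what a small triage script can pick out automatically. The following is an added example, not code from this thread or from the HijackThis authors: it parses those two sections, flags orphaned BHO entries, unnamed BHOs with gibberish module names, and Winlogon Notify packages that are not on a short allowlist, and records for each whether fixing the registry entry alone is enough. The allowlist KNOWN_NOTIFY_DLLS, the looks_random heuristic and the Finding/triage names are my own assumptions; the sample lines are copied from the log posted above.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis log posted in this
# thread (O2 browser helper objects and O20 Winlogon Notify packages).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F2DA3C9-7F6C-B30E-95CC-00D31CEB09F3} - blank (file missing)
O2 - BHO: (no name) - {3E1ADDC2-ED00-4999-8FB5-9A00D8D9488D} - C:\WINDOWS\system32\jkkjj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8E3595C5-6F6D-44B2-BC8B-FA2DAF1EE33C} - C:\WINDOWS\system32\hggffgd.dll
O20 - Winlogon Notify: hggffgd - C:\WINDOWS\SYSTEM32\hggffgd.dll
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Illustrative allowlist of Winlogon Notify DLLs that ship with Windows XP
# (assumption: extend it for the drivers and vendor software on your machines).
KNOWN_NOTIFY_DLLS = {
    "wgalogon.dll", "scecli.dll", "sclgntfy.dll", "crypt32.dll",
    "cryptnet.dll", "wlballoon.dll", "termsrv.dll",
}

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
VOWELS = set("aeiou")


@dataclass(frozen=True)
class Finding:
    section: str              # HijackThis section the line came from (O2, O20)
    path: str                 # module path as written in the log
    reason: str               # why it was flagged
    needs_file_removal: bool  # True when fixing the registry entry alone is not enough


def looks_random(filename: str) -> bool:
    """Heuristic for Vundo-style gibberish names: no vowels at all, or a run
    of five or more consonants. It is a triage hint, not proof of infection."""
    stem = filename.rsplit(".", 1)[0].lower()
    letters = [c for c in stem if c.isalpha()]
    if not letters:
        return False
    if not any(c in VOWELS for c in letters):
        return True
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 5


def triage(log_text: str) -> List[Finding]:
    """Scan O2 and O20 lines and return the entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if "(file missing)" in path:
                # Dead registry entry: HJT "fix checked" is enough here.
                findings.append(Finding("O2", path, "orphaned BHO entry, no file on disk", False))
            elif name == "(no name)" and looks_random(ntpath.basename(path)):
                # Live, unnamed BHO with a gibberish module name: the DLL is
                # loaded into Explorer/IE, so the file itself has to go.
                findings.append(Finding("O2", path, "unnamed BHO with random-looking module name", True))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            path = m.group("path")
            base = ntpath.basename(path).lower()
            if base not in KNOWN_NOTIFY_DLLS:
                # A Notify package is loaded by winlogon.exe at boot, which is
                # why a plain delete fails while the system is running.
                reason = "Winlogon Notify DLL not on allowlist"
                if looks_random(base):
                    reason += ", random-looking name"
                findings.append(Finding("O20", path, reason, True))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        action = "remove file, then fix entry" if f.needs_file_removal else "fix entry in HJT"
        print(f"[{f.section}] {f.path}\n    {f.reason} -> {action}")
```

    Run it as a script to print the report. The needs_file_removal flag encodes the point made later in this thread: a Notify DLL is loaded by winlogon.exe at boot, so removing the registry line with HijackThis leaves the file in place, and a plain delete fails while the module is mapped, which is why a dedicated removal tool or a delete-on-reboot step is needed.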
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    I have moved your thread to the correct forum.

    Your system is indeed infected with the vundo trojan.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Download Vundofix from HERE.

    Double click the Vundofix.exe to run it.

    Right click in the vundofix window and click add files.

    Enter the full file path/s to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

    These are the filepaths you need to enter into Vundofix.

    C:\WINDOWS\system32\jkkjj.dll
    C:\WINDOWS\system32\hggffgd.dll


    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

    Regards Howard :)

    This thread is for the use of HiJackThis1.99 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  5. HiJackThis1.99

    HiJackThis1.99 TS Rookie Topic Starter Posts: 87

    Thanks for the download.
    But I managed to find an earlier version of VundoFix and used it, and it removed something.
    So when I used this one it scanned and did not find anything :(.

    The other file, jkkjj.dll, was deletable after I used an earlier version of VundoFix.
    (And its registry entry is gone from Windows NT/Winlogon/Notify.)

    The last, major file remains.
    No program detected it, no patch detected it.
    Only HiJackThis, which I know is Vundo.Trojan after using "Virus Total" as an online scanner.

    Guys, do you have any way of removing that file safely?
    Maybe I can program HijackThis to delete it on reboot? Or is that a bad idea?

    Thanks again.
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Go and follow these instructions HERE.

    Post a fresh HJT log and an AVG Antispyware log, after doing the above.

    Regards Howard :)

  7. HiJackThis1.99

    HiJackThis1.99 TS Rookie Topic Starter Posts: 87

    Here is the HiJackThis log file
    (It is late for me to download and post an AVG log file).

    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 11:40:27 PM, on 2/21/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Acer\eManager\anbmServ.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\Arcade\PCMService.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\acer\eRecovery\Monitor.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Files\HiJack This!\AnalyzeThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0F2DA3C9-7F6C-B30E-95CC-00D31CEB09F3} - blank (file missing)
    O2 - BHO: (no name) - {494ED3C8-6FCE-422E-B64A-37AB0DF8A144} - blank (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: (no name) - {8E3595C5-6F6D-44B2-BC8B-FA2DAF1EE33C} - C:\WINDOWS\system32\hggffgd.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156198480769
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: hggffgd - C:\WINDOWS\SYSTEM32\hggffgd.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    
    See, that jkkjj.dll was removed from the Winlogon/Notify (after I used VundoFix earlier). And there was another entry of jkkjj.dll that I removed because it said (FILE IS MISSING).
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You're not using any antivirus or firewall software. This is a huge security risk. Please install some ASAP.

    Have you followed the instructions in the link I gave you in my post above? If not you should do so.

    The nasty .dll file is still in your HJT log.

    I really need to see an AVG Antispyware log.

    If the instructions in the link I gave you don't get rid of the .dll file, then we'll have to think of something else.

    Please post a fresh HJT log, after following the instructions and an AVG Antispyware log.

    Regards Howard :)

  9. HiJackThis1.99

    HiJackThis1.99 TS Rookie Topic Starter Posts: 87

    It is gone! No more hggffgd.dll file found :)
    I have reason to believe that I am clean now. Because when I was scanning and fixing my computer, a box appeared saying "unable to find internet connection" randomly every 30 minutes, something like that. That was because my internet was gone for security reasons but Vundo kept on trying to connect to it.
    Now, after I removed it, I did not get the message.

    1) Why is it that when I told HiJackThis to delete hggffgd.dll on reboot, it failed? Was it because the virus was made to look like an OS file?

    2) Does the AVG Anti-Spyware program work for free (I mean, I know it does not auto-protect, but does it still manually update and disinfect)? I love that program. Thank you so much, it did the trick; after failing to remove the file it restarted and deleted it on reboot.

    3) I removed the Winlogon Notify registry entry, hence it does not appear in HiJackThis.

    4) The second entry for hggffgd.dll is gone after AVG deleted the file.

    5) Today in the morning, as I was on the internet reading the forums, I got a message from Spyware Doctor that something had entered my computer. I immediately knew the file had downloaded something. It was lots and lots of Vundo. But thanks to your program, VundoFix, it removed all the dll's with ease. So I did not have to waste time searching for and finding these files and deleting them manually after I removed hggffgd.dll.

    Here is my AVG Anti-Virus Log:
    Code:
    C:\System Volume Information\_restore{7167BCE7-B0B2-428A-B01D-39F2A9232A8C}\RP103\A0062078.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{7167BCE7-B0B2-428A-B01D-39F2A9232A8C}\RP104\A0063106.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{7167BCE7-B0B2-428A-B01D-39F2A9232A8C}\RP103\A0062071.dll -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{7167BCE7-B0B2-428A-B01D-39F2A9232A8C}\RP104\A0063128.exe -> Adware.ValueAd : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{7167BCE7-B0B2-428A-B01D-39F2A9232A8C}\RP104\A0063216.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{7167BCE7-B0B2-428A-B01D-39F2A9232A8C}\RP103\A0062076.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
    C:\Documents and Settings\G\Local Settings\Temp\Cookies\g@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
    C:\System Volume Information\_restore{7167BCE7-B0B2-428A-B01D-39F2A9232A8C}\RP104\A0063176.dll -> Trojan.Agent.acl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{7167BCE7-B0B2-428A-B01D-39F2A9232A8C}\RP103\A0062098.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{7167BCE7-B0B2-428A-B01D-39F2A9232A8C}\RP103\A0062104.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{7167BCE7-B0B2-428A-B01D-39F2A9232A8C}\RP103\A0062074.exe -> Trojan.Small : Cleaned with backup (quarantined).
    
    Here is my HiJackThis log (after I updated it by removing an entry).
    Code:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Acer\eManager\anbmServ.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\Arcade\PCMService.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\sistray.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\acer\eRecovery\Monitor.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware\avgas.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware\guard.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Files\HiJack This!\AnalyzeThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0F2DA3C9-7F6C-B30E-95CC-00D31CEB09F3} - blank (file missing)
    O2 - BHO: (no name) - {494ED3C8-6FCE-422E-B64A-37AB0DF8A144} - blank (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156198480769
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware\guard.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    
    6) I used Spyware Doctor; it found some malicious ActiveX in the registry. My guess is it is the remnants of the deleted Vundo (and other trojans).

    7) I used Spybot Search and Destroy. Again nothing serious, just remnants in the registry left by the deleted trojans.
    Look in the attachment.

    I am about to use Panda-Active Scan and then perhaps use Bit-Defender (if I have time, that one takes so long).

    Now I got two questions:

    A) Is there an excellent, fully functional and free anti-virus program? Because as I see it, anti-spyware products are not as secure.

    B) This question I kept on asking and still got no response. What I would really like to know is why I could not have fixed the problems in HiJackThis. I did not because you did not tell me to, but I really wanted to; why would that not work? Is it because it will not let me? Or would it do serious damage to the OS?

    Thank you again.

    I just wanted to add that, though AVG found something, it was not dangerous because it was in the System Restore folder and was not being used by the computer.
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Have HJT fix the following entries.

    O2 - BHO: (no name) - {0F2DA3C9-7F6C-B30E-95CC-00D31CEB09F3} - blank (file missing)

    O2 - BHO: (no name) - {494ED3C8-6FCE-422E-B64A-37AB0DF8A144} - blank (file missing)

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab

    Click on the fix checked button.

    Close HJT.

    Delete all files in AVG Antispyware quarantine.

    Reboot your system.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you had followed the instructions in this link HERE, you would have seen links to extremely good free Antivirus and firewall programmes as well as AVG Antispyware, which you now say you like.

    The AVG Antispyware programme will carry on working after the trial is over, you'll just lose one or two features, that's all. You'll still be able to update it and scan your system with it.

    Fixing an entry in HJT doesn't necessarily get rid of an infection, as you found out. That's why it's important for you to follow instructions.

    HJT is mainly used to identify an infection rather than get rid of it.

    Here is a list of programmes I recommend for your system security.

    AVG free or Avast antivirus programmes.

    Zonealarm or Kerio free firewall programmes.

    Spybot Search & Destroy.

    Ad-Aware SE Personal.

    Spyware Blaster.

    AVG Antispyware.

    CCleaner.

    You might also want to take a look at this thread HERE. It will show you how you can keep your system more secure.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)
