Need some help - HJT logfile attached

Status
Not open for further replies.
DO NOT DO ANY OF THESE STEPS UNTIL GETTING CONFIRMATION FROM HOWARD OR MOMOK

fix these entries

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O20 - Winlogon Notify: oppqqpm - oppqqpm.dll (file missing)

and it looks like you have the Vundo virus infection, go read this article and follow all the instructions... https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
 
Hi tomos and welcome to techspot. =)

You should fix those entries as suggested by MMDominator88. However, there's more you should do. Please follow these instructions carefully.

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next, turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click each one and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

WB5Hack
CTDrive
SManager
irkzazsv.exe
avp
GPLv3
svchost.exe


Go to start > Control Panel > Add and Remove Programs.
Remove anything related to the following:

SManager

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://upitfree.com/v2/out.php/i627_ft.png
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BA4B7BE8-99F0-42D1-BEEC-DACF339D1DBA} - C:\windows\system32\vtutt.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\windows\system32\pjmwtfpw.dll
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [WB5Hack] HackIt.cmd < this may or may not be nasty. I wouldn't trust it. It looks like a hack for the new version of WindowBlinds. But if you delete this entry, it may kill WindowBlinds.
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\windows\system32\drvkiz.dll,startup
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [irkzazsv.exe] C:\Documents and Settings\All Users\Application Data\irkzazsv.exe
O4 - HKLM\..\Run: [avp] C:\windows\avp.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\windows\system32\fcksedvh.dll",realset
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\windows\svchost.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O20 - Winlogon Notify: oppqqpm - oppqqpm.dll (file missing)
O20 - Winlogon Notify: vtutt - C:\windows\system32\vtutt.dll
O20 - Winlogon Notify: winuwi32 - C:\windows\SYSTEM32\winuwi32.dll

Close HJT.


Navigate in Windows Explorer and delete the following files and folders in bold.

C:\windows\system32\vtutt.dll
C:\windows\system32\pjmwtfpw.dll
C:\windows\SYSTEM32\winuwi32.dll
C:\windows\system32\fcksedvh.dll
C:\windows\smanager.7.exe
C:\windows\avp.exe
C:\Documents and Settings\All Users\Application Data\irkzazsv.exe

Also search for hackit.cmd and delete it.

Reboot into normal mode and rehide your protected OS files.

Continue with the instructions as given by MMDominator88.

Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.

Also let me know the results of the AVG Anti Rootkit scan.


Regards,
Your friendly momok =)

This thread is for the use of tomos only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
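The triage above is done by eye: orphaned CLSIDs, nameless BHOs, autostart entries pointing at random DLLs in system32, a "svchost.exe" living in C:\windows instead of system32, and Winlogon Notify packages nobody recognises. The script below is an added example (not part of the thread and not HijackThis's own logic) that parses HJT log lines and applies those same heuristics. The sample lines are copied from the log quoted in the thread; the rule set, the SYSTEM32_ONLY list and the KNOWN_NOTIFY allow-list are assumptions made for this example, and a hit means "look at this", not "delete this".

```python
"""Heuristic triage of HijackThis (HJT) log entries.

Added example. Rules and allow-lists are assumptions for illustration,
not HijackThis's own logic; a flagged entry is a review candidate only.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the entries quoted in the thread above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://upitfree.com/v2/out.php/i627_ft.png
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BA4B7BE8-99F0-42D1-BEEC-DACF339D1DBA} - C:\windows\system32\vtutt.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\windows\system32\drvkiz.dll,startup
O4 - HKLM\..\Run: [irkzazsv.exe] C:\Documents and Settings\All Users\Application Data\irkzazsv.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\windows\svchost.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O20 - Winlogon Notify: oppqqpm - oppqqpm.dll (file missing)
O20 - Winlogon Notify: vtutt - C:\windows\system32\vtutt.dll
O20 - Winlogon Notify: winuwi32 - C:\windows\SYSTEM32\winuwi32.dll
"""

# Every HJT entry is "<section code> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Core Windows binaries that only belong in %SystemRoot%\system32 (assumed list).
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# Winlogon Notify packages expected on a stock XP box (assumed allow-list, lower-case).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
# Directories an unprivileged process can write to; autostarts from here are unusual.
USER_WRITABLE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Entry:
    code: str
    body: str
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Return one Entry per well-formed HJT line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def assess(e):
    """Append a reason string to e.reasons for every heuristic the entry trips."""
    b = e.body.lower()
    # 1. Registry key survives but the file is gone: the classic leftover to "fix".
    if "(no file)" in b or "(file missing)" in b:
        e.reasons.append("orphaned: registered but file missing")
    # 2. BHO/toolbar CLSID with no display name; common with dropped adware DLLs.
    if e.code in ("O2", "O3") and "(no name)" in b:
        e.reasons.append("nameless BHO/toolbar CLSID")
    # 3. A core system binary name outside system32 is a masquerade.
    m = re.search(r"([a-z]:\\[^\"]*?\\)([^\\\"]+\.exe)", b)
    if m and m.group(2) in SYSTEM32_ONLY and not m.group(1).endswith("\\system32\\"):
        e.reasons.append(f"{m.group(2)} outside system32 (masquerade)")
    # 4. Autostart binary in a user-writable data directory.
    if e.code == "O4" and any(d in b for d in USER_WRITABLE_DIRS):
        e.reasons.append("autostart from user-writable data directory")
    # 5. Policies\Explorer\Run is rarely used by legitimate software.
    if e.code == "O4" and "\\policies\\explorer\\run" in b:
        e.reasons.append("Policies\\Explorer\\Run autostart (rarely legitimate)")
    # 6. rundll32 used as a loader for an arbitrary DLL export.
    m = re.search(r"rundll32\.exe\s+\"?([^\",]+\.dll)\"?,(\w+)", b)
    if m:
        dll = m.group(1).rsplit("\\", 1)[-1]
        e.reasons.append(f"rundll32 loads {dll} export {m.group(2)}")
    # 7. Winlogon Notify package not on the allow-list (Vundo's favourite persistence).
    m = re.match(r"winlogon notify: (\S+) - ", b)
    if e.code == "O20" and m and m.group(1) not in KNOWN_NOTIFY:
        e.reasons.append(f"unknown Winlogon Notify package '{m.group(1)}'")
    return e


def triage(text):
    """Parse the log and return only the entries that tripped at least one rule."""
    flagged = []
    for e in parse_log(text):
        assess(e)
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.code:4} {e.body}")
        for r in e.reasons:
            print(f"       -> {r}")
```

Run against the sample, the script flags nine of the twelve entries and leaves the three the helpers did not ask to be fixed (the start page, BlueSoleil.lnk and the Microsoft transfer control) unflagged. The allow-list approach for O20 is deliberate: random-looking names cannot be detected reliably, but a Winlogon Notify package that is not a known Windows or vendor component always deserves a look.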
 