TechSpot

Need some help - HJT logfile attached

By tomos
Jun 13, 2007
  1. Would somebody please be so kind as to take a look at this log file from my latest HJT scan?
     
  2. MMDominator88

    MMDominator88 TS Rookie Posts: 119

    DO NOT DO ANY OF THESE STEPS UNTIL GETTING CONFIRMATION FROM HOWARD OR MOMOK

    Fix these entries:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
    O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
    O20 - Winlogon Notify: oppqqpm - oppqqpm.dll (file missing)

    It also looks like you have the Vundo virus infection. Go read this article and follow all the instructions: http://www.techspot.com/vb/topic58138.html
     
  3. momok

    momok TS Rookie Posts: 2,265

    Hi tomos and welcome to TechSpot. =)

    You should fix those entries as suggested by MMDominator88. However, there's more you should do. Please follow these instructions carefully.

    You may wish to copy and paste these instructions into Notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services. Double-click each one and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

    WB5Hack
    CTDrive
    SManager
    irkzazsv.exe
    avp
    GPLv3
    svchost.exe


    Go to start > Control Panel > Add and Remove Programs.
    Remove anything related to the following:

    SManager

    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://upitfree.com/v2/out.php/i627_ft.png
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {BA4B7BE8-99F0-42D1-BEEC-DACF339D1DBA} - C:\windows\system32\vtutt.dll
    O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\windows\system32\pjmwtfpw.dll
    O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
    O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
    O4 - HKLM\..\Run: [WB5Hack] HackIt.cmd < this may or may not be nasty. I wouldn't trust it. It looks like a hack for the new version of WindowBlinds. But if you delete this entry, it may kill WindowBlinds.
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\windows\system32\drvkiz.dll,startup
    O4 - HKLM\..\Run: [SManager] smanager.7.exe
    O4 - HKLM\..\Run: [irkzazsv.exe] C:\Documents and Settings\All Users\Application Data\irkzazsv.exe
    O4 - HKLM\..\Run: [avp] C:\windows\avp.exe
    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\windows\system32\fcksedvh.dll",realset
    O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\windows\svchost.exe
    O4 - Global Startup: BlueSoleil.lnk = ?
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
    O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
    O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
    O20 - Winlogon Notify: oppqqpm - oppqqpm.dll (file missing)
    O20 - Winlogon Notify: vtutt - C:\windows\system32\vtutt.dll
    O20 - Winlogon Notify: winuwi32 - C:\windows\SYSTEM32\winuwi32.dll

    Close HJT.


    Navigate in Windows Explorer and delete the following files and folders in bold.

    C:\windows\system32\vtutt.dll
    C:\windows\system32\pjmwtfpw.dll
    C:\windows\SYSTEM32\winuwi32.dll
    C:\windows\system32\fcksedvh.dll
    C:\windows\smanager.7.exe
    C:\windows\avp.exe
    C:\Documents and Settings\All Users\Application Data\irkzazsv.exe

    Also search for hackit.cmd and delete it.

    Reboot into normal mode and rehide your protected OS files.

    Continue with the instructions as given by MMDominator88.

    Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.

    Also let me know the results of the AVG Anti Rootkit scan.


    Regards,
    Your friendly momok =)

    This thread is for the use of tomos only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
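A small triage helper, added here as an example (not part of this thread, of HijackThis, or of the tools momok names), that parses HJT lines quoted from the log above and lists why a responder would review each one: orphaned targets, autoruns under Policies\Explorer\Run, a system binary name outside system32, rundll32 autoruns, Winlogon Notify DLLs, and one DLL hooked in more than one section (as vtutt.dll is, in O2 and O20). The sample entries are copied from the posts; the rule set and SYSTEM_NAMES list are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed input: HijackThis entries quoted from the log discussed above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BA4B7BE8-99F0-42D1-BEEC-DACF339D1DBA} - C:\windows\system32\vtutt.dll
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\windows\system32\drvkiz.dll,startup
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\windows\svchost.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O20 - Winlogon Notify: oppqqpm - oppqqpm.dll (file missing)
O20 - Winlogon Notify: vtutt - C:\windows\system32\vtutt.dll
"""

# Assumed list of binaries that normally live only in system32; a copy elsewhere is masquerading.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

def file_of(entry: str) -> str:
    """Return the last Windows path or bare file name mentioned in an HJT entry ('' if none)."""
    found = re.findall(r'[A-Za-z]:\\[^\s",]+|\b[\w.-]+\.(?:dll|exe|cmd)\b', entry, re.I)
    return found[-1] if found else ""

def triage(log: str) -> dict:
    """Map each HJT entry worth reviewing to the list of reasons it was flagged."""
    flagged = defaultdict(list)
    dll_sections = defaultdict(set)          # dll basename -> HJT sections that load it
    lines = [ln for ln in log.strip().splitlines() if ln.strip()]
    for line in lines:
        section = line.split(" - ", 1)[0]    # e.g. "O2", "O4", "O20"
        path = file_of(line)
        base = path.rsplit("\\", 1)[-1].lower()
        if "(no file)" in line or "(file missing)" in line:
            flagged[line].append("orphaned entry: target file is gone")
        if "Policies\\Explorer\\Run" in line:
            flagged[line].append("autorun under Policies\\Explorer\\Run")
        if base in SYSTEM_NAMES and "\\system32\\" not in path.lower():
            flagged[line].append("system binary name outside system32")
        if section == "O4" and "rundll32" in line.lower():
            flagged[line].append("rundll32 autorun loads a DLL at logon; verify publisher")
        if section == "O20" and base:
            flagged[line].append("Winlogon Notify DLL loads at every logon")
        if base.endswith(".dll"):
            dll_sections[base].add(section)
    for line in lines:                       # second pass: same DLL hooked in several sections
        base = file_of(line).rsplit("\\", 1)[-1].lower()
        if len(dll_sections.get(base, ())) > 1:
            flagged[line].append(f"{base} hooked via {sorted(dll_sections[base])}")
    return dict(flagged)

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry, "\n    ->", "; ".join(reasons))
```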
     