Please Help Me.

sand529 · 04-28-2005, 06:45 AM

I've run antivirus, hijack this, adaware, spybot search & destory and every program located at http://forums.majorgeeks.com/showthread.php?t=35407 and still are having problems. Here is my latest log:

Logfile of HijackThis v1.99.1
Scan saved at 7:11:12 AM, on 4/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bill Murphy\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\system32\vmmaml.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\unauo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\unauo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\unauo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vmmaml.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {1421D99E-F7A2-41F2-A161-1DDF91716433} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1421D99E-F7A2-41F2-A161-1DDF91716433} - (no file) (HKCU)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094933918203
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Any help would be greatly appreciated.

**POADB** · 04-28-2005, 07:08 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download AboutBuster http://www.greyknight17.com/spy/AboutBuster.zip and unzip it to a folder on your the Desktop. Run AboutBuster and click OK. Click Update and then Check For Update to see if there are any updates. Close the program now.

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\WINDOWS\system32\vmmaml.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\unauo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\unauo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\unauo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vmmaml.exe
O9 - Extra button: Microsoft AntiSpyware helper - {1421D99E-F7A2-41F2-A161-1DDF91716433} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1421D99E-F7A2-41F2-A161-1DDF91716433} - (no file) (HKCU)

Run AboutBuster and click OK. Click Start->OK and then follow the rest of the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\vmmaml.exe
C:\WINDOWS\unauo.dll

Reboot into Normal Mode run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer http://www.greyknight17.com/spy/KRC%...20Analyzer.zip in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply.

FYI - KavSvc - is a very tricky infection. At the moment however, there are elements associated with this infection that are missing from your log. You may be lucky - but I'm taking no chances. Please do the following NOW:

Download and install CleanUp http://cleanup.stevengould.org/
Download KillBox http://www.atribune.org/downloads/KillBox.exe
Download rkfiles http://skads.org/special/rkfiles.zip and unzip the contents to a new folder on your desktop.

Download the remv3.zip at http://forums.skads.org/index.php?showtopic=80 (look for the attachment posted in that second reply). Make a new folder on the root drive C:\ and unzip remv3.zip files into it.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Run CleanUp program now and logoff.

REBOOT TO SAFE MODE. These tools MUST be run in safe mode!
Once in safe mode, double click rkfiles.bat file to run it. It will scan for a while, so please be patient. Wait until the DOS window closes. Open the C:\log.txt it created and rename it log1.txt.

Now open the folder where you saved remv3.zip files and double click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log file will be C:\log.txt and bad1.txt

**Note** Each tool uses log.txt as it’s output file so make sure you save the entries from one tools log before running the other as it will overwrite the file if you don’t.

Reboot back to normal mode and post the contents of both the log.txt and log1.txt in your next post.

sand529 · 04-28-2005, 07:27 AM

I will try all you suggested as soon as I get home from work tonight. Yeserday I tried to run Aboutbuster a few times. After it does the initial scan, it says something about shutting down explorer.exe and starts another scan, however, when it gets to about 7% it hangs/goes very very very slow and never finishes. It seems to first get stuck on a file called hire or hires.dll, and when i manually dele this file it just reappears again. I think the location of the file is c:\windows\hires.dll.

thanks

sand529 · 04-28-2005, 07:44 PM

Here it is:

C:\Documents and Settings\Bill Murphy\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\appop.dll: UPX!
C:\WINDOWS\SYSTEM32\pbbgb.dat: UPX!
C:\WINDOWS\SYSTEM32\vmmaml.exe: UPX!
C:\WINDOWS\SYSTEM32\winup2date.dll: UPX!
C:\WINDOWS\SYSTEM32\wmconfig.cpl: UPX!
C:\WINDOWS\SYSTEM32\DFRG.MSC: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\SYSTEM32\srpcsrv32.dll: PEC2

Files Found in all users startup Folder............
------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nppu.exe: UPX!
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\qoolrem.exe: UPX!
Finished
bye

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------

Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 5CF5-591C

Directory of C:\WINDOWS\SYSTEM32

msgk.dll
mshz.dll
msi.dll
msmi.dll
mstx.dll
msva.dll
mswj.dll
msyg.dll
msyk.dll
Finished

Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:29:51 PM, on 4/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\vmmaml.exe
C:\Documents and Settings\Bill Murphy\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vmmaml.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094933918203
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

End of KRC HijackThis Analyzer Log.
====================================================================

**POADB** · 04-29-2005, 01:12 AM

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\SYSTEM32\appop.dll
C:\WINDOWS\SYSTEM32\pbbgb.dat
C:\WINDOWS\SYSTEM32\vmmaml.exe
C:\WINDOWS\SYSTEM32\winup2date.dll
C:\WINDOWS\SYSTEM32\wmconfig.cpl
C:\WINDOWS\SYSTEM32\srpcsrv32.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nppu.exe
C:\WINDOWS\qoolrem.exe
C:\WINDOWS\SYSTEM32\msgk.dll
C:\WINDOWS\SYSTEM32\mshz.dll
C:\WINDOWS\SYSTEM32\msmi.dll
C:\WINDOWS\SYSTEM32\mstx.dll
C:\WINDOWS\SYSTEM32\msva.dll
C:\WINDOWS\SYSTEM32\mswj.dll
C:\WINDOWS\SYSTEM32\msyg.dll
C:\WINDOWS\SYSTEM32\msyk.dll

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\WINDOWS\SYSTEM32\vmmaml.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vmmaml.exe

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Run Adawre and Spybot - the links are in my sig if you do not all ready have them.

When done - Do the scans again, in the order you previously run them (Rkfiles, HJT)

post your results when complete.

G'luck

04-28-2005, 06:45 AM	#1 (permalink)
sand529 Registered User Join Date: Apr 2005 Posts: 12 OS: XP	Please Help Me. I've run antivirus, hijack this, adaware, spybot search & destory and every program located at http://forums.majorgeeks.com/showthread.php?t=35407 and still are having problems. Here is my latest log: Logfile of HijackThis v1.99.1 Scan saved at 7:11:12 AM, on 4/28/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Bill Murphy\Desktop\hijackthis\HijackThis.exe C:\WINDOWS\system32\vmmaml.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\unauo.dll/sp.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\unauo.dll/sp.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\unauo.dll/sp.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway R3 - Default URLSearchHook is missing O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vmmaml.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Microsoft AntiSpyware helper - {1421D99E-F7A2-41F2-A161-1DDF91716433} - (no file) (HKCU) O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1421D99E-F7A2-41F2-A161-1DDF91716433} - (no file) (HKCU) O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094933918203 O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe Any help would be greatly appreciated.

04-28-2005, 07:08 AM	#2 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,209 OS: XP SP2	Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Download AboutBuster http://www.greyknight17.com/spy/AboutBuster.zip and unzip it to a folder on your the Desktop. Run AboutBuster and click OK. Click Update and then Check For Update to see if there are any updates. Close the program now. Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check): C:\WINDOWS\system32\vmmaml.exe Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\unauo.dll/sp.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\unauo.dll/sp.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\unauo.dll/sp.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com R3 - Default URLSearchHook is missing O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vmmaml.exe O9 - Extra button: Microsoft AntiSpyware helper - {1421D99E-F7A2-41F2-A161-1DDF91716433} - (no file) (HKCU) O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1421D99E-F7A2-41F2-A161-1DDF91716433} - (no file) (HKCU) Run AboutBuster and click OK. Click Start->OK and then follow the rest of the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here. Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\system32\vmmaml.exe C:\WINDOWS\unauo.dll Reboot into Normal Mode run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer http://www.greyknight17.com/spy/KRC%...20Analyzer.zip in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply. FYI - KavSvc - is a very tricky infection. At the moment however, there are elements associated with this infection that are missing from your log. You may be lucky - but I'm taking no chances. Please do the following NOW: Download and install CleanUp http://cleanup.stevengould.org/ Download KillBox http://www.atribune.org/downloads/KillBox.exe Download rkfiles http://skads.org/special/rkfiles.zip and unzip the contents to a new folder on your desktop. Download the remv3.zip at http://forums.skads.org/index.php?showtopic=80 (look for the attachment posted in that second reply). Make a new folder on the root drive C:\ and unzip remv3.zip files into it. Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Run CleanUp program now and logoff. REBOOT TO SAFE MODE. These tools MUST be run in safe mode! Once in safe mode, double click rkfiles.bat file to run it. It will scan for a while, so please be patient. Wait until the DOS window closes. Open the C:\log.txt it created and rename it log1.txt. Now open the folder where you saved remv3.zip files and double click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log file will be C:\log.txt and bad1.txt Note Each tool uses log.txt as it’s output file so make sure you save the entries from one tools log before running the other as it will overwrite the file if you don’t. Reboot back to normal mode and post the contents of both the log.txt and log1.txt in your next post. __________________ Last edited by POADB : 04-28-2005 at 07:10 AM.

04-29-2005, 01:12 AM	#5 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,209 OS: XP SP2	Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot): C:\WINDOWS\SYSTEM32\appop.dll C:\WINDOWS\SYSTEM32\pbbgb.dat C:\WINDOWS\SYSTEM32\vmmaml.exe C:\WINDOWS\SYSTEM32\winup2date.dll C:\WINDOWS\SYSTEM32\wmconfig.cpl C:\WINDOWS\SYSTEM32\srpcsrv32.dll C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nppu.exe C:\WINDOWS\qoolrem.exe C:\WINDOWS\SYSTEM32\msgk.dll C:\WINDOWS\SYSTEM32\mshz.dll C:\WINDOWS\SYSTEM32\msmi.dll C:\WINDOWS\SYSTEM32\mstx.dll C:\WINDOWS\SYSTEM32\msva.dll C:\WINDOWS\SYSTEM32\mswj.dll C:\WINDOWS\SYSTEM32\msyg.dll C:\WINDOWS\SYSTEM32\msyk.dll Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check): C:\WINDOWS\SYSTEM32\vmmaml.exe Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vmmaml.exe The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Run Adawre and Spybot - the links are in my sig if you do not all ready have them. When done - Do the scans again, in the order you previously run them (Rkfiles, HJT) post your results when complete. G'luck __________________

04-28-2005, 07:27 AM	#3 (permalink)
sand529 Registered User Join Date: Apr 2005 Posts: 12 OS: XP	I will try all you suggested as soon as I get home from work tonight. Yeserday I tried to run Aboutbuster a few times. After it does the initial scan, it says something about shutting down explorer.exe and starts another scan, however, when it gets to about 7% it hangs/goes very very very slow and never finishes. It seems to first get stuck on a file called hire or hires.dll, and when i manually dele this file it just reappears again. I think the location of the file is c:\windows\hires.dll. thanks

04-28-2005, 07:44 PM	#4 (permalink)
sand529 Registered User Join Date: Apr 2005 Posts: 12 OS: XP	Here it is: C:\Documents and Settings\Bill Murphy\Desktop\rkfiles PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. Files Found in system Folder............ ------------------------ C:\WINDOWS\SYSTEM32\appop.dll: UPX! C:\WINDOWS\SYSTEM32\pbbgb.dat: UPX! C:\WINDOWS\SYSTEM32\vmmaml.exe: UPX! C:\WINDOWS\SYSTEM32\winup2date.dll: UPX! C:\WINDOWS\SYSTEM32\wmconfig.cpl: UPX! C:\WINDOWS\SYSTEM32\DFRG.MSC: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213 C:\WINDOWS\SYSTEM32\srpcsrv32.dll: PEC2 Files Found in all users startup Folder............ ------------------------ C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nppu.exe: UPX! Files Found in all users windows Folder............ ------------------------ C:\WINDOWS\qoolrem.exe: UPX! Finished bye Files Found................. ---------------------------------------- Files Not deleted................. ---------------------------------------- Merging registry entries ----------------------------------------------------------------- The Registry Entries Found... ----------------------------------------------------------------- Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting ----------------------------------------------------------------- Volume in drive C has no label. Volume Serial Number is 5CF5-591C Directory of C:\WINDOWS\SYSTEM32 msgk.dll mshz.dll msi.dll msmi.dll mstx.dll msva.dll mswj.dll msyg.dll msyk.dll Finished Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 9:29:51 PM, on 4/28/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\system32\vmmaml.exe C:\Documents and Settings\Bill Murphy\Desktop\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vmmaml.exe O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094933918203 O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe End of KRC HijackThis Analyzer Log. ====================================================================