Hakavuhop Virus Help

alixthedark · 11-27-2009, 02:26 PM

Ok. So, I have a virus on my computer. The only file that I can find related to the virus is hakavuhop.dll and it is located in the System32 directory. It is also in the startup in msconfig. I have tried stopping it from starting but it always resets my changes. I have also deleted the reg key and the actual file and it keeps coming back which leads to my believing that there are probably a few other files related to it on my computer and it is set up as a decoy. If anyone else has had this please could you help me?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:30:36 PM, on 11/27/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Windows\system32\msconfig.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\alix\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\alix\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\alix\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [iCall Internet Phone] "C:\Program Files\iCall\iCall.exe" /startup
O4 - HKLM\..\Run: [hakavuhop] Rundll32.exe "c:\windows\system32\gijabawu.dll",a
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [AlarmWiz] C:\Program Files\AlarmWiz\alarmwiz.exe startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-3418695299-734488202-1628526013-1000\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [aveype] RUNDLL32.EXE C:\Windows\TEMP\mslcpezt.dll,w (User '?')
O4 - HKUS\.DEFAULT\..\Run: [aveype] RUNDLL32.EXE C:\Windows\TEMP\mslcpezt.dll,w (User 'Default user')
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\system32\rdolib.dll,tohapuva.dll
O21 - SSODL: nabarefug - {eed354b7-f75b-4f2c-9dec-625f4d813d12} - c:\windows\system32\gijabawu.dll (file missing)
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\Program Files\Stardock\Object Desktop\DeskScapes3\deskscapes.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {eed354b7-f75b-4f2c-9dec-625f4d813d12} - c:\windows\system32\gijabawu.dll (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 4345 bytes

**Glaswegian** · 11-27-2009, 02:35 PM

Hi and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance.

http://www.techsupportforum.com/secu...oval-help.html

If you have problems with any of the steps, simply move on to the next one and make a note of the problem in your reply.

Please note that the Security Forum is always busy, so I would ask for your patience while waiting for a reply - it may take a few days.

This thread will now be closed.

11-27-2009, 02:26 PM	#1 (permalink)
alixthedark Registered User Join Date: Nov 2009 Posts: 1 OS: Vista (eww)	Ok. So, I have a virus on my computer. The only file that I can find related to the virus is hakavuhop.dll and it is located in the System32 directory. It is also in the startup in msconfig. I have tried stopping it from starting but it always resets my changes. I have also deleted the reg key and the actual file and it keeps coming back which leads to my believing that there are probably a few other files related to it on my computer and it is set up as a decoy. If anyone else has had this please could you help me? Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:30:36 PM, on 11/27/2009 Platform: Windows Vista (WinNT 6.00.1904) MSIE: Unable to get Internet Explorer version! Boot mode: Normal Running processes: C:\Windows\Explorer.EXE C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\COMODO\COMODO Internet Security\cfp.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Windows\system32\taskeng.exe C:\Program Files\Java\jre6\bin\javaw.exe C:\Windows\system32\msconfig.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\alix\AppData\Local\Google\Chrome\Application\chrome.exe C:\Users\alix\AppData\Local\Google\Chrome\Application\chrome.exe C:\Users\alix\AppData\Local\Google\Chrome\Application\chrome.exe C:\Windows\system32\SearchFilterHost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h O4 - HKLM\..\Run: [iCall Internet Phone] "C:\Program Files\iCall\iCall.exe" /startup O4 - HKLM\..\Run: [hakavuhop] Rundll32.exe "c:\windows\system32\gijabawu.dll",a O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" O4 - HKCU\..\Run: [AlarmWiz] C:\Program Files\AlarmWiz\alarmwiz.exe startup O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?') O4 - HKUS\S-1-5-21-3418695299-734488202-1628526013-1000\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" (User '?') O4 - HKUS\S-1-5-18\..\Run: [aveype] RUNDLL32.EXE C:\Windows\TEMP\mslcpezt.dll,w (User '?') O4 - HKUS\.DEFAULT\..\Run: [aveype] RUNDLL32.EXE C:\Windows\TEMP\mslcpezt.dll,w (User 'Default user') O13 - Gopher Prefix: O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: C:\Windows\system32\rdolib.dll,tohapuva.dll O21 - SSODL: nabarefug - {eed354b7-f75b-4f2c-9dec-625f4d813d12} - c:\windows\system32\gijabawu.dll (file missing) O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\Program Files\Stardock\Object Desktop\DeskScapes3\deskscapes.dll (file missing) O22 - SharedTaskScheduler: tokatiluy - {eed354b7-f75b-4f2c-9dec-625f4d813d12} - c:\windows\system32\gijabawu.dll (file missing) O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe -- End of file - 4345 bytes Last edited by Glaswegian; 11-27-2009 at 02:33 PM. Reason: Merged posts to preserve zero replies

11-27-2009, 02:35 PM	#2 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 26,378 OS: Win XP Pro SP3 / Win 7 Pro My System	Re: Hakavuhop Virus Help Hi and welcome to TSF. We want all our members to perform the steps outlined in the link given below, before posting for assistance. http://www.techsupportforum.com/secu...oval-help.html If you have problems with any of the steps, simply move on to the next one and make a note of the problem in your reply. Please note that the Security Forum is always busy, so I would ask for your patience while waiting for a reply - it may take a few days. This thread will now be closed. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner