

Registered · Discussion Starter · #1
Things have been running like ****: Winamp becoming nonresponsive, slowed reactions, etc.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:49:08 PM, on 10/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\DELL\drivers\R34790\Mouse\SETUP\MSH\Mouse\point32.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\webshots.scr
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Documents and Settings\Chase\My Documents\Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\geede.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QD FastAndSafe] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [POINTER] C:\DELL\drivers\R34790\Mouse\SETUP\MSH\Mouse\point32.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {B743A289-E589-4DDE-8FF1-8C906856F28D} - http://secure5.trustcast.com/history_installers/trustcast_installer.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: geede - C:\WINDOWS\system32\geede.dll
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll
O20 - Winlogon Notify: mlljg - C:\WINDOWS\system32\mlljg.dll
O20 - Winlogon Notify: ssqpn - C:\WINDOWS\system32\ssqpn.dll
O20 - Winlogon Notify: ssqpq - C:\WINDOWS\system32\ssqpq.dll
O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE


End of KRC HijackThis Analyzer Log.
====================================================================
 

Security Team (ret.)
Hi
You have a little Vundo nasty in here.

It may be best if you print out these instructions.


Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to extract the files.

This will create a VundoFix folder on your desktop.
After the files are extracted, please reboot your computer into Safe Mode by continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat.
You will first be presented with a warning and a list of forums to seek help at.
It should look like this:

VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net
Now press enter one time.
You will now see:


Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
Then please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\geede.dll

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

Next you will see:
Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

At this point please type the following file path (make sure to enter it exactly as below!). This will be the Vundo filename spelt backwards.

C:\WINDOWS\system32\edeeg.dll



Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
The fix will run then HijackThis will open.
In HiJackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\geede.dll
O20 - Winlogon Notify: geede - C:\WINDOWS\system32\geede.dll
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll
O20 - Winlogon Notify: mlljg - C:\WINDOWS\system32\mlljg.dll
O20 - Winlogon Notify: ssqpn - C:\WINDOWS\system32\ssqpn.dll
O20 - Winlogon Notify: ssqpq - C:\WINDOWS\system32\ssqpq.dll
O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll



--------------------------------------------------------------------
After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
----------------------------------------------

Post a new HJT log and the vundofix.txt file, as there could be more cleaning to be done.
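As an added example (my own code, not part of this thread and not from HijackThis or VundoFix), here is a small Python triage script that applies the pattern the helper used above to a HijackThis log: O20 Winlogon Notify entries that load a DLL with a random-looking five-letter name out of system32, cross-referenced with O2 BHO entries pointing at the same DLL, plus the reversed-name companion path that the VundoFix step asks for. The sample lines are copied from the first log in this thread; the five-lowercase-letter heuristic is my assumption, not a HijackThis rule.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the lines from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\geede.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O20 - Winlogon Notify: geede - C:\WINDOWS\system32\geede.dll
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll
O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
# Heuristic (my assumption): the notify packages in this thread all have random five-lowercase-letter names.
RANDOM_NAME_RE = re.compile(r"[a-z]{5}")

def parse_entries(log_text):
    """Split a HijackThis log into its O2 (BHO) and O20 (Winlogon Notify) entries."""
    bhos, notifies = [], []
    for line in log_text.splitlines():
        if m := O2_RE.match(line.strip()):
            bhos.append({"name": m["name"], "clsid": m["clsid"], "path": m["path"].strip()})
        elif m := O20_RE.match(line.strip()):
            notifies.append({"key": m["key"], "path": m["path"].strip()})
    return bhos, notifies

def reversed_companion(path):
    """Same directory, DLL stem spelt backwards (geede.dll -> edeeg.dll): the 'second filepath' of the fix above."""
    p = PureWindowsPath(path)
    return str(p.with_name(p.stem[::-1] + p.suffix))

def triage(log_text):
    """Flag system32 Winlogon Notify DLLs with random-looking names, BHOs loading the same DLL, and companions."""
    bhos, notifies = parse_entries(log_text)
    flagged = []
    for n in notifies:
        p = PureWindowsPath(n["path"])
        if p.parent.name.lower() == "system32" and RANDOM_NAME_RE.fullmatch(p.stem):
            flagged.append(n["path"])
    flagged_lower = {f.lower() for f in flagged}
    linked = [b for b in bhos if b["path"].lower() in flagged_lower]  # BHO and notify package share a DLL
    return {"notify_dlls": flagged, "linked_bhos": linked,
            "companions": [reversed_companion(f) for f in flagged]}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for dll, companion in zip(result["notify_dlls"], result["companions"]):
        print(f"suspect Winlogon Notify DLL: {dll} (reversed-name companion to check: {companion})")
    for b in result["linked_bhos"]:
        print(f"BHO loading a flagged DLL: {b['name']} {{{b['clsid']}}}")
```

A short name alone is only a triage signal; anything flagged still needs a look at the file itself before removal, as the helper does here by reviewing the full log.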
 

Registered · Discussion Starter · #3
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:20:43 PM, on 10/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\DELL\drivers\R34790\Mouse\SETUP\MSH\Mouse\point32.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\WINDOWS\webshots.scr
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Documents and Settings\Chase\My Documents\Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\jkhfd.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QD FastAndSafe] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [POINTER] C:\DELL\drivers\R34790\Mouse\SETUP\MSH\Mouse\point32.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {B743A289-E589-4DDE-8FF1-8C906856F28D} - http://secure5.trustcast.com/history_installers/trustcast_installer.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE


End of KRC HijackThis Analyzer Log.
====================================================================

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\geede.dll

The second filepath entered was C:\WINDOWS\system32\edeeg.dll

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 156 'smss.exe'

Error, Cannot find a process with an image name of explorer.exe


Killing PID 232 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\geede.dll Deleted sucessfully.
C:\WINDOWS\system32\edeeg.dll Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------
 

Security Team (ret.)
SHOW HIDDEN FILES AND FOLDERS.
Instructions to show hidden files (WinXP):
Double-click My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\jkhfd.dll
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll


Open Windows Explorer and delete the following highlighted file:


C:\WINDOWS\system32\jkhfd.dll
 