Wilders Security Forums  

Go Back   Wilders Security Forums > Browser Hijacks and Spyware Problems > adware, spyware & hijack cleaning
Reload this Page need Help
User Name
Password
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Spyware Cleaning Section Closed!!
Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services.
 
 
Thread Tools Search this Thread
  #1  
Old July 18th, 2004, 11:04 PM
Tokiya Tokiya is offline
Infrequent Poster
  
Join Date: Jul 2004
Posts: 6
Default need Help
May i know what is the RunDDL32.exe and Vboxm.dll .. which is runing on my Pc .. is it a trajons or wormy ??

heres my log

Logfile of HijackThis v1.97.7
Scan saved at 6:00:56 AM, on 7/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\ZTE\ADSLDIAL\adslDial.exe
C:\Documents and Settings\oem\Desktop\Botz\chaos's bot\Wizard\KoreEasy.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Yuna001,Yuna~chan\modKore-Hybrid.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Yuna002,~Miduki~\modKore-Hybrid.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Yuna003,Tokiya\modKore-Hybrid.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Yuna004,Yuna~\modKore-Hybrid.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Yuna005,Huriko\modKore-Hybrid.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Yuna007 ,~Genko~\modKore-Hybrid.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\wanshan88 , ~Tokiya~\modKore-Hybrid.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\noob34 , ~Midori\modKore-Hybrid.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\noob12 ,~Midori~\modKore-Hybrid.exe
C:\Documents and Settings\oem\Desktop\Botz\chaos's bot\doppel\KoreC-Final.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Huriko , ~Yanagi~\modKore-Hybrid.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\toon0129 , Doppelganger\modKore-Hybrid.exe
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\Program Files\Common Files\Vbox\Common\vboxm.dll
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\oem\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Microsoft Update] esplorer.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [JA Cfg Util v2] jacfg2.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ 4.1 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binari..._1017_EN_XP.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binari...thv32_EN_XP.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tec...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tec.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93F8CC08-10AE-44F1-A5B2-2E1CF2B2E8DC}: NameServer = 202.188.0.133 202.188.1.5
  #2  
Old July 19th, 2004, 04:00 AM
TonyKlein's Avatar
TonyKlein TonyKlein is offline
Security Expert
  
Join Date: Feb 2002
Location: The Netherlands
Posts: 3,947
Default Re: need Help
Rundll32.exe is a Windows system file, but jacfg2.exe is indicative of this trojan:

http://uk.trendmicro-europe.com/ente...me=BKDR_RBOT.C

Do the following: in Hijack This, check all of the following items, then close all browser windows, and press "Fix Checked":

O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Microsoft Update] esplorer.exe
O4 - HKLM\..\RunServices: [JA Cfg Util v2] jacfg2.exe

O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binari..._1017_EN_XP.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binari...thv32_EN_XP.cab

Now restart your computer, and delete the C:\WINDOWS\vsnpstd.exe file.
If you still find jacfg2.exe anywhere, make sure you delete that one as well.


NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show.

When done, reboot, and post a fresh log.
__________________
Tony < > CLSID List - A Collection of Autostart Locations
  #3  
Old August 5th, 2004, 07:46 AM
Tokiya Tokiya is offline
Infrequent Poster
  
Join Date: Jul 2004
Posts: 6
Default Re: need Help
Thanks Alot Dude ..
  #4  
Old August 6th, 2004, 08:00 AM
Tokiya Tokiya is offline
Infrequent Poster
  
Join Date: Jul 2004
Posts: 6
Default Re: need Help
sorry very busy those days >.< fixed it ... but there are some new programs runing on my pc .. and i am not sure about it .. can u cheak it one more time =X thanks alot ^^

Logfile of HijackThis v1.98.1
Scan saved at 19:59:23, on 06/08/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ZTE\ADSLDIAL\adslDial.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\oem\Desktop\HijackThis1981.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93F8CC08-10AE-44F1-A5B2-2E1CF2B2E8DC}: NameServer = 202.188.0.133 202.188.1.5
  #5  
Old August 6th, 2004, 03:18 PM
TonyKlein's Avatar
TonyKlein TonyKlein is offline
Security Expert
  
Join Date: Feb 2002
Location: The Netherlands
Posts: 3,947
Default Re: need Help
Nothing the matter here...

Just have the following item fixed:

R3 - Default URLSearchHook is missing
__________________
Tony < > CLSID List - A Collection of Autostart Locations
 

Wilders Security Forums > Browser Hijacks and Spyware Problems > adware, spyware & hijack cleaning « Previous Thread | Next Thread »

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Settings
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -4. The time now is 08:31 AM.

Contact Us - SSL - Wilders Security - Archive - TOS/Privacy - Top

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums