Before we go any further, let's flush the restore folder: go to 'Control Panel/System/System Restore', check the box 'Turn off System Restore on all drives', click 'Apply' and 'OK'. Reboot your computer, then enable System Restore again and create a 'New Restore Point' by going to 'Start/Programs/Accessories/System Tools/System Restore'.
Next, download 'Killbox' from here: http://www.downloads.subratam.org/KillBox.exe to your desktop. You will need it later in safe mode.
Update AVG Antispyware.
From normal Windows, open Vundofix. Right-click on the white part in the box and choose 'Add more files'. Copy and paste the following lines into it:
C:\WINDOWS\system32\kwugjayx.dll
C:\WINDOWS\system32\wirvufc.dll
C:\WINDOWS\SYSTEM32\ssqpmml.dll
Click 'Add Files', then 'Remove Vundo', and follow the same steps as before. (Save this log.)
Once you have completed this, reboot into safe mode.
Now this is 'Very Important': as you saw, one or more of your security programs prevented SmitfraudFix from working.
Disable 'ALL' security programs: AVG Anti-Spyware, Trojan Hunter and any other spyware programs.
To disable Norton AntiVirus Script Blocking:
Start Norton AntiVirus.
If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options.
If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK.
Now, completely shutdown Norton.
Run SmitfraudFix
* Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
* Select option #2 - Clean by typing 2 and press Enter.
* Wait for the tool to complete and disk cleanup to finish.
* You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
* The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot into safe mode. Save this log.
Navigate to the following folders and delete them:
C:\Program Files\Network Monitor
C:\WINDOWS\system32\SKS~1
C:\WINDOWS\TW9t
If these won't delete, add them in with the entries below.
Run Killbox from safe mode. Start Killbox and place a tick next to 'Delete on reboot', then press the 'All Files' button.
Copy the following list of files to clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\drvwot.dll
C:\WINDOWS\system32\jezmesh.dll
C:\WINDOWS\SYSTEM32\wingsa32.dll
Next, in Killbox go to File > Paste from clipboard.
Click on the 'All Files' button.
Next click on the button that has the red circle with the white X in the middle.
It will ask for confirmation to delete the files on the next reboot and ask you if you want to reboot now.
Click Yes and let the computer reboot. If the computer does not reboot automatically just reboot it manually.
Reboot to safe mode once again.
From safe mode, run HijackThis and put a check by the following entries if still present, close all open windows and browsers except HijackThis, and click 'Fix Checked':
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\kwugjayx.dll
O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - C:\WINDOWS\system32\wirvufc.dll
O2 - BHO: (no name) - {5A2E75EF-E324-4CFB-BA85-40D522770567} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65} - C:\WINDOWS\system32\ssqpmml.dll
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvwot.dll,startup
O4 - HKLM\..\Run: [jezmesh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\jezmesh.dll,zadrarc
O4 - HKCU\..\Run: [Etrh] "C:\WINDOWS\system32\SKS~1\services.exe" -vt yazb
O20 - Winlogon Notify: ssqpmml - C:\WINDOWS\SYSTEM32\ssqpmml.dll
O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\SYSTEM32\wingsa32.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TW9t\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
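As an added illustration (not part of the original post, and not something HijackThis, Vundofix or Killbox do themselves), the following PowerShell script checks, read-only, the same persistence locations the HijackThis entries above point at: the BHO CLSIDs, the Run values, the Winlogon Notify subkeys, the two services and the DLL files named in this thread. It deletes nothing; it only reports what is still present so you can confirm the fix took. It assumes Windows PowerShell 5.1 or later, which is not the tooling of the original XP-era thread; every path, CLSID, value name and service name is taken from the entries above.

```powershell
# Added example: read-only audit of the persistence points listed in the HijackThis log above.
# Assumes Windows PowerShell 5.1+ (assumption; not the era's tooling). Removes nothing.

# DLLs named in the O2/O4/O20 entries (paths from the post).
$Files = @(
    "$env:SystemRoot\system32\kwugjayx.dll",
    "$env:SystemRoot\system32\wirvufc.dll",
    "$env:SystemRoot\system32\ssqpmml.dll",
    "$env:SystemRoot\system32\drvwot.dll",
    "$env:SystemRoot\system32\jezmesh.dll",
    "$env:SystemRoot\system32\wingsa32.dll"
)

# Browser Helper Object CLSIDs from the O2 entries; each is a subkey under the BHO registration key.
$BhoClsids = @(
    '{013A653B-49A6-4f76-8B68-E4875EA6BA54}',
    '{11F0EE13-5947-2942-F631-09BEB2706006}',
    '{5A2E75EF-E324-4CFB-BA85-40D522770567}',
    '{755bbd1a-aa59-456c-afeb-b4c42c4dcb6f}',
    '{D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65}'
)

# Run values from the O4 entries (hive and value name).
$RunValues = @(
    @{ Hive = 'HKLM'; Name = 'CTDrive' },
    @{ Hive = 'HKLM'; Name = 'jezmesh.dll' },
    @{ Hive = 'HKCU'; Name = 'Etrh' }
)

# Winlogon Notify subkeys from the O20 entries and service names from the O23 entries.
$NotifyKeys = @('ssqpmml', 'wingsa32')
$Services   = @('cmdService', 'Network Monitor')

function New-Finding {
    param([string]$Kind, [string]$Item, [bool]$Present)
    [pscustomobject]@{ Kind = $Kind; Item = $Item; Present = $Present }
}

$results = @()

foreach ($f in $Files) {
    $results += New-Finding 'File' $f (Test-Path -LiteralPath $f)
}

foreach ($c in $BhoClsids) {
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$c"
    $results += New-Finding 'BHO' $c (Test-Path -LiteralPath $key)
}

foreach ($r in $RunValues) {
    $key = "$($r.Hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $present = $false
    if (Test-Path -LiteralPath $key) {
        # Get-ItemProperty returns $null (non-terminating error suppressed) when the value is absent.
        $present = $null -ne (Get-ItemProperty -LiteralPath $key -Name $r.Name -ErrorAction SilentlyContinue)
    }
    $results += New-Finding 'Run' "$($r.Hive) [$($r.Name)]" $present
}

foreach ($n in $NotifyKeys) {
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\$n"
    $results += New-Finding 'WinlogonNotify' $n (Test-Path -LiteralPath $key)
}

foreach ($s in $Services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$s"
    $results += New-Finding 'Service' $s (Test-Path -LiteralPath $key)
}

# Anything still marked Present after the fix should go back into HijackThis / Killbox.
$results | Sort-Object Kind, Item | Format-Table -AutoSize
```

Run it from an elevated prompt after the 'Fix Checked' step and the reboot; a row with Present = True means that file or registry entry survived the fix and needs another pass. Because the HijackThis lines only tell you what is registered, not whether the DLL is loaded, the file checks and the registry checks are reported separately.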
Run AVG Anti-Spyware again and delete what it finds. Save this log.
Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you also use Firefox, select Firefox at the top of ATF-Cleaner, tick 'Select All' and run it again.
Reboot into normal Windows, run ATF-Cleaner again, and post a new 'HJT' log along with the Vundofix log and the safe mode scan logs from AVG Anti-Spyware and SmitfraudFix.