Explorer being assaulted by trojan

[Richenstony]

hi  mycomp. you might want to get superantispyware install reboot into safe mode and do a full scan then start run and enter chkdsk /f ( notice the space between the k and the /f ) press ok

a box will pop up and ask to run on next reboot enter y and press enter, then restart and let it run.

when you get back into normal mode try this online scanner

remove anything found and right down any vulnerabilities it finds.

report back on the vulnerabilities and any infection it finds.


these don't look friendly i can't find anything on them.
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\ihhpwfge.dll",forkonce

O4 - HKLM\..\Run: [lich] lich.exe

MemoryManager do you know what program this is?


thoses are just some things i picked out, lets wait for fed dl65 or cbmatt to reply on the hjt log, but try my other suggestions and see oh they work out.

try this stuff yet

Was that a bump unloved hehe 

[mycompisbroke]

Did I miss something?

[Richenstony]

Did I miss something?

yh go back to the other page he was asking to to try sumin.......

[unlovedwarrior]

hi  mycomp. you might want to get superantispyware install reboot into safe mode and do a full scan then start run and enter chkdsk /f ( notice the space between the k and the /f ) press ok

a box will pop up and ask to run on next reboot enter y and press enter, then restart and let it run.

when you get back into normal mode try this online scanner

remove anything found and right down any vulnerabilities it finds.

report back on the vulnerabilities and any infection it finds.


these don't look friendly i can't find anything on them.
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\ihhpwfge.dll",forkonce

O4 - HKLM\..\Run: [lich] lich.exe

MemoryManager do you know what program this is?


thoses are just some things i picked out, lets wait for fed dl65 or cbmatt to reply on the hjt log, but try my other suggestions and see oh they work out.

try this stuff yet

Was that a bump unloved hehe 

nope just asking if he/she tried those things yet

[mycompisbroke]

All the adware and the worm randomly stoped all of the sudden . For the past week everytime I open a page i got a pop up but not for the past 25 pagesish. hmmmm

[CBMatt]

This thread is becoming a bit of a mess.  Hang tight and I'll get back to you with an anaylsis of your log in a few minutes.

[CBMatt]

Alrighty...you've got a few nasties, but we should be able to get this all sorted out.  First, let's take care of your Vundo infection...

1. Download VundoFix and save it to your desktop.
2. Run VundoFix and click on Scan For Vundo.
3. Once it's done scanning, click on Remove Vundo.
4. When it prompts you to remove the files, click on Yes.
5. Your desktop will go blank as it's removing files.  Don't worry, this is normal.
6. It will prompt you to restart your computer, so click OK.
7. When your computer is turned back on, your problem should be gone.
8. The program normally produces a Vundofix.txt file.  Please locate this file and paste the contents in your next post.

And then, just to be thorough...
1. Download VirtumundoBeGone and save it to your desktop.
2. Reboot into Safe Mode.
3. Once you are in Safe Mode, run VirtumundoBeGone and follow the instructions.
4. Exit when it has finished and reboot back into normal mode.
5. The program normally produces a VBG.txt file.  Please locate this file and paste the contents in your next post.


Now, let's take a look at your log...  Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file.  Open HijackThis and scan again.  Check the following entries, but don't do anything to them yet...

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\msiexec.exe

O2 - BHO: (no name) - {6064348C-FF1E-42B3-A90A-4B35AF0AB67E} - C:\WINDOWS\system32\jkklj.dll
O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINDOWS\system32\cbxyaax.dll

O4 - HKLM\..\Run: [lich] lich.exe
O4 - HKLM\..\Run: [pas_check] C:\Program Files\SystemDoctor 2006 Free\pasmon.exe
O4 - HKLM\..\Run: [NI.UWA7P_0001_N91M0809] "C:\Documents and Settings\Travis\My Documents\My Videos\WinAntiVirusPro2007FreeInstall.exe" -nag
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\ihhpwfge.dll",forkonce

O15 - Trusted Zone: *.stumbleupon.com
(This site is safe, but it's always best to not allow a site into your Trusted Zone.)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetu p1.0.0.15.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX28.cab

O20 - Winlogon Notify: cbxyaax - C:\WINDOWS\SYSTEM32\cbxyaax.dll
O20 - Winlogon Notify: jkklj - C:\WINDOWS\system32\jkklj.dll

O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
(You have LimeWire.  The program itself isn't considered malicious, but it the programs/files downloaded through this client may be unsafe, and are likely contributors to your infection.  Many downloads are also considered illegal, as they infringe on copyright laws.  You don't have to delete this, but it is strongly advised.)

O17 - HKLM\System\CCS\Services\Tcpip\..\{EBE3764D-FAD0-4AC0-9E4D-0B10C70E8BE1}: NameServer = 207.69.188.187 207.69.188.186
(If this isn't your ISP, you should fix this.)

Now, close all windows (including this one) besides HijackThis, then click Fix Checked.  Close HijackThis and reboot into Safe Mode and enable hidden files and folders.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following (if present)...

SystemDoctor 2006 Free
LimeWire  (You don't have to remove this, but it is advised.)

Please note any other programs that you dont recognize in that list in your next response.

Navigate to and delete the following folder(s) if present...

C:\Program Files\SystemDoctor 2006 Free
C:\Program Files\LimeWire  (You don't have to remove this, but it is advised.)

Navigate to and delete the following file(s) if present...

C:\Documents and Settings\Travis\My Documents\My Videos\WinAntiVirusPro2007FreeInstall.exe
C:\WINDOWS\system32\cbxyaax.dll
C:\WINDOWS\system32\ihhpwfge.dll
C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\lich.exe

Once you've done all of this, reboot into Normal Mode and post a new HijackThis log (along with the Vundo logs) so we can see if there's any other junk we need to clean up.  Let me know how everything's running now and if you had any problems following my steps.

[mycompisbroke]

A few nasties? Looks like a LOT of nasties. I had vundo last month. <_< Oh well. I'll fix the vundo now and get rid of the other stuff after summer school.

[mycompisbroke]

Vundoo = pwnzored . I'll do the other vundoo one and i'll delete the other stuff later.



VundoFix V4.2.57

Checking Java version...

Java version is 1.4.2.3

Scan started at 1:12:16 PM 4/8/2006

Listing files found while scanning....

C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\abeeg.bak1
C:\WINDOWS\system32\abeeg.bak2
C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\abeeg.tmp

C:\WINDOWS\SYSTEM32\abeeg.bak1
C:\WINDOWS\SYSTEM32\abeeg.bak2
C:\WINDOWS\SYSTEM32\abeeg.tmp
C:\WINDOWS\SYSTEM32\abeeg.ini
C:\WINDOWS\SYSTEM32\abeeg.ini2
C:\WINDOWS\SYSTEM32\geeba.dll
C:\WINDOWS\SYSTEM32\abeeg.ini2
C:\WINDOWS\SYSTEM32\abeeg.bak2
C:\WINDOWS\SYSTEM32\abeeg.tmp
C:\WINDOWS\SYSTEM32\abeeg.ini
C:\WINDOWS\SYSTEM32\abeeg.ini2
C:\WINDOWS\SYSTEM32\geeba.dll
 Attempting to delete C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\geeba.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\abeeg.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\abeeg.bak1
C:\WINDOWS\system32\abeeg.bak1 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\abeeg.bak2
C:\WINDOWS\system32\abeeg.bak2 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\abeeg.ini2 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\abeeg.tmp
C:\WINDOWS\system32\abeeg.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 7:27:53 AM 7/26/2007

Listing files found while scanning....

C:\windows\system32\aplecerd.exe
C:\windows\system32\awtuuuu.dll
C:\WINDOWS\system32\cbxyaax.dll
C:\windows\system32\cqiqpnij.ini
C:\windows\system32\dbciksyk.dll
C:\windows\system32\evdyhlpx.dll
C:\windows\system32\fmqhqajf.exe
C:\windows\system32\hwoxnjpe.dll
C:\windows\system32\iktbeibl.exe
C:\windows\system32\jinpqiqc.dll
C:\WINDOWS\system32\jkklj.dll
C:\windows\system32\jkplfdeu.dll
C:\windows\system32\jlkkj.bak1
C:\windows\system32\jlkkj.bak2
C:\windows\system32\jlkkj.ini
C:\windows\system32\jlkkj.ini2
C:\windows\system32\jlkkj.tmp
C:\windows\system32\jonmokqa.exe
C:\windows\system32\kqgiiolw.dll
C:\windows\system32\krevceny.dll
C:\windows\system32\kyskicbd.ini
C:\windows\system32\lvgjgaep.dll
C:\windows\system32\lwiroqhi.exe
C:\windows\system32\mqiajual.dll
C:\windows\system32\nbgwvxgb.exe
C:\windows\system32\nlqglnnm.dll
C:\windows\system32\npjsdgtv.exe
C:\windows\system32\oxsogaqt.dll
C:\windows\system32\puattols.dll
C:\windows\system32\pwltnsla.dll
C:\windows\system32\qrpqefxy.exe
C:\windows\system32\ssqppop.dll
C:\windows\system32\stxtgylf.exe
C:\windows\system32\sveodjie.exe
C:\windows\system32\tbbapsby.dll
C:\windows\system32\twbdqxit.dll
C:\windows\system32\uedflpkj.ini
C:\windows\system32\ujvambyv.dll
C:\windows\system32\utewrlas.dll
C:\windows\system32\vashujcv.dll
C:\windows\system32\viygycub.exe
C:\windows\system32\vwvoptrd.exe
C:\windows\system32\wloiigqk.ini
C:\windows\system32\xalmklfp.exe
C:\windows\system32\xfitnljw.dll
C:\windows\system32\xkodkctx.exe
C:\windows\system32\yqmjqsgo.dll

Beginning removal...

 Attempting to delete C:\windows\system32\aplecerd.exe
C:\windows\system32\aplecerd.exe Has been deleted!

 Attempting to delete C:\windows\system32\awtuuuu.dll
C:\windows\system32\awtuuuu.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\cbxyaax.dll
C:\WINDOWS\system32\cbxyaax.dll Could not be deleted.

 Attempting to delete C:\windows\system32\cqiqpnij.ini
C:\windows\system32\cqiqpnij.ini Has been deleted!

 Attempting to delete C:\windows\system32\dbciksyk.dll
C:\windows\system32\dbciksyk.dll Has been deleted!

 Attempting to delete C:\windows\system32\evdyhlpx.dll
C:\windows\system32\evdyhlpx.dll Has been deleted!

 Attempting to delete C:\windows\system32\fmqhqajf.exe
C:\windows\system32\fmqhqajf.exe Has been deleted!

 Attempting to delete C:\windows\system32\hwoxnjpe.dll
C:\windows\system32\hwoxnjpe.dll Has been deleted!

 Attempting to delete C:\windows\system32\iktbeibl.exe
C:\windows\system32\iktbeibl.exe Has been deleted!

 Attempting to delete C:\windows\system32\jinpqiqc.dll
C:\windows\system32\jinpqiqc.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\jkklj.dll Has been deleted!

 Attempting to delete C:\windows\system32\jkplfdeu.dll
C:\windows\system32\jkplfdeu.dll Has been deleted!

 Attempting to delete C:\windows\system32\jlkkj.bak1
C:\windows\system32\jlkkj.bak1 Has been deleted!

 Attempting to delete C:\windows\system32\jlkkj.bak2
C:\windows\system32\jlkkj.bak2 Has been deleted!

 Attempting to delete C:\windows\system32\jlkkj.ini
C:\windows\system32\jlkkj.ini Has been deleted!

 Attempting to delete C:\windows\system32\jlkkj.ini2
C:\windows\system32\jlkkj.ini2 Has been deleted!

 Attempting to delete C:\windows\system32\jlkkj.tmp
C:\windows\system32\jlkkj.tmp Has been deleted!

 Attempting to delete C:\windows\system32\jonmokqa.exe
C:\windows\system32\jonmokqa.exe Has been deleted!

 Attempting to delete C:\windows\system32\kqgiiolw.dll
C:\windows\system32\kqgiiolw.dll Has been deleted!

 Attempting to delete C:\windows\system32\krevceny.dll
C:\windows\system32\krevceny.dll Has been deleted!

 Attempting to delete C:\windows\system32\kyskicbd.ini
C:\windows\system32\kyskicbd.ini Has been deleted!

 Attempting to delete C:\windows\system32\lvgjgaep.dll
C:\windows\system32\lvgjgaep.dll Has been deleted!

 Attempting to delete C:\windows\system32\lwiroqhi.exe
C:\windows\system32\lwiroqhi.exe Has been deleted!

 Attempting to delete C:\windows\system32\mqiajual.dll
C:\windows\system32\mqiajual.dll Has been deleted!

 Attempting to delete C:\windows\system32\nbgwvxgb.exe
C:\windows\system32\nbgwvxgb.exe Has been deleted!

 Attempting to delete C:\windows\system32\nlqglnnm.dll
C:\windows\system32\nlqglnnm.dll Has been deleted!

 Attempting to delete C:\windows\system32\npjsdgtv.exe
C:\windows\system32\npjsdgtv.exe Could not be deleted.

 Attempting to delete C:\windows\system32\oxsogaqt.dll
C:\windows\system32\oxsogaqt.dll Has been deleted!

 Attempting to delete C:\windows\system32\puattols.dll
C:\windows\system32\puattols.dll Has been deleted!

 Attempting to delete C:\windows\system32\pwltnsla.dll
C:\windows\system32\pwltnsla.dll Has been deleted!

 Attempting to delete C:\windows\system32\qrpqefxy.exe
C:\windows\system32\qrpqefxy.exe Has been deleted!

 Attempting to delete C:\windows\system32\ssqppop.dll
C:\windows\system32\ssqppop.dll Has been deleted!

 Attempting to delete C:\windows\system32\stxtgylf.exe
C:\windows\system32\stxtgylf.exe Has been deleted!

 Attempting to delete C:\windows\system32\sveodjie.exe
C:\windows\system32\sveodjie.exe Has been deleted!

 Attempting to delete C:\windows\system32\tbbapsby.dll
C:\windows\system32\tbbapsby.dll Has been deleted!

 Attempting to delete C:\windows\system32\twbdqxit.dll
C:\windows\system32\twbdqxit.dll Has been deleted!

 Attempting to delete C:\windows\system32\uedflpkj.ini
C:\windows\system32\uedflpkj.ini Has been deleted!

 Attempting to delete C:\windows\system32\ujvambyv.dll
C:\windows\system32\ujvambyv.dll Has been deleted!

 Attempting to delete C:\windows\system32\utewrlas.dll
C:\windows\system32\utewrlas.dll Has been deleted!

 Attempting to delete C:\windows\system32\vashujcv.dll
C:\windows\system32\vashujcv.dll Has been deleted!

 Attempting to delete C:\windows\system32\viygycub.exe
C:\windows\system32\viygycub.exe Has been deleted!

 Attempting to delete C:\windows\system32\vwvoptrd.exe
C:\windows\system32\vwvoptrd.exe Has been deleted!

 Attempting to delete C:\windows\system32\wloiigqk.ini
C:\windows\system32\wloiigqk.ini Has been deleted!

 Attempting to delete C:\windows\system32\xalmklfp.exe
C:\windows\system32\xalmklfp.exe Has been deleted!

 Attempting to delete C:\windows\system32\xfitnljw.dll
C:\windows\system32\xfitnljw.dll Has been deleted!

 Attempting to delete C:\windows\system32\xkodkctx.exe
C:\windows\system32\xkodkctx.exe Has been deleted!

 Attempting to delete C:\windows\system32\yqmjqsgo.dll
C:\windows\system32\yqmjqsgo.dll Has been deleted!

Performing Repairs to the registry.
Done!

[CBMatt]

Sheesh, that's quite the Vundo infection.  Heh.  One of the files couldn't be deleted, so hopefully, the other program will get it.  If not, give VundoFix another try.

I'll be waiting for your next reply and an update on how things are running after following the rest of my instructions.

[unlovedwarrior]

are you tring in safe mode?

[mycompisbroke]

I still cant believe I was dumb enough to instal winantivirus AND systymdocter. <_< Im about to give the 2nd anti vundo program a go.

[unlovedwarrior]

its ok your not the first to fall for it

[mycompisbroke]

Nothing found. <_< I'll do hijackthis later.


[07/26/2007, 12:59:01] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Travis\My Documents\My Videos\hideme\VirtumundoBeGone.exe" )
[07/26/2007, 12:59:10] - Detected System Information:
[07/26/2007, 12:59:10] -  Windows Version: 5.1.2600, Service Pack 2
[07/26/2007, 12:59:10] -  Current Username: Tommy (Admin)
[07/26/2007, 12:59:10] -  Windows is in NORMAL mode.
[07/26/2007, 12:59:10] - Searching for Browser Helper Objects:
[07/26/2007, 12:59:10] -  BHO 1: {00000000-6C30-11D8-9363-000AE6309654} (SuperAdBlockerBHO Class)
[07/26/2007, 12:59:10] -  BHO 2: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[07/26/2007, 12:59:10] -  BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/26/2007, 12:59:10] -  BHO 4: {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} (McBrwHelper Class)
[07/26/2007, 12:59:10] -  BHO 5: {474FEF48-70C8-4511-9D96-698999AD6404} ()
[07/26/2007, 12:59:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/26/2007, 12:59:10] -  Checking for HKLM\...\Winlogon\Notify\jkklj
[07/26/2007, 12:59:10] -  Key not found: HKLM\...\Winlogon\Notify\jkklj, continuing.
[07/26/2007, 12:59:10] -  BHO 6: {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} (PnIEBrowserHelperObj Class)
[07/26/2007, 12:59:10] -  BHO 7: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[07/26/2007, 12:59:10] -  BHO 8: {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} (Toolbar Helper)
[07/26/2007, 12:59:10] -  BHO 9: {D80C4E21-C346-4E21-8E64-20746AA20AEB} ()
[07/26/2007, 12:59:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/26/2007, 12:59:10] -  No filename found. Continuing.
[07/26/2007, 12:59:10] - Finished Searching Browser Helper Objects
[07/26/2007, 12:59:10] - Finishing up...
[07/26/2007, 12:59:10] - Nothing found! Exiting...

[unlovedwarrior]

you alive??