Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Browser pop-ups & slowness - Infected with malware/viruses


Post by vik » June 25th, 2007, 12:19 pm

Hello,

I am new to this forum and this is my first posting. Glad to know that this kind of helpful discussion forum exists.
My computer runs Windows XP Service Pack 2 and within the last month has been hit with a slew of pop-up advertisements like WinAntivirus Pro, Zenosearch, etc. This causes the Internet Explorer browser to perform very slowly and sometimes crash.
I have run Spybot and Ad-Aware (latest versions), which seem to remove most of the detected infections but not all (per their logs, some infections that go by the names Virtumonde, SmitFraud and Zenosearch always remain as unremovable). I tried a couple of other anti-virus programs, but to no avail.

Please find below the HijackThis logfile for your perusal. I would appreciate any help on this problem. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 12:17:28 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\fttsracc.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\WINDOWS\qlabzauA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\eFax Messenger 4.1\J2GTray.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\YTBSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Software\adaware\hjackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.passport.net/reg.srf?x ... angid=1033
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [j2281731] rundll32 C:\WINDOWS\system32\j2281731.dll sook
O4 - HKLM\..\Run: [qlabzauA] C:\WINDOWS\qlabzauA.exe
O4 - HKLM\..\Run: [{58-87-77-79-ZN}] C:\windows\system32\npdsrego.exe SKY003
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\xkdhjysn.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: eFax 4.1.lnk = C:\Program Files\eFax Messenger 4.1\J2GTray.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE487754-BB4A-402A-8290-4CF3EAAEF816}: Domain = gsiccorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE487754-BB4A-402A-8290-4CF3EAAEF816}: NameServer = 172.25.5.10,172.25.5.15
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\fttsracc.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
vik
Active Member
 
Posts: 6
Joined: June 21st, 2007, 3:32 pm

Post by Shaba » June 25th, 2007, 1:50 pm

Hi vik

Rename HijackThis.exe to scanner.exe and post back a fresh HijackThis log, please :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Post by vik » June 25th, 2007, 5:38 pm

Thanks for the quick response. Please find below the HijackThis logfile produced after renaming HijackThis.exe to Scanner.exe and running it.


-----------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 5:34:34 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\fttsracc.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\WINDOWS\qlabzauA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\eFax Messenger 4.1\J2GTray.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\YTBSDK.exe
C:\Program Files\ACDSee32\ACDSee32.exe
C:\Software\adaware\hjackthis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.passport.net/reg.srf?x ... angid=1033
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {01F17FA6-5C97-4BD1-831D-25BF884B4BC3} - \
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {04DB16E3-4C32-491A-8485-3AFE84292195} - \
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\system32\ssqqppn.dll
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: (no name) - {38B200C2-28DF-4126-BAD4-B467FC49ACA0} - C:\WINDOWS\system32\awvvw.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\ajasenpr.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\urnscpbn.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6F512F07-8936-40C0-B5F9-7CBFAB0DE000} - C:\WINDOWS\system32\hcqpcdxh.dll
O2 - BHO: (no name) - {8c12cdb9-8916-430b-8e4a-94cbc27c7ea9} - C:\WINDOWS\system32\bylewxm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [j2281731] rundll32 C:\WINDOWS\system32\j2281731.dll sook
O4 - HKLM\..\Run: [qlabzauA] C:\WINDOWS\qlabzauA.exe
O4 - HKLM\..\Run: [{58-87-77-79-ZN}] C:\windows\system32\npdsrego.exe SKY003
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\yaelebtx.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: eFax 4.1.lnk = C:\Program Files\eFax Messenger 4.1\J2GTray.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: accmain - c:\windows\cursors\accmain.dll (file missing)
O20 - Winlogon Notify: awvvw - C:\WINDOWS\system32\awvvw.dll
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: ddcyx - C:\WINDOWS\system32\ddcyx.dll (file missing)
O20 - Winlogon Notify: ssqqppn - C:\WINDOWS\SYSTEM32\ssqqppn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\fttsracc.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

-----------------------------

Post by Shaba » June 26th, 2007, 4:32 am

Hi

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post:

- a fresh HijackThis log
- combofix report
- vundofix report

Post by vik » June 26th, 2007, 7:35 pm

Hi,

As suggested, I just finished running the VundoFix and ComboFix programs, and they seem to have removed a whole bunch of infections. Also, I opened Internet Explorer and browsed around a little and have not had any problems so far, which is absolutely great. Can't believe it! I will browse around a little more using Internet Explorer and let you know how it goes. Please find below the VundoFix, ComboFix and HijackThis logs for your perusal.

===========START VundoFix Log=====================

VundoFix V6.5.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 6:42:47 PM 6/26/2007

Listing files found while scanning....

C:\windows\system32\ajasenpr.dll
C:\windows\system32\akwpmdun.ini
C:\windows\system32\alwmnbno.ini
C:\WINDOWS\system32\awvvw.dll
C:\windows\system32\ccguebbi.dll
C:\windows\system32\ccmqbgok.dll
C:\windows\system32\ccosgbkm.ini
C:\windows\system32\cemyebih.dll
C:\windows\system32\cfrowbwi.dll
C:\windows\system32\djpblfwq.dll
C:\windows\system32\djquiklt.dll
C:\windows\system32\dtdcrogu.ini
C:\windows\system32\dxhcjsns.dll
C:\windows\system32\einoighu.ini
C:\windows\system32\elkvwjoq.ini
C:\windows\system32\elnsuvwx.dll
C:\windows\system32\elvwavdh.ini
C:\windows\system32\enafkgnm.ini
C:\windows\system32\ewslepil.dll
C:\windows\system32\fldakffh.ini
C:\windows\system32\gsjeniel.dll
C:\windows\system32\gtdmilwv.dll
C:\windows\system32\hcqpcdxh.dll
C:\windows\system32\hdvawvle.dll
C:\windows\system32\hffkadlf.dll
C:\windows\system32\hibeymec.ini
C:\windows\system32\hqdjafrm.dll
C:\windows\system32\htdioisq.dll
C:\windows\system32\ibbeugcc.ini
C:\WINDOWS\system32\iehqaffd.dll
C:\windows\system32\iwbworfc.ini
C:\windows\system32\iyxwtwkl.ini
C:\windows\system32\jcfackly.ini
C:\WINDOWS\system32\jkthjbkn.dll
C:\windows\system32\kbwqtooy.dll
C:\windows\system32\klrrwsxn.dll
C:\windows\system32\kogbqmcc.ini
C:\windows\system32\kvckmeds.dll
C:\windows\system32\lcfljrru.ini
C:\windows\system32\lipelswe.ini
C:\windows\system32\lkwtwxyi.dll
C:\WINDOWS\system32\lqknnvyw.dll
C:\windows\system32\mcfnrybu.dll
C:\windows\system32\mewmeurp.dll
C:\windows\system32\mkbgsocc.dll
C:\windows\system32\mngkfane.dll
C:\windows\system32\mrfajdqh.ini
C:\windows\system32\nudmpwka.dll
C:\windows\system32\onbnmwla.dll
C:\windows\system32\oqxmgemq.dll
C:\windows\system32\pruemwem.ini
C:\windows\system32\pwnubqir.ini
C:\WINDOWS\system32\qjsxxxir.dll
C:\windows\system32\qojwvkle.dll
C:\windows\system32\qsioidth.ini
C:\windows\system32\qwflbpjd.ini
C:\windows\system32\rbbjbfer.dll
C:\windows\system32\refbjbbr.ini
C:\windows\system32\rhrlenkv.ini
C:\windows\system32\riqbunwp.dll
C:\windows\system32\rixxxsjq.ini
C:\windows\system32\sdemkcvk.ini
C:\windows\system32\seeofjgt.ini
C:\windows\system32\snsjchxd.ini
C:\WINDOWS\system32\ssqqppn.dll
C:\windows\system32\sydjooeg.dll
C:\windows\system32\tcveyiay.ini
C:\windows\system32\teqaqlxy.ini
C:\windows\system32\tgjfoees.dll
C:\windows\system32\tlkiuqjd.ini
C:\windows\system32\ubmbvjek.exe
C:\windows\system32\ubyrnfcm.ini
C:\windows\system32\ugjxfurx.dll
C:\windows\system32\ugorcdtd.dll
C:\windows\system32\uhgionie.dll
C:\WINDOWS\system32\urnscpbn.dll
C:\windows\system32\urrjlfcl.dll
C:\windows\system32\vdxyshdy.dll
C:\windows\system32\vfedgyof.dll
C:\windows\system32\vknelrhr.dll
C:\windows\system32\vwlimdtg.ini
C:\windows\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.bak2
C:\windows\system32\wvvwa.ini
C:\windows\system32\wvvwa.ini2
C:\WINDOWS\system32\wvvwa.tmp
C:\windows\system32\xaavwhdb.dll
C:\windows\system32\xrufxjgu.ini
C:\windows\system32\xtbeleay.ini
C:\windows\system32\xwvusnle.ini
C:\windows\system32\yaelebtx.dll
C:\windows\system32\yaiyevct.dll
C:\windows\system32\yhjolaqy.ini
C:\windows\system32\ylkcafcj.dll
C:\windows\system32\yqalojhy.dll
C:\windows\system32\yxlqaqet.dll

Beginning removal...

VundoFix V6.5.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 6:47:11 PM 6/26/2007

Listing files found while scanning....

C:\windows\system32\ajasenpr.dll
C:\windows\system32\akwpmdun.ini
C:\windows\system32\alwmnbno.ini
C:\WINDOWS\system32\awvvw.dll
C:\windows\system32\ccguebbi.dll
C:\windows\system32\ccmqbgok.dll
C:\windows\system32\ccosgbkm.ini
C:\windows\system32\cemyebih.dll
C:\windows\system32\cfrowbwi.dll
C:\windows\system32\djpblfwq.dll
C:\windows\system32\djquiklt.dll
C:\windows\system32\dtdcrogu.ini
C:\windows\system32\dxhcjsns.dll
C:\windows\system32\einoighu.ini
C:\windows\system32\elkvwjoq.ini
C:\windows\system32\elnsuvwx.dll
C:\windows\system32\elvwavdh.ini
C:\windows\system32\enafkgnm.ini
C:\windows\system32\ewslepil.dll
C:\windows\system32\fldakffh.ini
C:\windows\system32\gsjeniel.dll
C:\windows\system32\gtdmilwv.dll
C:\windows\system32\hcqpcdxh.dll
C:\windows\system32\hdvawvle.dll
C:\windows\system32\hffkadlf.dll
C:\windows\system32\hibeymec.ini
C:\windows\system32\hqdjafrm.dll
C:\windows\system32\htdioisq.dll
C:\windows\system32\ibbeugcc.ini
C:\WINDOWS\system32\iehqaffd.dll
C:\windows\system32\iwbworfc.ini
C:\windows\system32\iyxwtwkl.ini
C:\windows\system32\jcfackly.ini
C:\WINDOWS\system32\jkthjbkn.dll
C:\windows\system32\kbwqtooy.dll
C:\windows\system32\klrrwsxn.dll
C:\windows\system32\kogbqmcc.ini
C:\windows\system32\kvckmeds.dll
C:\windows\system32\lcfljrru.ini
C:\windows\system32\lipelswe.ini
C:\windows\system32\lkwtwxyi.dll
C:\WINDOWS\system32\lqknnvyw.dll
C:\windows\system32\mcfnrybu.dll
C:\windows\system32\mewmeurp.dll
C:\windows\system32\mkbgsocc.dll
C:\windows\system32\mngkfane.dll
C:\windows\system32\mrfajdqh.ini
C:\windows\system32\nudmpwka.dll
C:\windows\system32\onbnmwla.dll
C:\windows\system32\oqxmgemq.dll
C:\windows\system32\pruemwem.ini
C:\windows\system32\pwnubqir.ini
C:\WINDOWS\system32\qjsxxxir.dll
C:\windows\system32\qojwvkle.dll
C:\windows\system32\qsioidth.ini
C:\windows\system32\qwflbpjd.ini
C:\windows\system32\rbbjbfer.dll
C:\windows\system32\refbjbbr.ini
C:\windows\system32\rhrlenkv.ini
C:\windows\system32\riqbunwp.dll
C:\windows\system32\rixxxsjq.ini
C:\windows\system32\sdemkcvk.ini
C:\windows\system32\seeofjgt.ini
C:\windows\system32\snsjchxd.ini
C:\WINDOWS\system32\ssqqppn.dll
C:\windows\system32\sydjooeg.dll
C:\windows\system32\tcveyiay.ini
C:\windows\system32\teqaqlxy.ini
C:\windows\system32\tgjfoees.dll
C:\windows\system32\tlkiuqjd.ini
C:\windows\system32\ubmbvjek.exe
C:\windows\system32\ubyrnfcm.ini
C:\windows\system32\ugjxfurx.dll
C:\windows\system32\ugorcdtd.dll
C:\windows\system32\uhgionie.dll
C:\WINDOWS\system32\urnscpbn.dll
C:\windows\system32\urrjlfcl.dll
C:\windows\system32\vdxyshdy.dll
C:\windows\system32\vfedgyof.dll
C:\windows\system32\vknelrhr.dll
C:\windows\system32\vwlimdtg.ini
C:\windows\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.bak2
C:\windows\system32\wvvwa.ini
C:\windows\system32\wvvwa.ini2
C:\WINDOWS\system32\wvvwa.tmp
C:\windows\system32\xaavwhdb.dll
C:\windows\system32\xrufxjgu.ini
C:\windows\system32\xtbeleay.ini
C:\windows\system32\xwvusnle.ini
C:\windows\system32\yaelebtx.dll
C:\windows\system32\yaiyevct.dll
C:\windows\system32\yhjolaqy.ini
C:\windows\system32\ylkcafcj.dll
C:\windows\system32\yqalojhy.dll
C:\windows\system32\yxlqaqet.dll

Beginning removal...

Attempting to delete C:\windows\system32\ajasenpr.dll
C:\windows\system32\ajasenpr.dll Has been deleted!

Attempting to delete C:\windows\system32\akwpmdun.ini
C:\windows\system32\akwpmdun.ini Has been deleted!

Attempting to delete C:\windows\system32\alwmnbno.ini
C:\windows\system32\alwmnbno.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\awvvw.dll Has been deleted!

Attempting to delete C:\windows\system32\ccguebbi.dll
C:\windows\system32\ccguebbi.dll Has been deleted!

Attempting to delete C:\windows\system32\ccmqbgok.dll
C:\windows\system32\ccmqbgok.dll Has been deleted!

Attempting to delete C:\windows\system32\ccosgbkm.ini
C:\windows\system32\ccosgbkm.ini Has been deleted!

Attempting to delete C:\windows\system32\cemyebih.dll
C:\windows\system32\cemyebih.dll Has been deleted!

Attempting to delete C:\windows\system32\cfrowbwi.dll
C:\windows\system32\cfrowbwi.dll Has been deleted!

Attempting to delete C:\windows\system32\djpblfwq.dll
C:\windows\system32\djpblfwq.dll Has been deleted!

Attempting to delete C:\windows\system32\djquiklt.dll
C:\windows\system32\djquiklt.dll Has been deleted!

Attempting to delete C:\windows\system32\dtdcrogu.ini
C:\windows\system32\dtdcrogu.ini Has been deleted!

Attempting to delete C:\windows\system32\dxhcjsns.dll
C:\windows\system32\dxhcjsns.dll Has been deleted!

Attempting to delete C:\windows\system32\einoighu.ini
C:\windows\system32\einoighu.ini Has been deleted!

Attempting to delete C:\windows\system32\elkvwjoq.ini
C:\windows\system32\elkvwjoq.ini Has been deleted!

Attempting to delete C:\windows\system32\elnsuvwx.dll
C:\windows\system32\elnsuvwx.dll Has been deleted!

Attempting to delete C:\windows\system32\elvwavdh.ini
C:\windows\system32\elvwavdh.ini Has been deleted!

Attempting to delete C:\windows\system32\enafkgnm.ini
C:\windows\system32\enafkgnm.ini Has been deleted!

Attempting to delete C:\windows\system32\ewslepil.dll
C:\windows\system32\ewslepil.dll Has been deleted!

Attempting to delete C:\windows\system32\fldakffh.ini
C:\windows\system32\fldakffh.ini Has been deleted!

Attempting to delete C:\windows\system32\gsjeniel.dll
C:\windows\system32\gsjeniel.dll Has been deleted!

Attempting to delete C:\windows\system32\gtdmilwv.dll
C:\windows\system32\gtdmilwv.dll Has been deleted!

Attempting to delete C:\windows\system32\hcqpcdxh.dll
C:\windows\system32\hcqpcdxh.dll Has been deleted!

Attempting to delete C:\windows\system32\hdvawvle.dll
C:\windows\system32\hdvawvle.dll Has been deleted!

Attempting to delete C:\windows\system32\hffkadlf.dll
C:\windows\system32\hffkadlf.dll Has been deleted!

Attempting to delete C:\windows\system32\hibeymec.ini
C:\windows\system32\hibeymec.ini Has been deleted!

Attempting to delete C:\windows\system32\hqdjafrm.dll
C:\windows\system32\hqdjafrm.dll Has been deleted!

Attempting to delete C:\windows\system32\htdioisq.dll
C:\windows\system32\htdioisq.dll Has been deleted!

Attempting to delete C:\windows\system32\ibbeugcc.ini
C:\windows\system32\ibbeugcc.ini Has been deleted!

Attempting to delete C:\windows\system32\iwbworfc.ini
C:\windows\system32\iwbworfc.ini Has been deleted!

Attempting to delete C:\windows\system32\iyxwtwkl.ini
C:\windows\system32\iyxwtwkl.ini Has been deleted!

Attempting to delete C:\windows\system32\jcfackly.ini
C:\windows\system32\jcfackly.ini Has been deleted!

Attempting to delete C:\windows\system32\kbwqtooy.dll
C:\windows\system32\kbwqtooy.dll Has been deleted!

Attempting to delete C:\windows\system32\klrrwsxn.dll
C:\windows\system32\klrrwsxn.dll Has been deleted!

Attempting to delete C:\windows\system32\kogbqmcc.ini
C:\windows\system32\kogbqmcc.ini Has been deleted!

Attempting to delete C:\windows\system32\kvckmeds.dll
C:\windows\system32\kvckmeds.dll Has been deleted!

Attempting to delete C:\windows\system32\lcfljrru.ini
C:\windows\system32\lcfljrru.ini Has been deleted!

Attempting to delete C:\windows\system32\lipelswe.ini
C:\windows\system32\lipelswe.ini Has been deleted!

Attempting to delete C:\windows\system32\lkwtwxyi.dll
C:\windows\system32\lkwtwxyi.dll Has been deleted!

Attempting to delete C:\windows\system32\mcfnrybu.dll
C:\windows\system32\mcfnrybu.dll Has been deleted!

Attempting to delete C:\windows\system32\mewmeurp.dll
C:\windows\system32\mewmeurp.dll Has been deleted!

Attempting to delete C:\windows\system32\mkbgsocc.dll
C:\windows\system32\mkbgsocc.dll Has been deleted!

Attempting to delete C:\windows\system32\mngkfane.dll
C:\windows\system32\mngkfane.dll Has been deleted!

Attempting to delete C:\windows\system32\mrfajdqh.ini
C:\windows\system32\mrfajdqh.ini Has been deleted!

Attempting to delete C:\windows\system32\nudmpwka.dll
C:\windows\system32\nudmpwka.dll Has been deleted!

Attempting to delete C:\windows\system32\onbnmwla.dll
C:\windows\system32\onbnmwla.dll Has been deleted!

Attempting to delete C:\windows\system32\oqxmgemq.dll
C:\windows\system32\oqxmgemq.dll Has been deleted!

Attempting to delete C:\windows\system32\pruemwem.ini
C:\windows\system32\pruemwem.ini Has been deleted!

Attempting to delete C:\windows\system32\pwnubqir.ini
C:\windows\system32\pwnubqir.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qjsxxxir.dll
C:\WINDOWS\system32\qjsxxxir.dll Could not be deleted.

Attempting to delete C:\windows\system32\qojwvkle.dll
C:\windows\system32\qojwvkle.dll Has been deleted!

Attempting to delete C:\windows\system32\qsioidth.ini
C:\windows\system32\qsioidth.ini Has been deleted!

Attempting to delete C:\windows\system32\qwflbpjd.ini
C:\windows\system32\qwflbpjd.ini Has been deleted!

Attempting to delete C:\windows\system32\rbbjbfer.dll
C:\windows\system32\rbbjbfer.dll Has been deleted!

Attempting to delete C:\windows\system32\refbjbbr.ini
C:\windows\system32\refbjbbr.ini Has been deleted!

Attempting to delete C:\windows\system32\rhrlenkv.ini
C:\windows\system32\rhrlenkv.ini Has been deleted!

Attempting to delete C:\windows\system32\riqbunwp.dll
C:\windows\system32\riqbunwp.dll Has been deleted!

Attempting to delete C:\windows\system32\rixxxsjq.ini
C:\windows\system32\rixxxsjq.ini Has been deleted!

Attempting to delete C:\windows\system32\sdemkcvk.ini
C:\windows\system32\sdemkcvk.ini Has been deleted!

Attempting to delete C:\windows\system32\seeofjgt.ini
C:\windows\system32\seeofjgt.ini Has been deleted!

Attempting to delete C:\windows\system32\snsjchxd.ini
C:\windows\system32\snsjchxd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqqppn.dll
C:\WINDOWS\system32\ssqqppn.dll Could not be deleted.

Attempting to delete C:\windows\system32\sydjooeg.dll
C:\windows\system32\sydjooeg.dll Has been deleted!

Attempting to delete C:\windows\system32\tcveyiay.ini
C:\windows\system32\tcveyiay.ini Has been deleted!

Attempting to delete C:\windows\system32\teqaqlxy.ini
C:\windows\system32\teqaqlxy.ini Has been deleted!

Attempting to delete C:\windows\system32\tgjfoees.dll
C:\windows\system32\tgjfoees.dll Has been deleted!

Attempting to delete C:\windows\system32\tlkiuqjd.ini
C:\windows\system32\tlkiuqjd.ini Has been deleted!

Attempting to delete C:\windows\system32\ubmbvjek.exe
C:\windows\system32\ubmbvjek.exe Has been deleted!

Attempting to delete C:\windows\system32\ubyrnfcm.ini
C:\windows\system32\ubyrnfcm.ini Has been deleted!

Attempting to delete C:\windows\system32\ugjxfurx.dll
C:\windows\system32\ugjxfurx.dll Has been deleted!

Attempting to delete C:\windows\system32\ugorcdtd.dll
C:\windows\system32\ugorcdtd.dll Has been deleted!

Attempting to delete C:\windows\system32\uhgionie.dll
C:\windows\system32\uhgionie.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\urnscpbn.dll
C:\WINDOWS\system32\urnscpbn.dll Has been deleted!

Attempting to delete C:\windows\system32\urrjlfcl.dll
C:\windows\system32\urrjlfcl.dll Has been deleted!

Attempting to delete C:\windows\system32\vdxyshdy.dll
C:\windows\system32\vdxyshdy.dll Has been deleted!

Attempting to delete C:\windows\system32\vfedgyof.dll
C:\windows\system32\vfedgyof.dll Has been deleted!

Attempting to delete C:\windows\system32\vknelrhr.dll
C:\windows\system32\vknelrhr.dll Has been deleted!

Attempting to delete C:\windows\system32\vwlimdtg.ini
C:\windows\system32\vwlimdtg.ini Has been deleted!

Attempting to delete C:\windows\system32\wvvwa.bak1
C:\windows\system32\wvvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvvwa.bak2
C:\WINDOWS\system32\wvvwa.bak2 Has been deleted!

Attempting to delete C:\windows\system32\wvvwa.ini
C:\windows\system32\wvvwa.ini Has been deleted!

Attempting to delete C:\windows\system32\wvvwa.ini2
C:\windows\system32\wvvwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvvwa.tmp
C:\WINDOWS\system32\wvvwa.tmp Has been deleted!

Attempting to delete C:\windows\system32\xaavwhdb.dll
C:\windows\system32\xaavwhdb.dll Has been deleted!

Attempting to delete C:\windows\system32\xrufxjgu.ini
C:\windows\system32\xrufxjgu.ini Has been deleted!

Attempting to delete C:\windows\system32\xtbeleay.ini
C:\windows\system32\xtbeleay.ini Has been deleted!

Attempting to delete C:\windows\system32\xwvusnle.ini
C:\windows\system32\xwvusnle.ini Has been deleted!

Attempting to delete C:\windows\system32\yaelebtx.dll
C:\windows\system32\yaelebtx.dll Has been deleted!

Attempting to delete C:\windows\system32\yaiyevct.dll
C:\windows\system32\yaiyevct.dll Has been deleted!

Attempting to delete C:\windows\system32\yhjolaqy.ini
C:\windows\system32\yhjolaqy.ini Has been deleted!

Attempting to delete C:\windows\system32\ylkcafcj.dll
C:\windows\system32\ylkcafcj.dll Has been deleted!

Attempting to delete C:\windows\system32\yqalojhy.dll
C:\windows\system32\yqalojhy.dll Has been deleted!

Attempting to delete C:\windows\system32\yxlqaqet.dll
C:\windows\system32\yxlqaqet.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 6:52:47 PM 6/26/2007

Listing files found while scanning....

C:\windows\system32\qjsxxxir.dll
C:\windows\system32\ssqqppn.dll

Beginning removal...

Attempting to delete C:\windows\system32\qjsxxxir.dll
C:\windows\system32\qjsxxxir.dll Has been deleted!

Attempting to delete C:\windows\system32\ssqqppn.dll
C:\windows\system32\ssqqppn.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 7:00:41 PM 6/26/2007

Listing files found while scanning....

No infected files were found.

===================END VundoFix Log==============



==================START ComboFix Log===============

"Vikram Kapur" - 2007-06-26 19:03:24 - ComboFix 07-06-26.8 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\VIKRAM~1\Desktop.\internet explorer.lnk
C:\DOCUME~1\VIKRAM~1\MYDOCU~1.\ystem3~1
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\companion wizard\WapCHK.dll
C:\Program Files\poolsv
C:\Program Files\poolsv\is67389.exe
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\svhost.exe
C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe
C:\Program Files\poolsv\wr-1-0000077.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\b136.exe
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\Cursors\ntp2.ini
C:\WINDOWS\poolsv.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\system32\acrtgsgj.exe
C:\WINDOWS\system32\afjxbpnb.exe
C:\WINDOWS\system32\ahlhanuj.exe
C:\WINDOWS\system32\aihwlqyt.exe
C:\WINDOWS\system32\airwexgl.exe
C:\WINDOWS\system32\alnbjlgy.exe
C:\WINDOWS\system32\aloqpeuf.exe
C:\WINDOWS\system32\ayvgoeld.exe
C:\WINDOWS\system32\bhgwmwls.exe
C:\WINDOWS\system32\cosxvski.exe
C:\WINDOWS\system32\cowxktgn.exe
C:\WINDOWS\system32\crwgegkr.exe
C:\WINDOWS\system32\donynkis.exe
C:\WINDOWS\system32\dpfabrgx.exe
C:\WINDOWS\system32\fecptbaa.exe
C:\WINDOWS\system32\fhsemgxv.exe
C:\WINDOWS\system32\fttsracc.exe
C:\WINDOWS\system32\gbwlxnvs.exe
C:\WINDOWS\system32\gdnuyxnn.exe
C:\WINDOWS\system32\gfgoyesq.exe
C:\WINDOWS\system32\gwempeuq.exe
C:\WINDOWS\system32\hbspfecp.exe
C:\WINDOWS\system32\hnqdeyow.exe
C:\WINDOWS\system32\hopfcmqo.exe
C:\WINDOWS\system32\hqlupbrg.exe
C:\WINDOWS\system32\hqwprdkl.exe
C:\WINDOWS\system32\iaxogfso.exe
C:\WINDOWS\system32\ifuagrlr.exe
C:\WINDOWS\system32\ijbfucuq.exe
C:\WINDOWS\system32\ijccovnh.exe
C:\WINDOWS\system32\itrtudbq.exe
C:\WINDOWS\system32\jbjraseb.exe
C:\WINDOWS\system32\jglunqyn.exe
C:\WINDOWS\system32\jnyjatqt.exe
C:\WINDOWS\system32\juxeddjw.exe
C:\WINDOWS\system32\kghgothv.exe
C:\WINDOWS\system32\khmijxim.exe
C:\WINDOWS\system32\kjwolllv.exe
C:\WINDOWS\system32\kpsqtqov.exe
C:\WINDOWS\system32\kqofruol.exe
C:\WINDOWS\system32\ksgkugdw.exe
C:\WINDOWS\system32\lwrqocbk.exe
C:\WINDOWS\system32\lxgnjkro.exe
C:\WINDOWS\system32\mciqootb.exe
C:\WINDOWS\system32\mlmtdqra.exe
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\msqfnvhf.exe
C:\WINDOWS\system32\nalfdhwb.exe
C:\WINDOWS\system32\nbptfekj.exe
C:\WINDOWS\system32\nultvqql.exe
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe
C:\WINDOWS\system32\ownxmwmr.exe
C:\WINDOWS\system32\pawofwwg.exe
C:\WINDOWS\system32\pgixvqwi.exe
C:\WINDOWS\system32\pjcshgpa.exe
C:\WINDOWS\system32\pkybihab.exe
C:\WINDOWS\system32\qaobvksd.exe
C:\WINDOWS\system32\rqmvspap.exe
C:\WINDOWS\system32\S1
C:\WINDOWS\system32\S1\bk53.exe
C:\WINDOWS\system32\S2
C:\WINDOWS\system32\S2\mwspasrt83122.exe
C:\WINDOWS\system32\S4
C:\WINDOWS\system32\S4\wen2.exe
C:\WINDOWS\system32\S7
C:\WINDOWS\system32\S7\wr620.exe
C:\WINDOWS\system32\sayjirks.exe
C:\WINDOWS\system32\senotxre.exe
C:\WINDOWS\system32\sfqwaqch.exe
C:\WINDOWS\system32\sgvwkfit.exe
C:\WINDOWS\system32\skypdlvl.exe
C:\WINDOWS\system32\stkpraal.exe
C:\WINDOWS\system32\supjaprq.exe
C:\WINDOWS\system32\svjxqfeo.exe
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\tlyrbmmb.exe
C:\WINDOWS\system32\twemlrjm.exe
C:\WINDOWS\system32\uienepoc.exe
C:\WINDOWS\system32\ujhtunjy.exe
C:\WINDOWS\system32\vdhxjtid.exe
C:\WINDOWS\system32\vmokufck.exe
C:\WINDOWS\system32\vyuxndyw.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wrpktyby.exe
C:\WINDOWS\system32\xankngmr.exe
C:\WINDOWS\system32\xcwfnbdi.exe
C:\WINDOWS\system32\yphatlvp.exe
C:\WINDOWS\system32\yqhhrmja.exe
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\DomainService
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))


2007-06-26 19:02 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-26 18:42 <DIR> d-------- C:\VundoFix Backups
2007-06-25 16:21 <DIR> d-------- C:\Program Files\Flickr Uploadr
2007-06-25 16:21 <DIR> d-------- C:\DOCUME~1\VIKRAM~1\APPLIC~1\Flickr
2007-06-24 22:48 2,041,904 --a------ C:\WINDOWS\system32\drivers\fw.sys
2007-06-24 22:48 106,591 --a------ C:\WINDOWS\system32\fwnetcfg.dll
2007-06-24 22:47 670,128 --a------ C:\WINDOWS\system32\drivers\vpn.sys
2007-06-24 22:47 32,866 --a------ C:\WINDOWS\system32\ckpginashim.dll
2007-06-24 22:47 24,672 --a------ C:\WINDOWS\system32\ckpNotify.dll
2007-06-24 22:47 17,456 --a------ C:\WINDOWS\system32\drivers\scap.sys
2007-06-23 16:29 14,924 --a------ C:\WINDOWS\system32\drivers\OMVA.sys
2007-06-22 19:20 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2007-06-22 15:45 4,628 --a------ C:\WINDOWS\system32\bjkcxtxx.exe
2007-06-21 08:24 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-06-20 12:05 271,920 -r-hs---- C:\WINDOWS\qlabzauA.exe
2007-06-20 12:05 172,544 --a------ C:\WINDOWS\system32\bylewxm.dll
2007-06-19 12:51 <DIR> d-------- C:\Program Files\IObit
2007-06-19 12:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-19 12:10 <DIR> d-------- C:\My Videos
2007-06-18 23:27 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-06-18 23:27 <DIR> d-------- C:\Program Files\Winamp
2007-06-18 23:27 <DIR> d-------- C:\Program Files\Panicware
2007-06-17 20:02 1,634,411 ---hs---- C:\WINDOWS\system32\xycdd.bak2
2007-06-17 19:56 164 --a------ C:\install.dat
2007-06-14 07:54 163,840 --a------ C:\Program Files\TTC.dll
2007-06-14 01:30 1,637,557 ---hs---- C:\WINDOWS\system32\xycdd.ini2
2007-06-13 20:19 5,505,024 --a------ C:\DOCUME~1\VIKRAM~1\ntuser.dat
2007-06-12 23:08 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-05-28 14:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-28 09:16 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-28 09:16 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-28 09:16 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-05-26 23:54 <DIR> d-------- C:\DOCUME~1\VIKRAM~1\APPLIC~1\Lavasoft


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-25 02:47:35 -------- d-----w C:\Program Files\CheckPoint
2007-06-25 02:47:33 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-25 00:50:56 -------- d-----w C:\Program Files\Google
2007-06-23 22:46:15 1,503 ----a-w C:\WINDOWS\ipconfig.dat
2007-06-19 03:27:35 -------- d-----w C:\Program Files\Yahoo!
2007-06-14 17:26:01 1,632,180 --sh--w C:\WINDOWS\system32\xycdd.bak1
2007-05-25 01:22:19 -------- d-----w C:\Program Files\Norton AntiVirus
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-02 22:44:24 -------- d--h--r C:\DOCUME~1\VIKRAM~1\APPLIC~1\yahoo!
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel(2)(2).dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-18 12:31:39 658,944 ----a-w C:\WINDOWS\system32\wininet(2)(2).dll
2007-04-18 12:31:39 615,424 ----a-w C:\WINDOWS\system32\urlmon(2)(2).dll
2007-04-18 12:31:38 474,112 ----a-w C:\WINDOWS\system32\shlwapi(2)(2).dll
2007-04-18 12:31:38 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw(2)(2).dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 15:52:53 984,576 ----a-w C:\WINDOWS\system32\kernel32(2)(2).dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{01F17FA6-5C97-4BD1-831D-25BF884B4BC3}=\ [2007-06-26 19:06]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2006-10-26 10:28]
{04DB16E3-4C32-491A-8485-3AFE84292195}=\ [2007-06-26 19:06]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 17:17]
{0A7B0010-7E68-4A65-A145-BECA4697ADA3}=C:\WINDOWS\system32\awvvw.dll []
{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}=C:\Program Files\Outerinfo\Outerinfo.dll []
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:29]
{6F512F07-8936-40C0-B5F9-7CBFAB0DE000}=C:\WINDOWS\system32\hcqpcdxh.dll []
{8c12cdb9-8916-430b-8e4a-94cbc27c7ea9}=C:\WINDOWS\system32\bylewxm.dll [2007-06-20 12:05]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar5.dll [2007-01-20 00:55]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2003-11-24 19:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 23:40]
"ATIModeChange"="Ati2mdxx.exe" [2004-04-02 03:16 C:\WINDOWS\system32\Ati2mdxx.exe]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 13:05]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-25 21:00]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-05-07 01:05]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-01-16 15:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-05-07 01:26]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 04:01]
"HPHUPD05"="c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 23:03]
"HP Software Update"="c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 14:40]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-09-14 21:02]
"AGRSMMSG"="AGRSMMSG.exe" [2003-10-30 09:40 C:\WINDOWS\AGRSMMSG.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-09-18 15:39]
"eFax 4.1"="C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" [2005-12-16 19:59]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-07 15:35]
"MoneyAgent"="c:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 15:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\accmain]
c:\windows\cursors\accmain.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyx]
C:\WINDOWS\system32\ddcyx.dll


Contents of the 'Scheduled Tasks' folder
2007-06-23 00:01:33 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Vikram Kapur.job
2007-06-26 23:11:25 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-26 19:09:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????2?5?9?9??@???? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-26 19:11:46 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-26 19:11

--- E O F ---
=================END ComboFix Log=================


=================START HijackThis Log================

Logfile of HijackThis v1.99.1
Scan saved at 7:15:02 PM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\eFax Messenger 4.1\J2GTray.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Software\adaware\hjackthis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.passport.net/reg.srf?x ... angid=1033
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {01F17FA6-5C97-4BD1-831D-25BF884B4BC3} - \
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {04DB16E3-4C32-491A-8485-3AFE84292195} - \
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A7B0010-7E68-4A65-A145-BECA4697ADA3} - C:\WINDOWS\system32\awvvw.dll (file missing)
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6F512F07-8936-40C0-B5F9-7CBFAB0DE000} - C:\WINDOWS\system32\hcqpcdxh.dll (file missing)
O2 - BHO: (no name) - {8c12cdb9-8916-430b-8e4a-94cbc27c7ea9} - C:\WINDOWS\system32\bylewxm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: eFax 4.1.lnk = C:\Program Files\eFax Messenger 4.1\J2GTray.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: accmain - c:\windows\cursors\accmain.dll (file missing)
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: ddcyx - C:\WINDOWS\system32\ddcyx.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

===============END HijackThis Log===================
vik
Active Member
 
Posts: 6
Joined: June 21st, 2007, 3:32 pm

Unread postby vik » June 26th, 2007, 7:37 pm

Maybe I spoke too soon... just got pop-ups asking to install some "system Doctor" programs to clean the registry... keep you posted...
vik
Active Member
 
Posts: 6
Joined: June 21st, 2007, 3:32 pm

Unread postby vik » June 26th, 2007, 7:40 pm

Got another pop-up asking if I would like to install "drive cleaner" from http://www.drivecleaner.com for free...
vik
Active Member
 
Posts: 6
Joined: June 21st, 2007, 3:32 pm

Unread postby Shaba » June 27th, 2007, 4:59 am

Hi

Looking better but not clean yet, yes.

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {04DB16E3-4C32-491A-8485-3AFE84292195} - \
O2 - BHO: (no name) - {0A7B0010-7E68-4A65-A145-BECA4697ADA3} - C:\WINDOWS\system32\awvvw.dll (file missing)
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: (no name) - {6F512F07-8936-40C0-B5F9-7CBFAB0DE000} - C:\WINDOWS\system32\hcqpcdxh.dll (file missing)
O2 - BHO: (no name) - {8c12cdb9-8916-430b-8e4a-94cbc27c7ea9} - C:\WINDOWS\system32\bylewxm.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O20 - Winlogon Notify: accmain - c:\windows\cursors\accmain.dll (file missing)
O20 - Winlogon Notify: ddcyx - C:\WINDOWS\system32\ddcyx.dll (file missing)


Close all windows including browser and press fix checked.

Reboot.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\bjkcxtxx.exe
C:\WINDOWS\qlabzauA.exe
C:\WINDOWS\system32\bylewxm.dll
C:\WINDOWS\system32\xycdd.bak2
C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\system32\pxafs.dll
C:\WINDOWS\system32\xycdd.bak1


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

[Screenshot: ComboFix-Do.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
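The selection in the instructions above follows a simple pattern: BHOs with no display name, and Winlogon Notify entries whose DLL is gone. The following script is an added example (not code from this thread or from HijackThis) that applies that triage rule to O-section lines of a HijackThis v1.99.1 log; the sample lines are copied from the logs posted in this thread, and the flagging rule itself is an assumption chosen to mirror the helper's picks, not a definitive malware test.

```python
import re

# Sample lines copied from the HijackThis v1.99.1 logs posted in this thread
# (constructed input so the script runs offline; a real log would be read from a file).
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {0A7B0010-7E68-4A65-A145-BECA4697ADA3} - C:\WINDOWS\system32\awvvw.dll (file missing)
O2 - BHO: (no name) - {8c12cdb9-8916-430b-8e4a-94cbc27c7ea9} - C:\WINDOWS\system32\bylewxm.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {04DB16E3-4C32-491A-8485-3AFE84292195} - \
O20 - Winlogon Notify: accmain - c:\windows\cursors\accmain.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Every O-section line has the shape "O<n> - <kind>: <details>".
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
MISSING_MARKERS = ("(file missing)", "(no file)")

def parse_entry(line):
    """Split an O-section line into section, kind, display name and target path."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    # Details are " - " separated: name first, target file last, CLSID in between.
    parts = [p.strip() for p in rest.split(" - ")]
    target = parts[-1] if len(parts) > 1 else ""
    return {"section": section, "kind": kind, "name": parts[0], "target": target}

def is_missing_target(target):
    """True when the entry points at nothing on disk (an orphaned registry entry)."""
    t = target.strip()
    return t in ("", "\\") or any(mark in t.lower() for mark in MISSING_MARKERS)

def flag_entry(entry):
    """Reasons an entry deserves review, or None. Mirrors the thread's selection:
    unnamed BHOs and entries whose DLL/EXE is gone; a triage hint, not a verdict."""
    reasons = []
    if is_missing_target(entry["target"]):
        reasons.append("target file missing")
    if entry["section"] == "O2" and entry["name"] == "(no name)":
        reasons.append("unnamed BHO")
    return "; ".join(reasons) or None

def triage(log_text):
    """Return the flagged entries of a log text, each with its reason."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        reason = flag_entry(entry) if entry else None
        if reason:
            flagged.append({**entry, "reason": reason})
    return flagged
```

Run against the sample, `triage(SAMPLE_LOG)` flags the four unnamed BHOs and the orphaned accmain entry and leaves the Yahoo!, WgaLogon and Symantec lines alone, which is exactly the set ticked in the post above.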

Unread postby vik » June 27th, 2007, 6:41 pm

Hi,

Yes, the machine is performing much, much better than before, but there were a few pop-ups. The major problems are all gone... seems like just a few minor hiccups... Thanks for your help on this. I also ran the HijackThis app as suggested and here is the new HijackThis log. I tried running ComboFix as suggested but it did not seem to do anything for a long time, so I aborted it... Thanks again for your help, appreciate it...


==========
Logfile of HijackThis v1.99.1
Scan saved at 18:30, on 2007-06-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\eFax Messenger 4.1\J2GTray.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\YTBSDK.exe
C:\Software\adaware\hjackthis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.passport.net/reg.srf?x ... angid=1033
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {01F17FA6-5C97-4BD1-831D-25BF884B4BC3} - \
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: eFax 4.1.lnk = C:\Program Files\eFax Messenger 4.1\J2GTray.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE487754-BB4A-402A-8290-4CF3EAAEF816}: Domain = gsiccorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE487754-BB4A-402A-8290-4CF3EAAEF816}: NameServer = 172.25.5.10,172.25.5.15
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

======================
vik
Active Member
 
Posts: 6
Joined: June 21st, 2007, 3:32 pm

Unread postby Shaba » June 28th, 2007, 4:38 am

Hi

Ok, then we do this:

Please download the Killbox.
Save it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\bjkcxtxx.exe
C:\WINDOWS\qlabzauA.exe
C:\WINDOWS\system32\bylewxm.dll
C:\WINDOWS\system32\xycdd.bak2
C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\system32\pxafs.dll
C:\WINDOWS\system32\xycdd.bak1


Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Re-run ComboFix.

Post:

- a fresh HijackThis log
- combofix report
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby Shaba » July 4th, 2007, 5:25 am

Hi

How's it going vik?
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby Shaba » July 7th, 2007, 5:24 am

Whilst we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed. If you still require assistance, please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland