Hijacked IE and other problems


Post by gps57 » January 7th, 2007, 1:28 am

My children's computer is now past my ability to fix without help from the experts here at MR. I have routinely run SpyBot and Adaware to keep it clean. However, now IE has been hijacked. No matter where I try to go when using their computer, I am always taken to search.myway.com.

I have Windows XP Home edition with SP2 and all updates except IE 7.0.

Another problem that has shown up over the last two days is that we can not connect to the internet. The network is fine. I'm using it now on my laptop. I can ping from my children's computer fine. It just won't access the internet.

Can you advise me on the steps I need to take to help you help me? I take it I should download HijackThis, run a system scan, then post it here, correct?

I won't do anything, though, until I hear from someone from MR.

Thanks.
gps57
Regular Member
 
Posts: 30
Joined: January 7th, 2007, 1:10 am
Location: North Carolina

Post by wng_z3r0 » January 7th, 2007, 5:32 am

Yes, please post a HJT logfile.
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Post by gps57 » January 7th, 2007, 12:28 pm

Thanks. Here is the HijackThis scan log:
- - -
Logfile of HijackThis v1.99.1
Scan saved at 11:06:03 AM, on 1/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Batty2\Batty2.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\Common Files\{10ABAD4E-05BC-1033-0823-020430020001}\Update.exe
C:\WINDOWS\winsock32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Glen Stewart\My Programs\quickenw\QWDLLS.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId= ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3F508AB1-6BBA-C983-6D11-032A0C7AF158} - C:\WINDOWS\system32\nkejwol.dll
O2 - BHO: (no name) - {746455FE-D059-47e7-AF0E-140E03F5A447} - (no file)
O2 - BHO: (no name) - {A732EF81-0A13-75C9-17D0-71F2CF5311BB} - C:\WINDOWS\system32\rkqucoe.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30ABA~1\Bar888.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O2 - BHO: Banner Rotator - {E954DB82-1533-4714-92F2-59C98D5C18CC} - C:\WINDOWS\system32\brrotate.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30ABA~1\Bar888.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [qykcscn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\qykcscn.dll,ztrtgce
O4 - HKLM\..\Run: [ms05647827968] C:\WINDOWS\ms05647827968.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [{10ABAD4E-05BC-1033-0823-020430020001}] "C:\Program Files\Common Files\{10ABAD4E-05BC-1033-0823-020430020001}\Update.exe" mc-110-12-0000501
O4 - HKLM\..\Run: [winsock32] winsock32
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\RunServices: [winsock32] winsock32
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [winsock32] winsock32
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Billminder.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Documents and Settings\Glen Stewart\My Programs\quickenw\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... jhtml?p=ZJ
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: Rebate Nation - file://C:\Program Files\Rebate_Nation\Sy5300\Tp5300\scri5300a.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TvUSB\EXPLBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/20 ... nstall.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {2A510DC8-C9B5-4269-B9BA-E5B04D47D981} (CPlayFirstDDSonicControl Object) - http://www.shockwave.com/content/dinerd ... 0.0.92.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdriv ... rstart.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/downl ... st_Win.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.basf-corp.com/iNotes6W.cab
O16 - DPF: {400429E4-BED4-472E-93BF-F85AB8565DFF} - http://www.terp17.com/ax/axo.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://www.ez-tracks.com/DLMOffers/Search01/eztdl.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.c ... hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installer ... taller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/download ... anager.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/bejewe ... der_v6.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax2702.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll,BattyRun2.dll,kfghipjp.dll
O20 - Winlogon Notify: jkkll - C:\WINDOWS\system32\jkkll.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000501 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\WINDOWS\winsock32.exe
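As an added illustration (not part of this thread, and not code from HijackThis or MalwareRemoval.com), here is a small Python triage helper that applies the kinds of checks a volunteer makes when reading a log like the one above: anonymous or orphaned BHOs, autorun values with no path, one value name registered under several autorun keys, AppInit_DLLs entries, services with no vendor string, and file names that imitate Windows binaries. The sample lines are constructed from the shape of this log; the list of imitated Windows binaries and the two-character distance threshold are assumptions of the example.

```python
"""Triage helper for HijackThis (v1.99.1-style) log lines.

The checks mirror the indicators in this thread's log: anonymous or orphaned BHOs,
pathless autoruns, one value under several autorun keys, AppInit_DLLs entries,
services with no vendor, and names imitating Windows binaries (svchosts.exe).
Hits are prompts for human review, not verdicts."""
import re
from collections import defaultdict

# Constructed sample in the shape of the first log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3F508AB1-6BBA-C983-6D11-032A0C7AF158} - C:\WINDOWS\system32\nkejwol.dll
O2 - BHO: (no name) - {746455FE-D059-47e7-AF0E-140E03F5A447} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [qykcscn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\qykcscn.dll,ztrtgce
O4 - HKLM\..\Run: [winsock32] winsock32
O4 - HKLM\..\RunServices: [winsock32] winsock32
O4 - HKCU\..\Run: [winsock32] winsock32
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll,BattyRun2.dll,kfghipjp.dll
O20 - Winlogon Notify: jkkll - C:\WINDOWS\system32\jkkll.dll (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000501 (file missing)
O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\WINDOWS\winsock32.exe
"""

# Genuine Windows binaries whose names malware imitates by a character or two (assumed list).
WINDOWS_NAMES = {"svchost.exe", "lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "explorer.exe", "spoolsv.exe", "taskmgr.exe"}
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# A drive-letter path up to a binary extension; tolerates spaces, stops at quotes and commas.
DRIVE_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n,]*?\.(?:exe|dll|ocx|sys)\b', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch lookalike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename: str):
    """Return the Windows binary this name imitates, or None if exact or unrelated."""
    name = filename.lower()
    if name in WINDOWS_NAMES:
        return None
    best = min(WINDOWS_NAMES, key=lambda real: edit_distance(name, real))
    return best if edit_distance(name, best) <= 2 else None


def triage(log_text: str) -> list:
    """Return (section, reason, line) findings for the HijackThis entries in log_text."""
    findings = []
    autorun_keys, autorun_line = defaultdict(set), {}  # value -> keys it is under / first line
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body, reasons = m.group("section"), m.group("body"), []
        if "(file missing)" in body or body.endswith("(no file)"):
            reasons.append("registered component whose file is gone (orphan or self-deleting)")
        for path in DRIVE_PATH.findall(body):
            real = lookalike(path.rsplit("\\", 1)[-1])
            if real:
                reasons.append(f"file name imitates Windows component {real}")
        if section == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("browser helper object registered without a name")
        elif section == "O4" and (o4 := O4_RE.match(body)):
            key, value, cmd = o4.group("key"), o4.group("value").lower(), o4.group("cmd").strip()
            autorun_keys[value].add(key)
            autorun_line.setdefault(value, line)
            if "\\" not in cmd and not cmd.startswith('"'):
                reasons.append("autorun command has no path; resolved via the search path at logon")
            if "rundll32" in cmd.lower() and value.endswith(".dll"):
                reasons.append("autorun value is named after the DLL it loads through rundll32")
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = [d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()]
            reasons.append(f"AppInit_DLLs loads {len(dlls)} DLL(s) into every process using user32.dll")
            reasons += [f"AppInit_DLLs entry {d} has no path" for d in dlls if "\\" not in d]
        elif section == "O23" and (svc := O23_RE.match(body)):
            if svc.group("vendor") == "Unknown owner":
                reasons.append("service binary carries no vendor information")
        findings.extend((section, r, line) for r in reasons)
    for value, keys in autorun_keys.items():
        if len(keys) > 1:
            findings.append(("O4", f"value '{value}' registered under {len(keys)} autorun keys: "
                             f"{', '.join(sorted(keys))}", autorun_line[value]))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

The legitimate entries in the sample (Acrobat, QuickTime, the iPod service) produce no findings, which is the point of the check: it narrows a long log to the handful of lines worth a second look.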

Post by wng_z3r0 » January 7th, 2007, 3:17 pm

Hi, you have some serious problems with your computer. I need some more information to verify your infections, but in the meantime:

Anything that you do on that computer is probably being broadcast to the world. Don't type any passwords etc. In fact, if possible, try not to use that computer until it is clean.

Very important: One of these infections (the Rbot) tries to infect other networked machines. Keep this laptop off all networks. Until verified, treat all your computers on the network as infected.

Please go here

and at the very top you will see "file to upload and scan"
Next to that you will see a box and a browse button.
Paste this location into the box:
C:\WINDOWS\system32\jkkll.dll
and then click the "submit" button
Wait a little bit and the results will appear.
Paste the results of the file here.

After you have pasted the result of that file, I need you to repeat the process for two more:
C:\WINDOWS\winsock32.exe
C:\WINDOWS\system32\rkqucoe.dll

This will help verify the infection variants that you have.
Thanks,
wng

Post by gps57 » January 7th, 2007, 4:01 pm

I was afraid of that. I will isolate that computer immediately.

Just to be clear, the scan came from my children's computer. My laptop is different and it may also be infected. But for now, I would like to focus on my children's computer. After we have it cleaned, I will submit a HijackThis scan for my laptop.

I may have difficulty following your instructions, however. You are asking me to go to a website and run a tool. Well, one of the problems I am experiencing on my children's computer is that I cannot get connected to the internet. The pings to the gateway and 127.1.1.1 work, but no web pages will display, no email will work, etc. I had to use my laptop and a thumb drive to get HijackThis onto my children's computer, and to get the scan back to my laptop in order to post it. I am using my laptop to communicate with you, not my children's computer.

I have a Linksys router between my cable modem and the computer. Should I try to plug directly into the cable modem to get internet access to work? I would only connect directly to the cable modem while I'm following your instructions, not permanently.

By the way, I saw your reply just as I am going out for an appointment. I will get started on your instructions as soon as I return (a couple hours).

Post by wng_z3r0 » January 7th, 2007, 4:13 pm

Well, let's try this instead.

Take those three files I mentioned:
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\winsock32.exe
C:\WINDOWS\system32\rkqucoe.dll
and copy them into a folder on your desktop (of the children's computer).
Right-click this folder, then hit Send To -> Compressed (zip) Folder.

Now you should have a folder and a zipped folder. Delete the regular folder. Double-click on the zipped folder to open it.
Go to: File -> Add a Password
Set the password as: 12345

Hit Finish. Now there is no chance of the virus files infecting your laptop. So, put the zipped folder on your thumb drive, and connect it to your laptop. Email me the zipped folder.
My email address is:
submit (at*) spyware-free.us
replace (at*) with @

Post back if you have any questions.
wng

Post by gps57 » January 7th, 2007, 10:26 pm

I have emailed you a zip file named 3files.zip with password protection. However, it only contains 2 files. I could not find jkkll.dll anywhere on my children's computer. I did a search on the whole c: drive, including system folders and hidden files and folders.

The zip file contains these two files:

C:\WINDOWS\winsock32.exe
C:\WINDOWS\system32\rkqucoe.dll

I'll be at work all day tomorrow (Monday) and will not have access to my children's computer until around 7:30pm. At that time, I'll take any next steps you suggest.

Thanks.

Post by wng_z3r0 » January 7th, 2007, 10:35 pm

I have received the email. Thanks.

Post by gps57 » January 10th, 2007, 6:12 pm

While it is true that I am getting pressure from the wife and kids to get their computer back up and running, I am in no way rushing you, so please don't take this question that way. I'm happy to get your help whenever you have the time to give it! :)

Since it has been a couple of days since I've heard from you, I just want to be sure you are not waiting for something else from me.

Let me know if you need anything else when you can.

Thanks for your help.

Post by wng_z3r0 » January 14th, 2007, 6:52 am

Thank you for your patience.
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

Thanks,
wng

Post by gps57 » January 14th, 2007, 8:31 pm

I have completed your instructions. Already, things seem to have improved.

FYI, when I log in to my account on my children's computer I get two error messages. The first one says it had an error loading MWSBAR.DLL. I can get the full path if you need it.

The second error message says Windows Defender failed to initialize.

Anyway, here is the SDFix report and the new HijackThis log:

- - -

SDFix Report:


SDFix: Version 1.58

Sun 01/14/2007 - 18:56:20.96

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:

Checking Services:

Name:

COM+ Messages
winsock32.exe

Path:

"C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000501
"C:\WINDOWS\winsock32.exe"

COM+ Messages Deleted
winsock32.exe Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File
Killing PID 136 'smss.exe'
Killing PID 212 'winlogon.exe'

Rebooting

Normal Mode:

Checking Files:


Files will be copied to Backups folder then removed:

C:\WINDOWS\TEMP\STDRUN1.EXE - Deleted
C:\WINDOWS\TEMP\STDRUN10.EXE - Deleted
C:\WINDOWS\TEMP\STDRUN11.EXE - Deleted
C:\WINDOWS\TEMP\STDRUN12.EXE - Deleted
C:\WINDOWS\TEMP\STDRUN13.EXE - Deleted
C:\WINDOWS\TEMP\STDRUN2.EXE - Deleted
C:\WINDOWS\TEMP\STDRUN3.EXE - Deleted
C:\WINDOWS\TEMP\STDRUN4.EXE - Deleted
C:\WINDOWS\TEMP\STDRUN5.EXE - Deleted
C:\WINDOWS\TEMP\STDRUN6.EXE - Deleted
C:\WINDOWS\TEMP\STDRUN7.EXE - Deleted
C:\WINDOWS\TEMP\STDRUN8.EXE - Deleted
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN1.EXE - Deleted
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN2.EXE - Deleted
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN20.EXE - Deleted
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN21.EXE - Deleted
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN22.EXE - Deleted
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN23.EXE - Deleted
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN4.EXE - Deleted
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN5.EXE - Deleted
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN6.EXE - Deleted
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\STDRUN8.EXE - Deleted
C:\PROGRA~1\SONYER~1\MOBILE2\MOBILE~1\SETDBG~1.EXE - Deleted
C:\PROGRA~1\HP\HPSOFT~1\SELFUP~1.EXE - Deleted
C:\sstray.exe - Deleted
C:\svhost.exe - Deleted
C:\tskmgr.exe - Deleted
C:\WINDOWS\lcass.exe - Deleted
C:\WINDOWS\system32\ldinfo.ldr - Deleted
C:\WINDOWS\system32\rpcc.dll - Deleted
C:\WINDOWS\system32\svchosts.exe - Deleted
C:\WINDOWS\tcb.pmw - Deleted
C:\WINDOWS\winSock32.exe - Deleted



Alternate Stream Check:

C:\WINDOWS\system32
No streams found.
Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Disabled:Kodak Software Updater"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\\WINDOWS\\specialoffers4.exe"="C:\\WINDOWS\\specialoffers4.exe:*:Disabled:Special Offers Networks"
"C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"="C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe:*:Enabled:Microsoft Flight Simulator"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\Nickelodeon\\SpongeBob Squarepants 3D Obstacle Odyssey\\sboo.exe"="C:\\Program Files\\Nickelodeon\\SpongeBob Squarepants 3D Obstacle Odyssey\\sboo.exe:*:Disabled:sboo"
"C:\\Documents and Settings\\Glen Stewart\\My Programs\\quickenw\\QW.EXE"="C:\\Documents and Settings\\Glen Stewart\\My Programs\\quickenw\\QW.EXE:*:Enabled:Quicken Home & Business 99"
"C:\\Program Files\\funkitron\\SCRABBLE\\Scrabble.exe"="C:\\Program Files\\funkitron\\SCRABBLE\\Scrabble.exe:*:Enabled:SCRABBLE ®"
"C:\\Program Files\\Tower Blaster\\TowerBlaster.exe"="C:\\Program Files\\Tower Blaster\\TowerBlaster.exe:*:Enabled:Tower Blaster "
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Rhapsody\\rhapsody.exe"="C:\\Program Files\\Rhapsody\\rhapsody.exe:*:Disabled:RealNetworks Rhapsody"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\WINDOWS\\system32"="C:\\WINDOWS\\system32:*:Enabled:lockx"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Disabled:TrueVector Service"
"C:\\Program Files\\Common Files\\AOL\\1143472629\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1143472629\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1143472629\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1143472629\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Common Files\\AOL\\1143472629\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1143472629\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\WINDOWS\\winsock32.exe"="C:\\WINDOWS\\winsock32.exe:*:Disabled:winsock32"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\1143472629\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1143472629\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with hidden attributes:

C:\NTDETECT.COM
C:\Documents and Settings\Glen Stewart\My Documents\My Backups\Strider Backups\My Documents\My Backups\Frodo\Favorites\Channels\Business\The Quicken.com Channel\desktop.ini
C:\WINDOWS\twain.dll
C:\WINDOWS\twain_32.dll
C:\WINDOWS\system32\gtool.dll
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\RECYCLER\S-1-5-21-73586283-1957994488-839522115-1004\Dc215\winsock32.exe
C:\WINDOWS\T?sks\arpa.exe
C:\WINDOWS\??crosoft\wuauboot.exe
C:\hiberfil.sys
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Documents and Settings\Glen Stewart\My Documents\My Backups\Samwise Backups\My Documents\Business\Ebe\SR Phase 2\Loan Proposal\020314\~WRL0601.tmp
C:\Documents and Settings\Glen Stewart\My Documents\My Backups\Samwise Backups\My Documents\Business\Ebe\SR Phase 2\Loan Proposal\020314_a\~WRL0601.tmp
C:\Documents and Settings\Glen Stewart\My Documents\My Backups\Samwise Backups\My Documents\Business\Ebe\SR Phase 2\Loan Proposal\020314_b\~WRL0601.tmp
C:\Documents and Settings\Glen Stewart\My Documents\My Backups\Samwise Backups\My Documents\Business\Ebe\SR Phase 2\Loan Proposal\020314_c\~WRL0601.tmp
C:\Documents and Settings\Glen Stewart\My Documents\My Backups\Strider Backups\My Documents\Business\P150 Backup\EBE\Records Management\Business Plan\~WRL1391.tmp
C:\Documents and Settings\Glen Stewart\My Documents\My Backups\Strider Backups\My Documents\Business\P150 Backup\EBE\SR Phase 2\Loan Proposal\020314_A\~WRL0601.tmp
C:\Documents and Settings\Glen Stewart\My Documents\My Backups\Strider Backups\My Documents\Business\P150 Backup\EBE\SR Phase 2\Loan Proposal\020314_b\~WRL0601.tmp
C:\Documents and Settings\Glen Stewart\My Documents\My Backups\Strider Backups\My Documents\Business\P150 Backup\EBE\SR Phase 2\Loan Proposal\020314_c\~WRL0601.tmp
C:\Documents and Settings\Glen Stewart\My Documents\My Backups\Strider Backups\My Documents\Business\P150 Backup\EBE\SR Phase 2\Loan Proposal\020314_d\~WRL0601.tmp
C:\Documents and Settings\Glen Stewart\My Documents\My Backups\Strider Backups\My Documents\Business\P150 Backup\Vital Archives\Business Plan\~WRL1391.tmp
C:\Documents and Settings\Glen Stewart\My Documents\My Backups\Strider Backups\My Documents\Business\P150 Backup\Vital Archives\Marketing\Direct Mail Piece\~WRL1432.tmp
C:\Documents and Settings\Glen Stewart\My Documents\My Backups\Strider Backups\My Documents\Business\P150 D Backup\Warehouse_SW\~WRL3977.tmp
C:\Documents and Settings\Glen Stewart\My Documents\My Backups\Strider Backups\My Documents\My Backups\Frodo\My Documents\Business\EBE\SR Phase 2\Loan Proposal\020314\~WRL0601.tmp
C:\Documents and Settings\Glen Stewart\My Documents\My Backups\Strider Backups\My Documents\My Backups\Frodo\My Documents\Business\EBE\SR Phase 2\Loan Proposal\020314_a\~WRL0601.tmp
C:\Documents and Settings\Glen Stewart\My Documents\My Backups\Strider Backups\My Documents\My Backups\Frodo\My Documents\Business\EBE\SR Phase 2\Loan Proposal\020314_b\~WRL0601.tmp
C:\Documents and Settings\Glen Stewart\My Documents\My Backups\Strider Backups\My Documents\My Backups\Frodo\My Documents\Business\EBE\SR Phase 2\Loan Proposal\020314_c\~WRL0601.tmp
C:\WINDOWS\system32\llkkj.tmp
C:\WINDOWS\Temp\4hg5bgum.TMP

Finished

- - -

New HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:21:45 PM, on 1/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\Common Files\{10ABAD4E-05BC-1033-0823-020430020001}\Update.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Batty2\Batty2.exe
C:\Documents and Settings\Glen Stewart\My Programs\quickenw\QWDLLS.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Glen Stewart\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId= ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3F508AB1-6BBA-C983-6D11-032A0C7AF158} - C:\WINDOWS\system32\nkejwol.dll
O2 - BHO: (no name) - {746455FE-D059-47e7-AF0E-140E03F5A447} - (no file)
O2 - BHO: (no name) - {A732EF81-0A13-75C9-17D0-71F2CF5311BB} - C:\WINDOWS\system32\rkqucoe.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30ABA~1\Bar888.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O2 - BHO: Banner Rotator - {E954DB82-1533-4714-92F2-59C98D5C18CC} - C:\WINDOWS\system32\brrotate.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30ABA~1\Bar888.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [qykcscn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\qykcscn.dll,ztrtgce
O4 - HKLM\..\Run: [ms05647827968] C:\WINDOWS\ms05647827968.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [{10ABAD4E-05BC-1033-0823-020430020001}] "C:\Program Files\Common Files\{10ABAD4E-05BC-1033-0823-020430020001}\Update.exe" mc-110-12-0000501
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Billminder.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Documents and Settings\Glen Stewart\My Programs\quickenw\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... jhtml?p=ZJ
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: Rebate Nation - file://C:\Program Files\Rebate_Nation\Sy5300\Tp5300\scri5300a.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TvUSB\EXPLBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/20 ... nstall.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {2A510DC8-C9B5-4269-B9BA-E5B04D47D981} (CPlayFirstDDSonicControl Object) - http://www.shockwave.com/content/dinerd ... 0.0.92.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdriv ... rstart.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/downl ... st_Win.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.basf-corp.com/iNotes6W.cab
O16 - DPF: {400429E4-BED4-472E-93BF-F85AB8565DFF} - http://www.terp17.com/ax/axo.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://www.ez-tracks.com/DLMOffers/Search01/eztdl.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.c ... hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installer ... taller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/download ... anager.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/bejewe ... der_v6.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax2702.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll,BattyRun2.dll,kfghipjp.dll
O20 - Winlogon Notify: jkkll - C:\WINDOWS\system32\jkkll.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
gps57
Regular Member
 
Posts: 30
Joined: January 7th, 2007, 1:10 am
Location: North Carolina

Unread postby wng_z3r0 » January 15th, 2007, 9:06 pm

Well, I looked at your SDfix log, and you have a problem.

This line:
"C:\\WINDOWS\\system32"="C:\\WINDOWS\\system32:*:Enabled:lockx"
indicates a very sneaky keylogger has been installed on your computer. So, among other infections, you have one that provides a backdoor to execute remote files, a keylogger, and an infection that infects networked machines.

I hope I am relaying the severity of the infections. At this point in time, I cannot guarantee to fully remove every remnant of the infections that may lower your system security etc.

Please do the following things:
1. Make sure that any passwords used on that machine have been changed (from a clean computer)
2. If any banking details were entered, put a watch on the credit cards.
3. If you have suffered from identity theft, call your bank and then the police.

Then, please consider how valuable the data and configuration of the laptop is. A reformat may be a more time-effective solution, and it would be safer.

If you would rather reformat, I can give you some helpful tips along the way.
If you choose NOT to reformat, please run this scan. It will let me see the extent of the damage.

Please do an online scan with Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard) << very important to use extended if possible
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


wng
User avatar
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm
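The firewall line quoted above is an entry from the Windows XP SP2 firewall exception list (value name = program path, value data = "path:scope:state:display name"). As an added example that is not code from the thread or from SDFix, the script below parses lines in that .reg-style form and flags the traits that make the lockx entry stand out: it authorizes a whole directory rather than one program, sits under the Windows directory without the resource-string display name Windows' own exceptions use, and is open to any remote address. The two benign sample lines are constructed; the third is the line quoted in the post.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Added example (not from the thread). Entries live under
# HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
# StandardProfile\AuthorizedApplications\List and export as shown below.
# First two lines: constructed benign entries. Third line: quoted from the post.
SAMPLE_LINES = r'''
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32"="C:\\WINDOWS\\system32:*:Enabled:lockx"
'''

# "name"="data" with .reg escaping (backslashes doubled, quotes escaped)
LINE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# data = path:scope:Enabled|Disabled:display  (path itself contains "C:")
DATA_RE = re.compile(
    r'^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<display>.*)$',
    re.IGNORECASE,
)


class FirewallException(NamedTuple):
    path: str
    scope: str      # "*" = any remote address, otherwise an address/subnet list
    enabled: bool
    display: str


def unescape(s: str) -> str:
    # .reg exports write every backslash twice
    return s.replace("\\\\", "\\")


def parse_exception(line: str) -> Optional[FirewallException]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = DATA_RE.match(unescape(m.group("data")))
    if not d:
        return None
    return FirewallException(d["path"], d["scope"],
                             d["state"].lower() == "enabled", d["display"])


def triage(exc: FirewallException) -> List[str]:
    """Heuristic reasons an enabled exception deserves a closer look."""
    reasons: List[str] = []
    if not exc.enabled:
        return reasons
    base = exc.path.rsplit("\\", 1)[-1]
    if "." not in base:
        reasons.append("authorizes a whole directory instead of one program")
    in_windir = exc.path.lower().startswith(
        ("c:\\windows\\", "%windir%\\", "%systemroot%\\"))
    if in_windir and not exc.display.startswith("@"):
        reasons.append("system-directory entry without a Windows resource display name")
    if exc.scope == "*" and reasons:
        reasons.append("open to any remote address")
    return reasons


def triage_all(text: str) -> Dict[str, List[str]]:
    """Map each parsed exception path to its list of reasons (empty = looks normal)."""
    result: Dict[str, List[str]] = {}
    for line in text.splitlines():
        exc = parse_exception(line)
        if exc is not None:
            result[exc.path] = triage(exc)
    return result


if __name__ == "__main__":
    for path, reasons in triage_all(SAMPLE_LINES).items():
        print(path, "->", "; ".join(reasons) if reasons else "ok")
```

Run against an SDFix or .reg export of the key, the script prints the entries that are worth reviewing; it does not alter the firewall configuration.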

Unread postby gps57 » January 16th, 2007, 10:25 am

Well, I hope this will serve as a lesson for my whole family to keep the firewall turned on and maintain best practices in our use of this computer.

I agree that a reformat would likely be the best solution at this time. However, there is some data on that computer that I do not want to lose. Mostly digital photos.

Can you advise me on the best way to get the data I want safely off that computer without infecting another computer? I have thumb drives, and a 60GB USB Western Digital Passport HD that I could use to pull data off. If I use the WD Passport, I could isolate it from other machines.

Speaking of other machines, how worried should I be that my laptop is infected? As a reminder, the machine you and I are working on is my children's desktop. But I have had my laptop on the home network occasionally, then taken it to work on the work network.

I have a small company with only two computers (3 when my laptop is there) on the network. I'm worried that the keylogger may have infected my work computers via my laptop.

Anyway, could you advise me on how I might check my laptop and the two computers at work for this keylogger? Then advise me on a safe procedure for saving the data I want and reformatting my children's computer.

By the way, I am working with another MR expert on my laptop right now under the forum topic, "Laptop acting wierd - HJT log included."

Thank you very much for your help!!
gps57
Regular Member
 
Posts: 30
Joined: January 7th, 2007, 1:10 am
Location: North Carolina

Unread postby wng_z3r0 » January 16th, 2007, 10:03 pm

Speaking of best practices, tell the kids to lay off limewire. It's a peer to peer program, and although the client is clean of infections, the downloaded files are commonly infected. I'm sure I don't need to get on my soapbox to you, but I would appreciate it if you would remind your children. If need be, have them use a limited account so any infections will be (hopefully) limited in scope.

The external hard drive should be fine. I would scan the drive for viruses afterwards though. If you want to be even more cautious, download the files when the infected computer is in safe mode, or possibly use a BartPE cd to boot from a cd. See http://ubcd4win.com

I will research how to best detect the lockX keylogger, and I will get back to you shortly.

In the meantime,
here is my tutorial on reformatting:
http://spyware-free.us/tutorials/reformat

If you need any help, just post back here. Once again, please consider a limited account for internet surfing as part of the steps.

If you would like, I can show you how to make your network more secure. The downside of this would be that a password would be needed to connect to other machines. Are you interested?

thanks,
wng
User avatar
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Unread postby gps57 » January 17th, 2007, 9:39 am

Good, no more limewire.

When you suggest a limited account, would a virtual machine using VMWare or Virtual PC meet that goal?

How's this for a plan for getting the data I want off the infected computer:
- Start up in SAFE mode.
- Connect external drive
- Copy data to external drive
- Disconnect external drive from infected computer
- Connect external drive to clean computer
- Run virus scan on external drive
- When virus scan completes, transfer files to clean computer

Yes, I'm very interested in making my network more secure. Having to enter a password is a minor problem.

Thanks!
gps57
Regular Member
 
Posts: 30
Joined: January 7th, 2007, 1:10 am
Location: North Carolina