Free Malware Removal Forum

[citra]

had some problems earlier today that said something about wininet.dll
did a virus scan + spyware scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:41 AM, on 3/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\POWERPNT.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11830A3F-BAA4-9A29-F368-E72B259889EA} - C:\WINDOWS\system32\uqi.dll (file missing)
O2 - BHO: (no name) - {29912EA2-C562-B8BA-6571-933C672AB7B2} - (no file)
O2 - BHO: (no name) - {32277424-9AE1-E23E-E4D4-C959D182FDBB} - C:\WINDOWS\system32\tcgj.dll (file missing)
O2 - BHO: (no name) - {51876C46-D4AD-DE26-D14E-D81822AE9FE8} - C:\WINDOWS\system32\bcahje.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {655D1C5E-FCC1-844B-90DD-F98AAFA1FEEB} - C:\WINDOWS\system32\actdja.dll (file missing)
O2 - BHO: (no name) - {660E4F0C-AA93-D64D-90DD-F98AAFA1F8EE} - C:\WINDOWS\system32\petdrrlc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: (no name) - {8BBAFDE6-1E24-6BAD-7F24-46C1185219E1} - (no file)
O2 - BHO: (no name) - {8EBBBD18-51D4-7D52-DB12-05C5487C47B1} - C:\WINDOWS\system32\ftqz.dll (file missing)
O2 - BHO: (no name) - {9493DB82-624E-1FC6-4713-605331F156E6} - (no file)
O2 - BHO: (no name) - {957E57BE-BE2A-C6A3-7D92-BD9E8E320BE6} - C:\WINDOWS\system32\pmiu.dll (file missing)
O2 - BHO: (no name) - {9DFA0630-E9D7-B601-A6F2-E6CB5FCE09B8} - (no file)
O2 - BHO: (no name) - {BBC5AE20-449E-1F41-B019-4F0142E92E93} - C:\WINDOWS\system32\tbgkanti.dll (file missing)
O2 - BHO: (no name) - {BBC5AE25-44EC-6D35-B06D-470134EA2EE6} - C:\WINDOWS\system32\tbgkanti.dll (file missing)
O2 - BHO: (no name) - {C0AC73D9-CE10-B0CB-16C2-CDD9598F5BB4} - C:\WINDOWS\system32\pvysdn.dll (file missing)
O2 - BHO: (no name) - {DF7F431A-A4D4-8653-D59A-AD0FD7974EB1} - C:\WINDOWS\system32\eek.dll (file missing)
O2 - BHO: (no name) - {EA0D5868-BFAB-C522-AD88-E93BF40473B3} - C:\WINDOWS\system32\jadr.dll (file missing)
O2 - BHO: (no name) - {EA0D586F-BFAB-C522-AD88-943BF70373C4} - C:\WINDOWS\system32\jadr.dll (file missing)
O2 - BHO: (no name) - {EA2E4EC6-A15A-8C81-5952-F43A870725E0} - C:\WINDOWS\system32\pifexiv.dll (file missing)
O2 - BHO: (no name) - {FB6881FE-3A1E-3398-69B0-62F3CF456FB1} - C:\WINDOWS\system32\hgf.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [BlockChecker] C:\Program Files\Block Checker\block-checker.exe
O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MECA] C:\Program Files\Meca\\Meca.exe
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Harker Timetable.lnk = C:\Program Files\Harker Timetable\harkertime.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0031.exe
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFi ... nstall.cab
O20 - AppInit_DLLs: msiexec.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9443 bytes

[chryssi2001]

Hello citra ,

I will be assisting you with your malware issues.

• Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
• Continue to respond to this thread until I give you the All Clean! If you have any question or you're stuck in there please reply it to me. I will try my best to help you!
• Please bookmark or favourite this page. In case you need it as reference or etc.

----------------------------------------------
Please visit this webpage for instructions for downloading ComboFix at your DESKTOP :
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you.

• Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

[citra]

when i dragged the window recovery console onto my combofix icon all my windows shut down and the blue window opened up. is this supposed to happen?

[chryssi2001]

What blue window? Do you mean windows welcome screen or did you Double click Combofix to run and it's that blue window you talk about?
See my link:
http://img.bleepingcomputer.com/combofix/en/cf-preparing.jpg

Did you run Combofix?

[citra]

that's the one but i did not click combo fix so it just starts up as soon as i do that- also i will be signing off after tonight for a week so can I send you a PM when I'm back online (next sunday)

[chryssi2001]

Hello citra,

that's the one but i did not click combo fix so it just starts up as soon as i do that- also i will be signing off after tonight for a week so can I send you a PM when I'm back online (next sunday)

From your description i can't say if Combofix run and created a report or not.

Since you are going to be away for a week this thread will be closed.
We tend to close inactive topics after 5 days. Yours will be inactive for a week.
You can start a new one describing your problem.

As Combofix gets updated very often the present Combofix you have will not be suitable to run after 1 week. Any helper who will deal with your post will not know that you have an old copy.
So please uninstall it following the below instructions:
-------------------------------------
UNINSTALL COMBOFIX

• Click START then RUN
• Now type Combofix /u in the runbox and click OK.
• Note the space between the X and the U, it needs to be there.
• 

-------------------------------------
Start a new thread when you are ready.

[Elrond]

Due to lack of response this topic is now closed.

If you still need help open a new thread in the Malware Removal forum and wait for a new helper.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Elrond