Lexmark_X79-55 in autostar winantivirus 2006 malware pop ups


Post by sgpatel » March 16th, 2007, 5:02 pm

I am having problems with popups. I also notice that there is an autostart program in my Startup folder called Lexmark_X79-55 which has the following path: C:\WINDOWS\system32\lsasss.exe. I ran Ewido security suite and it found a Downloader.Agent.bp which I took a Quarantine action against. I am also getting a "Cannot find file urpnmj.dll" when I reboot, which is also a program in my autostart tab in Ewido and it has the following path: "rundll32.exe" "C:\WINDOWS\urpnmj.dll", setvm. Following is my HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 1:58:46 PM, on 3/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\orclobi\ebi\CheckDefrag.exe
C:\WINDOWS\orclobi\ebi\cischd.exe
C:\WINDOWS\system32\lsasss.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
D:\Program Files\Media Players\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\sgpatel\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.us.oracle.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *oracle.com;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://ebizsrv.us.oracle.com"); (C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\default\dn7w2w2z.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {782b81d5-cacb-4630-9ae6-ce6349bca6b9} - C:\WINDOWS\system32\kswuag.dll (file missing)
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM\..\Run: [CheckDefrag] c:\windows\orclobi\ebi\CheckDefrag.exe
O4 - HKLM\..\Run: [Cischd] C:\WINDOWS\orclobi\ebi\cischd.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\urpnmj.dll",setvm
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.oracle.com
O15 - Trusted Zone: *.oracleads.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: Secure Global Desktop Client, 4.2 - http://ebiztta.oraclecorp.com/tarantell ... taF-du.cab
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/re ... nsload.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30355844-0000-0010-8000-00AA00389B71} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {32248CB1-0D1E-4889-AEA3-1A2DA540A380} (Siebel CSSAxCatalogNavigator Class) - http://sdchs20n518.corp.siebel.com/CALL ... igator.cab
O16 - DPF: {3D5E05C4-41B2-4EB5-A5EB-970EBD646B98} (ASEActiveXCtrl Class) - http://le2041.oracleads.com/OA_HTML/dow ... dddase.exe
O16 - DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} (Siebel High Interactivity Framework) - http://sdchs22n110.corp.siebel.com/call ... Client.cab
O16 - DPF: {A07F0AC9-D8AD-449A-BE90-668F5263B261} (Siebel High Interactivity Framework) - http://sdchs20n518.corp.siebel.com/CALL ... Client.cab
O16 - DPF: {AD8A3C8A-ABC8-4BAA-B176-0473BF553930} (Siebel Product Selection) - http://sdchs20n518.corp.siebel.com/CALL ... ection.cab
O16 - DPF: {BFE65CD6-B930-4BD0-BEC1-00E947B2A373} (CSSAxConfigurator Class) - http://sdchs22n110.corp.siebel.com/call ... urator.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - http://adsweb.oracleads.com/download/jinit13121.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A1A481-0DC3-4299-BED3-4ABD619A6BEC}: Domain = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0489001-EB94-433F-AE81-B92A337E243E}: Domain = oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = oracle.com
O20 - AppInit_DLLs:
O20 - Winlogon Notify: kswuag - kswuag.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)
sgpatel
Regular Member
 
Posts: 19
Joined: March 16th, 2007, 2:55 pm

Post by John B. » March 17th, 2007, 12:48 pm

Hi! :hello2: and welcome to the Malware Removal forums.
My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to see that this happens.
I am currently looking over your log. As I am a trainee, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long. I will post back shortly with a potential fix.

Please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • Finally, please make an uninstall list using HijackThis.
    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.

    You will now be presented with a screen similar to the one below:

    [Image: screenshot of the HijackThis Uninstall Manager]

    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in a reply.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Post by John B. » March 17th, 2007, 1:38 pm

Hi,

You've got some infections including a file infector which is probably disabling a lot of programs.

Step 1: Download and Run FindAWF
Please download FindAWF here:
http://noahdfear.geekstogo.com/FindAWF.exe
Save it to your desktop and run it.
The output is awf.txt; save the text file to your desktop.

Step 2: Post logs
  • Uninstall log if you haven't posted it yet
  • awf.txt
  • Fresh HijackThis log

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands
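John's diagnosis above comes from reading the HijackThis autostart lines by eye. As an added illustration (not John's procedure, not a HijackThis feature, and not the forum's tooling), the Python script below applies three of those reviewer checks to a handful of constructed O4 and O20 lines modelled on the log posted earlier: an autostart that loads a DLL through rundll32, an executable whose name imitates a core Windows process (lsasss.exe against lsass.exe), and a Winlogon Notify entry whose DLL is missing or has no path. The core-process list and the 0.85 similarity threshold are this example's own assumptions.

```python
"""Triage a few HijackThis (v1.99) log lines for autostart indicators.

Added example: this is not John's procedure or a HijackThis feature, only a
scripted version of three checks a reviewer applies by eye to O4/O20 lines.
"""
import re
from difflib import SequenceMatcher

# Constructed sample: a handful of lines modelled on the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CheckDefrag] c:\windows\orclobi\ebi\CheckDefrag.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\urpnmj.dll",setvm
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O20 - Winlogon Notify: kswuag - kswuag.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

# Core Windows XP process names that malware commonly imitates (assumed list).
CORE_PROCESSES = ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe")

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.+)$")
DLL_RE = re.compile(r'"([^"]+\.dll)"', re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased (Windows separators)."""
    return path.rsplit("\\", 1)[-1].lower()


def lookalike(exe_name):
    """Return the core process name that exe_name imitates, or None.

    The 0.85 similarity threshold is this example's own choice; it catches
    one-character insertions such as lsasss.exe against lsass.exe.
    """
    exe_name = exe_name.lower()
    if exe_name in CORE_PROCESSES:
        return None
    for known in CORE_PROCESSES:
        if SequenceMatcher(None, exe_name, known).ratio() >= 0.85:
            return known
    return None


def first_path(cmd):
    """Program path from a Run value: the quoted string or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def triage(log_text):
    """Return a list of findings (dicts) for O4 and O20 lines worth a look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            name, cmd = m["name"], m["cmd"]
            prog = first_path(cmd)
            if basename(prog) == "rundll32.exe":
                dll = DLL_RE.search(cmd)
                findings.append({"entry": "O4", "name": name,
                                 "path": dll.group(1) if dll else cmd,
                                 "reason": "autostart via rundll32; verify the DLL's origin"})
            else:
                imitated = lookalike(basename(prog))
                if imitated:
                    findings.append({"entry": "O4", "name": name, "path": prog,
                                     "reason": f"file name imitates core process {imitated}"})
            continue
        m = O20_RE.match(line)
        if m and ("(file missing)" in m["target"] or "\\" not in m["target"]):
            findings.append({"entry": "O20", "name": m["name"], "path": m["target"],
                             "reason": "Winlogon Notify DLL missing or given without a path"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['entry']} [{f['name']}] {f['path']}: {f['reason']}")
```

Run against the sample, the script flags the 2chkdsk, Lexmark_X79-55 and kswuag entries and leaves the vendor entries (CheckDefrag, dvd43, NavLogon) alone. A flag is a prompt to check the file's publisher and location, as the helpers in this thread do, not a verdict on its own.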

New HijackThis log, uninstall log and AWF log

Post by sgpatel » March 17th, 2007, 8:39 pm

John thanks a lot for responding to my issue. Hope to solve this working together with you. I have posted information that you have requested.
HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 5:27:22 PM, on 3/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\orclobi\ebi\CheckDefrag.exe
C:\WINDOWS\orclobi\ebi\cischd.exe
C:\WINDOWS\system32\lsasss.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Oracle\Messenger\OracleMessenger.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\sgpatel\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.us.oracle.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *oracle.com;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://ebizsrv.us.oracle.com"); (C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\default\dn7w2w2z.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {782b81d5-cacb-4630-9ae6-ce6349bca6b9} - C:\WINDOWS\system32\modk32.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM\..\Run: [CheckDefrag] c:\windows\orclobi\ebi\CheckDefrag.exe
O4 - HKLM\..\Run: [Cischd] C:\WINDOWS\orclobi\ebi\cischd.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\urpnmj.dll",setvm
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.oracle.com
O15 - Trusted Zone: *.oracleads.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: Secure Global Desktop Client, 4.2 - http://ebiztta.oraclecorp.com/tarantell ... taF-du.cab
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/re ... nsload.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/i ... rstart.cab
O16 - DPF: {30355844-0000-0010-8000-00AA00389B71} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {32248CB1-0D1E-4889-AEA3-1A2DA540A380} (Siebel CSSAxCatalogNavigator Class) - http://sdchs20n518.corp.siebel.com/CALL ... igator.cab
O16 - DPF: {3D5E05C4-41B2-4EB5-A5EB-970EBD646B98} (ASEActiveXCtrl Class) - http://le2041.oracleads.com/OA_HTML/dow ... dddase.exe
O16 - DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} (Siebel High Interactivity Framework) - http://sdchs22n110.corp.siebel.com/call ... Client.cab
O16 - DPF: {A07F0AC9-D8AD-449A-BE90-668F5263B261} (Siebel High Interactivity Framework) - http://sdchs20n518.corp.siebel.com/CALL ... Client.cab
O16 - DPF: {AD8A3C8A-ABC8-4BAA-B176-0473BF553930} (Siebel Product Selection) - http://sdchs20n518.corp.siebel.com/CALL ... ection.cab
O16 - DPF: {BFE65CD6-B930-4BD0-BEC1-00E947B2A373} (CSSAxConfigurator Class) - http://sdchs22n110.corp.siebel.com/call ... urator.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - http://adsweb.oracleads.com/download/jinit13121.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A1A481-0DC3-4299-BED3-4ABD619A6BEC}: Domain = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0489001-EB94-433F-AE81-B92A337E243E}: Domain = oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = oracle.com
O20 - Winlogon Notify: kswuag - kswuag.dll (file missing)
O20 - Winlogon Notify: modk32 - C:\WINDOWS\SYSTEM32\modk32.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

AWF.txt

Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 07:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\SYMANT~1\SYMANT~1\BAK

05/21/2003 01:21 AM 90,112 vptray.exe
1 File(s) 90,112 bytes

Directory of C:\WINDOWS\ORCLOBI\EBI\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\ADOBEA~1.0\DISTILLR\BAK

12/14/2004 03:12 AM 483,328 Acrotray.exe
1 File(s) 483,328 bytes

Directory of D:\PROGRA~1\ITUNES\BAK

10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of D:\PROGRA~1\GRISOFT\AVGANT~1.5\BAK

10/07/2006 05:20 AM 6,266,880 avgas.exe
1 File(s) 6,266,880 bytes

Directory of D:\PERSONAL\MUSIC\TUTORI~1\COMPUT~1\THECM1~1\CMINTH~1.BAK

08/29/2006 01:45 AM 1,637,146 CM in the House.00.lso
1 File(s) 1,637,146 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
90112 May 21 2003 "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe"
483328 Dec 14 2004 "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\bak\Acrotray.exe"
102400 Dec 31 2006 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
256576 Oct 30 2006 "D:\Program Files\iTunes\bak\iTunesHelper.exe"
6266880 Oct 7 2006 "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe"
6266880 Oct 7 2006 "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe"
1637146 Aug 29 2006 "D:\Personal\Music\Tutorials\Computer Music Website\The CM105 Guide to House\CM in the House.bak\CM in the House.00.lso"


end of report

Uninstall manager log
1Click DVD Copy 4.2
Ableton Live v6.0.3
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.0
AOL Instant Messenger
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Autodesk DirectConnect 2.0
AVG Anti-Spyware 7.5
Broadcom Gigabit Integrated Controller
Cisco Systems VPN Client 4.8.00.0440
Cisco VPN Client 4.8
C-Major Audio
Conexant D480 MDC V.92 Modem
CopyToDVD
del.icio.us Buttons for Internet Explorer
DivX Codec
DivX Converter
DVD43 v3.9.0
Flickr Uploadr 2.3
GLOBEtrotter FLEXid Drivers
HijackThis 1.99.1
HyperSnap-DX 5.62.05
InterVideo WinDVD
iPassConnect
iPassConnect
iTunes
Java 2 Runtime Environment, SE v1.4.2_05
Lightroom
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Maya 8.5
Maya 8.5 Bonus Tools
Maya 8.5 Documentation (en_US)
Microsoft Baseline Security Analyzer 1.2.1
Microsoft Office Professional Edition 2003
Microsoft Office Project Standard 2003
Microsoft Office Visio Professional 2003
Microsoft Office Visio Viewer 2003 (English)
Mozilla Firefox (1.0.7)
Native Instruments Traktor DJ Studio v3.1.3
Netscape 7.2
Novation V-Station for Cubase SX3 VSTi v1.41
O2Micro Smartcard Driver
Oracle 9iFS FileSync
Oracle Calendar
Oracle JInitiator 1.3.1.21
Oracle Messenger
Oracle Product Workbench
Oracle Web Conferencing Console
PrimoPDF
PrimoPDF Redistribution Package
PuTTY .57 with WinSCP3
Qarbon Viewlet Builder 4.5.3
QuickTime
RealPlayer
Reason 3.0
RgcAudio z3ta Plus DXi VSTi v1.41
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Sentinel System Driver
Silo 1.42
Symantec AntiVirus Client
Symantec pcAnywhere
TurboTax ItsDeductible 2006
TurboTax Premier Investments 2006
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
VideoLAN VLC media player 0.8.6a
WexTech AnswerWorks
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinZip 9
Yahoo! Messenger
Yahoo! Photos Easy Upload Tool
Yahoo! Photos Print-at-Home Tool
------------------------------------------------------------------------------------
sgpatel
Regular Member
 
Posts: 19
Joined: March 16th, 2007, 2:55 pm

Post by John B. » March 18th, 2007, 8:29 am

Hi,

Let's get to work :)

Please copy the fix to Notepad/Word, or print it, because you won't always have internet access!

Step 1: Download and Run DelDomains
Please download DelDomains by WinHelp2002 and save it to your desktop.
  • Right-click on DelDomains.inf, and choose Install.
  • You may not see any noticeable changes or prompts; this is normal.
  • Then, please restart your computer, and post a new HijackThis log.
  • You will have to re-immunize with SpywareBlaster, IE-SPYAD, and/or Spybot - Search & Destroy after doing this.
Step 2: Download and Run ResetProtocolDefaults
Please download ResetProtocolDefaults by WinHelp2002 and save it to your desktop.
  • Locate ResetProtocolDefaults.reg which should be on your desktop.
  • Right-click and select: Merge.
  • OK the prompt.
Step 3: Boot into Safe Mode
Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Step 4: Run Batchfile
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it goawf.bat. Please save it on your desktop.

rem Restore each program the file infector replaced: delete the infected copy,
rem then copy the clean original back out of the bak folder FindAWF reported.
if exist "C:\Program Files\QuickTime\qttask.exe" del /q "C:\Program Files\QuickTime\qttask.exe"
copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime\qttask.exe"

if exist "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe" del /q "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe"
copy /y "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe" "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe"

if exist "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" del /q "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
copy /y "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\bak\Acrotray.exe" "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"

if exist "D:\Program Files\iTunes\iTunesHelper.exe" del /q "D:\Program Files\iTunes\iTunesHelper.exe"
copy /y "D:\Program Files\iTunes\bak\iTunesHelper.exe" "D:\Program Files\iTunes\iTunesHelper.exe"

if exist "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" del /q "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe"
copy /y "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe" "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe"


Double click goawf.bat. A window will open and messages will appear. After it's done it might not close automatically; if it doesn't, please close it manually.

Step 5: Reboot and Post logs
Your computer will automatically switch to Normal Mode.
Please post the following logs:
  • Fresh HijackThis log
  • Fresh FindAWF log

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands
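The batch file in Step 4 was written by hand from the FindAWF report: every executable sitting in a folder named bak is the clean original, and the file of the same name one level up is the infected replacement. As an added example (not FindAWF's code and not John's batch file), the Python script below parses a constructed excerpt of the "Duplicate files" section of such a report and derives the same original/bak pairs, rendering them in the shape of goawf.bat. It deliberately skips folders that merely end in ".bak" (the Music folder in the report above) and anything that is not an .exe, which is the judgement call a helper makes when turning the report into a fix.

```python
"""Turn a FindAWF 'Duplicate files' section into a restore plan.

Added example, not FindAWF's own code or John's batch file: it derives the
original/bak pairs a helper writes by hand from a report like the one above.
"""
import re

# Constructed excerpt modelled on the awf.txt in this thread (paths shortened).
SAMPLE_REPORT = r'''Find AWF report by noahdfear (c)2006

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
6266880 Oct 7 2006 "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe"
6266880 Oct 7 2006 "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe"
1637146 Aug 29 2006 "D:\Personal\Music\Tutorials\CM in the House.bak\CM in the House.00.lso"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"

end of report
'''

# One report line: <size> <Mon> <day> <year> "<full path>"
DUP_RE = re.compile(
    r'^(?P<size>\d+)\s+(?P<date>[A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(?P<path>[^"]+)"$')


def parse_duplicates(report):
    """Return (size, path) tuples from the 'Duplicate files' section only."""
    entries, in_section = [], False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
            continue
        if line.startswith("end of report"):
            break
        m = DUP_RE.match(line) if in_section else None
        if m:
            entries.append((int(m["size"]), m["path"]))
    return entries


def restore_plan(report):
    """Pair every .exe inside a directory named exactly 'bak' with its original.

    The clean program lives in the bak subfolder and the infected copy sits one
    level up under the same name, so the original path is the bak path with that
    one component removed. Folders merely ending in '.bak' and non-executables
    are left alone.
    """
    plan = []
    for size, path in parse_duplicates(report):
        parts = path.split("\\")
        if (len(parts) >= 3 and parts[-2].lower() == "bak"
                and parts[-1].lower().endswith(".exe")):
            plan.append({"backup": path,
                         "original": "\\".join(parts[:-2] + [parts[-1]]),
                         "size": size})
    return plan


def to_batch(plan):
    """Render the plan as the same del/copy pairs used in goawf.bat above."""
    lines = []
    for item in plan:
        o, b = item["original"], item["backup"]
        lines.append(f'if exist "{o}" del /q "{o}"')
        lines.append(f'copy /y "{b}" "{o}"')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_batch(restore_plan(SAMPLE_REPORT)))
```

Note that avgas.exe appears twice in the duplicates section with the same size; the plan still restores it from the bak copy, because equal size says nothing about whether the copy outside bak was modified. A helper would normally run the resulting batch file in Safe Mode, as Step 3 above requires, so the infected executables are not in use when they are deleted.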

Post by sgpatel » March 18th, 2007, 12:03 pm

John,
I just had a question on step 1 where you say I will have to re-immunize with SpywareBlaster, Spybot Search & Destroy, etc. I am assuming you want me to download each of these programs separately and install them before I start following your instructions.

thanks,
sachin
sgpatel
Regular Member
 
Posts: 19
Joined: March 16th, 2007, 2:55 pm

Post by John B. » March 18th, 2007, 12:43 pm

Hi,

I'm sorry that I didn't make that clear. It's optional, so if you used those programs you would have to do it. You don't use those programs, so forget about it ;)

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Post by sgpatel » March 18th, 2007, 7:30 pm

John,
I have gone through the steps you highlighted. Here are the fresh logs. Just FYI... I am using Firefox while I fix this, but there are popups that start automatically and IE browser windows still open by themselves.
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 4:19:48 PM, on 3/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\orclobi\ebi\CheckDefrag.exe
C:\WINDOWS\orclobi\ebi\cischd.exe
C:\WINDOWS\system32\lsasss.exe
C:\Program Files\dvd43\dvd43_tray.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\sgpatel\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.oracle.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *oracle.com;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://ebizsrv.us.oracle.com"); (C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\default\dn7w2w2z.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {782b81d5-cacb-4630-9ae6-ce6349bca6b9} - C:\WINDOWS\system32\modk32.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM\..\Run: [CheckDefrag] c:\windows\orclobi\ebi\CheckDefrag.exe
O4 - HKLM\..\Run: [Cischd] C:\WINDOWS\orclobi\ebi\cischd.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\urpnmj.dll",setvm
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Secure Global Desktop Client, 4.2 - http://ebiztta.oraclecorp.com/tarantell ... taF-du.cab
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/re ... nsload.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/i ... rstart.cab
O16 - DPF: {30355844-0000-0010-8000-00AA00389B71} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {32248CB1-0D1E-4889-AEA3-1A2DA540A380} (Siebel CSSAxCatalogNavigator Class) - http://sdchs20n518.corp.siebel.com/CALL ... igator.cab
O16 - DPF: {3D5E05C4-41B2-4EB5-A5EB-970EBD646B98} (ASEActiveXCtrl Class) - http://le2041.oracleads.com/OA_HTML/dow ... dddase.exe
O16 - DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} (Siebel High Interactivity Framework) - http://sdchs22n110.corp.siebel.com/call ... Client.cab
O16 - DPF: {A07F0AC9-D8AD-449A-BE90-668F5263B261} (Siebel High Interactivity Framework) - http://sdchs20n518.corp.siebel.com/CALL ... Client.cab
O16 - DPF: {AD8A3C8A-ABC8-4BAA-B176-0473BF553930} (Siebel Product Selection) - http://sdchs20n518.corp.siebel.com/CALL ... ection.cab
O16 - DPF: {BFE65CD6-B930-4BD0-BEC1-00E947B2A373} (CSSAxConfigurator Class) - http://sdchs22n110.corp.siebel.com/call ... urator.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - http://adsweb.oracleads.com/download/jinit13121.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A1A481-0DC3-4299-BED3-4ABD619A6BEC}: Domain = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0489001-EB94-433F-AE81-B92A337E243E}: Domain = oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = oracle.com
O20 - Winlogon Notify: kswuag - kswuag.dll (file missing)
O20 - Winlogon Notify: modk32 - C:\WINDOWS\SYSTEM32\modk32.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

FindAWF log:

Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 07:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\SYMANT~1\SYMANT~1\BAK

05/21/2003 01:21 AM 90,112 vptray.exe
1 File(s) 90,112 bytes

Directory of C:\WINDOWS\ORCLOBI\EBI\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\ADOBEA~1.0\DISTILLR\BAK

12/14/2004 03:12 AM 483,328 Acrotray.exe
1 File(s) 483,328 bytes

Directory of D:\PROGRA~1\ITUNES\BAK

10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of D:\PROGRA~1\GRISOFT\AVGANT~1.5\BAK

10/07/2006 05:20 AM 6,266,880 avgas.exe
1 File(s) 6,266,880 bytes

Directory of D:\PERSONAL\MUSIC\TUTORI~1\COMPUT~1\THECM1~1\CMINTH~1.BAK

08/29/2006 01:45 AM 1,637,146 CM in the House.00.lso
1 File(s) 1,637,146 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

282624 Oct 25 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
90112 May 21 2003 "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe"
90112 May 21 2003 "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe"
483328 Dec 14 2004 "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
483328 Dec 14 2004 "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\bak\Acrotray.exe"
102400 Dec 31 2006 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
256576 Oct 30 2006 "D:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "D:\Program Files\iTunes\bak\iTunesHelper.exe"
6266880 Oct 7 2006 "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe"
6266880 Oct 7 2006 "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe"
1637146 Aug 29 2006 "D:\Personal\Music\Tutorials\Computer Music Website\The CM105 Guide to House\CM in the House.bak\CM in the House.00.lso"


end of report
sgpatel
Regular Member
 
Posts: 19
Joined: March 16th, 2007, 2:55 pm

Unread postby John B. » March 19th, 2007, 4:21 pm

Hi,

I understand you're getting popups; you've probably got the Vundo infection, which is sending those...

Step 1: Stop process with Task Manager
Press Control+Alt+Del to enter the Task Manager.
Click on the Processes tab and end the following process (if present):

lsasss.exe << Note: This process is bad, it's got 3x 's' at the end. The legit process has got 2x 's' at the end so don't stop that one!

Exit the Task Manager when finished.

Step 2: Remove bad HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

    O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\urpnmj.dll",setvm
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
Step 3: Show your hidden files
To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon (or click Start, then select My Computer)
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shutdown My Computer.
    Now your computer is configured to show all hidden files.
Step 4: Delete bad files and folders
Use Explorer to navigate to and delete the following files and folders (if present):

Files:
C:\WINDOWS\urpnmj.dll

C:\WINDOWS\system32\lsasss.exe << Note: This file is bad, it's got 3x 's' at the end. The legit file has got 2x 's' at the end so don't remove that one!

Folders:
C:\Program Files\QuickTime\bak
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\bak
D:\Program Files\iTunes\bak
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak

Now just exit Explorer.

Step 5: Upload a File to Virustotal
Please visit Virustotal
  • Click the Browse... button
  • Navigate to the file C:\WINDOWS\system32\modk32.dll
  • Click the Open button
  • Click the Send button
  • Copy/paste the results in a new reply together with a fresh HijackThis log

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands
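The lookalike trick John points out (lsasss.exe sitting beside the legitimate lsass.exe) and the rundll32 autorun that loads a DLL from the Windows root are both easy to miss by eye in a long log. As an added example, not part of this thread, here is a small Python triage script that runs exactly those two checks over HijackThis-style lines; the sample lines are constructed from the log posted above, and the list of legitimate system binaries is an assumption made for the example.

```python
import re

# Legitimate Windows system binaries that malware commonly imitates by name.
# Assumed list for this example; extend it for your own environment.
LEGIT_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe", "wuauclt.exe",
}

# HijackThis O4 autorun entry: "O4 - HKLM\..\Run: [name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Lines in the "Running processes:" section are bare drive-letter paths.
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute); catches one-character
    variations such as the extra 's' in lsasss.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_token(cmd):
    """Return the program part of a command line, honouring double quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def basename(path):
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def rundll32_dll(cmd):
    """For 'rundll32.exe "<dll>",<entry>' return the DLL path, else None."""
    prog, _, rest = cmd.strip().partition(" ")
    if basename(prog) != "rundll32.exe":
        return None
    dll = first_token(rest)        # quoted or unquoted DLL path
    return dll.split(",", 1)[0]    # drop the ",entrypoint" suffix


def analyse(lines):
    """Walk HijackThis-style lines; return (source, observed, reason) tuples."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            source = f"autorun [{m.group('name')}]"
            cmd = m.group("cmd")
            exe = basename(first_token(cmd))
            dll = rundll32_dll(cmd)
            # A DLL loaded by rundll32 from outside system32 deserves a look.
            if dll is not None and "\\system32\\" not in dll.lower():
                findings.append((source, basename(dll),
                                 "rundll32 loads DLL outside system32"))
        elif DRIVE_PATH_RE.match(line):
            source = "running process"
            exe = basename(line)
        else:
            continue
        if exe in LEGIT_SYSTEM_BINARIES:
            continue               # exact match: the real system binary
        for legit in sorted(LEGIT_SYSTEM_BINARIES):
            if levenshtein(exe, legit) == 1:
                findings.append((source, exe, f"one edit away from {legit}"))
                break
    return findings


# Constructed sample: a few lines taken from the log posted in this thread.
SAMPLE_HJT_LINES = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\lsasss.exe
c:\program files\internet explorer\iexplore.exe

O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\urpnmj.dll",setvm
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
""".strip().splitlines()

if __name__ == "__main__":
    for source, observed, reason in analyse(SAMPLE_HJT_LINES):
        print(f"{source:28} {observed:14} {reason}")
```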

Unread postby sgpatel » March 19th, 2007, 5:43 pm

John,
I have followed the steps that you highlighted. Here are the results from the VirusTotal upload and a fresh HijackThis log. FYI, the modk32.dll file appeared and I noticed it after a burst of pop-ups; I am sure you know that... cheers :)
Complete scanning result of "modk32.dll", received in VirusTotal at 03.19.2007, 22:36:46 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.3.20.0 03.19.2007 no virus found
AntiVir 7.3.1.43 03.19.2007 no virus found
Authentium 4.93.8 03.17.2007 no virus found
Avast 4.7.936.0 03.19.2007 no virus found
AVG 7.5.0.447 03.19.2007 no virus found
BitDefender 7.2 03.19.2007 no virus found
CAT-QuickHeal 9.00 03.15.2007 no virus found
ClamAV devel-20070312 03.19.2007 no virus found
DrWeb 4.33 03.19.2007 no virus found
eSafe 7.0.14.0 03.19.2007 no virus found
eTrust-Vet 30.6.3491 03.19.2007 no virus found
Ewido 4.0 03.19.2007 no virus found
FileAdvisor 1 03.19.2007 no virus found
Fortinet 2.85.0.0 03.19.2007 suspicious
F-Prot 4.3.1.45 03.17.2007 no virus found
F-Secure 6.70.13030.0 03.19.2007 no virus found
Ikarus T3.1.1.3 03.19.2007 no virus found
Kaspersky 4.0.2.24 03.19.2007 no virus found
McAfee 4987 03.19.2007 no virus found
Microsoft 1.2306 03.19.2007 no virus found
NOD32v2 2127 03.19.2007 no virus found
Norman 5.80.02 03.19.2007 no virus found
Panda 9.0.0.4 03.19.2007 Suspicious file
Prevx1 V2 03.19.2007 Polynomial.Code.Exploit
Sophos 4.15.0 03.13.2007 no virus found
Sunbelt 2.2.907.0 03.16.2007 VIPRE.Suspicious
Symantec 10 03.19.2007 no virus found
TheHacker 6.1.6.077 03.19.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.2 03.19.2007 no virus found
VirusBuster 4.3.7:9 03.19.2007 Packed/Upack

Additional Information
File size: 19820 bytes
MD5: 2596535704eb6b24c73ab58ee52ddc37
SHA1: 07b0443032889bad39df0aa200abe0635b264f53
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=5cce83460524
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

Hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 2:41:48 PM, on 3/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\orclobi\ebi\CheckDefrag.exe
C:\WINDOWS\orclobi\ebi\cischd.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\sgpatel\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy.us.oracle.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *us.oracle.com; files.oracle.com; oab.uk.oracle.com; *oraclecorp.com; *oracleleads.com; *oracle.com; *oracleportal.com;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://ebizsrv.us.oracle.com"); (C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\default\dn7w2w2z.slt\prefs.js)
O2 - BHO: (no name) - {782b81d5-cacb-4630-9ae6-ce6349bca6b9} - C:\WINDOWS\system32\modk32.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM\..\Run: [CheckDefrag] c:\windows\orclobi\ebi\CheckDefrag.exe
O4 - HKLM\..\Run: [Cischd] C:\WINDOWS\orclobi\ebi\cischd.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Secure Global Desktop Client, 4.2 - http://ebiztta.oraclecorp.com/tarantell ... taF-du.cab
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/re ... nsload.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/i ... rstart.cab
O16 - DPF: {30355844-0000-0010-8000-00AA00389B71} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {32248CB1-0D1E-4889-AEA3-1A2DA540A380} (Siebel CSSAxCatalogNavigator Class) - http://sdchs20n518.corp.siebel.com/CALL ... igator.cab
O16 - DPF: {3D5E05C4-41B2-4EB5-A5EB-970EBD646B98} (ASEActiveXCtrl Class) - http://le2041.oracleads.com/OA_HTML/dow ... dddase.exe
O16 - DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} (Siebel High Interactivity Framework) - http://sdchs22n110.corp.siebel.com/call ... Client.cab
O16 - DPF: {A07F0AC9-D8AD-449A-BE90-668F5263B261} (Siebel High Interactivity Framework) - http://sdchs20n518.corp.siebel.com/CALL ... Client.cab
O16 - DPF: {AD8A3C8A-ABC8-4BAA-B176-0473BF553930} (Siebel Product Selection) - http://sdchs20n518.corp.siebel.com/CALL ... ection.cab
O16 - DPF: {BFE65CD6-B930-4BD0-BEC1-00E947B2A373} (CSSAxConfigurator Class) - http://sdchs22n110.corp.siebel.com/call ... urator.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - http://adsweb.oracleads.com/download/jinit13121.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A1A481-0DC3-4299-BED3-4ABD619A6BEC}: Domain = us.oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0489001-EB94-433F-AE81-B92A337E243E}: Domain = us.oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = us.oracle.com,oracle.com,oraclecorp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = us.oracle.com,oracle.com,oraclecorp.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = us.oracle.com,oracle.com,oraclecorp.com
O20 - Winlogon Notify: kswuag - kswuag.dll (file missing)
O20 - Winlogon Notify: modk32 - C:\WINDOWS\SYSTEM32\modk32.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)
sgpatel
Regular Member
 
Posts: 19
Joined: March 16th, 2007, 2:55 pm

Unread postby John B. » March 20th, 2007, 2:27 pm

Hi,

Hmm, let's see if this works :)

Please copy the fix to Notepad/Word, or print it, because you won't always have internet access!

You aren't running firewall software. Please download and install one first!

Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. For an article on firewalls and a listing of some available ones, see the link below:
Computer Safety On line - Software Firewalls
I use ZoneAlarm Free Edition (which is free for personal use) but everybody likes something different!

Once you have done this, we can begin with the fix.

Step 1: Remove bad HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: (no name) - {782b81d5-cacb-4630-9ae6-ce6349bca6b9} - C:\WINDOWS\system32\modk32.dll

    O20 - Winlogon Notify: kswuag - kswuag.dll (file missing)
    O20 - Winlogon Notify: modk32 - C:\WINDOWS\SYSTEM32\modk32.dll

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
Step 2: Configure AVG Anti-Spyware
Please do this to make sure AVG Anti-Spyware is configured right.
  • Open AVG Anti-Spyware
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
IMPORTANT! Do not scan yet with AVG Anti-Spyware! We will do this later.

Step 3: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Step 4: Boot into Safe Mode
Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Step 5: Search and delete file
We need to do a search now.
  • Start
  • Search
  • For Files and Folders
  • Expand Search Options, check Advanced Options, check Search system folders, Search hidden files and folders, and Search Subfolders.
  • Paste this into the Search for files and folders named box:

    kswuag.dll
If the file is found please delete it.

Step 6: Run AVG Anti-Spyware
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Step 7: Reboot
Your computer will automatically switch to normal mode.

Step 8: Update Adobe Reader
It looks like your version of Adobe Reader is out of date and you're vulnerable to infections.
Please download the newest version here:
http://www.adobe.com/uk/products/reader/

Install it, then go to Add Remove Programs and remove any older versions that may remain.

Step 9: Update Java
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java(TM) SE Runtime Environment 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
Step 10: Post logs
Please post the following logs:
  • AVG AS log
  • Fresh HJT log
  • Tell me if you're still having problems/questions

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Unread postby sgpatel » March 22nd, 2007, 2:43 pm

John,
Sorry for the delay, but I have followed the steps you mentioned except installing the firewall, as my work does not allow us to install firewalls ourselves. I will be talking to the admin about that. Here are the fresh AVG and HijackThis logs. I noticed that even after fixing the modk32.dll file it still did not fix it. As for the kswuag.dll, I had gone to AVG when it had found it and told it to clean it, which made the file missing, and then in your last step HijackThis fixed it; I couldn't find the kswuag.dll in the search step, and it looks like AVG might have done it for me before I posted my first thread here.
Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 11:35:00 AM, on 3/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\orclobi\ebi\CheckDefrag.exe
C:\WINDOWS\orclobi\ebi\cischd.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\sgpatel\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.oracle.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *oracle.com;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://ebizsrv.us.oracle.com"); (C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\default\dn7w2w2z.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {782b81d5-cacb-4630-9ae6-ce6349bca6b9} - C:\WINDOWS\system32\modk32.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM\..\Run: [CheckDefrag] c:\windows\orclobi\ebi\CheckDefrag.exe
O4 - HKLM\..\Run: [Cischd] C:\WINDOWS\orclobi\ebi\cischd.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Secure Global Desktop Client, 4.2 - http://ebiztta.oraclecorp.com/tarantell ... taF-du.cab
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/re ... nsload.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/i ... rstart.cab
O16 - DPF: {30355844-0000-0010-8000-00AA00389B71} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {32248CB1-0D1E-4889-AEA3-1A2DA540A380} (Siebel CSSAxCatalogNavigator Class) - http://sdchs20n518.corp.siebel.com/CALL ... igator.cab
O16 - DPF: {3D5E05C4-41B2-4EB5-A5EB-970EBD646B98} (ASEActiveXCtrl Class) - http://le2041.oracleads.com/OA_HTML/dow ... dddase.exe
O16 - DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} (Siebel High Interactivity Framework) - http://sdchs22n110.corp.siebel.com/call ... Client.cab
O16 - DPF: {A07F0AC9-D8AD-449A-BE90-668F5263B261} (Siebel High Interactivity Framework) - http://sdchs20n518.corp.siebel.com/CALL ... Client.cab
O16 - DPF: {AD8A3C8A-ABC8-4BAA-B176-0473BF553930} (Siebel Product Selection) - http://sdchs20n518.corp.siebel.com/CALL ... ection.cab
O16 - DPF: {BFE65CD6-B930-4BD0-BEC1-00E947B2A373} (CSSAxConfigurator Class) - http://sdchs22n110.corp.siebel.com/call ... urator.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - http://adsweb.oracleads.com/download/jinit13121.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A1A481-0DC3-4299-BED3-4ABD619A6BEC}: Domain = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0489001-EB94-433F-AE81-B92A337E243E}: Domain = oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = oracle.com
O20 - Winlogon Notify: modk32 - C:\WINDOWS\SYSTEM32\modk32.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing) - Do I need to fix this? It shows the file is missing. What does this exe do?

AVG Scan:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:11:02 AM 3/22/2007

+ Scan result:



:mozilla.48:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.52:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.53:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.54:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.55:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.56:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.57:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.19:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.32:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.33:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.34:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.35:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.51:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.13:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.14:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.15:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.16:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.70:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.71:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.80:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.81:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.82:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.83:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.84:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.85:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.86:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.36:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.


::Report end

Thanks,
Sachin
sgpatel
Regular Member
 
Posts: 19
Joined: March 16th, 2007, 2:55 pm

Unread postby John B. » March 23rd, 2007, 6:02 pm

Hi,

Let's see if the infection is targeted by this tool :)

Download and Run HaxFix
Download haxfix.exe and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)

Please post haxlog.txt together with a fresh HijackThis log.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Unread postby sgpatel » March 27th, 2007, 4:16 pm

John,
I ran the HaxFix tool and the modk32.dll is still present, as well as the Drivecleaner installer. Here are the fresh logs:
HAXFIX logfile - by Marckie

version 4.39
Tue 03/27/2007 13:10:12.73

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
matching notify keys found
modk

checking for matching services
matching services found
CmBatt

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---


checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected

Hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 1:12:20 PM, on 3/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\orclobi\ebi\CheckDefrag.exe
C:\WINDOWS\orclobi\ebi\cischd.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Oracle\Messenger\OracleMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Oracle\RTC Client\3.0.1.421\en\cnsconf.exe
C:\Documents and Settings\sgpatel\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.oracle.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *oracle.com;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://ebizsrv.us.oracle.com"); (C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\default\dn7w2w2z.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {782b81d5-cacb-4630-9ae6-ce6349bca6b9} - C:\WINDOWS\system32\modk32.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM\..\Run: [CheckDefrag] c:\windows\orclobi\ebi\CheckDefrag.exe
O4 - HKLM\..\Run: [Cischd] C:\WINDOWS\orclobi\ebi\cischd.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\jkjjjh.dll",setvm
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Secure Global Desktop Client, 4.2 - http://ebiztta.oraclecorp.com/tarantell ... taF-du.cab
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/re ... nsload.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/i ... rstart.cab
O16 - DPF: {30355844-0000-0010-8000-00AA00389B71} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {32248CB1-0D1E-4889-AEA3-1A2DA540A380} (Siebel CSSAxCatalogNavigator Class) - http://sdchs20n518.corp.siebel.com/CALL ... igator.cab
O16 - DPF: {3D5E05C4-41B2-4EB5-A5EB-970EBD646B98} (ASEActiveXCtrl Class) - http://le2041.oracleads.com/OA_HTML/dow ... dddase.exe
O16 - DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} (Siebel High Interactivity Framework) - http://sdchs22n110.corp.siebel.com/call ... Client.cab
O16 - DPF: {A07F0AC9-D8AD-449A-BE90-668F5263B261} (Siebel High Interactivity Framework) - http://sdchs20n518.corp.siebel.com/CALL ... Client.cab
O16 - DPF: {AD8A3C8A-ABC8-4BAA-B176-0473BF553930} (Siebel Product Selection) - http://sdchs20n518.corp.siebel.com/CALL ... ection.cab
O16 - DPF: {BFE65CD6-B930-4BD0-BEC1-00E947B2A373} (CSSAxConfigurator Class) - http://sdchs22n110.corp.siebel.com/call ... urator.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - http://adsweb.oracleads.com/download/jinit13121.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A1A481-0DC3-4299-BED3-4ABD619A6BEC}: Domain = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0489001-EB94-433F-AE81-B92A337E243E}: Domain = oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = oracle.com
O20 - Winlogon Notify: modk32 - C:\WINDOWS\SYSTEM32\modk32.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)


Finished!
sgpatel
Regular Member
 
Posts: 19
Joined: March 16th, 2007, 2:55 pm

Unread postby John B. » March 29th, 2007, 9:31 am

Hi,

It's good that modk32 is still there because I only told you to scan with HaxFix to see if it targets it. It does :)

Step 1: Run HaxFix
  • Open this folder program files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
  • Close all other open windows since this step requires a reboot
  • Select option 2. Run auto fix by typing 2 and then pressing Enter
If an infection is found, you'll get a message to close all other open windows.
  • Close all open windows except the red dos window from haxfix and then press Enter
  • The computer will reboot
  • After reboot a logfile will open > (c:\haxfix.txt)
  • Close the window
Step 2: Remove bad HijackThis entry
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/i ... rstart.cab
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

Now do another HJT scan and post the log together with C:\haxfix.txt

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands
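To show how a helper reads the HijackThis lines in this thread, here is an added Python example (not a tool from this thread, nor from the HijackThis or HaxFix authors) that flags O20 Winlogon Notify DLLs outside a constructed known-vendor list, O4 Run entries that load a DLL from the Windows root through rundll32, and unnamed O2 BHOs, and then cross-references DLLs hooked in more than one place (modk32.dll appears as both a BHO and a Notify DLL). The sample lines are copied from the logs above; the allowlist and the C:\WINDOWS root are assumptions.

```python
"""Triage helper for HijackThis 1.99 log lines (added example)."""
import ntpath
import re
from dataclasses import dataclass

# Constructed allowlist: Winlogon Notify DLLs in this thread's logs that
# belong to known vendors (Symantec, WGA). Anything else gets flagged.
KNOWN_NOTIFY = {"navlogon.dll", "pcanotify.dll", "wgalogon.dll"}
# Assumed system root; the logs above show C:\WINDOWS.
WINDOWS_ROOT = r"c:\windows"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
# rundll32.exe "C:\path\x.dll",export   (quotes optional)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)

# Sample lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {782b81d5-cacb-4630-9ae6-ce6349bca6b9} - C:\WINDOWS\system32\modk32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\jkjjjh.dll",setvm
O20 - Winlogon Notify: modk32 - C:\WINDOWS\SYSTEM32\modk32.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""


@dataclass
class Finding:
    section: str
    reason: str
    path: str


def parse(line):
    """Return (section, regex match) for O2/O4/O20 lines, else None."""
    line = line.strip()
    for section, rx in (("O2", O2_RE), ("O4", O4_RE), ("O20", O20_RE)):
        m = rx.match(line)
        if m:
            return section, m
    return None


def dll_of(section, m):
    """DLL path referenced by a parsed entry, or None (e.g. O4 without rundll32)."""
    if section == "O4":
        r = RUNDLL_RE.search(m.group("cmd"))
        return r.group("dll") if r else None
    return m.group("path")


def triage(lines):
    """Flag the entry types the helper in this thread acts on."""
    findings = []
    for line in lines:
        parsed = parse(line)
        if not parsed:
            continue
        section, m = parsed
        dll = dll_of(section, m)
        if section == "O20" and ntpath.basename(dll).lower() not in KNOWN_NOTIFY:
            findings.append(Finding("O20", "Winlogon Notify DLL not on the known-vendor list", dll))
        elif section == "O4" and dll and ntpath.dirname(dll).lower() == WINDOWS_ROOT:
            findings.append(Finding("O4", f"rundll32 loads a DLL from the Windows root (export {RUNDLL_RE.search(m.group('cmd')).group('export')})", dll))
        elif section == "O2" and m.group("name") == "(no name)":
            findings.append(Finding("O2", "BHO registered without a name", dll))
    return findings


def correlate(lines):
    """Map DLL basename -> sections, for DLLs hooked in more than one place."""
    seen = {}
    for line in lines:
        parsed = parse(line)
        if parsed and (dll := dll_of(*parsed)):
            seen.setdefault(ntpath.basename(dll).lower(), set()).add(parsed[0])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.section}: {f.reason}: {f.path}")
    print(correlate(SAMPLE_LOG.splitlines()))
```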