I followed your steps. Haxfix reported that it did not find any infections. I went through the step to fix the O16 Drive cleaner entry and am posting the new HijackThis log. As you will notice, the modk32.dll is still present. Another piece of bad news is that last night, while doing some work, Internet Explorer got invoked while I wanted to view a PDF file and the pop-ups started again. I killed all the iexplore.exe processes as fast as I could, but I think I got infected again with a downloader.conhook and Trojan.Agen.av. I haven't taken any action as yet in Ewido and am also posting an AVG report for you to take a look at. Additionally, I got a Symantec AntiVirus realtime protection warning at the same time for a Downloader(lientnstaller15_02[1]) in the Temporary files, which it said it deleted. I am assuming it is the same downloader. Please advise, and I apologize for the trouble. I have also highlighted the new suspicious entries in the HijackThis log:
AVG Ewido report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:07:42 AM 3/29/2007
+ Scan result:
C:\WINDOWS\system32\jkkljjj.dll -> Downloader.ConHook : No action taken.
C:\WINDOWS\system32\rqrrono.dll -> Downloader.ConHook.ah : No action taken.
C:\WINDOWS\jkjjjh.dll -> Trojan.Agent.agv : No action taken.
::Report end
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 9:54:17 AM, on 3/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\orclobi\ebi\CheckDefrag.exe
C:\WINDOWS\orclobi\ebi\cischd.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Oracle\Messenger\OracleMessenger.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\sgpatel\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.oracle.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *oracle.com;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://ebizsrv.us.oracle.com"); (C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\default\dn7w2w2z.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {782b81d5-cacb-4630-9ae6-ce6349bca6b9} - C:\WINDOWS\system32\modk32.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM\..\Run: [CheckDefrag] c:\windows\orclobi\ebi\CheckDefrag.exe
O4 - HKLM\..\Run: [Cischd] C:\WINDOWS\orclobi\ebi\cischd.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\jkjjjh.dll",setvm
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Secure Global Desktop Client, 4.2 - http://ebiztta.oraclecorp.com/tarantell ... taF-du.cab
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/re ... nsload.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30355844-0000-0010-8000-00AA00389B71} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {32248CB1-0D1E-4889-AEA3-1A2DA540A380} (Siebel CSSAxCatalogNavigator Class) - http://sdchs20n518.corp.siebel.com/CALL ... igator.cab
O16 - DPF: {3D5E05C4-41B2-4EB5-A5EB-970EBD646B98} (ASEActiveXCtrl Class) - http://le2041.oracleads.com/OA_HTML/dow ... dddase.exe
O16 - DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} (Siebel High Interactivity Framework) - http://sdchs22n110.corp.siebel.com/call ... Client.cab
O16 - DPF: {A07F0AC9-D8AD-449A-BE90-668F5263B261} (Siebel High Interactivity Framework) - http://sdchs20n518.corp.siebel.com/CALL ... Client.cab
O16 - DPF: {AD8A3C8A-ABC8-4BAA-B176-0473BF553930} (Siebel Product Selection) - http://sdchs20n518.corp.siebel.com/CALL ... ection.cab
O16 - DPF: {BFE65CD6-B930-4BD0-BEC1-00E947B2A373} (CSSAxConfigurator Class) - http://sdchs22n110.corp.siebel.com/call ... urator.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - http://adsweb.oracleads.com/download/jinit13121.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A1A481-0DC3-4299-BED3-4ABD619A6BEC}: Domain = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0489001-EB94-433F-AE81-B92A337E243E}: Domain = oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = oracle.com
O20 - Winlogon Notify: modk32 - C:\WINDOWS\SYSTEM32\modk32.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)
Thanks,
Sachin