Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Virus: RUNDLL Error Loading w3a6af63.dll Please help!


  • Please log in to reply

#1
cb1511

cb1511

    New Member

  • Member
  • Pip
  • 8 posts
Hello, I have read the required material before posting my logs. Can someone please help!!!

Here is a hijackthis log and a combofix log. Thanks!!!

Logfile of HijackThis v1.99.1
Scan saved at 9:31:04 PM, on 11/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Candice\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SysTray] c:\Program Files\ofyqps.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [wpc59bb0] RUNDLL32.EXE w3a6af63.dll,n 00659baa000000123a6af63
O4 - HKLM\..\Run: [ms05405795-1801] C:\WINDOWS\ms05405795-1801.exe
O4 - HKLM\..\Run: [win3208795-1801405] C:\WINDOWS\win3208795-1801405.exe
O4 - HKLM\..\Run: [ms0605795-18014] C:\WINDOWS\ms0605795-18014.exe
O4 - HKLM\..\Run: [qykcscn.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\qykcscn.dll,ztrtgce
O4 - HKLM\..\Run: [sys0301405795-18] C:\WINDOWS\sys0301405795-18.exe
O4 - HKLM\..\Run: [sys011801405795-] C:\WINDOWS\sys011801405795-.exe
O4 - HKLM\..\Run: [win320995-18014057] C:\WINDOWS\win320995-18014057.exe
O4 - HKLM\..\Run: [ms041405795-180] C:\WINDOWS\ms041405795-180.exe
O4 - HKLM\..\Run: [sys02801405795-1] C:\WINDOWS\sys02801405795-1.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Candice\APPLIC~1\RACLE~1\spool32.exe" -vt yazb
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia....tupv2.0.0.9.cab?
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O21 - SSODL: eCDRPOXQ - {94A0BA9E-3E0A-1034-93E2-519C93E66021} - C:\WINDOWS\System32\jz.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\leqqwqr.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINDOWS\System32\RpcSs.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\System32\tcpip.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\winsock\csrss.exe (file missing)



Candice - 06-11-01 22:51:23.07 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Candice\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\Documents\Settings

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Candice\Application Data\RACLE~1
C:\QooBox\Purity\Documents and Settings\Candice\Application Data\RACLE~1\?racle


((((((((((((((((((((((((((((((( Files Created from 2006-10-01 to 2006-11-01 ))))))))))))))))))))))))))))))))))


2006-11-01 17:51 110,612 --a------ C:\WINDOWS\SYSTEM32\ptdgbcud.exe
2006-11-01 17:22 60,436 --a------ C:\WINDOWS\SYSTEM32\cmlduwwd.dll
2006-11-01 17:22 596,475 ---hs---- C:\WINDOWS\SYSTEM32\ijiii.bak2
2006-10-29 23:42 606,222 ---hs---- C:\WINDOWS\SYSTEM32\ijiii.ini2
2006-10-29 23:25 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-10-26 09:09 98,324 --a------ C:\WINDOWS\SYSTEM32\xfqqxrlv.dll
2006-10-25 20:36 160,768 --a------ C:\WINDOWS\SYSTEM32\leqqwqr.dll
2006-10-25 20:34 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
2006-10-25 20:26 605,583 ---hs---- C:\WINDOWS\SYSTEM32\ijiii.bak1
2006-10-25 20:25 688,180 ---hs---- C:\WINDOWS\SYSTEM32\iiiji.dll
2006-10-25 19:08 973 --a------ C:\WINDOWS\SYSTEM32\winpfg32.sys
2006-10-25 18:55 94,720 --a------ C:\WINDOWS\SYSTEM32\qykcscn.dll
2006-10-25 18:55 72,704 --a------ C:\WINDOWS\SYSTEM32\nkejwol.dll
2006-10-25 18:54 26,624 --a------ C:\WINDOWS\SYSTEM32\rpcc.dll
2006-10-25 18:54 122,900 --a------ C:\WINDOWS\SYSTEM32\eauhldco.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-11-01 18:55 47610 --a------ C:\Documents and Settings\Candice\Application Data\wklnhst.dat
2006-10-30 01:10 -------- d-------- C:\Program Files\Common Files
2006-10-30 01:04 6335 --ahs---- C:\Documents and Settings\Candice\Application Data\8D32DF8BD3B84783A0C5FE37E2FC8659.sta
2006-10-30 01:04 17332 --ahs---- C:\Documents and Settings\Candice\Application Data\8D32DF8BD3B84783A0C5FE37E2FC8659.rul
2006-10-30 00:46 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-10-30 00:46 -------- d-------- C:\Program Files\ComPlus Applications
2006-10-29 23:24 -------- d-------- C:\Program Files\Grisoft
2006-10-27 16:28 -------- d-------- C:\Program Files\MSN
2006-10-26 09:16 -------- d-------- C:\Program Files\ewido anti-malware
2006-10-26 09:11 -------- d---s---- C:\Documents and Settings\Candice\Application Data\Microsoft
2006-10-26 09:11 -------- d-------- C:\Documents and Settings\Candice\Application Data\SearchToolbarCorp
2006-10-25 20:20 -------- d--h----- C:\Program Files\BHO Plugin
2006-10-14 15:16 -------- d-------- C:\Program Files\TotalExcelConverter
2006-10-14 15:16 -------- d-------- C:\Documents and Settings\Candice\Application Data\Softplicity
2006-10-10 12:23 -------- d-------- C:\Program Files\iTunes
2006-10-10 12:23 -------- d-------- C:\Program Files\iPod
2006-10-10 12:22 -------- d-------- C:\Program Files\QuickTime
2006-10-10 12:21 -------- d-------- C:\Program Files\Apple Software Update
2006-08-24 13:31 4700 --a------ C:\Documents and Settings\Candice\Application Data\ViewerApp.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Sonic RecordNow!"=""
"Yahoo! Pager"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\ypager.exe -quiet"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"Aida"="\"C:\\DOCUME~1\\Candice\\APPLIC~1\\RACLE~1\\spool32.exe\" -vt yazb"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"SysTray"="c:\\Program Files\\ofyqps.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"wpc59bb0"="RUNDLL32.EXE w3a6af63.dll,n 00659baa000000123a6af63"
"ms05405795-1801"="C:\\WINDOWS\\ms05405795-1801.exe"
"win3208795-1801405"="C:\\WINDOWS\\win3208795-1801405.exe"
"ms0605795-18014"="C:\\WINDOWS\\ms0605795-18014.exe"
"qykcscn.dll"="C:\\WINDOWS\\System32\\rundll32.exe C:\\WINDOWS\\System32\\qykcscn.dll,ztrtgce"
"sys0301405795-18"="C:\\WINDOWS\\sys0301405795-18.exe"
"sys011801405795-"="C:\\WINDOWS\\sys011801405795-.exe"
"win320995-18014057"="C:\\WINDOWS\\win320995-18014057.exe"
"ms041405795-180"="C:\\WINDOWS\\ms041405795-180.exe"
"sys02801405795-1"="C:\\WINDOWS\\sys02801405795-1.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\ComPlus Applications\\kyze.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\MSN Gaming Zone\\howyvy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,d4,01,00,00,00,00,00,00,2c,02,00,00,de,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"="DCOM Server"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{C6E00DDA-FEAF-4D28-ADC4-055240E8F907}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"DCOM Server"="{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"
"eCDRPOXQ"="{94A0BA9E-3E0A-1034-93E2-519C93E66021}"
"DCOM Server 2236"="{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebawwx
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiiji
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xdudtt

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\xdudmm.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\xdudtt.sys

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 06-11-01 22:52:04.53
C:\ComboFix.txt ... 06-11-01 22:52
C:\ComboFix2.txt ... 06-10-30 01:13
C:\ComboFixu.txt ... 06-10-30 01:21
  • 0

Advertisements


#2
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

This will take a few steps

Right click Hijackthis.exe and rename it to HJT.exe and post a new hijack log and we can begin the cleanup. Also do the below

Download haxfix.exe
and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
  • Copy the contents of that logfile and paste it into this thread.

Edited by loophole, 05 November 2006 - 11:28 PM.

  • 0

#3
cb1511

cb1511

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks, Loopole!

I renamed hijackthis and created a new log file. The haxlog is also attached.

Logfile of HijackThis v1.99.1
Scan saved at 11:05:38 AM, on 11/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Candice\Desktop\hijackthis\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {3F508AB1-6BBA-C983-6D11-032A0C7AF158} - C:\WINDOWS\System32\nkejwol.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {731452E0-7D32-48AE-ACF4-948B3A175C7F} - C:\WINDOWS\System32\iiiji.dll
O2 - BHO: (no name) - {7DC93A7F-FA15-423A-A238-EF44FBB711AE} - C:\Program Files\MSN\horelo.dll (file missing)
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\System32\eauhldco.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll (file missing)
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll (file missing)
O2 - BHO: IEFW Object - {B5141620-C2B2-4D95-9F0F-134D99C87AB0} - C:\Program Files\WinAntiVirus Pro 2006\IEFWBHO.dll (file missing)
O2 - BHO: (no name) - {C6E00DDA-FEAF-4D28-ADC4-055240E8F907} - C:\WINDOWS\system32\gebawwx.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\System32\cmlduwwd.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SysTray] c:\Program Files\ofyqps.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [wpc59bb0] RUNDLL32.EXE w3a6af63.dll,n 00659baa000000123a6af63
O4 - HKLM\..\Run: [ms05405795-1801] C:\WINDOWS\ms05405795-1801.exe
O4 - HKLM\..\Run: [win3208795-1801405] C:\WINDOWS\win3208795-1801405.exe
O4 - HKLM\..\Run: [ms0605795-18014] C:\WINDOWS\ms0605795-18014.exe
O4 - HKLM\..\Run: [qykcscn.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\qykcscn.dll,ztrtgce
O4 - HKLM\..\Run: [sys0301405795-18] C:\WINDOWS\sys0301405795-18.exe
O4 - HKLM\..\Run: [sys011801405795-] C:\WINDOWS\sys011801405795-.exe
O4 - HKLM\..\Run: [win320995-18014057] C:\WINDOWS\win320995-18014057.exe
O4 - HKLM\..\Run: [ms041405795-180] C:\WINDOWS\ms041405795-180.exe
O4 - HKLM\..\Run: [sys02801405795-1] C:\WINDOWS\sys02801405795-1.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Candice\APPLIC~1\RACLE~1\spool32.exe" -vt yazb
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia....tupv2.0.0.9.cab?
O20 - Winlogon Notify: gebawwx - gebawwx.dll (file missing)
O20 - Winlogon Notify: iiiji - C:\WINDOWS\System32\iiiji.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O20 - Winlogon Notify: xdudtt - xdudtt.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O21 - SSODL: eCDRPOXQ - {94A0BA9E-3E0A-1034-93E2-519C93E66021} - C:\WINDOWS\System32\jz.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\leqqwqr.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINDOWS\System32\RpcSs.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\System32\tcpip.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\winsock\csrss.exe (file missing)


HAXFIX logfile - by Marckie
______________
version 4.28
Mon 11/06/2006 11:08:29.73

checking for haxdoor
--------------------
checking for a3d files....
a3d files found
ps.a3d

checking for matching notify keys....
matching notify keys found
xdud

checking for matching services....
matching services found
CmBatt
xdudtt
xdudmm

checking for matching safeboot services....
matching safeboot services found
xdudtt.sys
xdudmm.sys

checking for other haxdoorfiles....


Checking for goldun
-------------------

checking for SSODL keys....
no ssodl keys found

checking for notify keys....
no notify keys found

checking for services....
no services found

checking for other goldunfiles....


Finished
  • 0

#4
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi there

Option 2 haxfix autofix
  • Open this folder program files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
  • Close all other open windows since this step requires a reboot
  • Select option 2. Run auto fix by typing 2 and then pressing Enter
If an infection is found, you'll get a message to close all other open windows.
  • Close all open windows except the red dos window from haxfix and then press Enter
  • The computer will reboot
  • After reboot a logfile will open > (c:\haxfix.txt)
  • Post the contents of that logfile in your next post.
Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
we will use it in a bit

New combofix log
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Edited by loophole, 06 November 2006 - 03:50 PM.

  • 0

#5
cb1511

cb1511

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi again, Loophole. Thanks for all your help! Here is what you requested...


HAXFIX logfile - by Marckie
--------------
version 4.28
Mon 11/06/2006 17:03:25.63

--- Auto Haxdoorfix ---


searching for files:


searching for services....
service xdudtt found
[SWSC] DeleteService SUCCESS
service xdudmm found
[SWSC] DeleteService SUCCESS


--- Goldunfix ---


searching for files:

searching for SSODLkeys:
no SSODLkeys found

searching for notifykeys:
no notifykeys found

searching for services:
no services found


.....rebooting the computer.....


searching for ssodlkeys

not needed


searching for notifykeys

notifykey xdudtt not found


searching for services

service xdudtt not found
service xdudmm not found


searching for safeboot services

safeboot service xdudtt.sys not found
safeboot service xdudmm.sys not found


searching for files

xdudTT.dll exists
deleting xdudTT.dll
xdudTT.dll has been deleted

xdudtt.sys exists
deleting xdudtt.sys
xdudtt.sys has been deleted

xdudmm.sys exists
deleting xdudmm.sys
xdudmm.sys has been deleted


checking for other files

sd.dll exists
deleting sd.dll
sd.dll has been deleted

f87ux.ini exists
deleting f87ux.ini
f87ux.ini has been deleted

ojhaaasdd.dat exists
deleting ojhaaasdd.dat
ojhaaasdd.dat has been deleted


checking for a3d files

ps.a3d
deleting a3d files
a3d files are deleted


Finished



Candice - 06-11-06 17:08:21.23 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Candice\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-06 to 2006-11-06 ))))))))))))))))))))))))))))))))))


2006-11-06 11:08 90,112 --a------ C:\WINDOWS\SYSTEM32\RegDACL.exe
2006-11-06 11:08 7,483 --a------ C:\clean.bat
2006-11-06 11:08 40,960 --a------ C:\WINDOWS\SYSTEM32\swsc.exe
2006-11-06 11:08 4,096 --a------ C:\WINDOWS\SYSTEM32\reboot.exe
2006-11-06 11:08 38,400 --a------ C:\WINDOWS\SYSTEM32\moveex.exe
2006-11-01 17:22 60,436 --a------ C:\WINDOWS\SYSTEM32\cmlduwwd.dll
2006-11-01 17:22 596,475 ---hs---- C:\WINDOWS\SYSTEM32\ijiii.bak2
2006-10-29 23:42 606,260 ---hs---- C:\WINDOWS\SYSTEM32\ijiii.ini2
2006-10-29 23:25 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-10-26 09:09 98,324 --a------ C:\WINDOWS\SYSTEM32\xfqqxrlv.dll
2006-10-25 20:36 160,768 --a------ C:\WINDOWS\SYSTEM32\leqqwqr.dll
2006-10-25 20:34 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
2006-10-25 20:26 605,583 ---hs---- C:\WINDOWS\SYSTEM32\ijiii.bak1
2006-10-25 20:25 688,180 ---hs---- C:\WINDOWS\SYSTEM32\iiiji.dll
2006-10-25 19:08 973 --a------ C:\WINDOWS\SYSTEM32\winpfg32.sys
2006-10-25 18:55 94,720 --a------ C:\WINDOWS\SYSTEM32\qykcscn.dll
2006-10-25 18:55 72,704 --a------ C:\WINDOWS\SYSTEM32\nkejwol.dll
2006-10-25 18:54 26,624 --a------ C:\WINDOWS\SYSTEM32\rpcc.dll
2006-10-25 18:54 122,900 --a------ C:\WINDOWS\SYSTEM32\eauhldco.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-11-06 17:04 -------- d-------- C:\Program Files\HaxFix
2006-11-02 09:49 47610 --a------ C:\Documents and Settings\Candice\Application Data\wklnhst.dat
2006-10-30 01:10 -------- d-------- C:\Program Files\Common Files
2006-10-30 01:04 6335 --ahs---- C:\Documents and Settings\Candice\Application Data\8D32DF8BD3B84783A0C5FE37E2FC8659.sta
2006-10-30 01:04 17332 --ahs---- C:\Documents and Settings\Candice\Application Data\8D32DF8BD3B84783A0C5FE37E2FC8659.rul
2006-10-30 00:46 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-10-30 00:46 -------- d-------- C:\Program Files\ComPlus Applications
2006-10-29 23:24 -------- d-------- C:\Program Files\Grisoft
2006-10-27 16:28 -------- d-------- C:\Program Files\MSN
2006-10-26 09:16 -------- d-------- C:\Program Files\ewido anti-malware
2006-10-26 09:11 -------- d---s---- C:\Documents and Settings\Candice\Application Data\Microsoft
2006-10-26 09:11 -------- d-------- C:\Documents and Settings\Candice\Application Data\SearchToolbarCorp
2006-10-25 20:20 -------- d--h----- C:\Program Files\BHO Plugin
2006-10-14 15:16 -------- d-------- C:\Program Files\TotalExcelConverter
2006-10-14 15:16 -------- d-------- C:\Documents and Settings\Candice\Application Data\Softplicity
2006-10-10 12:23 -------- d-------- C:\Program Files\iTunes
2006-10-10 12:23 -------- d-------- C:\Program Files\iPod
2006-10-10 12:22 -------- d-------- C:\Program Files\QuickTime
2006-10-10 12:21 -------- d-------- C:\Program Files\Apple Software Update
2006-08-24 13:31 4700 --a------ C:\Documents and Settings\Candice\Application Data\ViewerApp.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Sonic RecordNow!"=""
"Yahoo! Pager"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\ypager.exe -quiet"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"Aida"="\"C:\\DOCUME~1\\Candice\\APPLIC~1\\RACLE~1\\spool32.exe\" -vt yazb"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"SysTray"="c:\\Program Files\\ofyqps.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"wpc59bb0"="RUNDLL32.EXE w3a6af63.dll,n 00659baa000000123a6af63"
"ms05405795-1801"="C:\\WINDOWS\\ms05405795-1801.exe"
"win3208795-1801405"="C:\\WINDOWS\\win3208795-1801405.exe"
"ms0605795-18014"="C:\\WINDOWS\\ms0605795-18014.exe"
"qykcscn.dll"="C:\\WINDOWS\\System32\\rundll32.exe C:\\WINDOWS\\System32\\qykcscn.dll,ztrtgce"
"sys0301405795-18"="C:\\WINDOWS\\sys0301405795-18.exe"
"sys011801405795-"="C:\\WINDOWS\\sys011801405795-.exe"
"win320995-18014057"="C:\\WINDOWS\\win320995-18014057.exe"
"ms041405795-180"="C:\\WINDOWS\\ms041405795-180.exe"
"sys02801405795-1"="C:\\WINDOWS\\sys02801405795-1.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\ComPlus Applications\\kyze.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\MSN Gaming Zone\\howyvy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,d4,01,00,00,00,00,00,00,2c,02,00,00,de,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"="DCOM Server"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{C6E00DDA-FEAF-4D28-ADC4-055240E8F907}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"DCOM Server"="{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"
"eCDRPOXQ"="{94A0BA9E-3E0A-1034-93E2-519C93E66021}"
"DCOM Server 2236"="{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebawwx
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiiji
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 06-11-06 17:09:10.87
C:\ComboFix.txt ... 06-11-06 17:09
C:\ComboFix11_1_06.txt ... 06-11-01 22:53
C:\ComboFix2.txt ... 06-11-01 22:52
C:\ComboFix3.txt ... 06-10-30 01:13
C:\ComboFixu.txt ... 06-10-30 01:21
  • 0

#6
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

click >>start>>control panel >>add/remove programs and uninstall the following if present:
BHO Plugin
Happytofind Toolbar



Please run a scan with HijackThis and check the following lines for removal:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: (no name) - {3F508AB1-6BBA-C983-6D11-032A0C7AF158} - C:\WINDOWS\System32\nkejwol.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {731452E0-7D32-48AE-ACF4-948B3A175C7F} - C:\WINDOWS\System32\iiiji.dll
O2 - BHO: (no name) - {7DC93A7F-FA15-423A-A238-EF44FBB711AE} - C:\Program Files\MSN\horelo.dll (file missing)
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\System32\eauhldco.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll (file missing)
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll (file missing)
O2 - BHO: IEFW Object - {B5141620-C2B2-4D95-9F0F-134D99C87AB0} - C:\Program Files\WinAntiVirus Pro 2006\IEFWBHO.dll (file missing)
O2 - BHO: (no name) - {C6E00DDA-FEAF-4D28-ADC4-055240E8F907} - C:\WINDOWS\system32\gebawwx.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\System32\cmlduwwd.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SysTray] c:\Program Files\ofyqps.exe
O4 - HKLM\..\Run: [wpc59bb0] RUNDLL32.EXE w3a6af63.dll,n 00659baa000000123a6af63
O4 - HKLM\..\Run: [ms05405795-1801] C:\WINDOWS\ms05405795-1801.exe
O4 - HKLM\..\Run: [win3208795-1801405] C:\WINDOWS\win3208795-1801405.exe
O4 - HKLM\..\Run: [ms0605795-18014] C:\WINDOWS\ms0605795-18014.exe
O4 - HKLM\..\Run: [qykcscn.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\qykcscn.dll,ztrtgce
O4 - HKLM\..\Run: [sys0301405795-18] C:\WINDOWS\sys0301405795-18.exe
O4 - HKLM\..\Run: [sys011801405795-] C:\WINDOWS\sys011801405795-.exe
O4 - HKLM\..\Run: [win320995-18014057] C:\WINDOWS\win320995-18014057.exe
O4 - HKLM\..\Run: [ms041405795-180] C:\WINDOWS\ms041405795-180.exe
O4 - HKLM\..\Run: [sys02801405795-1] C:\WINDOWS\sys02801405795-1.exe
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O21 - SSODL: eCDRPOXQ - {94A0BA9E-3E0A-1034-93E2-519C93E66021} - C:\WINDOWS\System32\jz.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\leqqwqr.dll



Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.


Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
pe386
Files to delete:
C:\WINDOWS\SYSTEM32\cmlduwwd.dll
C:\WINDOWS\SYSTEM32\ijiii.bak2
C:\WINDOWS\SYSTEM32\ijiii.ini2
C:\WINDOWS\SYSTEM32\xfqqxrlv.dll
C:\WINDOWS\SYSTEM32\leqqwqr.dll
C:\WINDOWS\SYSTEM32\ijiii.bak1
C:\WINDOWS\SYSTEM32\iiiji.dll
C:\WINDOWS\SYSTEM32\winpfg32.sys
C:\WINDOWS\SYSTEM32\qykcscn.dll
C:\WINDOWS\SYSTEM32\nkejwol.dll
C:\WINDOWS\SYSTEM32\rpcc.dll
C:\WINDOWS\SYSTEM32\eauhldco.dll
Folders to delete:
C:\Documents and Settings\Candice\Application Data\SearchToolbarCorp
C:\Program Files\BHO Plugin
C:\Program Files\VSAdd-in
C:\Program Files\WinAntiVirus Pro 2006


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
  • 0

#7
cb1511

cb1511

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks for your quick reply and your help!! :whistling: Here is the Avenger log and new HJT log you asked for. I tried to run the add/remove programs, but it failed for the BHO plugin and the Happytofind Toolbar was not present as an add/remove option. Thanks again for your help...I hope we are making progress.


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wtmmvcxm

*******************

Script file located at: \??\C:\knyxblos.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver pe386 unloaded successfully.
File C:\WINDOWS\SYSTEM32\cmlduwwd.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\ijiii.bak2 deleted successfully.
File C:\WINDOWS\SYSTEM32\ijiii.ini2 deleted successfully.
File C:\WINDOWS\SYSTEM32\xfqqxrlv.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\leqqwqr.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\ijiii.bak1 deleted successfully.
File C:\WINDOWS\SYSTEM32\iiiji.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\winpfg32.sys deleted successfully.
File C:\WINDOWS\SYSTEM32\qykcscn.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\nkejwol.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\rpcc.dll deleted successfully.


File C:\WINDOWS\SYSTEM32\eauhldco.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\eauhldco.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\eauhldco.dll
Status: 0xc0000034

Folder C:\Documents and Settings\Candice\Application Data\SearchToolbarCorp deleted successfully.
Folder C:\Program Files\BHO Plugin deleted successfully.


Folder C:\Program Files\VSAdd-in not found!
Deletion of folder C:\Program Files\VSAdd-in failed!

Could not process line:
C:\Program Files\VSAdd-in
Status: 0xc0000034



Folder C:\Program Files\WinAntiVirus Pro 2006 not found!
Deletion of folder C:\Program Files\WinAntiVirus Pro 2006 failed!

Could not process line:
C:\Program Files\WinAntiVirus Pro 2006
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


Logfile of HijackThis v1.99.1
Scan saved at 7:55:19 PM, on 11/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Candice\Desktop\hijackthis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Candice\APPLIC~1\RACLE~1\spool32.exe" -vt yazb
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia....tupv2.0.0.9.cab?
O20 - Winlogon Notify: gebawwx - gebawwx.dll (file missing)
O20 - Winlogon Notify: iiiji - C:\WINDOWS\System32\iiiji.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll (file missing)
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINDOWS\System32\RpcSs.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\System32\tcpip.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\winsock\csrss.exe (file missing)
  • 0

#8
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

We are making lots of progress :whistling:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

  • 0

#9
cb1511

cb1511

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi, Loophole. Much thanks for all your responses today! :whistling: I do feel like we are making progress! Here is the SDFix report and the latest HJT log.


SDFix: Version 1.35
-------------------

Scan run on:
Mon 11/06/2006

Time:
10:31 PM


Microsoft Windows XP [Version 5.1.2600]

Running from: C:\Documents and Settings\Candice\Desktop\SDFix

Stage One...

Checking Services...

Name:
-----

MZU_RK
RpcSssvc
TCP and UDP Support
winsck

Path:
----

\??\C:\WINDOWS\System32\MZU_DRV.sys
C:\WINDOWS\System32\RpcSs.exe
C:\WINDOWS\System32\tcpip.exe /winnt
C:\WINDOWS\winsock\csrss.exe


MZU_RK Deleted...
RpcSssvc Deleted...
TCP and UDP Support Deleted...
winsck Deleted...

Repairing Registry...


Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two...

Checking For Malware:
--------------------

C:\WINDOWS\system32\mini3tone.ini

Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Files:
------


Any files removed are saved to the SDFix\backups Folder

FINISHED


Logfile of HijackThis v1.99.1
Scan saved at 10:37:29 PM, on 11/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Documents and Settings\Candice\Desktop\hijackthis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Candice\APPLIC~1\RACLE~1\spool32.exe" -vt yazb
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia....tupv2.0.0.9.cab?
O20 - Winlogon Notify: gebawwx - gebawwx.dll (file missing)
O20 - Winlogon Notify: iiiji - C:\WINDOWS\System32\iiiji.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll (file missing)
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#10
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

We are making alot of progress, just stick with it and we will be done soon :whistling:

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm
  • 0

Advertisements


#11
cb1511

cb1511

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi :whistling:

Here is the SmitFraudFix report:

SmitFraudFix v2.119

Scan done at 18:38:29.58, Tue 11/07/2006
Run from C:\Documents and Settings\Candice\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\.protected FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Candice


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Candice\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\Candice\STARTM~1\Programs\Startup\.protected FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Candice\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\ComPlus Applications\\kyze.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\MSN Gaming Zone\\howyvy.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"="DCOM Server"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Thanks again for your help, Loophole!
  • 0

#12
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Run Smitfraud Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Reboot

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

  • 0

#13
cb1511

cb1511

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi!

Here is the latest round of logs...a report from SmitFraud, an Activescan log, and a HJT log:

SmitFraudFix v2.119

Scan done at 23:13:26.62, Tue 11/07/2006
Run from C:\Documents and Settings\Candice\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"="DCOM Server"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\.protected Deleted
C:\DOCUME~1\Candice\STARTM~1\Programs\Startup\.protected Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"



»»»»»»»»»»»»»»»»»»»»»»»» End


Here is the ActiveScan Report:


Incident Status Location

Adware:adware/pacimedia Not disinfected C:\Documents and Settings\Candice\Desktop\Click to Find and Fix Errors.url
Spyware:spyware/media-motor Not disinfected Windows Registry
Adware:adware/mirar Not disinfected Windows Registry
Adware:adware/toolbarsimbar Not disinfected Windows Registry
Adware:Adware/BraveSentry Not disinfected C:\avenger\backup.zip[avenger/BHO Plugin/plugin1.dll]
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\avenger\backup.zip[avenger/cmlduwwd.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/iiiji.dll]
Spyware:Spyware/Virtumonde Not disinfected C:\avenger\backup.zip[avenger/xfqqxrlv.dll]
Possible Virus. Not disinfected C:\Documents and Settings\Candice\Desktop\hijackthis\backups\backup-20061106-194259-795.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Candice\Desktop\hijackthis\backups\backup-20061106-194300-929.dll
Possible Virus. Not disinfected C:\Documents and Settings\Candice\Desktop\hijackthis\backups\backup-20061106-194544-337.dll
Possible Virus. Not disinfected C:\Documents and Settings\Candice\Desktop\hijackthis\backups\backup-20061106-194709-905.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Candice\Desktop\SDFix\apps\Process.exe
Possible Virus. Not disinfected C:\Documents and Settings\Candice\Desktop\SDFix\apps\swsc.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Candice\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Possible Virus. Not disinfected C:\Documents and Settings\Candice\Desktop\SDFix.exe[SDFix\apps\swsc.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Candice\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Possible Virus. Not disinfected C:\Documents and Settings\Candice\Desktop\SmitfraudFix\SmitfraudFix\swsc.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Candice\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Possible Virus. Not disinfected C:\Documents and Settings\Candice\Desktop\SmitfraudFix.zip[SmitfraudFix/swsc.exe]
Possible Virus. Not disinfected C:\Program Files\HaxFix\swsc.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\Q2FuZGljZQ\kZIRt353tk.vbs
Virus:Trj/Amage.A Disinfected C:\WINDOWS\SYSTEM32\1D2.tmp
Virus:Trj/Amage.A Disinfected C:\WINDOWS\SYSTEM32\1D4.tmp
Virus:Trj/Amage.A Disinfected C:\WINDOWS\SYSTEM32\1D8.tmp
Possible Virus. Not disinfected C:\WINDOWS\SYSTEM32\9.tmp
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020201.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020203.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020207.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020211.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020215.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020220.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020231.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020240.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020243.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020248.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020251.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020256.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020300.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020303.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020307.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020312.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020316.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020330.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020335.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020339.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020343.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020346.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020351.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020355.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20061027-020358.backup
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe
Possible Virus. Not disinfected C:\WINDOWS\SYSTEM32\swsc.exe
Potentially unwanted tool:Application/Processor Not disinfected D:\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Possible Virus. Not disinfected D:\SmitfraudFix.zip[SmitfraudFix/swsc.exe]

Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:01:00 AM, on 11/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Documents and Settings\Candice\Desktop\hijackthis\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Candice\APPLIC~1\RACLE~1\spool32.exe" -vt yazb
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia....tupv2.0.0.9.cab?
O20 - Winlogon Notify: gebawwx - gebawwx.dll (file missing)
O20 - Winlogon Notify: iiiji - C:\WINDOWS\System32\iiiji.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll (file missing)
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks again! :whistling:
  • 0

#14
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

Please run a scan with HijackThis and check the following lines for removal:

O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Candice\APPLIC~1\RACLE~1\spool32.exe" -vt yazb
O9 - Extra button: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O20 - Winlogon Notify: gebawwx - gebawwx.dll (file missing)
O20 - Winlogon Notify: iiiji - C:\WINDOWS\System32\iiiji.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll (file missing)

O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Reboot

How is everything running

Edited by loophole, 10 November 2006 - 11:40 PM.

  • 0

#15
cb1511

cb1511

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks, loophole!! :blink:

Those entries were removed by Hijackthis.

At startup, things seem to be fairly slow, but after that, everything is running great! I guess the slow startup is due to the additional spyware protection that runs (avg, etc).

Thanks for all your help!!! You saved my computer :whistling:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP