I read the tutorials previously and I've used Ad-Aware, SUPERAntiSpyware, Spybot Search & Destroy, ComboFix, VundoFix, SmitfraudFix, RegCleaner, and CCleaner. All of them removed adware, malware, the unwanted toolbar, the trojan downloader, and certain DLLs like urspp.dll from my machine, but when I tried to go back online, I got more of the same: the htepo.com links showing up, the windows, etc.
I found a new file called "cbxxyy.dll" and I recognized it as malware from a search, but I can't get rid of it, and there's a Winlogon key that points to this DLL as well as another one in my HJT log. I ran all the aforementioned programs again before I logged on here for good measure, but I have no idea what's going on or why this cbxxyy.dll file won't delete.
I'm at my wit's end here.
Here is my HJT log as well as my ComboFix, SmitfraudFix, and VundoFix logs.
Logfile of HijackThis v1.99.1
Scan saved at 5:24:21 PM, on 10/17/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\AOL\1182560263\ee\AOLSoftware.exe
C:\WINNT\system32\lxamsp32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\WINNT\explorer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINNT\system32\cbxyyaa.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1182560263\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1187426248224
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbxyyaa - C:\WINNT\SYSTEM32\cbxyyaa.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINNT\System32\dmgpi.exe
---------------------------------------------------
ComboFix 07-10-16.1 - user 10/17/2007 13:05:05.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.51 [GMT -7:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.
2007-10-17 13:05 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_258.dat
2007-10-16 17:34 106 --a------ C:\delete.bat
2007-10-16 17:19 <DIR> d-------- C:\Program Files\CCleaner
2007-10-16 11:48 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-15 17:53 <DIR> d-a------ C:\WINNT\system32\ActiveScan
2007-10-15 17:23 <DIR> d-------- C:\VundoFix Backups
2007-10-15 13:03 389,184 --a------ C:\WINNT\system32\vrifrcvs.exe
2007-10-14 14:58 <DIR> d-------- C:\Program Files\RegCleaner
2007-10-14 13:00 389,184 --a------ C:\WINNT\system32\bsctsyrn.exe
2007-10-13 13:26 35,840 --a------ C:\WINNT\tsitra77.exe
2007-10-13 13:25 34,304 --------- C:\WINNT\system32\cbxyyaa.dll
2007-09-24 22:46 <DIR> d-------- C:\Memorex Vault
2007-09-19 18:47 167,936 --a------ C:\WINNT\system32\minirec.exe
2007-09-19 18:44 23,600 --a------ C:\WINNT\system32\drivers\TVICHW32.SYS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-17 18:35 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-10-16 20:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-02 05:32 --------- d-----w C:\Program Files\BroadJump
2007-10-01 04:05 --------- d-----w C:\Program Files\Yahoo!
2007-09-30 03:47 --------- d-----w C:\Documents and Settings\user\Application Data\U3
2007-08-25 00:01 --------- d-----w C:\Documents and Settings\user\Application Data\AdobeUM
2007-08-24 23:59 --------- d-----w C:\Program Files\Common Files\Adobe
2007-08-18 17:53 --------- d-----w C:\Program Files\SpywareBlaster
2007-08-18 14:16 --------- d-----w C:\Program Files\LexmarkX63
2007-08-18 09:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-08-18 09:10 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-08-18 09:10 --------- d-----w C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2007-08-18 07:28 --------- d-----w C:\Program Files\Common Files\Webroot Shared
2007-08-18 07:26 --------- d-----w C:\Program Files\7-Zip
2006-10-09 22:56 271 ---h--w C:\Program Files\desktop.ini
2006-10-09 22:56 21,952 ---h--w C:\Program Files\folder.htt
2001-06-19 14:04 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}]
10/13/07 01:25p 34304 --------- C:\WINNT\system32\cbxyyaa.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p C:\WINNT\system32\mobsync.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1182560263\ee\AOLSoftware.exe" [09/25/06 05:52p]
"LexStart"="" []
"PrinTray"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe" [10/21/01 11:54a]
"lxamsp32.exe"="lxamsp32.exe" [10/21/01 02:12p C:\WINNT\system32\LXAMSP32.EXE]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [09/10/02 09:26p]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [03/08/05 10:02a]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/07 04:46p]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AcBtnMgr_X63.exe.lnk - C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe [2001-06-06 15:03:10]
ACMonitor_X63.exe.lnk - C:\Program Files\LexmarkX63\ACMonitor_X63.exe [2001-06-06 15:02:28]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/06 01:55p 77824]
"{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}"= C:\WINNT\system32\cbxyyaa.dll [10/13/07 01:25p 34304]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="csakj.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/07 01:41p 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxyyaa]
cbxyyaa.dll 10/13/07 01:25p 34304 C:\WINNT\system32\cbxyyaa.dll
R3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
S2 Windows Management Service;Windows Management Service;C:\WINNT\System32\dmgpi.exe -service
S3 V90drv;v90drv;C:\WINNT\system32\DRIVERS\v90drv.sys
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 13:06:16
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 10/17/2007 13:07:11
C:\ComboFix2.txt ... 10/17/07 11:11a
C:\ComboFix3.txt ... 10/16/07 09:15p
.
--- E O F ---
---------------------------------------------
SmitFraudFix v2.240
Scan done at 11:17:58.35, Wed 10/17/2007
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8D0CAAD6-3586-4423-86D9-55392B5090A5}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer=85.255.115.6,85.255.112.20
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8D0CAAD6-3586-4423-86D9-55392B5090A5}: DhcpNameServer=85.255.115.6,85.255.112.20
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8D0CAAD6-3586-4423-86D9-55392B5090A5}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8D0CAAD6-3586-4423-86D9-55392B5090A5}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="csakj.exe"
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
VundoFix V6.5.10
Checking Java version...
Sun Java not detected
Scan started at 5:23:14 PM 10/15/2007
Listing files found while scanning....
C:\WINNT\system32\eihykjby.ini
C:\WINNT\system32\ybjkyhie.dll
Beginning removal...
Attempting to delete C:\WINNT\system32\eihykjby.ini
C:\WINNT\system32\eihykjby.ini Has been deleted!
Attempting to delete C:\WINNT\system32\ybjkyhie.dll
C:\WINNT\system32\ybjkyhie.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.10
Checking Java version...
Sun Java not detected
Scan started at 5:31:52 PM 10/15/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.10
Checking Java version...
Sun Java not detected
Scan started at 7:32:51 PM 10/15/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.10
Checking Java version...
Sun Java not detected
Scan started at 10:11:57 AM 10/16/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.10
Checking Java version...
Sun Java not detected
Scan started at 10:35:48 AM 10/16/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.10
Checking Java version...
Sun Java not detected
Scan started at 10:58:24 AM 10/16/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.10
Checking Java version...
Sun Java not detected
Scan started at 11:04:13 AM 10/16/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.10
Checking Java version...
Sun Java not detected
Scan started at 11:05:57 AM 10/16/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.10
Checking Java version...
Sun Java not detected
Scan started at 11:11:17 AM 10/16/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.10
Checking Java version...
Sun Java not detected
Scan started at 1:03:14 PM 10/17/2007
Listing files found while scanning....
No infected files were found.
Edited by StormShadow, 17 October 2007 - 05:01 PM.
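A triage script for the HijackThis log above, added here as an editor's example; it is not part of the original post and not part of HijackThis, ComboFix or the other tools named. It takes a handful of lines copied from the log, parses the O2, O17, O20 and O23 entries, and reports what an analyst checks first in a log like this: nameservers that are neither the OpenDNS pair the CCS entries use nor a private address (treating OpenDNS as the intended resolver is an assumption), control sets that disagree on DNS, BHOs with no name, Winlogon Notify DLLs with random-looking names in system32 (a heuristic that can also hit legitimate DLLs), services with no owner, and a DLL that is both an unnamed BHO and a Notify hook.

```python
"""Triage a HijackThis (v1.99.x) log: DNS (O17), Winlogon Notify (O20),
BHOs (O2) and services (O23). Editor's example; not a tool from the post."""
import ipaddress
import re
from collections import defaultdict

# Sample input: lines copied from the HijackThis log in the post above.
# A complete saved log is parsed the same way.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINNT\system32\cbxyyaa.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer = 85.255.115.6,85.255.112.20
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbxyyaa - C:\WINNT\SYSTEM32\cbxyyaa.dll
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINNT\System32\dmgpi.exe
"""

# Assumption: the machine is meant to use OpenDNS (the CCS values in the
# log) or a router on a private network; any other resolver is suspect.
TRUSTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Heuristic: Vundo-style Notify DLLs are 6-8 lowercase letters dropped in
# system32. Legitimate DLLs can match too; a hit means "inspect", not proof.
RANDOM_DLL = re.compile(r"^[a-z]{6,8}\.dll$")

O17 = re.compile(r"^O17 - (?P<key>\S+): (?:Dhcp)?NameServer\s*=\s*(?P<servers>\S.*)$")
O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# An empty owner is written " - - ", so the separator before the path is " ?- ".
O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?) ?- (?P<path>[A-Za-z]:\\.+)$")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_private(ip):
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def triage(log_text):
    """Return a dict of finding lists keyed by category (empty dict if clean)."""
    findings = defaultdict(list)
    nameservers = defaultdict(set)   # control set (CCS, CS1, ...) -> resolver IPs
    o2_dlls = {}                     # DLL basename -> BHO display name
    for line in log_text.splitlines():
        line = line.strip()
        if m := O17.match(line):
            control_set = m["key"].split("\\")[2]
            for ip in re.split(r"[,\s]+", m["servers"].strip()):
                nameservers[control_set].add(ip)
                if ip not in TRUSTED_RESOLVERS and not is_private(ip):
                    findings["dns"].append((control_set, ip))
        elif m := O2.match(line):
            o2_dlls[basename(m["path"])] = m["name"]
            if m["name"] == "(no name)":
                findings["bho"].append(basename(m["path"]))
        elif m := O20.match(line):
            dll = basename(m["path"])
            if "\\system32\\" in m["path"].lower() and RANDOM_DLL.match(dll):
                findings["winlogon_notify"].append(dll)
        elif m := O23.match(line):
            if m["owner"].strip() in ("", "Unknown owner"):
                findings["service"].append((m["name"], m["path"]))
    # Control sets that disagree on DNS are the mark of a hijack that was only
    # partly cleaned: the old values survive in the other ControlSet00N keys.
    if len({frozenset(s) for s in nameservers.values()}) > 1:
        findings["dns_inconsistent"] = sorted(nameservers)
    # The same DLL as an unnamed BHO and a Winlogon Notify hook: escalate.
    for dll in findings.get("winlogon_notify", []):
        if dll in o2_dlls:
            findings["correlated"].append(dll)
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}: {items}")
```

On the sample lines this flags the two 85.255.x.x resolvers in CS1, the CCS/CS1 disagreement, cbxyyaa.dll as both an unnamed BHO and a Notify DLL, and the two ownerless services; that matches what the poster found by hand, and it is a worklist, not a verdict. One caveat the script cannot express: a Winlogon Notify DLL is loaded into winlogon.exe at logon, so it stays mapped and locked for the whole session, which is why deleting it from a normal, logged-on desktop fails; the registry entry and the file have to go while winlogon.exe has not loaded it (Safe Mode, a recovery environment, or a tool that schedules the deletion for the next boot).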