Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Winfixer problem [RESOLVED]


  • This topic is locked This topic is locked

#1
ethanshoe

ethanshoe

    Member

  • Member
  • PipPip
  • 19 posts
Hello,
Over the last couple of weeks I have been getting the annoying winfixer pop ups. I have run all sorts of scanners, spy sweepers and my favorite spy bot search and destroy; however after all that, even after these programs say that it is removed, winfixer keeps popping up. Here is my hijack this log, please, i need your help.

Logfile of HijackThis v1.99.1
Scan saved at 9:59:45 AM, on

9/2/2005
Platform: Windows XP SP2 (WinNT

5.01.2600)
MSIE: Internet Explorer v6.00 SP2

(6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common

Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common

Files\Microsoft

Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton

AntiVirus\navapsvc.exe
C:\Program Files\Norton

AntiVirus\SAVScan.exe
C:\Program Files\Webroot\Spy

Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common

Files\Symantec

Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common

Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common

Files\Symantec Shared\Security

Center\SymWSC.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program

Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program

Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI

Technologies\ATI Control

Panel\atiptaxx.exe
C:\Program

Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common

Files\Dell\EUSW\Support.exe
C:\Program Files\Common

Files\Symantec Shared\ccApp.exe
C:\Program

Files\Viewpoint\Viewpoint

Manager\ViewMgr.exe
C:\Program

Files\iTunes\iTunesHelper.exe
C:\Program

Files\Dell\Support\Alert\bin\Notify

Alert.exe
C:\Program

Files\Dell\AccessDirect\DadApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program

Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.e

xe
C:\Program Files\Internet

Explorer\iexplore.exe
C:\Program Files\Internet

Explorer\iexplore.exe
C:\Program

Files\Messenger\msmsgs.exe
C:\Documents and Settings\Ethan

Shoe\Desktop\HijackThis.exe

R1 -

HKCU\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL =

http://www.dell.com
R0 -

HKCU\Software\Microsoft\Internet

Explorer\Main,Start Page =

http://www.hotmail.com/
R1 -

HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL =

http://www.dell.com
R0 -

HKLM\Software\Microsoft\Internet

Explorer\Main,Start Page =

http://www.dell.com
O2 - BHO: AcroIEHlprObj Class -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0

B3} - C:\Program

Files\Adobe\Acrobat

7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) -

{53707962-6F74-2D53-2644-206D794248

4F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object -

{827DC836-DD9F-4A68-A602-5812EB50A8

34} - C:\WINDOWS\system32\rqrqn.dll
O2 - BHO: NAV Helper -

{BDF3E430-B101-42AD-A544-FADC6B0848

72} - C:\Program Files\Norton

AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) -

{BA52B914-B692-46c4-B683-905236F6F6

55} - (no file)
O3 - Toolbar: Norton AntiVirus -

{42CDD1BF-3FFB-4238-8AD1-7859DF00B1

D6} - C:\Program Files\Norton

AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange]

Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG]

BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr]

C:\Program

Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh]

C:\Program

Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA]

C:\Program Files\ATI

Technologies\ATI Control

Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet]

C:\Program

Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry]

C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient]

C:\Program Files\Common

Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp]

"C:\Program Files\Common

Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task]

"C:\Program

Files\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [Symantec

NetDriver Monitor]

C:\PROGRA~1\SYMNET~1\SNDMon.exe

/Consumer
O4 - HKLM\..\Run: [ViewMgr]

C:\Program

Files\Viewpoint\Viewpoint

Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper]

"C:\Program

Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DadApp]

C:\Program

Files\Dell\AccessDirect\DadApp.exe
O4 - HKCU\..\Run: [ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler

V3.exe
O4 - Startup: PowerReg

Scheduler.exe
O4 - Global Startup: Adobe Reader

Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat

7.0\Reader\reader_sl.exe
O8 - Extra context menu item:

E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11

\EXCEL.EXE/3000
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C6085

01} -

C:\WINDOWS\System32\msjava.dll

(file missing)
O9 - Extra 'Tools' menuitem: Sun

Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C6085

01} -

C:\WINDOWS\System32\msjava.dll

(file missing)
O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C571A82

63} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIE

BAR.DLL
O9 - Extra button: Real.com -

{CD67F990-D8E9-11d2-98FE-00C0F0318A

FE} -

C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F7956

83} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem:

Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F7956

83} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF:

{11260943-421B-11D0-8EAC-0000C07D88

CF} (iPIX ActiveX Control) -

http://www.ipix.com/download/ipixx.

cab
O16 - DPF:

{17492023-C23A-453E-A040-C7C580BBF7

00} (Windows Genuine Advantage

Validation Tool) -

http://go.microsoft.com/fwlink/?lin

kid=39204
O16 - DPF:

{3DA5D23B-EFE1-4181-ADB7-7D457567AA

CA} (TGOnlineCtrl Class) -

http://zone.msn.com/bingame/pacz/de

fault/pandaonline.cab
O16 - DPF:

{3FE16C08-D6A7-4133-84FC-D5BFB4F7D8

86} (WebGameLoader Class) -

http://zone.msn.com/bingame/rtlw/de

fault/ReflexiveWebGameLoader.cab
O16 - DPF:

{4F1E5B1A-2A80-42CA-8532-2D05CB9595

37} (MSN Photo Upload Tool) -

http://by12fd.bay12.hotmail.msn.com

/resources/MsnPUpld.cab
O16 - DPF:

{74D05D43-3236-11D4-BDCD-00C04F9A3B

61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/

2004061001/housecall.trendmicro.com

/housecall/xscan53.cab
O16 - DPF:

{B8BE5E93-A60C-4D26-A2DC-2203131755

92} (ZoneIntro Class) -

http://zone.msn.com/binFramework/v1

0/ZIntro.cab34246.cab
O16 - DPF:

{D719897A-B07A-4C0C-AEA9-9B663A28DF

CB} (iTunesDetector Class) -

http://ax.phobos.apple.com.edgesuit

e.net/detection/ITDetector.cab
O16 - DPF:

{D77EF652-9A6B-40C8-A4B9-1C0697C6CF

41} (TikGames Online Control) -

http://zone.msn.com/bingame/gold/de

fault/gf.cab
O16 - DPF:

{DAF5D9A2-D982-4671-83E4-0398706A5F

6A} (SCEWebLauncherCtl Object) -

http://zone.msn.com/bingame/hsol/de

fault/SCEWebLauncher.cab
O16 - DPF:

{DF780F87-FF2B-4DF8-92D0-73DB16A154

3A} (PopCapLoader Object) -

http://zone.msn.com/bingame/zuma/de

fault/popcaploader_v5.cab
O20 - Winlogon Notify: rqrqn -

C:\WINDOWS\system32\rqrqn.dll
O23 - Service: Ati HotKey Poller -

Unknown owner -

C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event

Manager (ccEvtMgr) - Symantec

Corporation - C:\Program

Files\Common Files\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Password

Validation (ccPwdSvc) - Symantec

Corporation - C:\Program

Files\Common Files\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings

Manager (ccSetMgr) - Symantec

Corporation - C:\Program

Files\Common Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: iPod Service

(iPodService) - Apple Computer,

Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus

Auto Protect Service (navapsvc) -

Symantec Corporation - C:\Program

Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec

Corporation - C:\Program

Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking

Service (SBService) - Symantec

Corporation -

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIP

T~1\SBServ.exe
O23 - Service: Symantec Network

Drivers Service (SNDSrvc) -

Symantec Corporation - C:\Program

Files\Common Files\Symantec

Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper

Engine (svcWRSSSDK) - Webroot

Software, Inc. - C:\Program

Files\Webroot\Spy

Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC -

Symantec Corporation - C:\Program

Files\Common Files\Symantec

Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service

(SymWSC) - Symantec Corporation -

C:\Program Files\Common

Files\Symantec Shared\Security

Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown

owner -

C:\WINDOWS\System32\WLTRYSVC.EXE
  • 0

Advertisements


#2
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Please repost your log - turn off wordwrap.
  • 0

#3
ethanshoe

ethanshoe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Sorry about that


Logfile of HijackThis v1.99.1
Scan saved at 10:00:38 AM, on 9/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Dell\AccessDirect\DadApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ethan Shoe\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\rqrqn.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\DadApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/...pandaonline.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12....es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/gf.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O20 - Winlogon Notify: rqrqn - C:\WINDOWS\system32\rqrqn.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
  • 0

#4
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Click here to download VundoFix.zip to your desktop.
  • Double-click VundoFix.zip and extract it to your C:\ directory.
  • Copy the instructions below and paste them into Notepad for reference.
    • All other windows need to be closed while doing this fix!
  • Navigate to the new folder C:\VundoFix
  • Double click on KillVundo.bat
    • When it starts running it will tell you that you need an active internet connection then ask you to press any key once you do.
  • Please press any key to continue.
  • Wait for HiJackThis to open.
  • When HiJackThis opens, click Scan. Place a check next to the following items, if found:

    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\rqrqn.dll
    O20 - Winlogon Notify: rqrqn - C:\WINDOWS\system32\rqrqn.dll


  • Once they all have a check next to them, click the FIX CHECKED button, then close HiJackThis.
You will once again be prompted to press any key. Upon doing so this time you will receive a "Blue Screen Of Death". Don't worry, this is normal! Let the computer reboot. If it doesn't boot straight to windows, manually turn the computer off and then back on.

Once the computer is rebooted post a new HiJackThis log as well as the contents of vundofix.txt which can be found in this folder: C:\VundoFix
  • 0

#5
ethanshoe

ethanshoe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hello,

Here is the new hijackthis log and the other text file

Logfile of HijackThis v1.99.1
Scan saved at 8:34:10 PM, on 9/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\AccessDirect\DadApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Ethan Shoe\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\DadApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/...pandaonline.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12....es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/gf.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE





Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 708 'smss.exe'
Threads [712][716][720]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 832 'winlogon.exe'
Sucessfully Deleted
  • 0

#6
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Looks better - how is it running now?
  • 0

#7
ethanshoe

ethanshoe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hi,

Things seem to be running fine. Thank you so much for the help!!! You are great!

Cheers

ethanshoe
  • 0

#8
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
You're welcome - glad to help :tazz:

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP