Winfixer, yieldmanager popups [RESOLVED]


  • This topic is locked

#1
keisiuho

  • Member
  • 21 posts
I have run Ad-aware, Spybot and Ewido but still can't remove it. The popup comes up especially when my computer is loading heavily, and that makes it hang quite often. I've seen a lot of posts here about that and it seems there is no software that can remove it. Can someone help me please?

This is the log:

Logfile of HijackThis v1.99.1
Scan saved at 18:39:16, on 08/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\ibmsmbus.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Babylon\Babylon.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\msnshell\BIN\MSNShell.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program Files\csaa\srai.exe
C:\WINDOWS\system32\rυndll32.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ICQ\Icq.exe
C:\Program Files\Sleipnir\Sleipnir.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A05123D-FAA7-A472-A5C6-806DD637B6CE} - C:\WINDOWS\system32\gibu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [MSNShell] C:\Program Files\msnshell\BIN\MSNShell.exe autorun
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Uahe] "C:\Program Files\csaa\srai.exe" -vt ndrv
O4 - HKCU\..\Run: [Qipido] C:\WINDOWS\system32\r£ondll32.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: ImageUploader - http://www.zorpia.co...ageUploader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda....bc7/games10.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://media.grab.co...outLauncher.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINDOWS\System32\ibmsmbus.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
  • 0



#2
greyknight17

  • Malware Expert
  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
   * Install background guard
   * Install scan via context menu
3. Launch Ewido. There should be an icon on your desktop; double-click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
   * On the left-hand side of the main screen click update.
   * Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net...wnload/updates/ to update manually.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
  o You will need to step through the process of cleaning files one-by-one.
  o If Ewido detects a file you KNOW to be legitimate, select none as the action.
  o Do NOT select 'Perform action on all infections'
  o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: (no name) - {2A05123D-FAA7-A472-A5C6-806DD637B6CE} - C:\WINDOWS\system32\gibu.dll
O4 - HKCU\..\Run: [Uahe] "C:\Program Files\csaa\srai.exe" -vt ndrv
O4 - HKCU\..\Run: [Qipido] C:\WINDOWS\system32\r?ondll32.exe


Locate and delete the following:

C:\Program Files\Sleipnir\ - if you know what this program is for and want to keep it, then leave it alone
C:\WINDOWS\system32\gibu.dll
C:\Program Files\csaa\
C:\WINDOWS\system32\r?ondll32.exe - the ? can be any character, but look for a file that begins with an R and ends with ONDLL32.EXE


Do a search for r?ndll32.exe and right click on any of the files found. Go to Properties->Version tab and see if it's from Microsoft. Do this for each file found. If it's not from Microsoft (or doesn't even have a version tab) and it was created recently, then delete it.

Restart your computer. Post the logs for HijackThis and Ewido.
  • 0
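
The lookalike-filename check from the post above, as an added example that is not part of the original thread: the logs list `rundll32.exe` beside a second file whose name differs by a single non-ASCII character, which is easy to misread as the system file. The sample lines are copied from the thread's logs (code points as they appear on this page); the allow-list of system names, the small confusables map and the edit-distance threshold of 1 are assumptions of this example.

```python
import re
import unicodedata

# Assumption: a short allow-list of Windows system binary names to protect.
KNOWN_SYSTEM_NAMES = {
    "rundll32.exe", "svchost.exe", "explorer.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "ctfmon.exe", "spoolsv.exe",
}

# Assumption: a tiny hand-picked subset of look-alike letters, not the full
# Unicode confusables table.
CONFUSABLES = {
    "\u03c5": "u",  # GREEK SMALL LETTER UPSILON
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
}

# Constructed sample: entries taken from the HijackThis logs in this thread.
SAMPLE_LOG = (
    "Running processes:\n"
    "C:\\WINDOWS\\system32\\rundll32.exe\n"
    "C:\\WINDOWS\\system32\\RunDll32.exe\n"
    "C:\\WINDOWS\\system32\\r\u03c5ndll32.exe\n"
    "C:\\WINDOWS\\system32\\ctfmon.exe\n"
    "\n"
    'O4 - HKCU\\..\\Run: [Uahe] "C:\\Program Files\\csaa\\srai.exe" -vt ndrv\n'
    "O4 - HKCU\\..\\Run: [Qipido] C:\\WINDOWS\\system32\\r\u00a3ondll32.exe\n"
    "O4 - HKCU\\..\\Run: [Qipido] C:\\WINDOWS\\system32\\r?ondll32.exe\n"
)

# A drive-letter path ending in an executable extension, anywhere in a line.
PATH_RE = re.compile(
    r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys)(?![A-Za-z0-9])', re.IGNORECASE
)


def skeleton(name):
    """Fold a file name to the ASCII name a reader would think they saw."""
    out = []
    for ch in name.lower():
        if ch in CONFUSABLES:
            out.append(CONFUSABLES[ch])
        elif ch.isascii() and ch != "?":
            out.append(ch)
        # Unmapped non-ASCII characters, and the "?" a tool prints for a
        # character it could not render, are dropped.
    return "".join(out)


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(log_text):
    """Return {path: details} for files whose name imitates a system binary."""
    findings = {}
    for path in PATH_RE.findall(log_text):
        name = path.rsplit("\\", 1)[-1]
        if name.lower() in KNOWN_SYSTEM_NAMES:
            continue  # the genuine name, in any letter case
        skel = skeleton(name)
        for known in sorted(KNOWN_SYSTEM_NAMES):
            if edit_distance(skel, known) <= 1:
                odd = [unicodedata.name(c, "UNKNOWN") for c in name if not c.isascii()]
                findings[path] = {"imitates": known, "non_ascii": odd}
                break
    return findings


if __name__ == "__main__":
    for path, info in find_lookalikes(SAMPLE_LOG).items():
        print(ascii(path), "imitates", info["imitates"], info["non_ascii"])
```

A match only says the name imitates a system file; the Properties->Version check described in the post is still what decides whether the file is from Microsoft.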

#3
keisiuho

  • Topic Starter
  • Member
  • 21 posts
The question mark in r?ondll32.exe is actually the sterling sign. But I can't find any file like this except rundll32.exe which I think is safe.

I have kept C:\Program Files\Sleipnir\ as it is my browser which I have used for more than 1 year without problems.

I did delete C:\Program Files\csaa\ but after reboot to my surprise it is still there. It seems the most suspicious.

Here are the logs:

Ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:  10:04:00, 09/10/2005
+ Report-Checksum:  1F9A18DA

+ Scan result:

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0061806.dll -> TrojanSpy.ProAgent.121 : Cleaned with backup
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0061807.exe -> TrojanDownloader.Small.Ic : Cleaned with backup


::Report End


Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 10:05:00, on 09/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A05123D-FAA7-A472-A5C6-806DD637B6CE} - C:\WINDOWS\system32\gibu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [MSNShell] C:\Program Files\msnshell\BIN\MSNShell.exe autorun
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Uahe] "C:\Program Files\csaa\srai.exe" -vt ndrv
O4 - HKCU\..\Run: [Qipido] C:\WINDOWS\system32\r£ondll32.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: ImageUploader - http://www.zorpia.co...ageUploader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda....bc7/games10.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://media.grab.co...outLauncher.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINDOWS\System32\ibmsmbus.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


  • 0

#4
greyknight17

  • Malware Expert
  • Visiting Consultant
  • 16,560 posts
Hmm...still there..

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Go to My Computer->Tools (or View)->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders (it's Show all files for Windows 98).
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: (no name) - {2A05123D-FAA7-A472-A5C6-806DD637B6CE} - C:\WINDOWS\system32\gibu.dll
O4 - HKCU\..\Run: [Uahe] "C:\Program Files\csaa\srai.exe" -vt ndrv
O4 - HKCU\..\Run: [Qipido] C:\WINDOWS\system32\r?ondll32.exe


Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINDOWS\system32\gibu.dll
C:\Program Files\csaa\srai.exe
C:\WINDOWS\system32\r?ondll32.exe


If you get a PendingOperations message, just close it and restart your computer manually.

Restart and run a new HijackThis scan. Save the log file and post it here. See if you can still find this folder (delete if found):

C:\Program Files\csaa\
  • 0

#5
keisiuho

  • Topic Starter
  • Member
  • 21 posts
C:\WINDOWS\system32\r?ondll32.exe is actually C:\WINDOWS\system32\rundll32.exe which is a system file. So I have kept it.

C:\WINDOWS\system32\gibu.dll is deleted.
C:\Program Files\csaa\srai.exe is still there even though I deleted it with KillBox or HijackThis. So I deleted it manually, but after reboot it still exists. How do I know which programme creates it?

This is the log after the attempts above:

Logfile of HijackThis v1.99.1
Scan saved at 07:57:47, on 10/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\ibmsmbus.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Babylon\Babylon.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\msnshell\BIN\MSNShell.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\WINDOWS\system32\rυndll32.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [MSNShell] C:\Program Files\msnshell\BIN\MSNShell.exe autorun
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Qipido] C:\WINDOWS\system32\r£ondll32.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: ImageUploader - http://www.zorpia.co...ageUploader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda....bc7/games10.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://media.grab.co...outLauncher.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINDOWS\System32\ibmsmbus.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe



#6
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Seems like that csaa folder is not showing up in the log though but that r?ondll32.exe is still there. I know you said it's rundll32.exe, but according to the log, there is an extra letter o in there.

Please run the Kaspersky Online Scanner and post back what it found.

#7
keisiuho

    Member

  • Topic Starter
  • Member
  • 21 posts
Now I have deleted the registry for r?ondll.exe.

Here is the log after the scan:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, October 10, 2005 23:21:29
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 10/10/2005
Kaspersky Anti-Virus database records: 144063
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
J:\

Scan Statistics:
Total number of scanned objects: 85019
Number of viruses found: 11
Number of infected objects: 56
Number of suspicious objects: 6
Duration of the scan process: 5538 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy16.zip/msexreg.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy16.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy2.zip/msexreg.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy2.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy5.zip/trkgif.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy5.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2a83499b-3e50f88c.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2a83499b-3e50f88c.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2a83499b-3e50f88c.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2a83499b-3e50f88c.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2a83499b-3e50f88c.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-3821a986-40283495.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-3821a986-40283495.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-3821a986-40283495.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-3821a986-40283495.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-3821a986-40283495.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4273ab84-769683c8.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4273ab84-769683c8.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4273ab84-769683c8.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4273ab84-769683c8.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4273ab84-769683c8.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-54980b39-36ffd3e8.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-54980b39-36ffd3e8.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-54980b39-36ffd3e8.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-54980b39-36ffd3e8.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-54980b39-36ffd3e8.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-130c748f-2ffa68eb.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-130c748f-2ffa68eb.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-130c748f-2ffa68eb.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-130c748f-2ffa68eb.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-27f12750-2b80cb2c.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-27f12750-2b80cb2c.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-27f12750-2b80cb2c.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-27f12750-2b80cb2c.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-4a2926ec-4b318ba9.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-4a2926ec-4b318ba9.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-4a2926ec-4b318ba9.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-4a2926ec-4b318ba9.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5c6d80ec-7c54546f.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5c6d80ec-7c54546f.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5c6d80ec-7c54546f.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5c6d80ec-7c54546f.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-69430f0d-16635022.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-69430f0d-16635022.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-69430f0d-16635022.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-69430f0d-16635022.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a5399d2-1363d1f8.zip/Beyond.class Infected: Trojan.Java.ClassLoader.ai
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a5399d2-1363d1f8.zip/BlackBox.class Infected: Trojan.Java.ClassLoader.ai
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a5399d2-1363d1f8.zip/VerifierBug.class Infected: Trojan.Java.ClassLoader.ai
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a5399d2-1363d1f8.zip Infected: Trojan.Java.ClassLoader.ai
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv645.jar-54d02658-32f13704.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv645.jar-54d02658-32f13704.zip/Counter.class Infected: Trojan.Java.ClassLoader.h
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv645.jar-54d02658-32f13704.zip/Parser.class Infected: Trojan.Java.ClassLoader.d
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv645.jar-54d02658-32f13704.zip Infected: Trojan.Java.ClassLoader.d
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv691.jar-5d20036f-1f23dabc.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv691.jar-5d20036f-1f23dabc.zip/Counter.class Infected: Trojan.Java.ClassLoader.h
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv691.jar-5d20036f-1f23dabc.zip/Parser.class Infected: Trojan.Java.ClassLoader.d
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv691.jar-5d20036f-1f23dabc.zip Infected: Trojan.Java.ClassLoader.d
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv730.jar-7bb1375-2dc6ea51.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv730.jar-7bb1375-2dc6ea51.zip/Counter.class Infected: Trojan.Java.ClassLoader.h
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv730.jar-7bb1375-2dc6ea51.zip/Parser.class Infected: Trojan.Java.ClassLoader.d
C:\Documents and Settings\Lucas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv730.jar-7bb1375-2dc6ea51.zip Infected: Trojan.Java.ClassLoader.d

Scan process completed.



#8
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Click on Start->Settings->Control Panel->Java Plug-in and click on the Cache tab. Then click on the Clear button and hit OK.

Delete everything found in this folder -> C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\

Restart and run a new Kaspersky scan. Post that log here along with a new HijackThis log.

#9
keisiuho

    Member

  • Topic Starter
  • Member
  • 21 posts
Many thanks! The ad has not come up these 2 days so I guess it is gone. The culprit seems to be R?ondll.exe but the registry in HijackThis is actually referring to the one running Rundll.exe. Anyway I have deleted it. But does it do any harm to the system?

#10
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
The one in HijackThis is referring to r?ondll32.exe though. If it's gone now, it's ok.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.