
Hijack This Log - Please Help


  • This topic is locked
12 replies to this topic

#1 starwarsgeek

starwarsgeek

  • Members
  • 129 posts
  • Gender:Male

Posted 25 August 2007 - 11:23 PM

Hello everyone, I hope you can give me a hand here with this laptop. I've been having all kinds of problems with it lately, from slow performance at startup, to pop up windows galore, and missing dll files to boot.

I downloaded everything as per the "before you post a hijack this log, please do this" steps... as of just now, AdAware, Spybot, Stinger and AVG all show nothing wrong. Took a while, but I ran them all and re-ran them, over again several times.

Anyway, here's my most current hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:30 AM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\hory22011.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\linda\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dell.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: 0 - {019673BC-3D9E-4074-DF8E-D017911789D3} - C:\Program Files\Windows NT\lavufave395.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11D2EBEF-052F-4DC9-B25F-497725336833} - C:\WINDOWS\system32\vturo.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\oorjrrsw.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\pmnkjjj.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [hory] C:\Program Files\Common Files\hory22011.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\arjpuwue.dll",forkonce
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188099013609
O20 - AppInit_DLLs:
O20 - Winlogon Notify: pmnkjjj - pmnkjjj.dll (file missing)
O20 - Winlogon Notify: vturo - C:\WINDOWS\system32\vturo.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\profsysypru.html

--
End of file - 8184 bytes


Most of the pop up windows have stopped for the most part, but I have two other issues:

1) When I start up the laptop, I get an error message that says:

C:\Windows\system 32\arjpuwue.dll
specified module could not be found

I've searched google and can't find any information on that file, so I have no idea what it's for.


2) When I start the laptop, right after I get message #1, I get this error:

Script: C:\Program Files\func.js
Line: 76
Char: 1
Error: The system cannot find the file specified
Code: 80070002
Source: (null)

I've also had issues with certain programs in the task manager that use up 99% of my CPU at startup. I can't remember the exact name of the program, but once I went in and killed it, the CPU seemed to be okay.

So, if anyone has any ideas on what to do to stop these errors from continuing, I'm all ears :thumbsup:

Thanks!

EDIT - can someone also please tell me how to get rid of my old system restore points? Because now AVG just constantly pops up a window telling me that a threat has been detected there... for the past 30 minutes I've been clicking "heal" - it's making me crazy!!!

Thanks!!

Edited by starwarsgeek, 26 August 2007 - 01:10 AM.




#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 26 August 2007 - 05:14 AM

Hello and welcome aboard starwarsgeek :thumbsup:

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

So, please choose between TrendMicro and AVG. An on-demand scanner is fine if you want to keep the other.

Once that is out of the way..

Please download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!

#3 starwarsgeek

starwarsgeek
  • Topic Starter
  • Members
  • 129 posts
  • Gender:Male

Posted 26 August 2007 - 10:02 AM

Thanks for responding so quickly, my girlfriend has been driving me crazy (it's actually her laptop, not mine) and I didn't know she had the Trend Micro product on there. It hadn't been used or updated since late '05 so I uninstalled it and kept the AVG since that's what I use on both my desktop and laptop pc and I like it.

Anyway, I downloaded and ran the Combofix, here's the log from that:

ComboFix 07-08-25.2 - "linda" 2007-08-26 10:49:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.93 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\linda\APPLIC~1\install.dat
C:\DOCUME~1\linda\APPLIC~1\WinTouch
C:\Program Files\Common Files\hory22011.exe
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\Program Files\Windows NT\profsysypru.html
C:\Program Files\winpop
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\b104.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\oorjrrsw.dll
C:\WINDOWS\tk58.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-07-26 to 2007-08-26 )))))))))))))))))))))))))))))))


2007-08-26 10:45 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-26 01:14 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-08-25 23:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-08-25 23:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-24 23:06 <DIR> d-------- C:\$WIN_NT$.~BT
2007-08-24 21:12 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-24 21:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-24 20:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-24 20:12 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-08-24 20:05 1,615,186 ---hs---- C:\WINDOWS\system32\orutv.bak2
2007-08-23 17:21 6,473 ---hs---- C:\WINDOWS\system32\orutv.bak1
2007-08-23 17:10 <DIR> d--hs---- C:\WINDOWS\bGluZGE
2007-08-23 17:10 <DIR> d-------- C:\WINDOWS\system32\temps1
2007-08-23 17:10 <DIR> d-------- C:\WINDOWS\system32\IBD4
2007-08-23 17:10 <DIR> d-------- C:\WINDOWS\system32\cofig32
2007-08-14 20:40 <DIR> d-------- C:\Program Files\WinBudget


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-26 10:52 --------- d-------- C:\Program Files\Windows NT
2007-08-25 22:20 --------- d-------- C:\Program Files\QuickTime
2007-08-25 22:20 --------- d-------- C:\Program Files\Messenger
2007-08-25 22:20 --------- d-------- C:\Program Files\iTunes
2007-08-25 12:53 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-25 12:53 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-15 04:12 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 04:12 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 04:12 1498112 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 04:12 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 04:12 1022976 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 06:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\bGluZGE\v35Rt3H.vbs
2006-03-29 19:17:44 56 --sh--r C:\WINDOWS\system32\C00A4DF96F.sys
2006-03-29 19:17:44 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{019673BC-3D9E-4074-DF8E-D017911789D3}]
C:\Program Files\Windows NT\lavufave395.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11D2EBEF-052F-4DC9-B25F-497725336833}]
C:\WINDOWS\system32\vturo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 01:42 C:\WINDOWS\stsystra.exe]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" []
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-25 21:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 18:09]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=01000000
"NoLogoff"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Windows NT\profsysypru.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkjjj]
pmnkjjj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturo]
C:\WINDOWS\system32\vturo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys


Contents of the 'Scheduled Tasks' folder
2007-08-26 04:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-15 21:45:31 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-15 21:45:31 C:\WINDOWS\Tasks\At11.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-25 15:01:02 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-25 16:03:09 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-25 17:01:06 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-25 18:01:03 C:\WINDOWS\Tasks\At15.job
2007-08-25 19:01:04 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-25 20:01:01 C:\WINDOWS\Tasks\At17.job
2007-08-25 21:01:02 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-25 22:01:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-26 05:00:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-25 23:01:02 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-26 00:01:01 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-26 01:00:01 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-26 02:00:00 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-26 03:00:01 C:\WINDOWS\Tasks\At24.job
2007-08-26 06:00:01 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-15 21:45:31 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-15 21:45:31 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-15 21:45:31 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-15 21:45:31 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-15 21:45:31 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32\3FbA7eWy.exe
2007-08-15 21:45:31 C:\WINDOWS\Tasks\At9.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-26 10:55:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-26 10:58:18 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-26 10:58

--- E O F ---


Thanks again for the help.

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 26 August 2007 - 10:38 AM

Uninstall the following under the Add/Remove Programs list in Control Panel, if found:

WinBudget

====

Then, please open Notepad and copy/paste the text in the quotebox into it:

File::
C:\WINDOWS\system32\orutv.bak2
C:\WINDOWS\system32\orutv.bak1
C:\Program Files\Windows NT\lavufave395.dll
C:\WINDOWS\system32\vturo.dll
C:\Program Files\Windows NT\profsysypru.html
C:\WINDOWS\system32\vturo.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

Folder::
C:\WINDOWS\system32\temps1
C:\WINDOWS\system32\IBD4
C:\WINDOWS\system32\cofig32
C:\Program Files\WinBudget
C:\WINDOWS\bGluZGE

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{019673BC-3D9E-4074-DF8E-D017911789D3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11D2EBEF-052F-4DC9-B25F-497725336833}]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkjjj]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturo]


Save it as CFScript.txt on your desktop.

[image: screenshot of CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply along with a fresh HijackThis log. :thumbsup:

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!
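The correlation Rawe does by hand in the post above (find every autostart entry that is orphaned or loads one of the files chosen for removal, then write the matching CFScript lines) as a small script. This is an added example, not part of the thread and not HijackThis or ComboFix code; the sample lines are copied from the first HijackThis log in the thread, the suspect-file list stands in for the analyst's judgement, and the `"name"=-` form for deleting a Run value is standard .reg syntax that the thread itself does not show.

```python
"""Draft ComboFix CFScript sections from flagged HijackThis autostart lines.
Added example for this thread, not part of it or of HijackThis/ComboFix."""
import re
from dataclasses import dataclass

# Constructed sample: O2/O4/O20/O24 lines copied from the first log above.
SAMPLE_LOG = r"""
O2 - BHO: 0 - {019673BC-3D9E-4074-DF8E-D017911789D3} - C:\Program Files\Windows NT\lavufave395.dll (file missing)
O2 - BHO: (no name) - {11D2EBEF-052F-4DC9-B25F-497725336833} - C:\WINDOWS\system32\vturo.dll (file missing)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\oorjrrsw.dll
O4 - HKLM\..\Run: [hory] C:\Program Files\Common Files\hory22011.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\arjpuwue.dll",forkonce
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: pmnkjjj - pmnkjjj.dll (file missing)
O20 - Winlogon Notify: vturo - C:\WINDOWS\system32\vturo.dll (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\profsysypru.html
"""
# Files the analyst chose to remove (hypothetical input: the ones ComboFix
# deleted in the thread, plus the DLL named in the user's startup error).
SUSPECT_FILES = [r"C:\WINDOWS\system32\oorjrrsw.dll", r"C:\WINDOWS\system32\arjpuwue.dll",
                 r"C:\Program Files\Common Files\hory22011.exe",
                 r"C:\Program Files\Windows NT\profsysypru.html"]

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
DESKTOP_RE = re.compile(r"^Desktop Component (?P<name>\d+): .*? - (?P<path>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|html|sys|vbs)', re.IGNORECASE)

# Key paths as ComboFix prints them in the thread's "Reg Loading Points" section
# ("~" is ComboFix's shorthand for the long Browser Helper Objects key path).
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{%s}"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\%s"
DESKTOP_KEY = r"HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\%s"
RUN_KEYS = {"HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}


@dataclass
class Entry:
    section: str    # HijackThis section: O2, O4, O20 or O24
    name: str       # BHO name, Run value name, notify package or component index
    clsid: str      # BHO CLSID (O2 only)
    path: str       # command/path column exactly as HijackThis printed it
    missing: bool   # line carried the "(file missing)" marker
    hive: str = ""  # HKLM/HKCU for O4 Run values


def parse_line(line: str):
    """Return an Entry for O2/O4/O20/O24 lines, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m["sec"], m["body"]
    missing = body.endswith("(file missing)")
    if missing:
        body = body[: -len("(file missing)")].rstrip()
    if sec == "O2" and (b := BHO_RE.match(body)):
        return Entry(sec, b["name"], b["clsid"], b["path"], missing)
    if sec == "O4" and (b := RUN_RE.match(body)):
        return Entry(sec, b["name"], "", b["path"], missing, b["hive"])
    if sec == "O20" and (b := NOTIFY_RE.match(body)):
        return Entry(sec, b["name"], "", b["path"], missing)
    if sec == "O24" and (b := DESKTOP_RE.match(body)):
        return Entry(sec, b["name"], "", b["path"], missing)
    return None


def referenced_file(entry: Entry) -> str:
    """Pull the loaded file out of the path column (rundll32 args, switches, ...)."""
    m = PATH_RE.search(entry.path)
    return m.group(0) if m else entry.path.strip()


def triage(log_text: str, suspect_files):
    """Flag entries that are orphaned (file missing) or load an analyst-listed file."""
    suspects = {p.rsplit("\\", 1)[-1].lower() for p in suspect_files}
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        base = referenced_file(entry).rsplit("\\", 1)[-1].lower()
        if entry.missing:
            flagged.append((entry, "file missing: orphaned autostart entry"))
        elif base in suspects:
            flagged.append((entry, "loads analyst-listed suspect file"))
    return flagged


def build_cfscript(flagged) -> str:
    """Render File:: and Registry:: sections in the CFScript format used above."""
    files, keys = [], []
    for entry, _reason in flagged:
        path = referenced_file(entry)
        if not entry.missing and "\\" in path:  # something ComboFix can still delete
            files.append(path)
        if entry.section == "O2":
            keys.append("[-%s]" % (BHO_KEY % entry.clsid))
        elif entry.section == "O20":
            keys.append("[-%s]" % (NOTIFY_KEY % entry.name))
        elif entry.section == "O24":
            keys.append("[-%s]" % (DESKTOP_KEY % entry.name))
        elif entry.section == "O4":  # standard .reg syntax for deleting one value
            keys.append('[%s]\n"%s"=-' % (RUN_KEYS[entry.hive], entry.name))
    out = []
    if files:
        out += ["File::", *dict.fromkeys(files), ""]
    if keys:
        out += ["Registry::", *dict.fromkeys(keys)]
    return "\n".join(out) + "\n"
```

Running `build_cfscript(triage(SAMPLE_LOG, SUSPECT_FILES))` reproduces the BHO, Winlogon Notify and desktop-component keys from Rawe's script and adds the Run value behind the user's `arjpuwue.dll` startup error; the AVG entry is left alone because its file is neither missing nor listed.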

#5 starwarsgeek

starwarsgeek
  • Topic Starter
  • Members
  • 129 posts
  • Gender:Male

Posted 26 August 2007 - 11:10 AM

Thanks so much for the quick response again :thumbsup:

Did those steps; that program wasn't found in the Add/Remove section.

ComboFix log:

ComboFix 07-08-25.2 - "linda" 2007-08-26 11:58:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.75 [GMT -4:00]
Command switches used :: C:\Documents and Settings\linda\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\orutv.bak2
C:\WINDOWS\system32\orutv.bak1
C:\Program Files\Windows NT\lavufave395.dll
C:\WINDOWS\system32\vturo.dll
C:\Program Files\Windows NT\profsysypru.html
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dll
C:\WINDOWS\bGluZGE
C:\WINDOWS\bGluZGE\v35Rt3H.vbs
C:\WINDOWS\system32\cofig32
C:\WINDOWS\system32\IBD4
C:\WINDOWS\system32\orutv.bak1
C:\WINDOWS\system32\orutv.bak2
C:\WINDOWS\system32\temps1
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job


((((((((((((((((((((((((( Files Created from 2007-07-26 to 2007-08-26 )))))))))))))))))))))))))))))))


2007-08-26 10:45 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-26 01:14 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-08-25 23:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-08-25 23:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-24 23:06 <DIR> d-------- C:\$WIN_NT$.~BT
2007-08-24 21:12 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-24 21:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-24 20:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-24 20:12 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-26 10:52 --------- d-------- C:\Program Files\Windows NT
2007-08-25 22:20 --------- d-------- C:\Program Files\QuickTime
2007-08-25 22:20 --------- d-------- C:\Program Files\Messenger
2007-08-25 22:20 --------- d-------- C:\Program Files\iTunes
2007-08-25 12:53 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-25 12:53 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-15 04:12 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 04:12 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 04:12 1498112 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 04:12 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 04:12 1022976 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 06:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2006-03-29 19:17:44 56 --sh--r C:\WINDOWS\system32\C00A4DF96F.sys
2006-03-29 19:17:44 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 01:42 C:\WINDOWS\stsystra.exe]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" []
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-25 21:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 18:09]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=01000000
"NoLogoff"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-26 12:03:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-26 12:06:42 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-26 12:06
C:\ComboFix2.txt ... 2007-08-26 10:58

--- E O F ---



HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:36 PM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\linda\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dell.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188099013609
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7174 bytes


Thanks :flowers:

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 26 August 2007 - 11:49 AM

Uninstall the following app under Add/Remove Programs list if found:

MyWaySearch
MyWaySearchAssistant


Also delete this folder if found:

C:\Program Files\MyWaySA

Empty recycle bin.

Then please check and fix the following objects with HijackThis if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dell.myway.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll


Finally,

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report. :thumbsup:

Hi there, stranger!
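The fix list above is built by reading the HijackThis entries one by one. As an added example (not part of this thread and not HijackThis' own code), the script below parses the R0/R1/R3/O2/O4 line formats from the posted log into records and flags the entries a helper would tick: targets under a known-unwanted folder, URLs mentioning an unwanted keyword, and hooks whose backing file is gone. The indicators (the MyWaySA folder, the "myway" keyword) and the sample lines are taken from the log in this thread; the rule set is this example's own heuristic.

```python
"""Flag HijackThis (HJT) log entries for a fix list (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the log posted in this thread, including
# three benign lines (Microsoft default URL, Java BHO, AVG autostart).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dell.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""

SECTION_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class HjtEntry:
    section: str          # "R0", "O2", ...
    raw: str              # the full line as HJT prints it
    target: str           # URL, file path/command, or "(no file)"
    clsid: Optional[str]  # {GUID} if the line carries one


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Split one HJT line into section code, target and optional CLSID."""
    line = line.strip()
    m = SECTION_RE.match(line)
    if not m:
        return None
    section, body = m.groups()
    clsid_m = CLSID_RE.search(body)
    if section.startswith("R") and " = " in body:
        target = body.split(" = ", 1)[1]      # R0/R1: "registry value = URL"
    elif section == "O4" and "] " in body:
        target = body.split("] ", 1)[1]       # O4: "[name] command line"
    else:
        target = body.rsplit(" - ", 1)[-1]    # R3/O2/O9: last " - " field is the file
    return HjtEntry(section, line, target.strip(), clsid_m.group(0) if clsid_m else None)


def flag_entries(log_text: str, unwanted_dirs, url_keywords) -> List[Tuple[HjtEntry, List[str]]]:
    """Return (entry, reasons) for every entry that matches an indicator."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_hjt_line(line)
        if e is None:
            continue
        t = e.target.lower()
        reasons = []
        if t == "(no file)":
            reasons.append("orphaned hook: backing file missing")
        reasons += [f"file under {d}" for d in unwanted_dirs if t.startswith(d.lower())]
        if t.startswith("http"):
            # Crude keyword match over the whole URL, which is how a helper
            # reading the log spots a hijacked start page or ShellNext.
            reasons += [f"URL mentions '{k}'" for k in url_keywords if k.lower() in t]
        if reasons:
            flagged.append((e, reasons))
    return flagged


def fix_list(log_text: str, unwanted_dirs, url_keywords) -> List[str]:
    """The raw HJT lines to tick and fix, in log order."""
    return [e.raw for e, _ in flag_entries(log_text, unwanted_dirs, url_keywords)]


if __name__ == "__main__":
    for entry, why in flag_entries(SAMPLE_LOG, [r"C:\Program Files\MyWaySA"], ["myway"]):
        print(entry.raw, "  <--", "; ".join(why))
```

Run against the sample, it reproduces exactly the five entries listed in the reply above and leaves the Microsoft, Java and AVG lines alone.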

#7 starwarsgeek

starwarsgeek
  • Topic Starter

  • Members
  • 129 posts
  • Gender:Male

Posted 26 August 2007 - 01:16 PM

WOW, that scan found a lot of junk. I thought we were almost done and it was just about clean :thumbsup:


Incident Status Location

Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Potentially unwanted tool:Application/MyWay Not disinfected C:\Config.Msi\3598b7.rbf
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\linda\Cookies\linda@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\linda\Cookies\linda@2o7[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\linda\Cookies\linda@2o7[3].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\linda\Cookies\linda@ad.yieldmanager[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\linda\Cookies\linda@ad.yieldmanager[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\linda\Cookies\linda@ad.yieldmanager[3].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\linda\Cookies\linda@ad.yieldmanager[4].txt
Spyware:Cookie/BannerBank Not disinfected C:\Documents and Settings\linda\Cookies\linda@ad10.bannerbank[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\linda\Cookies\linda@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\linda\Cookies\linda@adrevolver[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\linda\Cookies\linda@adtech[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\linda\Cookies\linda@apmebf[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\linda\Cookies\linda@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\linda\Cookies\linda@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\linda\Cookies\linda@azjmp[10].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\linda\Cookies\linda@azjmp[11].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\linda\Cookies\linda@azjmp[12].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\linda\Cookies\linda@azjmp[13].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\linda\Cookies\linda@azjmp[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\linda\Cookies\linda@azjmp[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\linda\Cookies\linda@azjmp[3].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\linda\Cookies\linda@azjmp[4].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\linda\Cookies\linda@azjmp[5].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\linda\Cookies\linda@azjmp[6].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\linda\Cookies\linda@azjmp[7].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\linda\Cookies\linda@azjmp[8].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\linda\Cookies\linda@azjmp[9].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\linda\Cookies\linda@banners.searchingbooth[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\linda\Cookies\linda@belnk[1].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\linda\Cookies\linda@bfast[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\linda\Cookies\linda@bravenet[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\linda\Cookies\linda@bs.serving-sys[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\linda\Cookies\linda@burstnet[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\linda\Cookies\linda@cgi-bin[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\linda\Cookies\linda@cgi-bin[5].txt
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\linda\Cookies\linda@counter.hitslink[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\linda\Cookies\linda@counter8.sextracker[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\linda\Cookies\linda@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\linda\Cookies\linda@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\linda\Cookies\linda@doubleclick[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\linda\Cookies\linda@doubleclick[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\linda\Cookies\linda@drivecleaner[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\linda\Cookies\linda@ehg-dig.hitbox[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\linda\Cookies\linda@enhance[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\linda\Cookies\linda@fastclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\linda\Cookies\linda@fastclick[2].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\linda\Cookies\linda@findwhat[1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\linda\Cookies\linda@fortunecity[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\linda\Cookies\linda@gostats[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\linda\Cookies\linda@go[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\linda\Cookies\linda@maxserving[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\linda\Cookies\linda@mediaplex[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\linda\Cookies\linda@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\linda\Cookies\linda@overture[2].txt
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\linda\Cookies\linda@paycounter[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\linda\Cookies\linda@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\linda\Cookies\linda@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\linda\Cookies\linda@realmedia[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\linda\Cookies\linda@realmedia[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\linda\Cookies\linda@server.iad.liveperson[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\linda\Cookies\linda@server.iad.liveperson[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\linda\Cookies\linda@serving-sys[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\linda\Cookies\linda@sextracker[1].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\linda\Cookies\linda@stat.onestat[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\linda\Cookies\linda@statse.webtrendslive[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\linda\Cookies\linda@statse.webtrendslive[3].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\linda\Cookies\linda@systemdoctor[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\linda\Cookies\linda@target[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\linda\Cookies\linda@tradedoubler[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\linda\Cookies\linda@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\linda\Cookies\linda@tribalfusion[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\linda\Cookies\linda@tribalfusion[2].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\linda\Cookies\linda@valueclick[2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\linda\Cookies\linda@winantispyware[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\linda\Cookies\linda@winantispyware[2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\linda\Cookies\linda@winantispyware[3].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\linda\Cookies\linda@winantispyware[4].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\linda\Cookies\linda@winantivirus[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\linda\Cookies\linda@www.burstbeacon[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\linda\Cookies\linda@www.drivecleaner[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\linda\Cookies\linda@www.myaffiliateprogram[1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\linda\Cookies\linda@www.systemdoctor[2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\linda\Cookies\linda@yadro[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\linda\Desktop\ComboFix.exe[nircmd.exe]
Adware:Adware/TTC Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\hory22011.exe.vir
Virus:Generic Trojan Disinfected C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir
Virus:Trj/Downloader.PLQ Disinfected C:\QooBox\Quarantine\C\WINDOWS\b138.exe.vir
Adware:Adware/CommAd Not disinfected C:\QooBox\Quarantine\C\WINDOWS\bGluZGE\v35Rt3H.vbs.vir
Adware:Adware/TTC Not disinfected C:\QooBox\Quarantine\C\WINDOWS\tk58.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 27 August 2007 - 02:21 AM

Actually that log is looking pretty good :thumbsup: Most is harmless.

Go ahead and delete the following files & folders:

C:\Config.Msi\3598b7.rbf
C:\Documents and Settings\linda\Desktop\ComboFix.exe
C:\QooBox


----------

Go to Start > Run, type in: regedit and click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to File > Export.
    Make sure in that window there is a tick next to "All" under Export Branch.
    Leave the "Save As Type" as "Registration Files".
    Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click Save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute.

Next, please copy the following text in the quotebox below to a blank notepad file. Make sure the filetype is set to "All Files" and save it as Fixit.reg to your desktop.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]

Now double-click on the Fixit.reg on your desktop and allow it to merge with registry by clicking YES on the prompt.

---------

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

---------

How's the system running now? :flowers:
Hi there, stranger!
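The ActiveScan report posted above and the fix in this reply go together: most lines are tracking cookies or files ComboFix had already quarantined, one is a registry key, and only a couple of files need manual attention. As an added example (not from this thread, nor Panda's or HijackThis' own tooling), the script below parses the report's "Incident Status Location" lines, sorts each finding into a bucket using its own heuristics, and writes the REGEDIT4 deletion stanza used above ("[-Key]" deletes the key). The sample lines are a subset copied from the posted report.

```python
"""Triage a Panda ActiveScan report and emit the .reg fix (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample: eight lines copied from the report posted in this thread.
SAMPLE_REPORT = r"""
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Potentially unwanted tool:Application/MyWay Not disinfected C:\Config.Msi\3598b7.rbf
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\linda\Cookies\linda@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\linda\Cookies\linda@doubleclick[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\linda\Desktop\ComboFix.exe[nircmd.exe]
Adware:Adware/TTC Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\hory22011.exe.vir
Virus:Generic Trojan Disinfected C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
"""

# "Kind:Name Status Location"; the name may contain spaces ("Cookie/Atlas DMT"),
# so it is matched lazily up to the fixed status word.
LINE_RE = re.compile(
    r"^(?P<kind>[^:]+):(?P<name>.+?) (?P<status>Not disinfected|Disinfected) (?P<location>.+)$"
)


class Finding(NamedTuple):
    kind: str
    name: str
    status: str
    location: str


def parse_report(text: str) -> List[Finding]:
    """Parse every well-formed report line; headers and blanks are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(**m.groupdict()))
    return findings


def bucket(f: Finding) -> str:
    """Heuristic triage bucket for one finding (this example's own rules)."""
    loc = f.location
    if loc.upper().startswith("HKEY_"):
        return "registry"             # remove with a .reg file, not a file delete
    if f.name.startswith("Cookie/"):
        return "tracking-cookie"      # data files, cleared by a cookie/temp cleaner
    if "\\QooBox\\Quarantine\\" in loc or f.status == "Disinfected":
        return "already-quarantined"  # ComboFix quarantine, or Panda cleaned it
    if "ComboFix.exe[" in loc:
        return "tool-component"       # a helper tool embedded in the removal tool
    return "review"                   # a real file still on disk: look at it


def triage(text: str) -> Dict[str, List[str]]:
    """Map bucket name -> locations, in report order."""
    buckets = defaultdict(list)
    for f in parse_report(text):
        buckets[bucket(f)].append(f.location)
    return dict(buckets)


def regedit4_delete(keys: List[str]) -> str:
    """REGEDIT4 text that deletes each key; '-' before the key name means delete.
    .reg files conventionally use CRLF line endings."""
    return "REGEDIT4\r\n" + "".join(f"\r\n[-{k}]\r\n" for k in keys)


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for name, locs in result.items():
        print(f"{name} ({len(locs)}):")
        for loc in locs:
            print("   ", loc)
    print(regedit4_delete(result.get("registry", [])))
```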

#9 starwarsgeek

starwarsgeek
  • Topic Starter

  • Members
  • 129 posts
  • Gender:Male

Posted 27 August 2007 - 08:59 AM

The computer is working so much better now, thank you!! I no longer see any popup windows which is great, and it even seems to be running a little faster.

I couldn't find this file to delete:

C:\Config.Msi\3598b7.rbf

Not sure why, but it wasn't in the C: drive, unless I just missed it somehow. I didn't know where else to look for it. Any other way it can be deleted, or is it necessary to delete it anyway?


Thank you so much again :thumbsup:

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 27 August 2007 - 09:12 AM

Go to My Computer > Tools > Folder Options > View tab and make sure that "Show hidden files and folders" is enabled. Also make sure that the system files and folders are showing / visible: uncheck the "Hide protected operating system files" option.

See if you find it now :thumbsup:

If not, it doesn't really matter; the file is pretty much harmless.

----

Please read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. It also has immunization and real-time protection included.
Prevention Programs:
  • Comodo BOClean <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known adsites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have. (Note: only use one at a time)
  • Firewall <= A firewall is definitely a must have. Two good free versions are Kerio Personal Firewall and ZoneLabs. (Note: only use one at a time)
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place?
Hi there, stranger!

#11 starwarsgeek

starwarsgeek
  • Topic Starter

  • Members
  • 129 posts
  • Gender:Male

Posted 27 August 2007 - 11:38 AM

I have all those options checked off, and I see that folder, but it's empty ???

Anyway, thanks again for all your help. I guess that means we're done :thumbsup:

#12 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 27 August 2007 - 11:55 AM

In that case you can delete the entire folder. :thumbsup:

Yes, we're done, unless you're having problems.
Hi there, stranger!

#13 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 09 September 2007 - 11:23 AM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member. :thumbsup:
Hi there, stranger!



