Infected With Adclicker-fk


This topic is locked. 15 replies to this topic.

#1 indymhr
Posted 01 November 2007 - 07:49 PM

Hi - first of all, thanks for any help you can offer. I have an adclicker-fk trojan. It comes up on my McAfee Enterprise VirusScan alert. I get the files in pairs. The first is located in my Documents and Settings\Local Settings\Temp directory and is deleted. The second is in the same place but in the Temporary Internet Files directory and cannot be moved (when I go to look for it I can't find it there). Each time the files are different and seem to be gibberish, like iuhvnnmo.dll, but each time the virus family is the same, such as adclicker-fk or vundo. I have tried cleaning the system as you recommended, but have been unsuccessful. From these efforts, I know I have a file "mljjk.dll" in the system32 folder that I can't delete - one of the scans identified it as a virus but also couldn't clean it - it was called adware.virtumonde.GHB. The same program also found "byxyyaa.dll" and couldn't delete it either - it was a trojan.vundo.DNZ. The problem I have, other than my VirusScan alert popping up every couple of hours with a new infection attempt, is that when I'm online with Internet Explorer I periodically get a new popup browser window for another site - they vary from nuisance sites to hardcore porn. This doesn't seem to be time related, as it will occur about every handful of site navigations, but if I'm on one page for a while a new window will pop up. I have previously tried to clean this with the Ewido scanner, ComboFix, fixware, AdAware, Spybot Search and Destroy, SpywareBlaster, and I tried each of the online scanners - only Defender seemed to do anything - the first locked up in clean up and the second only scanned; it wouldn't clean without upgrading to the pay package. I also ran Stinger. I know that seems like so much rambling, but I'm hoping that more info increases the chances for a fix. Anyway - thanks again for any help you can give. I'm posting my HijackThis file below.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:32, on 2007-11-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
D:\OracleGM\bin\dbsnmp.exe
D:\OracleGM\bin\vppdc.exe
D:\OracleGM\BIN\TNSLSNR.exe
d:\oraclegm\bin\ORACLE.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\SigmaTel\C-MAJO~1\CONTRO~1\stacsrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\indlabfs24\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StacSysTray] C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: http://*.in.gov
O15 - Trusted Zone: http://*.in.gov (HKLM)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = isp.state.in.us
O17 - HKLM\Software\..\Telephony: DomainName = isp.state.in.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = isp.state.in.us
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\system32\schdsrvc.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OracleIFAAgent - Oracle Corporation - D:\OracleGM\bin\dbsnmp.exe
O23 - Service: OracleIFAClientCache - Unknown owner - D:\OracleGM\BIN\ONRSD.EXE
O23 - Service: OracleIFACMAdmin - Unknown owner - D:\OracleGM\BIN\CMADMIN.EXE
O23 - Service: OracleIFACMan - Unknown owner - D:\OracleGM\BIN\CMGW.EXE
O23 - Service: OracleIFADataGatherer - Oracle Corporation - D:\OracleGM\bin\vppdc.exe
O23 - Service: OracleIFATNSListener - Unknown owner - D:\OracleGM\BIN\TNSLSNR.exe
O23 - Service: OracleServiceIFA - Oracle Corporation - d:\oraclegm\bin\ORACLE.EXE
O23 - Service: Sigmatel PassThru (PassThru) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\passthru.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7175 bytes


#2 rookie147
Posted 02 November 2007 - 03:32 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Using My Computer, navigate to where you have HijackThis saved.
Right-click on the HijackThis.exe file.
Select "Rename", call it fluffybunny and press enter.
Use fluffybunny.exe from now on.

Then I would like to see a new HijackThis log using the renamed file. Could you also please let me know if you have used McAfee in the past, or if you are still using it?
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 indymhr (Topic Starter)
Posted 08 November 2007 - 07:17 PM

Hi

Sorry for the delay - I have and still do use McAfee (Enterprise VirusScan). I renamed HijackThis as you requested and my "fluffybunny" log is below.

Thanks for your help - Mike

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:08, on 2007-11-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
D:\OracleGM\bin\dbsnmp.exe
D:\OracleGM\bin\vppdc.exe
D:\OracleGM\BIN\TNSLSNR.exe
d:\oraclegm\bin\ORACLE.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\SigmaTel\C-MAJO~1\CONTRO~1\stacsrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\indlabfs24\Desktop\My Files\My files\hijackthis\fluffybunny.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\byxyyaa.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\dalpbcfg.dll
O2 - BHO: (no name) - {F9DF600E-E77B-4B26-9AD6-36B04E90DD01} - C:\WINDOWS\system32\mljjk.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StacSysTray] C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [a42df633] rundll32.exe "C:\WINDOWS\system32\julnxbwd.dll",b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: http://*.in.gov
O15 - Trusted Zone: http://*.in.gov (HKLM)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = isp.state.in.us
O17 - HKLM\Software\..\Telephony: DomainName = isp.state.in.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = isp.state.in.us
O20 - Winlogon Notify: byxyyaa - C:\WINDOWS\SYSTEM32\byxyyaa.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\system32\schdsrvc.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\bbsikewc.exe (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OracleIFAAgent - Oracle Corporation - D:\OracleGM\bin\dbsnmp.exe
O23 - Service: OracleIFAClientCache - Unknown owner - D:\OracleGM\BIN\ONRSD.EXE
O23 - Service: OracleIFACMAdmin - Unknown owner - D:\OracleGM\BIN\CMADMIN.EXE
O23 - Service: OracleIFACMan - Unknown owner - D:\OracleGM\BIN\CMGW.EXE
O23 - Service: OracleIFADataGatherer - Oracle Corporation - D:\OracleGM\bin\vppdc.exe
O23 - Service: OracleIFATNSListener - Unknown owner - D:\OracleGM\BIN\TNSLSNR.exe
O23 - Service: OracleServiceIFA - Oracle Corporation - d:\oraclegm\bin\ORACLE.EXE
O23 - Service: Sigmatel PassThru (PassThru) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\passthru.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8084 bytes
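
Reading the second log the way a responder would (this note and the script are added here, not part of Mike's post, and not code from BleepingComputer, HijackThis or VundoFix): the entries that matter are the O2 BHOs with "(no name)" pointing at random-named DLLs in system32, the O4 Run value [a42df633] that starts one of those DLLs through rundll32 with a one-letter export, the O20 Winlogon Notify entry for byxyyaa.dll, and the O23 DomainService whose binary is already gone. The O20 line is the one that explains the failed deletions: a Winlogon Notify package is mapped into winlogon.exe at logon, so the file is held open for the whole session and an ordinary delete cannot succeed. Note also that the log prints the same folder as system32 and SYSTEM32, so any comparison has to be case-insensitive. The script parses eight lines copied from the log above (a constructed sample, with three benign entries left in) and applies those four checks plus a cross-reference between O2 and O20. The regexes, the rules and the reason strings are this example's own assumptions, not HijackThis logic.

```python
"""Triage a HijackThis v2 log for the persistence pattern seen in this thread.

Added example for the thread, not code from BleepingComputer, HijackThis or
VundoFix. The sample lines are copied from the second log posted above; the
rules and the cross-reference are this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: eight lines from the second HijackThis log in the thread,
# including three benign entries so the rules have something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\byxyyaa.dll
O2 - BHO: (no name) - {F9DF600E-E77B-4B26-9AD6-36B04E90DD01} - C:\WINDOWS\system32\mljjk.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [a42df633] rundll32.exe "C:\WINDOWS\system32\julnxbwd.dll",b
O20 - Winlogon Notify: byxyyaa - C:\WINDOWS\SYSTEM32\byxyyaa.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\bbsikewc.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

# First drive-letter path ending in .dll/.exe on a line. HijackThis prints paths
# as the registry holds them, so system32 and SYSTEM32 are the same folder:
# every path is lower-cased before comparison.
_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:dll|exe))', re.IGNORECASE)
_ENTRY_RE = re.compile(r"(O\d+|R\d)\s+-\s+(.*)")
_SYSTEM32 = "\\system32\\"


def parse_hjt(text):
    """Return (section, body, path) for each log entry; path is None if absent."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        pm = _PATH_RE.search(body)
        entries.append((section, body, pm.group(1).lower() if pm else None))
    return entries


def _in_system32(path):
    return path is not None and _SYSTEM32 in path


def triage(text):
    """Return sorted (path, reason) findings. The rules are assumptions, not HijackThis logic."""
    findings = set()
    sections_by_path = defaultdict(set)
    for section, body, path in parse_hjt(text):
        if path:
            sections_by_path[path].add(section)
        if section == "O2" and "(no name)" in body and _in_system32(path):
            findings.add((path, "BHO with no name loading from system32"))
        elif (section == "O4" and "rundll32.exe" in body.lower() and _in_system32(path)
              and re.search(r'\.dll",\s*\w$', body.strip(), re.IGNORECASE)):
            findings.add((path, "Run key starts a system32 DLL through rundll32 with a one-letter export"))
        elif section == "O20" and _in_system32(path):
            findings.add((path, "Winlogon Notify package: mapped into winlogon.exe at logon, "
                                "so the file stays locked for the whole session"))
        elif (section == "O23" and "(file missing)" in body
              and "unknown owner" in body.lower() and _in_system32(path)):
            findings.add((path, "service in system32 with unknown owner whose binary is missing; orphaned persistence"))
    # Cross-reference: the same DLL registered both as a BHO and as a Winlogon
    # Notify package explains a delete that fails from a logged-on session.
    for path, sections in sections_by_path.items():
        if {"O2", "O20"} <= sections:
            findings.add((path, "registered as BHO and Winlogon Notify: remove the Notify "
                                "registration (or delete at boot) before the file can go"))
    return sorted(findings)


def flagged_files(text):
    """Basenames of every flagged file, for comparison with what a removal tool reports."""
    return sorted({path.rsplit("\\", 1)[-1] for path, _ in triage(text)})


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{path}\n    {reason}")
```

On a saved log, `triage(open("hijackthis.log").read())` gives the annotated list and `flagged_files` gives the bare file names, which is the list you would paste into a removal tool's "Add More Files" box. The O23 rule deliberately requires both "Unknown owner" and a system32 path, so a leftover entry such as the missing iPodService.exe in Program Files is not flagged.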

#4 rookie147
Posted 09 November 2007 - 03:52 PM

Please download VundoFix to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please include VundoFix.txt and a new HijackThis log in your next reply.
Thanks,
Charles



#5 indymhr (Topic Starter)
Posted 13 November 2007 - 10:29 AM

Hi Charles
I did as you asked, but I also have more information to provide. This is from before I did the VundoFix and HijackThis scans: I have started getting popup balloons saying my computer is severely infected, and I also have two new shortcuts on my desktop - they are "ONLINE SECURITY GUIDE" and "LIFE SAFETY CENTER." Under Properties, they have a target of "htepo.com" - from reading about it, this seems to be related to Virtumonde. I am assuming this is related to my infection. Anyway, the two logs are below - thanks again - Mike

vundofix:


VundoFix V6.5.11

Checking Java version...

Scan started at 09:57:15 2007-11-13

Listing files found while scanning....

C:\windows\system32\byxyyaa.dll
C:\WINDOWS\system32\dalpbcfg.dll
C:\WINDOWS\system32\kxuuvxas.dll

Beginning removal...

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\dalpbcfg.dll
C:\WINDOWS\system32\dalpbcfg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kxuuvxas.dll
C:\WINDOWS\system32\kxuuvxas.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\kxuuvxas.dll
C:\WINDOWS\system32\kxuuvxas.dll Has been deleted!

Performing Repairs to the registry.
Done!


hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18, on 2007-11-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
D:\OracleGM\bin\dbsnmp.exe
D:\OracleGM\bin\vppdc.exe
D:\OracleGM\BIN\TNSLSNR.exe
d:\oraclegm\bin\ORACLE.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\PROGRA~1\SigmaTel\C-MAJO~1\CONTRO~1\stacsrv.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\indlabfs24\Desktop\My Files\My files\hijackthis\fluffybunny.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\byxyyaa.dll
O2 - BHO: (no name) - {AEE0EBB0-3187-42FF-98E8-F37D3D800F62} - C:\WINDOWS\system32\mljjk.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StacSysTray] C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [a42df633] rundll32.exe "C:\WINDOWS\system32\kvkwyfpj.dll",b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: http://*.in.gov
O15 - Trusted Zone: http://*.in.gov (HKLM)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = isp.state.in.us
O17 - HKLM\Software\..\Telephony: DomainName = isp.state.in.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = isp.state.in.us
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\system32\schdsrvc.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\bbsikewc.exe (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OracleIFAAgent - Oracle Corporation - D:\OracleGM\bin\dbsnmp.exe
O23 - Service: OracleIFAClientCache - Unknown owner - D:\OracleGM\BIN\ONRSD.EXE
O23 - Service: OracleIFACMAdmin - Unknown owner - D:\OracleGM\BIN\CMADMIN.EXE
O23 - Service: OracleIFACMan - Unknown owner - D:\OracleGM\BIN\CMGW.EXE
O23 - Service: OracleIFADataGatherer - Oracle Corporation - D:\OracleGM\bin\vppdc.exe
O23 - Service: OracleIFATNSListener - Unknown owner - D:\OracleGM\BIN\TNSLSNR.exe
O23 - Service: OracleServiceIFA - Oracle Corporation - d:\oraclegm\bin\ORACLE.EXE
O23 - Service: Sigmatel PassThru (PassThru) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\passthru.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7819 bytes

#6 rookie147
Posted 13 November 2007 - 03:40 PM

We'll try another method to remove that file.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click "Scan for Vundo" button.
Once the scan is complete, right click inside the listbox (white box) and click "Add More Files"
Copy and paste the entries below into the top boxes:

C:\windows\system32\byxyyaa.dll

Click "Add Files" and click "Close Window".
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your Desktop will go blank as it starts removing Vundo - this is normal.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Please include VundoFix.txt and a new HijackThis log in your next reply.
Thanks,
Charles



#7 indymhr (Topic Starter)
Posted 13 November 2007 - 06:40 PM

Hi again
Unfortunately, that didn't go as smoothly as I could have hoped for. When I started VundoFix, everything was blank. I did a search and nothing came up, even though the txt file said it found the byxyyaa.dll file. None of the buttons had writing; none of the messages included text. I did as you asked and added the path you directed me to. In the text file it shows multiple attempts to delete the file. I think this is because I added it multiple times because I couldn't see it. Anyway, it still failed to delete the file. Everything seemed to work as before, only all of the text was gone. I let it try to remove the Vundo twice and reboot twice, but when my computer came up the second time I closed the VundoFix file as the rest of my computer desktop wouldn't load. After this it froze and wouldn't load my desktop. I logged off and logged back on and it was loaded fine.

Here are the files
Thanks again


VundoFix V6.5.11

Checking Java version...

Scan started at 09:57:15 2007-11-13

Listing files found while scanning....

C:\windows\system32\byxyyaa.dll
C:\WINDOWS\system32\dalpbcfg.dll
C:\WINDOWS\system32\kxuuvxas.dll

Beginning removal...

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\dalpbcfg.dll
C:\WINDOWS\system32\dalpbcfg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kxuuvxas.dll
C:\WINDOWS\system32\kxuuvxas.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\kxuuvxas.dll
C:\WINDOWS\system32\kxuuvxas.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Scan started at 17:57:31 2007-11-13

Listing files found while scanning....

C:\windows\system32\byxyyaa.dll

VundoFix V6.5.11

Checking Java version...

Scan started at 18:10:58 2007-11-13

Listing files found while scanning....

C:\windows\system32\byxyyaa.dll

Beginning removal...

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Performing Repairs to the registry.
Done!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:31, on 2007-11-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
D:\OracleGM\bin\dbsnmp.exe
D:\OracleGM\bin\vppdc.exe
D:\OracleGM\BIN\TNSLSNR.exe
d:\oraclegm\bin\ORACLE.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\SigmaTel\C-MAJO~1\CONTRO~1\stacsrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\indlabfs24\Desktop\My Files\My files\hijackthis\fluffybunny.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6455BB16-13E8-491C-BB0D-7A7401C6B26A} - C:\WINDOWS\system32\mljjk.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\byxyyaa.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StacSysTray] C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [a42df633] rundll32.exe "C:\WINDOWS\system32\kvkwyfpj.dll",b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: http://*.in.gov
O15 - Trusted Zone: http://*.in.gov (HKLM)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = isp.state.in.us
O17 - HKLM\Software\..\Telephony: DomainName = isp.state.in.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = isp.state.in.us
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\system32\schdsrvc.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\bbsikewc.exe (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OracleIFAAgent - Oracle Corporation - D:\OracleGM\bin\dbsnmp.exe
O23 - Service: OracleIFAClientCache - Unknown owner - D:\OracleGM\BIN\ONRSD.EXE
O23 - Service: OracleIFACMAdmin - Unknown owner - D:\OracleGM\BIN\CMADMIN.EXE
O23 - Service: OracleIFACMan - Unknown owner - D:\OracleGM\BIN\CMGW.EXE
O23 - Service: OracleIFADataGatherer - Oracle Corporation - D:\OracleGM\bin\vppdc.exe
O23 - Service: OracleIFATNSListener - Unknown owner - D:\OracleGM\BIN\TNSLSNR.exe
O23 - Service: OracleServiceIFA - Oracle Corporation - d:\oraclegm\bin\ORACLE.EXE
O23 - Service: Sigmatel PassThru (PassThru) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\passthru.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7766 bytes

#8 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 14 November 2007 - 04:33 PM

Hello again indymhr.
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {6455BB16-13E8-491C-BB0D-7A7401C6B26A} - C:\WINDOWS\system32\mljjk.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\byxyyaa.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [a42df633] rundll32.exe "C:\WINDOWS\system32\kvkwyfpj.dll",b
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\bbsikewc.exe (file missing)


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Next, please find and delete the following files (if present):

C:\WINDOWS\system32\mljjk.dll
C:\WINDOWS\system32\byxyyaa.dll
C:\WINDOWS\system32\kvkwyfpj.dll
C:\WINDOWS\system32\bbsikewc.exe

Copy and paste the following text into Notepad:
sc stop DomainService
sc delete DomainService
Save this as "services.bat". Choose to save as "All Files" and place it on your Desktop.
Double-click services.bat.

Reboot into Normal Mode again.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.

Then scan once more with HijackThis and post the log in your reply along with the Combofix report.
Thanks,
Charles

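The triage the helper applied above, written out as an added example (this is not code from the thread, from HijackThis or from the helper): a Python script that reads HijackThis-format lines and flags the same kinds of entry the fix list targets, then derives the list of system32 files to remove from them. The sample lines are copied from the log posted in reply #7 with a few clean entries left in so the rules can be seen skipping them. The heuristics are this example's assumptions, not HijackThis rules: a "random-looking" file stem is taken to be 5 to 9 lowercase letters with no digits, and that signal is only applied to entries that already lack a name or publisher, because legitimate Windows binaries of that shape exist (smss, lsass, svchost).

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

# Constructed sample: lines copied from the HijackThis log posted in reply #7,
# with a few clean entries kept so the rules can be seen skipping them.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6455BB16-13E8-491C-BB0D-7A7401C6B26A} - C:\WINDOWS\system32\mljjk.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\byxyyaa.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [a42df633] rundll32.exe "C:\WINDOWS\system32\kvkwyfpj.dll",b
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\bbsikewc.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

# Assumption of this example: a stem of 5 to 9 lowercase letters and nothing else
# counts as "random-looking". Only used together with another weak signal.
RANDOM_STEM = re.compile(r"^[a-z]{5,9}$")
SYSTEM32_FILE = re.compile(r"system32\\([A-Za-z0-9_]+)\.(dll|exe)\b", re.I)
HEX_VALUE_NAME = re.compile(r"\[([0-9a-f]{6,})\]")  # Run value names like [a42df633]


def system32_file(line):
    """Return (stem, ext) for a dll/exe directly under system32 named in the line, else None."""
    m = SYSTEM32_FILE.search(line)
    return (m.group(1), m.group(2).lower()) if m else None


def triage(log_text):
    """Return one Finding per HijackThis entry that matches a suspicious pattern."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^([RO]\d+) - ", line)
        if not m:
            continue  # header, process list, footer: not an R/O entry
        section = m.group(1)
        hit = system32_file(line)
        random_system32 = hit is not None and RANDOM_STEM.match(hit[0]) is not None

        if section == "R0" and line.endswith("about:blank"):
            findings.append(Finding(section, "start page set to about:blank", line))
        elif section == "O2" and "(no name)" in line:
            reason = "BHO registered with no name"
            if random_system32:
                reason += ", random-looking DLL in system32"
            findings.append(Finding(section, reason, line))
        elif section == "O3" and "(no file)" in line:
            findings.append(Finding(section, "toolbar CLSID with no backing file", line))
        elif section == "O4" and "rundll32" in line.lower() and random_system32:
            reason = "rundll32 loading a random-looking DLL from system32"
            if HEX_VALUE_NAME.search(line):
                reason += ", hex-only Run value name"
            findings.append(Finding(section, reason, line))
        elif section == "O23" and "(file missing)" in line:
            findings.append(Finding(section, "service points at a missing binary", line))
        elif section == "O23" and "Unknown owner" in line and random_system32:
            findings.append(Finding(section, "service with unknown owner and random-looking name", line))
    return findings


def delete_candidates(findings):
    """Full system32 paths of random-looking files named by flagged entries, first-seen order."""
    paths = []
    for f in findings:
        hit = system32_file(f.line)
        if hit and RANDOM_STEM.match(hit[0]):
            path = rf"C:\WINDOWS\system32\{hit[0]}.{hit[1]}"
            if path not in paths:
                paths.append(path)
    return paths


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
    print("\nFiles to check in Safe Mode:")
    for p in delete_candidates(results):
        print("  " + p)
```

Run against the sample, the script flags the six entries the helper put on the fix list and reproduces the four-file delete list from the Safe Mode step, while leaving the Adobe, Synaptics and RealVNC entries alone. The "(file missing)" and "(no file)" checks are the strongest signals here because they describe orphaned registrations, not file names; the name heuristic is the weakest and is deliberately never applied on its own.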


#9 indymhr

indymhr
  • Topic Starter

  • Members
  • 31 posts

Posted 15 November 2007 - 07:13 PM

Hi
OK, I have done as you asked - I did the HJT fix - I went into Safe Mode and either those dlls weren't there or I deleted them (with hidden files shown) - I made and ran the batch file and I ran combofix and HJT - Things do seem to be improving as I'm not getting popups - anyway here are the logs and again my thanks for all your help

ComboFix 07-11-08.1 - INDLABFS24 2007-11-15 18:37:10.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.526 [GMT -5:00]
Running from: C:\Documents and Settings\indlabfs24\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cjowaxgi.dllbox
C:\WINDOWS\system32\kxuuvxas.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-15 18:34 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-14 09:42 144,480 --a------ C:\WINDOWS\system32\wtdyveqo.dll
2007-11-13 09:39 144,480 --a------ C:\WINDOWS\system32\netsrsax.dll
2007-11-09 09:42 88,128 --a------ C:\WINDOWS\system32\pleqloar.dll
2007-11-07 10:02 653,991 ---hs---- C:\WINDOWS\system32\kjjlm.bak2
2007-11-01 19:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-01 19:05 <DIR> d-------- C:\quarantine
2007-11-01 19:05 423,917 ---hs---- C:\WINDOWS\system32\kjjlm.bak1
2007-11-01 18:11 <DIR> d-------- C:\Documents and Settings\indlabfs24\Application Data\Grisoft
2007-11-01 18:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-01 17:42 <DIR> d-------- C:\hijackthis
2007-11-01 11:44 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-01 10:48 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-01 09:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-01 08:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-31 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-29 18:56 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-10-29 18:56 <DIR> d-------- C:\TEMP\mZOr
2007-10-15 08:10 <DIR> d-------- C:\Program Files\Enterprise Vault

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-01 18:48 --------- d-----w C:\Program Files\QuickTime
2007-11-01 18:44 --------- d-----w C:\Program Files\Common Files\Altiris
2007-11-01 13:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-03 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-24 14:13 --------- d-----w C:\Program Files\WinPerformance
2007-09-21 13:59 --------- d-----w C:\Program Files\PerfInfo
2007-04-25 23:48 3,584 --sha-w C:\Program Files\Common Files\Thumbs.db
2005-11-15 20:32 3,638 ----a-r C:\Program Files\Common Files\Altiris_Icon.ico
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-10-24 08:21 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-09 17:09]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-09 17:09]
"StacSysTray"="C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe" [2003-10-15 19:13]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 21:42]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 23:10]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 08:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48]
"AeXAgentLogon"="C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2006-07-25 17:56]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-581718712-1334209306-25656452-3707\Scripts\Logon\0\0]
"Script"=\\isp.state.in.us\netlogon\capinst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-581718712-1334209306-25656452-3707\Scripts\Logon\1\0]
"Script"=\\isp.state.in.us\netlogon\empid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-581718712-1334209306-25656452-6036\Scripts\Logon\0\0]
"Script"=\\isp.state.in.us\netlogon\empid.exe

R1 CCDevice;CCDevice;C:\WINDOWS\system32\drivers\CCDevice.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe
R2 OracleIFAAgent;OracleIFAAgent;D:\OracleGM\bin\dbsnmp.exe
R2 OracleIFADataGatherer;OracleIFADataGatherer;D:\OracleGM\bin\vppdc.exe
R2 OracleIFATNSListener;OracleIFATNSListener;D:\OracleGM\BIN\TNSLSNR
R2 OracleServiceIFA;OracleServiceIFA;d:\oraclegm\bin\ORACLE.EXE IFA
R2 Wuser32;SMS Remote Control Agent;C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
R3 idisw2km;idisw2km;C:\WINDOWS\system32\DRIVERS\idisw2km.sys
R3 kbstuff;SMS Virtual Keyboard;C:\WINDOWS\system32\DRIVERS\kbstuff5.sys
S3 OracleIFAClientCache;OracleIFAClientCache;D:\OracleGM\BIN\ONRSD.EXE
S3 OracleIFACMAdmin;OracleIFACMAdmin;D:\OracleGM\BIN\CMADMIN.EXE
S3 OracleIFACMan;OracleIFACMan;D:\OracleGM\BIN\CMGW.EXE
S3 prepdrvr;SMS Process Event Driver;\??\C:\WINDOWS\system32\CCM\prepdrv.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cd2ec77-80e4-11db-8b54-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2006-12-01 02:41:26 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-12-15 22:45:01 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 18:43:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-15 18:44:57 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-31 10:10
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:08, on 2007-11-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
D:\OracleGM\bin\dbsnmp.exe
D:\OracleGM\bin\vppdc.exe
D:\OracleGM\BIN\TNSLSNR.exe
d:\oraclegm\bin\ORACLE.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\PROGRA~1\SigmaTel\C-MAJO~1\CONTRO~1\stacsrv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\indlabfs24\Desktop\My Files\My files\hijackthis\fluffybunny.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StacSysTray] C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: http://*.in.gov
O15 - Trusted Zone: http://*.in.gov (HKLM)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = isp.state.in.us
O17 - HKLM\Software\..\Telephony: DomainName = isp.state.in.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = isp.state.in.us
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\system32\schdsrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OracleIFAAgent - Oracle Corporation - D:\OracleGM\bin\dbsnmp.exe
O23 - Service: OracleIFAClientCache - Unknown owner - D:\OracleGM\BIN\ONRSD.EXE
O23 - Service: OracleIFACMAdmin - Unknown owner - D:\OracleGM\BIN\CMADMIN.EXE
O23 - Service: OracleIFACMan - Unknown owner - D:\OracleGM\BIN\CMGW.EXE
O23 - Service: OracleIFADataGatherer - Oracle Corporation - D:\OracleGM\bin\vppdc.exe
O23 - Service: OracleIFATNSListener - Unknown owner - D:\OracleGM\BIN\TNSLSNR.exe
O23 - Service: OracleServiceIFA - Oracle Corporation - d:\oraclegm\bin\ORACLE.EXE
O23 - Service: Sigmatel PassThru (PassThru) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\passthru.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6616 bytes

#10 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 16 November 2007 - 04:18 PM

Hello again indymhr.
Open Notepad - don't use any other text editor or the script will fail.
Copy and paste the text in the quotebox below into the document:

File::
C:\WINDOWS\system32\wtdyveqo.dll
C:\WINDOWS\system32\netsrsax.dll
C:\WINDOWS\system32\pleqloar.dll
C:\WINDOWS\system32\kjjlm.bak2
C:\WINDOWS\system32\kjjlm.bak1

Folder::
C:\WINDOWS\system32\Mz02r
C:\TEMP\mZOr

Save this as a text file named CFScript.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below:
[Screenshot: dragging CFScript onto ComboFix.exe]
This will start ComboFix again.
In your reply I would like the Combofix log.
Thanks,
Charles



#11 indymhr

indymhr
  • Topic Starter

  • Members
  • 31 posts

Posted 16 November 2007 - 06:50 PM

Hi Charles
I have done as you have requested - it seemed to work. I've attached the combofix log. Thanks again for all your help.

Mike

ComboFix 07-11-08.1 - indlabfs24 2007-11-16 18:38:13.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.482 [GMT -5:00]
Running from: C:\Documents and Settings\indlabfs24\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\indlabfs24\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\kjjlm.bak1
C:\WINDOWS\system32\kjjlm.bak2
C:\WINDOWS\system32\netsrsax.dll
C:\WINDOWS\system32\pleqloar.dll
C:\WINDOWS\system32\wtdyveqo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\TEMP\mZOr
C:\WINDOWS\system32\kjjlm.bak1
C:\WINDOWS\system32\kjjlm.bak2
C:\WINDOWS\system32\Mz02r
C:\WINDOWS\system32\netsrsax.dll
C:\WINDOWS\system32\pleqloar.dll
C:\WINDOWS\system32\wtdyveqo.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.

2007-11-15 18:34 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-01 19:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-01 19:05 <DIR> d-------- C:\quarantine
2007-11-01 18:11 <DIR> d-------- C:\Documents and Settings\indlabfs24\Application Data\Grisoft
2007-11-01 18:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-01 17:42 <DIR> d-------- C:\hijackthis
2007-11-01 11:44 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-01 10:48 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-01 09:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-01 08:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-31 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-01 18:48 --------- d-----w C:\Program Files\QuickTime
2007-11-01 18:44 --------- d-----w C:\Program Files\Common Files\Altiris
2007-11-01 13:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-15 13:10 --------- d-----w C:\Program Files\Enterprise Vault
2007-10-03 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-24 14:13 --------- d-----w C:\Program Files\WinPerformance
2007-09-21 13:59 --------- d-----w C:\Program Files\PerfInfo
2007-04-25 23:48 3,584 --sha-w C:\Program Files\Common Files\Thumbs.db
2005-11-15 20:32 3,638 ----a-r C:\Program Files\Common Files\Altiris_Icon.ico
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-10-24 08:21 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-09 17:09]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-09 17:09]
"StacSysTray"="C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe" [2003-10-15 19:13]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 21:42]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 23:10]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 08:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48]
"AeXAgentLogon"="C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2006-07-25 17:56]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-581718712-1334209306-25656452-3707\Scripts\Logon\0\0]
"Script"=\\isp.state.in.us\netlogon\capinst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-581718712-1334209306-25656452-3707\Scripts\Logon\1\0]
"Script"=\\isp.state.in.us\netlogon\empid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-581718712-1334209306-25656452-6036\Scripts\Logon\0\0]
"Script"=\\isp.state.in.us\netlogon\empid.exe

R1 CCDevice;CCDevice;C:\WINDOWS\system32\drivers\CCDevice.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe
R2 OracleIFAAgent;OracleIFAAgent;D:\OracleGM\bin\dbsnmp.exe
R2 OracleIFADataGatherer;OracleIFADataGatherer;D:\OracleGM\bin\vppdc.exe
R2 OracleIFATNSListener;OracleIFATNSListener;D:\OracleGM\BIN\TNSLSNR
R2 OracleServiceIFA;OracleServiceIFA;d:\oraclegm\bin\ORACLE.EXE IFA
R2 Wuser32;SMS Remote Control Agent;C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
R3 idisw2km;idisw2km;C:\WINDOWS\system32\DRIVERS\idisw2km.sys
R3 kbstuff;SMS Virtual Keyboard;C:\WINDOWS\system32\DRIVERS\kbstuff5.sys
S3 OracleIFAClientCache;OracleIFAClientCache;D:\OracleGM\BIN\ONRSD.EXE
S3 OracleIFACMAdmin;OracleIFACMAdmin;D:\OracleGM\BIN\CMADMIN.EXE
S3 OracleIFACMan;OracleIFACMan;D:\OracleGM\BIN\CMGW.EXE
S3 prepdrvr;SMS Process Event Driver;\??\C:\WINDOWS\system32\CCM\prepdrv.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cd2ec77-80e4-11db-8b54-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
"2006-12-01 02:41:26 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-12-15 22:45:01 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 18:44:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-16 18:46:24 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-15 18:44
.
--- E O F ---
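
The "Reg Loading Points" and service lines in the ComboFix report above are the part of the log a helper actually reads: every `"Name"="command" [timestamp]` line is a value under a Run key, and every `R2 Name;Display;path` line is a service or driver with its image path. As an added example that is not part of this thread (it is the editor's code, not the posters' and not anything ComboFix itself does), the following Python parses that layout and flags entries worth a closer look using two heuristics: an autostart whose command line lives under a temporary or cache directory (the poster reported the dropped files under Local Settings\Temp and Temporary Internet Files), and a Run value that starts `rundll32` to load a DLL. The sample input is constructed: the four named lines copy the format of entries in the log above, and every `hypothetical*` entry is invented for the demo and was not on the poster's machine. A hit means "review this", not "this is malware".

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the "Reg Loading Points" layout ComboFix uses.
# The SynTPEnh, ShStatEXE, NaiAvTdi1 and CcmExec lines follow the format of
# entries in the log above; every "hypothetical*" entry is invented for this
# demo and was NOT on the poster's machine.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-09 17:09]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 08:00]
"hypothetical1"="C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\example.dll,s"
"hypothetical2"="C:\Documents and Settings\user\Local Settings\Temp\update.exe" [2007-11-01 12:00]

R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe
S3 hypothetical3;hypothetical3;C:\Documents and Settings\user\Local Settings\Temporary Internet Files\x.sys
"""

# "Name"="command" [timestamp ...]   (the bracketed part is optional)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?:\s+\[(?P<stamp>[^\]]*)\])?\s*$')
# R2 ServiceName;Display Name;image path   (R = running, S = stopped)
SVC_RE = re.compile(r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+)$')
# rundll32 [path\]name.dll,entry  -- a DLL started through the Run key
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s",]+\.dll)', re.I)

# Locations a legitimate autostart almost never lives in. The thread's
# reported drops were under Local Settings\Temp and Temporary Internet Files.
TEMP_MARKERS = (
    r"\local settings\temp",
    r"\temporary internet files",
    r"\windows\temp",
    r"\recycler",
)


@dataclass
class Entry:
    kind: str                 # "run" or "service R2" / "service S3" ...
    name: str
    command: str              # command line or image path as ComboFix printed it
    stamp: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def parse_loading_points(text: str) -> List[Entry]:
    """Turn the Run-key and service lines of a ComboFix report into Entry objects."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry("run", m["name"], m["cmd"], m["stamp"]))
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append(Entry("service " + m["state"], m["name"], m["path"]))
    return entries


def review(entry: Entry) -> List[str]:
    """Heuristic reasons to look closer at one autostart; an empty list means nothing odd."""
    reasons = []
    low = entry.command.lower()
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append("runs from a temporary or cache directory")
    m = RUNDLL_RE.search(entry.command)
    if m:
        reasons.append("rundll32 loading " + m.group(1))
    return reasons


def triage(text: str) -> List[Entry]:
    """Parse a report and return only the entries that earned at least one reason."""
    flagged = []
    for entry in parse_loading_points(text):
        entry.reasons = review(entry)
        if entry.reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:<11} {e.name:<16} {e.command}")
        for r in e.reasons:
            print(f"{'':<11} -> {r}")
```

Run against the constructed sample, only the three `hypothetical*` entries are reported; the Synaptics, McAfee and SMS lines pass. Anything the script flags still has to be checked by hand (vendor, signature, file timestamp), because a legitimate installer can also launch through rundll32 or leave a helper in a temp folder.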

#12 rookie147 (Members, 5,321 posts)

Posted 17 November 2007 - 05:37 PM

Can I have a little bit of information about how things appear to be running now, please?

If you are pleased with the service I have offered, you may like to consider making a donation.


#13 indymhr (Topic Starter, Members, 31 posts)

Posted 19 November 2007 - 07:28 PM

Hi

#14 indymhr (Topic Starter, Members, 31 posts)

Posted 19 November 2007 - 07:31 PM

Oops
Hit the wrong key - sorry for the delay. Things seem to be running really well - I haven't had any pop-ups or VirusScan messages in several days (since about two fixes ago). I hope this means that it's taken care of.
Many thanks and let me know what you think
Mike

#15 rookie147 (Members, 5,321 posts)

Posted 20 November 2007 - 02:53 AM

I think that we're done then - good job :thumbsup:
Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting re-infected:

Set your system to not show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Do not show hidden files and folders".
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

In order to protect yourself against spyware, you should consider installing and running the following free programs:
Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place.
Thanks and happy computing,
Charles

