
Security Toolbar 7.1 Virus


This topic is locked
24 replies to this topic

#1 IcyB (Members, 30 posts)

Posted 11 December 2007 - 03:52 AM

I have come down with the Security Toolbar 7.1 virus. I've been trying to get rid of this thing for over 6 hours now. Nothing seems to work. I've done just about everything all the help topics on Google have told me to do. Please help, I am open to anything.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:15 AM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\jmausaob.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\VTTimer.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\8XI9BD9W\HiJackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {2e5cc246-41ea-b179-4ed4-15313b033b01} - {10b330b3-1351-4de4-971b-ae14642cc5e2} - C:\WINDOWS\system32\nxmvinxm.dll
O2 - BHO: (no name) - {4F891ABD-1624-4D0A-8E40-14AB718AEE38} - C:\WINDOWS\system32\jkklj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\tysjwfxg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\ssqolki.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\tysjwfxg.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1174616639687
O17 - HKLM\System\CCS\Services\Tcpip\..\{85089B73-3D0E-40CB-8881-9656E20087DC}: NameServer = 68.2.16.30,68.1.208.30
O20 - Winlogon Notify: ssqolki - C:\WINDOWS\SYSTEM32\ssqolki.dll
O20 - Winlogon Notify: tysjwfxg - C:\WINDOWS\SYSTEM32\tysjwfxg.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\jmausaob.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7750 bytes


#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 11 December 2007 - 07:53 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, IcyB.
My name is Richie and I'll be helping you to fix your problems.

Please move HijackThis.exe to a permanent folder on the hard drive, such as C:\HJT.
Create a new folder and place your HijackThis.exe inside that folder, so that the backups of log changes it creates are saved in the same folder and can be used to reverse a line entry deletion if that proves necessary.
If HijackThis is used from a temp folder, it is in danger of being accidentally deleted by Disk Cleanup or similar tools.

How to create a new folder named HJT
1. Click Start/My Computer, in the 'My Computer' window, open the window in which you want to create the new folder, click on Local Disk C:
2. From the 'File' menu choose 'New'.
3. From the 'New' menu choose 'Folder'.
4. Type the folder name: HJT
5. Then press Enter.

If you need help, follow the info in the link below:
http://russelltexas.com/malware/createhjtfolder.htm


Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#3 IcyB (Topic Starter, Members, 30 posts)

Posted 12 December 2007 - 03:20 PM

I am sorry for the late reply but I have been very busy, in fact I haven't been home for a couple of days, I've been spending the night at the dorms at school. I don't want you to think that your hard work has gone unnoticed. I will do all that you said to do when I get back home, then I will post again. Thank you.

BTW, since I posted the HijackThis log I've gone ahead and taken another member's advice and run SUPERAntiSpyware as well as anti-SmitFraud software... should I post another HijackThis log? Because those changes would not be reflected in the HijackThis log that I posted in this forum.

I'll post back when I get home either tonight or tomorrow... thank you again.

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 12 December 2007 - 06:55 PM

Follow the Combofix instructions above please.
Also post a new Hijackthis log.

#5 IcyB (Topic Starter, Members, 30 posts)

Posted 14 December 2007 - 04:29 PM

OK, I went ahead and did everything you said, step by step, however I think I've run into a problem. When I ran ComboFix it went through the process smoothly until it got to the deleting files and folders part... it just stayed on that screen for about an hour. Is it supposed to take that long?

#6 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 14 December 2007 - 06:15 PM

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open two Notepads: main.txt and extra.txt
* Use Save As to save both Notepad files to your Desktop and post them in your next reply.

#7 IcyB (Topic Starter, Members, 30 posts)

Posted 15 December 2007 - 06:16 PM

Here it is. Thank you for your continued help, you are really helpful.

Deckard's System Scanner v20071014.68
Run by Compaq_Owner on 2007-12-16 16:09:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 87% (more than 75%).
Total Physical Memory: 192 MiB (512 MiB recommended).


-- HijackThis (run as Compaq_Owner.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:09, on 2007-12-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\alllkact.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\VTTimer.exe
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dss.exe
C:\HJT\Compaq_Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O2 - BHO: {ec10e545-a0fe-51ab-8294-5a9f62363060} - {06036326-f9a5-4928-ba15-ef0a545e01ce} - C:\WINDOWS\system32\kvnkcqdq.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {90DA32D2-116D-4F9D-8B04-E5BB7469912C} - C:\WINDOWS\system32\jkklj.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\tysjwfxg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\ssqolki.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\tysjwfxg.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [0027b6eb] rundll32.exe "C:\WINDOWS\system32\bgikhbrj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1174616639687
O17 - HKLM\System\CCS\Services\Tcpip\..\{85089B73-3D0E-40CB-8881-9656E20087DC}: NameServer = 68.2.16.30,68.1.208.30
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqolki - C:\WINDOWS\SYSTEM32\ssqolki.dll
O20 - Winlogon Notify: tysjwfxg - C:\WINDOWS\SYSTEM32\tysjwfxg.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\alllkact.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6962 bytes

-- Files created between 2007-11-16 and 2007-12-16 -----------------------------

2007-12-16 13:11:05 85568 --a------ C:\WINDOWS\system32\bgikhbrj.dll
2007-12-16 13:08:04 80448 --a------ C:\WINDOWS\system32\kvnkcqdq.dll
2007-12-16 13:07:00 74304 --a------ C:\WINDOWS\system32\alllkact.exe <Not Verified; ; DDC>
2007-12-14 12:57:48 0 d-------- C:\Program Files\Sun
2007-12-14 12:52:30 0 d-------- C:\Program Files\Java
2007-12-14 12:51:51 0 d-------- C:\Program Files\Common Files\Java
2007-12-14 12:27:49 0 d-------- C:\HJT
2007-12-14 11:50:11 80448 --a------ C:\WINDOWS\system32\nmtokcba.dll
2007-12-14 11:49:42 74304 --a------ C:\WINDOWS\system32\xnhoxwas.exe <Not Verified; ; DDC>
2007-12-11 04:02:15 0 d-------- C:\Program Files\honestech
2007-12-11 02:34:42 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-11 02:34:14 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-11 02:34:11 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2007-12-11 02:11:13 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-12-11 02:11:13 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-12-11 02:11:13 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-12-11 02:11:13 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-12-11 02:11:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-11 02:11:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-11 02:11:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2007-12-11 02:11:13 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-11 02:11:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterMute
2007-12-11 02:11:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-12-11 02:11:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-12-11 02:11:12 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-11 02:11:12 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-12-11 02:11:12 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-12-11 02:11:12 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-12-11 02:11:12 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-12-11 02:11:12 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-12-11 02:11:12 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-12-11 02:11:12 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-12-11 02:11:12 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-12-11 02:11:12 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-12-11 02:06:53 2792 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-11 00:28:18 0 d-------- C:\RootkitNO
2007-12-10 20:18:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-10 20:07:15 1152 --a------ C:\WINDOWS\system32\windrv.sys
2007-12-10 20:06:31 0 d-------- C:\Program Files\Common Files\Download Manager
2007-12-10 19:55:36 80448 --a------ C:\WINDOWS\system32\nxmvinxm.dll
2007-12-10 19:55:30 85568 --a------ C:\WINDOWS\system32\eetbkrnp.dll
2007-12-10 19:53:04 74304 --a------ C:\WINDOWS\system32\boxehmcy.exe <Not Verified; ; DDC>
2007-12-10 01:20:57 80448 --a------ C:\WINDOWS\system32\usqjmonm.dll
2007-12-10 01:14:44 145984 --a------ C:\WINDOWS\system32\tysjwfxg.dll
2007-12-10 01:14:19 145984 --a------ C:\WINDOWS\system32\qweuqdrf.dll
2007-12-10 01:14:03 74304 -----n--- C:\WINDOWS\system32\jmausaob.exe <Not Verified; ; DDC>
2007-12-09 01:13:28 430596 --ahs---- C:\WINDOWS\system32\jlkkj.ini2
2007-12-09 01:13:21 330848 -----n--- C:\WINDOWS\system32\jkklj.dll
2007-12-09 01:08:29 0 d-------- C:\Program Files\QdrPack
2007-12-09 01:08:24 35840 --a------ C:\WINDOWS\mrofinu72.exe
2007-12-09 01:08:13 36352 -----n--- C:\WINDOWS\system32\ssqolki.dll
2007-12-09 01:08:09 0 d-------- C:\Program Files\QdrDrive
2007-12-09 01:07:57 40183 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2007-11-24 12:42:49 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\DivX


-- Find3M Report ---------------------------------------------------------------

2007-12-14 12:51:51 0 d-------- C:\Program Files\Common Files
2007-12-11 05:36:04 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\LimeWire
2007-12-11 04:02:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-11 02:33:32 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-10 22:48:37 0 d-------- C:\Program Files\Common Files\Authentium Shared
2007-12-10 01:17:57 0 d-------- C:\Program Files\mIRC
2007-11-24 12:41:53 0 d-------- C:\Program Files\DivX
2007-10-19 17:56:16 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-10-19 17:54:28 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-10-19 17:54:28 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-10-19 17:54:12 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-10-19 17:54:12 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2007-10-19 17:54:12 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2007-10-19 17:54:10 739840 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2007-10-18 02:02:34 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06036326-f9a5-4928-ba15-ef0a545e01ce}]
2007-12-16 13:08 80448 --a------ C:\WINDOWS\system32\kvnkcqdq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90DA32D2-116D-4F9D-8B04-E5BB7469912C}]
2007-12-09 01:13 330848 --------- C:\WINDOWS\system32\jkklj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-12-10 01:14 145984 --a------ C:\WINDOWS\system32\tysjwfxg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
2007-12-09 01:08 36352 --------- C:\WINDOWS\system32\ssqolki.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 22:34]
"SMSERIAL"="sm56hlpr.exe" [2005-01-24 02:56 C:\WINDOWS\sm56hlpr.exe]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 13:54]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-05-06 22:14]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-06 22:23]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"0027b6eb"="C:\WINDOWS\system32\bgikhbrj.dll" [2007-12-16 13:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 14:53]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-07-17 18:23:48]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\ssqolki.dll [2007-12-09 01:08 36352]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqolki]
ssqolki.dll 2007-12-09 01:08 36352 C:\WINDOWS\system32\ssqolki.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tysjwfxg]
tysjwfxg.dll 2007-12-10 01:14 145984 C:\WINDOWS\system32\tysjwfxg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkklj.dll

#8 IcyB (Topic Starter, Members, 30 posts)

Posted 15 December 2007 - 06:51 PM

It also did not give me the second document, extra.txt... only main.txt.

Edited by IcyB, 15 December 2007 - 06:51 PM.


#9 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 16 December 2007 - 05:11 AM

Please download OTMoveIt by OldTimer, save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):
C:\WINDOWS\system32\bgikhbrj.dll
C:\WINDOWS\system32\kvnkcqdq.dll
C:\WINDOWS\system32\alllkact.exe
C:\WINDOWS\system32\nmtokcba.dll
C:\WINDOWS\system32\xnhoxwas.exe
C:\WINDOWS\system32\nxmvinxm.dll
C:\WINDOWS\system32\eetbkrnp.dll
C:\WINDOWS\system32\boxehmcy.exe
C:\WINDOWS\system32\usqjmonm.dll
C:\WINDOWS\system32\tysjwfxg.dll
C:\WINDOWS\system32\qweuqdrf.dll
C:\WINDOWS\system32\jmausaob.exe
C:\WINDOWS\system32\jlkkj.ini2
C:\WINDOWS\system32\jkklj.dll
C:\Program Files\QdrPack
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\ssqolki.dll
C:\Program Files\QdrDrive
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg, and save it to your desktop.
Then double-click the fix.reg file on your desktop and agree to merge the information into the registry, then restart your PC.

REGEDIT4
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06036326-f9a5-4928-ba15-ef0a545e01ce}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90DA32D2-116D-4F9D-8B04-E5BB7469912C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"0027b6eb"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"=-
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqolki]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tysjwfxg]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
; REG_MULTI_SZ holding the single entry "msv1_0"
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Also post a new Hijackthis log please.

#10 IcyB (Topic Starter, Members, 30 posts, Local time: 02:30 AM)

Posted 16 December 2007 - 03:00 PM

The first time I ran the program it would not let me copy the text; the whole thing froze up and I had to restart my PC. However, it did give me results and a lot of things were removed. I did it a second time and found that a lot of the .dll files that are said not to be found were removed the first time. I am about to do the second part of your instructions.

File/Folder C:\WINDOWS\system32\bgikhbrj.dll not found.
File/Folder C:\WINDOWS\system32\kvnkcqdq.dll not found.
File/Folder C:\WINDOWS\system32\alllkact.exe not found.
File/Folder C:\WINDOWS\system32\nmtokcba.dll not found.
File/Folder C:\WINDOWS\system32\xnhoxwas.exe not found.
File/Folder C:\WINDOWS\system32\nxmvinxm.dll not found.
File/Folder C:\WINDOWS\system32\eetbkrnp.dll not found.
File/Folder C:\WINDOWS\system32\boxehmcy.exe not found.
File/Folder C:\WINDOWS\system32\usqjmonm.dll not found.
C:\WINDOWS\system32\tysjwfxg.dll unregistered successfully.
File move failed. C:\WINDOWS\system32\tysjwfxg.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\qweuqdrf.dll not found.
File/Folder C:\WINDOWS\system32\jmausaob.exe not found.
C:\WINDOWS\system32\jlkkj.ini2 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\jkklj.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\jkklj.dll scheduled to be moved on reboot.
File/Folder C:\Program Files\QdrPack not found.
File/Folder C:\WINDOWS\mrofinu72.exe not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ssqolki.dll
C:\WINDOWS\system32\ssqolki.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\ssqolki.dll scheduled to be moved on reboot.
File/Folder C:\Program Files\QdrDrive not found.
File/Folder C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe not found.

Created on 12172007_125650

#11 IcyB (Topic Starter, Members, 30 posts, Local time: 02:30 AM)

Posted 16 December 2007 - 03:10 PM

All steps have been completed.

Here is my hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:07, on 2007-12-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\VTTimer.exe

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\tysjwfxg.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1174616639687
O17 - HKLM\System\CCS\Services\Tcpip\..\{85089B73-3D0E-40CB-8881-9656E20087DC}: NameServer = 68.2.16.30,68.1.208.30
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\alllkact.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5524 bytes

#12 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts, Local time: 08:30 AM)

Posted 16 December 2007 - 03:31 PM

Copy and paste the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.bat, and save it to your desktop.
Then double-click the fix.bat file on your desktop.
You'll see a black screen flash; that's normal.

@echo off
sc stop DomainService
sc delete DomainService

Restart your pc.

Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):
C:\WINDOWS\system32\tysjwfxg.dll
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\tysjwfxg.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Exit Hijackthis.

It appears you've no virus protection installed.
Please download/install Avira AntiVir Personal Edition Classic [Free]:
http://www.free-av.com/
Perform a full scan with Avira and allow it to delete everything it detects.
Restart your PC when you're done.
After restart, open Avira Antivirus and select "Reports".
Then double-click the report from the full scan you have just completed.
Click the "Report File" button, then copy and paste the report into your next reply.

Also post a new Hijackthis log, and let me know how your PC is running now.
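As an added example (not a tool from this thread), a small Python triage script that scans a HijackThis log for the entry types the helper had fixed in the fix.reg earlier and in this post (orphaned BHO/toolbar CLSIDs, BHO DLLs living in system32, Winlogon Notify DLLs outside an allowlist, rundll32 Run values, services whose binary is missing) and checks the LSA "Authentication Packages" value. The allowlist and the sample log lines are constructed from the logs posted in this thread.

```python
"""HijackThis log triage: flags the entry types the helper had fixed in this thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Winlogon Notify DLLs belonging to software known to be on this machine (assumed
# allowlist; in the posted log only SUPERAntiSpyware legitimately registers one).
NOTIFY_ALLOWLIST = {"saswinlo.dll"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^"\s,]+\.dll)"?', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section, e.g. "O20"
    reason: str   # why the entry deserves a look
    line: str     # the original log line


def _notify_dll(body: str) -> str:
    """File name at the end of an 'O20 - Winlogon Notify: name - path' entry."""
    tail = body.rsplit(" - ", 1)[-1].strip()
    return tail.split("\\")[-1].replace(" (file missing)", "").lower()


def triage_hjt(log_text: str) -> list[Finding]:
    """Return the log entries that match the patterns fixed in this thread."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, header and footer lines are not entries
        section, body = m.groups()
        low = body.lower()
        if section in ("O2", "O3"):
            if "(file missing)" in low or "(no file)" in low:
                findings.append(Finding(section, "orphaned CLSID: entry left behind, file gone", line))
            elif "\\system32\\" in low:
                # Every legitimate BHO/toolbar in the posted log lives under Program Files.
                findings.append(Finding(section, "BHO/toolbar DLL loading from system32", line))
        elif section == "O20" and "winlogon notify" in low:
            if _notify_dll(body) not in NOTIFY_ALLOWLIST:
                findings.append(Finding(section, "Winlogon Notify DLL not on the allowlist", line))
        elif section == "O23" and "(file missing)" in low:
            findings.append(Finding(section, "service registered for a binary that no longer exists", line))
        elif section == "O4":
            hit = RUNDLL_RE.search(body)
            if hit:
                findings.append(Finding(section, f"Run value loads {hit.group(1)} via rundll32", line))
    return findings


def extra_auth_packages(packages: list[str]) -> list[str]:
    """Entries in LSA 'Authentication Packages' other than msv1_0. Each one is loaded
    into lsass.exe at boot; the fix.reg in this thread resets the value to msv1_0 alone."""
    return [p for p in packages if p.lower() != "msv1_0"]


# Constructed sample: a subset of the lines from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {78E12ECD-BEC5-498C-965C-B81AF3A99C8E} - C:\WINDOWS\system32\jkklj.dll (file missing)
O2 - BHO: {3436ec07-6158-50fa-cdd4-c9d978c6e548} - {845e6c87-9d9c-4ddc-af05-851670ce6343} - C:\WINDOWS\system32\jtbfcdqe.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\ssqolki.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\tysjwfxg.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [0027b6eb] rundll32.exe "C:\WINDOWS\system32\kgbxarpt.dll",b
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqolki - C:\WINDOWS\SYSTEM32\ssqolki.dll
O20 - Winlogon Notify: tysjwfxg - tysjwfxg.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\alllkact.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
    # Value as dumped earlier in the thread: msv1_0 followed by an extra DLL.
    print("extra auth packages:", extra_auth_packages(["msv1_0", r"C:\WINDOWS\system32\jkklj.dll"]))
```

Run against a full log, the script leaves the Adobe, Spybot, Google, SUPERAntiSpyware and Authentium entries alone and reports only the nine entries that the OTMoveIt, fix.reg and HijackThis steps in this thread addressed.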

#13 IcyB (Topic Starter, Members, 30 posts, Local time: 02:30 AM)

Posted 16 December 2007 - 05:54 PM

OTMoveIt.exe Report
C:\WINDOWS\system32\tysjwfxg.dll unregistered successfully.
File move failed. C:\WINDOWS\system32\tysjwfxg.dll scheduled to be moved on reboot.

Created on 12172007_135939

On the second part, I could not find C:\WINDOWS\system32\tysjwfxg.dll while fixing in hijackthis. I'm figuring this may be because of it being removed above?

Avira Antivirus Report


AntiVir PersonalEdition Classic
Report file date: 2007-12-17 14:26

Scanning for 973809 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: ADAM

Version information:
BUILD.DAT : 270 15603 Bytes 2007-09-19 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 2007-08-23 21:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 2007-08-16 20:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 2007-08-14 23:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 2007-08-21 20:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 2007-07-18 22:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 2007-12-14 21:22:14
ANTIVIR2.VDF : 7.0.1.96 2048 Bytes 2007-12-14 21:22:15
ANTIVIR3.VDF : 7.0.1.101 18944 Bytes 2007-12-16 21:22:15
AVEWIN32.DLL : 7.6.0.45 3084800 Bytes 2007-12-17 21:22:16
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2007-02-26 18:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 2007-07-18 15:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 2007-04-16 21:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 2007-08-03 16:46:00
AVREG.DLL : 7.0.1.6 30760 Bytes 2007-07-18 15:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 2007-08-28 20:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 2007-07-18 15:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 2007-03-08 19:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 2007-08-07 20:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 2007-08-21 20:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 2007-07-23 17:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 2007-12-17 14:26

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
Scan process 'VTTimer.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'ALCXMNTR.EXE' - '1' Module(s) have been scanned
Scan process 'hprblog.exe' - '1' Module(s) have been scanned
Scan process 'hpqste08.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'dvpapi.exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'sm56hlpr.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
39 processes with 39 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.
C:\WINDOWS\system32\kgbxarpt.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\kgbxarpt.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
C:\WINDOWS\system32\ssqolki.dll
[DETECTION] Is the Trojan horse TR/Drop.Agent.JC
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\ssqolki.dll
[DETECTION] Is the Trojan horse TR/Drop.Agent.JC

The registry was scanned ( '29' files ).


Starting the file scan:

Begin scan in 'C:\' <PRESARIO>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\GL2FSPQD\hctp[1]
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP146\A0011891.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP146\A0011911.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4796efad.qua'!
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP146\A0011939.exe
[DETECTION] Is the Trojan horse TR/Dldr.Obfuscatd.BF
[INFO] The file was deleted!
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP146\A0011942.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP155\A0015454.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP156\A0015468.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\WINDOWS\system32\jkklj.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\kgbxarpt.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\ssqolki.dll
[DETECTION] Is the Trojan horse TR/Drop.Agent.JC
[WARNING] The file could not be deleted!
C:\_OTMoveIt\MovedFiles\12172007_124805\WINDOWS\mrofinu72.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\_OTMoveIt\MovedFiles\12172007_124805\WINDOWS\system32\bgikhbrj.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\_OTMoveIt\MovedFiles\12172007_124805\WINDOWS\system32\eetbkrnp.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\_OTMoveIt\MovedFiles\12172007_124805\WINDOWS\system32\qweuqdrf.dll
[DETECTION] Is the Trojan horse TR/Vundo.CA
[INFO] The file was deleted!
C:\_OTMoveIt\MovedFiles\12172007_135939\WINDOWS\system32\tysjwfxg.dll
[DETECTION] Is the Trojan horse TR/Vundo.CA
[INFO] The file was deleted!
Begin scan in 'D:\' <PRESARIO_RP>


End of the scan: 2007-12-17 15:16
Used time: 49:50 min

The scan has been done completely.

5134 Scanning directories
384667 Files were scanned
16 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
11 files were deleted
0 files were repaired
1 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
384651 Files not concerned
13748 Archives were scanned
7 Warnings
0 Notes

Yeah, I actually was using the antivirus that came with my internet Cox Suite. Before that I had Norton. My Norton expired, and I removed the program, then activated the dormant Cox Suite. However, the day that I activated Cox Suite I was infected with the virus. I guess it's not very good. I'll stick with Avira for now.

Hijackthis Report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:53, on 2007-12-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\VTTimer.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {78E12ECD-BEC5-498C-965C-B81AF3A99C8E} - C:\WINDOWS\system32\jkklj.dll (file missing)
O2 - BHO: {3436ec07-6158-50fa-cdd4-c9d978c6e548} - {845e6c87-9d9c-4ddc-af05-851670ce6343} - C:\WINDOWS\system32\jtbfcdqe.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\tysjwfxg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\ssqolki.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [0027b6eb] rundll32.exe "C:\WINDOWS\system32\kgbxarpt.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1174616639687
O17 - HKLM\System\CCS\Services\Tcpip\..\{85089B73-3D0E-40CB-8881-9656E20087DC}: NameServer = 68.2.16.30,68.1.208.30
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqolki - C:\WINDOWS\SYSTEM32\ssqolki.dll
O20 - Winlogon Notify: tysjwfxg - tysjwfxg.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7060 bytes

#14 IcyB (Topic Starter, Members, 30 posts, Local time: 02:30 AM)

Posted 16 December 2007 - 06:01 PM

OK, there are still several problems. The Avira AntiVirus continues to detect the following two viruses constantly, at least every two minutes: C:\WINDOWS\system32\jkklj.dll TR/Vundo.Gen and C:\WINDOWS\system32\ssqolki.dll TR/Drop.Agent.JC (these are not copied and pasted, so there may be a typo).

#15 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts, Local time: 08:30 AM)

Posted 16 December 2007 - 06:04 PM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following text inside the quote box below:

Files to delete:
C:\WINDOWS\system32\jtbfcdqe.dll
C:\WINDOWS\system32\ssqolki.dll
C:\WINDOWS\system32\kgbxarpt.dll

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt, into your next reply.



