Browser Been Hijacked


2 replies to this topic

#1 tweetelgar

  • Members
  • 1 posts

Posted 11 May 2008 - 05:51 PM

Hi

Hope you can help. I am having a real job ridding my friend's PC of a lot of viruses which Norton couldn't clear. It was showing Trojan.Vundo and Vundo.B. There was also AntiSpyware Master appearing, and also a setup_sbd_en.exe showing. I have uninstalled Norton and installed NOD32, which got rid of 52 items and cleaned them. However, the IE7 browser still gets hijacked and you also get the porn pop-ups. I have followed your instructions and attach the reports from DSS and Kaspersky. Fingers crossed someone can help.

Deckard's System Scanner v20071014.68
Run by SONJA on 2008-05-11 23:29:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-05-11 22:29:51 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as SONJA.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:38:24, on 11/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\ezNTSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Documents and Settings\SONJA\Application Data\Smilebox\SmileboxTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Common Files\AOL\1171048947\ee\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\SONJA\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SONJA.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\ezShellStart.exe
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {5D9BBA3F-A251-4696-AA60-7BF33D947532} - C:\WINDOWS\system32\ssqRKeCt.dll
O2 - BHO: {80483761-c0d1-b3b8-5024-830d6bcbc636} - {636cbcb6-d038-4205-8b3b-1d0c16738408} - C:\WINDOWS\system32\btbafigr.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows live Messenger] msn.com
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\PrevxCSI.exe" /bootupreg
O4 - HKLM\..\Run: [7091e10c] rundll32.exe "C:\WINDOWS\system32\ydsmrnqn.dll",b
O4 - HKLM\..\Run: [BM73a2d290] Rundll32.exe "C:\WINDOWS\system32\posfcelw.dll",s
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\SONJA\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZKxdm021YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?3e014ee031134892b4105674f46f3b23
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?3e014ee031134892b4105674f46f3b23
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: EasyBits Magic Desktop Services for Windows NT (ezntsvc) - EasyBits Software Corp. - C:\WINDOWS\system32\ezNTSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 12865 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080509-215528-651 O4 - HKLM\..\Run: [BM73a2d290] Rundll32.exe "C:\WINDOWS\system32\tuaixnae.dll",s
backup-20080509-215528-920 O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\MARTIN\Local Settings\Temporary Internet Files\Content.IE5\WU102TXI\setup_sbd_en[1].exe
backup-20080509-215739-483 O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 pxark - c:\windows\system32\drivers\pxark.sys <Not Verified; ; Prevx CSI>

S0 ftsata2 - c:\windows\system32\drivers\ftsata2.sys (file missing)
S1 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)
S3 o1394bul - c:\documents and settings\martin\local settings\temp\o1394bul.sys
S3 PCD5SRVC{8A863ACB-F5F6CC6A-05010003} (PCD5SRVC{8A863ACB-F5F6CC6A-05010003} - PCDR Kernel Mode Service Helper Driver) - c:\program files\pc-doctor 5 for windows\pcd5srvc.pkms <Not Verified; PC-Doctor, Inc.; PC-Doctor for Windows>
S3 w550bus (Sony Ericsson W550 driver (WDM)) - c:\windows\system32\drivers\w550bus.sys (file missing)
S3 w550mdfl (Sony Ericsson W550 USB WMC Modem Filter) - c:\windows\system32\drivers\w550mdfl.sys (file missing)
S3 w550mdm (Sony Ericsson W550 USB WMC Modem Drivers) - c:\windows\system32\drivers\w550mdm.sys (file missing)
S3 w550mgmt (Sony Ericsson W550 USB WMC Device Management Drivers) - c:\windows\system32\drivers\w550mgmt.sys (file missing)
S3 w550obex (Sony Ericsson W550 USB WMC OBEX Interface Drivers) - c:\windows\system32\drivers\w550obex.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CLCapSvc (CyberLink Background Capture Service (CBCS)) - "c:\program files\cyberlink\powercinema\kernel\tv\clcapsvc.exe" <Not Verified; ; CLCapSvc Module>
R2 CLSched (CyberLink Task Scheduler (CTS)) - "c:\program files\cyberlink\powercinema\kernel\tv\clsched.exe" <Not Verified; ; CLSched Module>
R2 CyberLink Media Library Service - "c:\program files\cyberlink\powercinema\kernel\clml_ntservice\clmlserver.exe" <Not Verified; Cyberlink; Cyberlink Media Library Server>
R2 ezntsvc (EasyBits Magic Desktop Services for Windows NT) - c:\windows\system32\ezntsvc.exe <Not Verified; EasyBits Software Corp.; >

S3 YPCService - c:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Wireless LAN PCI 802.11 b/g adapter WN5301A
Device ID: PCI\VEN_168C&DEV_001B&SUBSYS_500111AD&REV_01\4&1C88B56&0&40A4
Manufacturer: Liteon
Name: Wireless LAN PCI 802.11 b/g adapter WN5301A
PNP Device ID: PCI\VEN_168C&DEV_001B&SUBSYS_500111AD&REV_01\4&1C88B56&0&40A4
Service: WN5301


-- Scheduled Tasks -------------------------------------------------------------

2008-05-11 20:29:13 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-04-11 and 2008-05-11 -----------------------------

2008-05-11 20:11:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-11 20:11:47 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-11 20:11:35 0 d-------- C:\WINDOWS\LastGood
2008-05-11 18:33:27 91712 --a------ C:\WINDOWS\system32\ydsmrnqn.dll
2008-05-11 18:26:46 101952 --a------ C:\WINDOWS\system32\btbafigr.dll
2008-05-11 18:26:45 2112 --a------ C:\WINDOWS\system32\ghxqicct.exe
2008-05-11 18:26:38 98368 --a------ C:\WINDOWS\system32\posfcelw.dll
2008-05-11 18:20:22 0 d-------- C:\Documents and Settings\SONJA\.housecall6.6
2008-05-11 18:12:02 0 d-------- C:\Documents and Settings\SONJA\Application Data\HouseCall 6.6
2008-05-09 21:34:56 0 d-------- C:\Program Files\Trend Micro
2008-05-09 20:08:07 0 d-------- C:\HIJACK
2008-05-09 19:50:24 10880 --a------ C:\WINDOWS\system32\drivers\pxark.sys <Not Verified; ; Prevx CSI>
2008-05-09 19:50:16 0 d-------- C:\Program Files\PrevxCSI
2008-05-09 19:50:11 0 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-05-09 19:36:21 0 d-------- C:\Documents and Settings\MARTIN\Application Data\ESET
2008-05-09 19:26:41 0 d-------- C:\b2d4657bee1c099cdf162a
2008-05-09 19:25:03 0 d-------- C:\Program Files\Windows Defender
2008-05-09 17:45:31 0 d-------- C:\Documents and Settings\SONJA\Application Data\ESET
2008-05-09 08:40:59 2112 --a------ C:\WINDOWS\system32\lfrnjrxl.exe
2008-05-09 08:40:57 90176 --a------ C:\WINDOWS\system32\qjjankpk.dll
2008-05-09 08:40:44 101440 --a------ C:\WINDOWS\system32\wpsqsyjo.dll
2008-05-09 08:39:28 99904 --a------ C:\WINDOWS\system32\tuaixnae.dll
2008-05-05 20:37:40 0 d-------- C:\trojanclean
2008-05-05 19:50:49 0 d-------- C:\VundoFix Backups
2008-05-05 19:20:42 0 d-------- C:\Program Files\Enigma Software Group
2008-05-05 19:02:09 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-05-05 19:02:08 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-05-05 19:02:08 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-05 19:02:08 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-05 19:02:08 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-05 19:02:08 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-05-05 19:02:08 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-05 19:02:07 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-05 19:02:06 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-05 19:02:06 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-05 19:02:06 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-05 19:02:06 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-05 19:02:06 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-05-05 19:02:06 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-05 19:02:06 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-05 19:02:06 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-05-05 19:02:03 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-05 18:19:08 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-05 18:09:52 0 d-------- C:\Program Files\SpyZooka
2008-05-05 18:09:22 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-05 17:27:52 0 d-------- C:\Documents and Settings\SONJA\Application Data\SpywareBot
2008-05-05 14:30:56 0 d-------- C:\Program Files\Lavasoft
2008-05-05 14:30:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-05 14:25:22 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-03 12:04:48 103488 --a------ C:\WINDOWS\system32\nwkcjjyi.dll
2008-04-30 17:44:03 104512 --a------ C:\WINDOWS\system32\jtcjyaoq.dll
2008-04-29 20:39:55 0 d-------- C:\WINDOWS\pss
2008-04-27 14:06:09 343264 --ahs---- C:\WINDOWS\system32\tCeKRqss.ini2
2008-04-27 14:06:03 316096 --a------ C:\WINDOWS\system32\ssqRKeCt.dll
2008-04-20 15:19:45 0 d-------- C:\Documents and Settings\MARTIN\Application Data\Sonic
2008-04-18 11:17:40 238713 --ahs---- C:\WINDOWS\system32\Wyccdccf.ini2
2008-04-17 18:53:41 0 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-04-17 18:35:02 201341 --ahs---- C:\WINDOWS\system32\LlUtCMSs.ini2
2008-04-17 18:34:56 315760 --a------ C:\WINDOWS\system32\sSMCtUlL.dll
2008-04-16 17:42:38 6373 --ahs---- C:\WINDOWS\system32\rYISAyxx.ini2
2008-04-16 17:42:31 315712 --a------ C:\WINDOWS\system32\xxyASIYr.dll
2008-04-14 19:08:28 6474 --ahs---- C:\WINDOWS\system32\LVwxayxx.ini2
2008-04-14 19:08:23 315840 --a------ C:\WINDOWS\system32\xxyaxwVL.dll
2008-04-14 17:05:26 6800 --ahs---- C:\WINDOWS\system32\eNpWxGgh.ini2
2008-04-14 17:05:21 315840 --a------ C:\WINDOWS\system32\hgGxWpNe.dll
2008-04-13 16:15:44 6419 --ahs---- C:\WINDOWS\system32\MVEeKRqr.ini2
2008-04-13 16:15:41 315808 --a------ C:\WINDOWS\system32\rqRKeEVM.dll
2008-04-12 17:54:58 320 --ahs---- C:\WINDOWS\system32\hPAbdfii.ini2
2008-04-12 17:54:50 315744 --a------ C:\WINDOWS\system32\iifdbAPh.dll
2008-04-12 09:48:24 320 --ahs---- C:\WINDOWS\system32\hOpqqtwa.ini2
2008-04-12 09:48:14 315744 --a------ C:\WINDOWS\system32\awtqqpOh.dll


-- Find3M Report ---------------------------------------------------------------

2008-05-09 18:34:51 0 d-------- C:\Program Files\MSN Messenger
2008-05-09 17:34:16 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-09 17:31:09 0 d-------- C:\Program Files\Norton Security Scan
2008-05-09 17:30:01 0 d-------- C:\Program Files\Common Files
2008-04-29 17:36:17 0 d-------- C:\Documents and Settings\SONJA\Application Data\WeatherBug
2008-04-11 21:28:04 7154 --ahs---- C:\WINDOWS\system32\Nppqttwa.ini2
2008-04-05 09:14:12 0 d-------- C:\Program Files\Windows Live
2008-04-05 09:12:57 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-03 19:18:41 0 d-------- C:\Documents and Settings\SONJA\Application Data\Yahoo!
2008-04-03 09:52:27 96577 --a------ C:\WINDOWS\hpqins16.dat
2008-04-03 09:51:38 0 d-------- C:\Program Files\HP
2008-03-25 10:19:19 315552 --a------ C:\WINDOWS\system32\awttqppN.dll
2008-03-16 09:44:20 0 d-------- C:\Program Files\Java
2008-03-15 11:20:53 0 d-------- C:\Program Files\iStar
2008-03-14 23:06:03 26 --a------ C:\WINDOWS\winstart.bat
2008-03-14 23:06:03 122 --a------ C:\WINDOWS\tmpdelis.bat
2008-03-14 23:06:03 124 --a------ C:\WINDOWS\tmpcpyis.bat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D9BBA3F-A251-4696-AA60-7BF33D947532}]
27/04/2008 14:06 316096 --a------ C:\WINDOWS\system32\ssqRKeCt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{636cbcb6-d038-4205-8b3b-1d0c16738408}]
11/05/2008 18:26 101952 --a------ C:\WINDOWS\system32\btbafigr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [07/06/2004 15:05 C:\WINDOWS\system32\ftutil2.dll]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [02/06/2005 00:35]
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [24/02/2006 19:46]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [22/07/2005 15:14]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [15/02/2006 15:34]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [10/12/2006 21:52]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/06/2006 05:35]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [10/01/2007 12:06]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [21/07/2006 17:19]
"KBD"="C:\HP\KBD\KBD.EXE" [02/02/2005 17:44]
"SNPSTD2"="C:\WINDOWS\vsnpstd2.exe" [05/01/2004 19:34]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 05:25]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [27/04/2007 09:41]
"MyWebSearch Email Plugin"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe" [12/01/2008 19:24]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"Windows live Messenger"="msn.com" []
"braviax"="C:\WINDOWS\system32\braviax.exe" []
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [13/03/2008 16:48]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 19:20]
"PrevxCSI"="C:\Program Files\PrevxCSI\PrevxCSI.exe" [09/05/2008 19:50]
"7091e10c"="C:\WINDOWS\system32\ydsmrnqn.dll" [11/05/2008 18:33]
"BM73a2d290"="C:\WINDOWS\system32\posfcelw.dll" [11/05/2008 18:26]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [31/08/2005 18:11]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [18/05/2007 17:38]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34]
"SmileboxTray"="C:\Documents and Settings\SONJA\Application Data\Smilebox\SmileboxTray.exe" [17/10/2007 11:32]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 05:00]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [07/04/2006 16:02]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [02/01/2007 21:40:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"DisableChangePassword"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"=0 (0x0)
"NoClose"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E54729E8-BB3D-4270-9D49-7389EA579090}"= C:\WINDOWS\system32\EZUPBH~1.DLL [01/10/2006 16:22 49152]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqRKeCt.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\7091e10c]
rundll32.exe "C:\WINDOWS\system32\qjjankpk.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM73a2d290]
Rundll32.exe "C:\WINDOWS\system32\tuaixnae.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1171048947\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SAVScan"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt hpqcxs08 hpqddsvc




-- End of Deckard's System Scanner: finished at 2008-05-11 23:39:52 ------------
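The log above carries three patterns a helper reads off by eye: Run values named with a hex token that start rundll32 on a system32 DLL with a one-letter export (ydsmrnqn.dll,b and posfcelw.dll,s), DLLs that have a hidden .ini2 companion whose name is the DLL name spelled backwards (ssqRKeCt.dll next to tCeKRqss.ini2), and an extra entry in LSA "Authentication Packages" beside msv1_0, which lsass.exe loads at every boot so the DLL survives removal of the Run keys. The Python script below is an added example, not part of the original post and not code from HijackThis, DSS or ComboFix; it applies those three checks to a subset of lines copied from the log (the SAMPLE_LOG text), and the check names, regexes and the "one-letter export" and "hex token" thresholds are this example's own assumptions, chosen to match what this log shows.

```python
import os
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (check name, detail)

# Lines copied from the DSS / HijackThis log posted above. This is a constructed
# subset so the example runs offline; the line layout is DSS's own.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [7091e10c] rundll32.exe "C:\WINDOWS\system32\ydsmrnqn.dll",b
O4 - HKLM\..\Run: [BM73a2d290] Rundll32.exe "C:\WINDOWS\system32\posfcelw.dll",s
2008-05-11 18:33:27 91712 --a------ C:\WINDOWS\system32\ydsmrnqn.dll
2008-04-27 14:06:09 343264 --ahs---- C:\WINDOWS\system32\tCeKRqss.ini2
2008-04-27 14:06:03 316096 --a------ C:\WINDOWS\system32\ssqRKeCt.dll
2008-04-12 17:54:58 320 --ahs---- C:\WINDOWS\system32\hPAbdfii.ini2
2008-04-12 17:54:50 315744 --a------ C:\WINDOWS\system32\iifdbAPh.dll
2008-03-14 23:06:03 26 --a------ C:\WINDOWS\winstart.bat
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqRKeCt.dll
"""

# Regexes are assumptions of this example, written against the line shapes above.
RUN_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+\.dll)"?,(?P<entry>\S+)', re.IGNORECASE)
HEX_NAME_RE = re.compile(r'^(BM)?[0-9a-f]{8}$')          # 7091e10c, BM73a2d290
FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>[A-Za-z]:\\.+)$')
LSA_RE = re.compile(r'^"Authentication Packages"=\s*(?P<pkgs>.+)$')


def stem(path: str) -> str:
    """File name without directory or extension; DSS/HJT paths are Windows-style."""
    return os.path.splitext(path.replace('\\', '/').rsplit('/', 1)[-1])[0]


def check_run_entry(name: str, cmd: str) -> List[Finding]:
    """Flag Run values shaped like the hijack entries in the log: a hex-token value
    name, and rundll32 started on a DLL with a one-letter export name."""
    findings: List[Finding] = []
    if HEX_NAME_RE.match(name):
        findings.append(('hex-token run name', f'[{name}] {cmd}'))
    m = RUNDLL_RE.search(cmd)
    if m and len(m.group('entry')) == 1:
        findings.append(('rundll32 one-letter export', f'[{name}] {m.group("dll")},{m.group("entry")}'))
    return findings


def check_reversed_pairs(paths: List[str]) -> List[Finding]:
    """A .dll whose name, reversed, also exists as a hidden .ini2 file
    (ssqRKeCt.dll <-> tCeKRqss.ini2 in the log above)."""
    ini2_stems = {stem(p) for p in paths if p.lower().endswith('.ini2')}
    out: List[Finding] = []
    for p in paths:
        if p.lower().endswith('.dll') and stem(p)[::-1] in ini2_stems:
            out.append(('reversed-name dll/ini2 pair', f'{stem(p)}.dll <-> {stem(p)[::-1]}.ini2'))
    return out


def check_lsa_packages(pkgs: str) -> List[Finding]:
    """Windows XP ships with msv1_0 alone here; anything else is a DLL that lsass.exe
    loads at every boot, independent of the Run keys."""
    return [('extra LSA authentication package', p) for p in pkgs.split() if p.lower() != 'msv1_0']


def triage(log_text: str) -> List[Finding]:
    """Run all three checks over a DSS/HijackThis-style log and return the findings."""
    findings: List[Finding] = []
    paths: List[str] = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := RUN_RE.match(line)):
            findings += check_run_entry(m.group('name'), m.group('cmd'))
        elif (m := FILE_RE.match(line)):
            paths.append(m.group('path'))
        elif (m := LSA_RE.match(line)):
            findings += check_lsa_packages(m.group('pkgs'))
    findings += check_reversed_pairs(paths)
    return findings


if __name__ == '__main__':
    for check, detail in triage(SAMPLE_LOG):
        print(f'{check:34} {detail}')
```

Running it on the sample prints seven findings: the two hex-named Run values, the two rundll32 one-letter exports they start, the two reversed-name DLL/.ini2 pairs, and the ssqRKeCt.dll authentication package. The legitimate ftutil2 entry (a named export, SetWriteCacheMode) and the egui entry produce nothing, which is the point of keying on the export name rather than on rundll32 itself. The reversed-name check needs the DSS file listing, so a bare HijackThis log gives only the first and third checks.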


#2 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • Location: Wills Point, Texas

Posted 12 May 2008 - 01:03 PM

Hello tweetelgar,

Welcome to Bleeping Computer :thumbsup:

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • Location: Wills Point, Texas

Posted 23 May 2008 - 07:54 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic