
Started with Viruses & Trojan Dwnldrs 2 numerous 2 list



#1 The AXEMan


Posted 11 January 2009 - 12:11 PM

I hobby with PCs. Sorta do what you guys do nationally but locally only. I do free hardware & software repair/support for those who need it. I also use donated/trashed stuff to build and give away desktops. Poor kids and seniors are my usuals although I do free stuff for others as well. Here's my current project: Laptop from secretary where I work. Not booting upon receipt. Worked through it until after removal of tons of viruses and trojan dwnldrs am left with following; (1) Spybot can not remove Wildtangent (3) entries PUPS (2) IE 7 works but something hijacks and opens (1) or (2) pages sometimes indiscriminately and always after initiating a search of any kind. One looks to be an "empty" browser page/window (note: not in a tab but a separate window)
with no menu, address bar or anything else. It's just an empty "shell" with Windows Internet explorer in the Header and nothing else. The second varies but is most often looking for <hxxp://url.adtrgt.com>. It should be noted adaware and avg find nothing. Firewall and auto Updates have all been fixed. Also this started because McAfee was not renewed and not replaced either. Further it (the subsequent infection) apparently was allowed to fester until it actually totally killed the unit, blocking initial attempts to boot even into safe mode. Works now with only the aforementioned problems remaining. I might note here that I have never, until the last year (2008), seen infections as complex or as difficult to remove before. What a wonderful place the Internet was before they made it "Pretty" and then "Commercialized" it. PARADISE LOST! Again! Thanks for your help! Here's the log you requested and please find attached the other file in zipped format also as requested.


DDS (Ver_09-01-07.01) - NTFSx86
Run by J.Hymel at 9:22:30.73 on Sun 01/11/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.503 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\J.Hymel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar =
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3061120
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {128f2d9f-d99f-464c-b31b-5fc9ec72d80b} - c:\windows\system32\awvtq.dll
BHO: {382f70fd-ea02-0948-2a84-b64c95cab0e3}: {3e0bac59-c46b-48a2-8490-20aedf07f283} - c:\windows\system32\itiebh.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6d531fcc-f7d3-498f-8bcc-9a92bbcf1e2f} - c:\windows\system32\jdcxrrwj.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {8e7c52e7-504e-4eb8-a0da-7ede7b499028} - c:\windows\system32\jdcxrrwj.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: {cb6c951f-cfbb-49ef-bc65-5e9278942414} - c:\windows\system32\qoMccbax.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Filter: text/html - {e8ed0183-f37f-4bc9-9cdb-80f347afb406} -
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: awvtq - c:\windows\system32\awvtq.dll
Notify: gebbbcb - gebbbcb.dll
Notify: igfxcui - igfxdev.dll
Notify: ljjkijk - ljjkijk.dll
Notify: yayywwu - yayywwu.dll
AppInit_DLLs: ,avgrsstx.dll itiebh.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMccbax

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-7 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-7 26824]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-7 231704]
S3 DCamUSBSTK016;STK016 Camera;c:\windows\system32\drivers\STK016W2.sys [2003-10-4 99476]
S3 spotJ;Spot Software GPS USB Driver;c:\windows\system32\drivers\spotJ.sys [2006-12-25 34304]
S4 Service_v1;Service Configurator;"c:\windows\config\service.exe" --> c:\windows\config\service.exe [?]

=============== Created Last 30 ================


==================== Find3M ====================

2009-01-10 09:21 85,984 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-01-10 07:29 77,859 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-07 13:02 23,444 a------- c:\windows\system32\emptyregdb.dat
2008-11-05 07:52 170 a------- c:\docume~1\j61e3~1.hym\applic~1\wklnhst.dat
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:38 826,368 a------- c:\windows\system32\wininet.dll
2006-12-30 23:54 88 a--shr-- c:\windows\system32\4F4B5E943A.sys
2007-06-26 20:34 2,056,726 a--sh--- c:\windows\system32\jjkkj.bak1
2007-06-27 20:35 1,869,433 a--sh--- c:\windows\system32\jjkkj.bak2
2006-12-30 23:54 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-05-01 16:30 1,375,228 a--sh--- c:\windows\system32\qtvwa.bak1
2007-05-08 05:17 1,502,454 a--sh--- c:\windows\system32\qtvwa.bak2

============= FINISH: 9:23:40.87 ===============

PS: I have downloaded and studied HijackThis and have obtained a log file but have not posted it here nor used it to make any changes as this was not requested in the pre-instructions for the site. It (the log) is available upon request. Thanks again for your time and concern in providing this assistance. YOU ARE APPRECIATED!

Edited by Orange Blossom, 11 February 2013 - 03:45 AM.
Deactivate link. ~ OB


#2 The AXEMan


Posted 13 January 2009 - 11:33 PM

Moderator, please close this thread. I have completely resolved the remaining problems and have since returned the laptop to the secretary who by now has delighted her daughter with her repaired/disinfected unit. Further assistance will not be necessary. Thank your team for being there as an option. Sometimes knowing you have a fail-safe is enough to free your mind up to solve a problem. I really admire what you guys do especially when I consider the scale you do it on. Sooooooooooooo thanks again.
The AXEMan!

#3 KoanYorel


Posted 19 January 2009 - 08:31 AM

Thank you for informing us and for the kind words too.

Good luck.

This thread is closed.