
spyware infested Dell4300s Win XP SP2



#1 TechPerson


Posted 08 February 2009 - 12:14 AM

I have run a Kaspersky removal tool (of Dec 2008 - it was the newest I had at the time); it found about 15 items to remove. Then I installed AVG Free 8, which has found additional items, and also installed and ran Windows Defender (though initially it refused to update itself, so I updated manually with the mpas.exe direct from MS Malware). It too found some items.

Defender scan logs seem to have been deleted by the latest Defender update.
AVG Shield items found: Trojan horse Generic11.ZUE, Generic11.AYCF, Generic.VEY, Vundo.ER, Small.AQN and Downloader.QX.

Yet even after all this, still popup windows happen.

Also, each restart presents two alleged alerts:
missing windows\system32\rlbaeoqs.dll (which file does NOT exist on the computer)
missing windows\system32\byicpxym.dll (which file does NOT exist on the computer)

I am trying to get the computer fixed and updated to SP3, but am now debating whether it is better to try to fix it, or bite the bullet and do a wipe and reinstall of Windows....

Here is the DDS Hijack log. Thank you in advance.
(I don't know if you want the HijackThis 2.0.2 log text, which seems a bit different than DDS.txt. I will just paste it at the bottom below DDS. Thx.)

- TechHarmony. ;)

----------------------------------------------------------

DDS (Ver_09-02-01.01) - NTFSx86
Run by JClerk at 20:56:08.98 on Sat 02/07/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.387 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Search Everything\Everything.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\JClerk\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Research: {037c7b8a-151a-49e6-baed-cc05fcb50328} - c:\windows\system32\winsrc.dll
BHO: {d78c74bb-a26a-51ab-8314-b57e5aad5fd1}: {1df5daa5-e75b-4138-ba15-a62abb47c87d} - c:\windows\system32\kpgtbl.dll
BHO: {235b90d6-cb93-40a6-8f1a-af422ada9637} - c:\windows\system32\ddcCUopQ.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {61aed1ac-d84d-4c09-8583-9405341551a3} - c:\windows\system32\pmnmkhFw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [b8a08acc] rundll32.exe "c:\windows\system32\rlbaeoqs.dll",b
mRun: [BMbb93b950] Rundll32.exe "c:\windows\system32\byicpxym.dll",s
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Everything] "c:\program files\search everything\Everything.exe" -startup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234061003125
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
TCP: {1BDA4254-388D-4EEE-9C0A-5CC47C2EDF5A} = 208.67.222.222,208.67.220.222
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: ddcCUopQ - ddcCUopQ.dll
AppInit_DLLs: kpgtbl.dll,avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {235b90d6-cb93-40a6-8f1a-af422ada9637} - c:\windows\system32\ddcCUopQ.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnmkhFw

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jclerk\applic~1\mozilla\firefox\profiles\5gpm2ko3.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-7 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-7 26824]
R1 is-43BOMdrv;is-43BOMdrv;c:\windows\system32\drivers\34567013.sys [2009-2-7 148496]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-2-7 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-7 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-7 76040]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\drivers\ati2mpaa.sys [2005-2-27 281856]

=============== Created Last 30 ================

2009-02-07 20:28 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-02-07 20:28 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-02-07 20:27 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-02-07 20:27 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-02-07 20:27 6,066,176 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-02-07 20:27 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-02-07 20:27 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-02-07 20:27 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-02-07 20:27 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-02-07 20:15 <DIR> --d----- c:\windows\network diagnostic
2009-02-07 19:55 1,355 a------- c:\windows\imsins.BAK
2009-02-07 19:26 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-02-07 19:01 <DIR> --d----- c:\program files\PrintKey2000
2009-02-07 18:36 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-07 18:23 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-07 18:23 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-07 18:23 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-07 18:23 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-02-07 18:22 <DIR> --d----- c:\program files\AVG
2009-02-07 18:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-07 18:07 <DIR> --d----- c:\program files\Search Everything
2009-02-07 17:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-02-07 17:35 <DIR> --d----- c:\program files\Tools
2009-02-07 17:32 <DIR> --d----- c:\program files\CCleaner
2009-02-07 15:24 <DIR> --d----- c:\program files\Eraser
2009-02-07 15:07 148,496 a------- c:\windows\system32\drivers\34567013.sys
2009-02-07 14:42 8,925,216 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-02-07 14:42 101,156 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-02-07 14:36 <DIR> --d----- c:\program files\Trend Micro
2009-02-07 14:27 <DIR> --d----- C:\Bruce Young Tools Folder
2009-02-07 14:04 3,840 a------- c:\windows\system32\drivers\BANTExt.sys
2009-02-07 14:04 <DIR> --d----- c:\program files\Belarc
2009-02-07 13:26 1,573,191 a--sh--- c:\windows\system32\sqoeablr.ini
2009-02-07 13:24 102,912 a------- c:\windows\system32\kpgtbl.dll
2009-02-07 13:24 102,912 a------- c:\windows\system32\xeubvnro.dll
2009-02-03 21:22 1,573,182 a--sh--- c:\windows\system32\oiyxvycu.ini

==================== Find3M ====================

2009-02-07 18:25 1,530 a--sh--- c:\windows\system32\wFhkmnmp.ini2
2008-12-11 03:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2001-07-26 16:58 47 a------- c:\program files\ACMonitor_X73.ini
2001-07-05 12:46 8,116 a------- c:\program files\OSLO3071b2.USB
2001-05-11 11:39 53,248 a------- c:\program files\ACMonitor_X73.exe
2001-05-08 16:36 114,688 a------- c:\program files\lxarscan.dll
2001-04-23 14:22 1,437 a------- c:\program files\gtx73.ini
2001-02-22 09:54 768 a------- c:\program files\x73_lut.dat

============= FINISH: 20:57:40.42 ===============

-------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:45 PM, on 2/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Search Everything\Everything.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll
O2 - BHO: {d78c74bb-a26a-51ab-8314-b57e5aad5fd1} - {1df5daa5-e75b-4138-ba15-a62abb47c87d} - C:\WINDOWS\system32\kpgtbl.dll
O2 - BHO: (no name) - {235B90D6-CB93-40A6-8F1A-AF422ADA9637} - C:\WINDOWS\system32\ddcCUopQ.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {61AED1AC-D84D-4C09-8583-9405341551A3} - C:\WINDOWS\system32\pmnmkhFw.dll (file missing)
O4 - HKLM\..\Run: [b8a08acc] rundll32.exe "C:\WINDOWS\system32\rlbaeoqs.dll",b
O4 - HKLM\..\Run: [BMbb93b950] Rundll32.exe "C:\WINDOWS\system32\byicpxym.dll",s
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Everything] "C:\Program Files\Search Everything\Everything.exe" -startup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1234061003125
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BDA4254-388D-4EEE-9C0A-5CC47C2EDF5A}: NameServer = 208.67.222.222,208.67.220.222
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: kpgtbl.dll,avgrsstx.dll
O20 - Winlogon Notify: ddcCUopQ - ddcCUopQ.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JClerk/LOCALS~1/Temp/msohtml1/01/clip_image002.gif

--
End of file - 4884 bytes
-----------------------------------------------------------------------------------------------------------

Edited by TechPerson, 08 February 2009 - 12:18 AM.
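The two alerts at every restart match the `O4 - HKLM\..\Run` entries in the log that still name `rlbaeoqs.dll` and `byicpxym.dll`: the registry values survived while the DLLs they load were removed. As an added example, not code from this thread or from HijackThis/DDS, the script below reads HijackThis-style lines and lists autostart entries whose target module is gone; the log excerpt is copied from the post above, and `PRESENT_FILES` is a constructed stand-in for a real on-disk check.

```python
"""Flag HijackThis-style autostart entries whose target module is gone.

Added example, not code from the thread or from HijackThis/DDS. The log
lines are copied from the post above; PRESENT_FILES is a constructed
stand-in for a real directory check (os.path.exists on the live box)."""
import re
from typing import List, Set, Tuple

# Excerpt copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {235B90D6-CB93-40A6-8F1A-AF422ADA9637} - C:\WINDOWS\system32\ddcCUopQ.dll (file missing)
O4 - HKLM\..\Run: [b8a08acc] rundll32.exe "C:\WINDOWS\system32\rlbaeoqs.dll",b
O4 - HKLM\..\Run: [BMbb93b950] Rundll32.exe "C:\WINDOWS\system32\byicpxym.dll",s
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: kpgtbl.dll,avgrsstx.dll
O20 - Winlogon Notify: ddcCUopQ - ddcCUopQ.dll (file missing)
"""

# Constructed stand-in for the files actually on disk (lower-cased basenames).
PRESENT_FILES: Set[str] = {"avgtray.exe", "kpgtbl.dll", "avgrsstx.dll"}

# Sections that load a module at logon: BHOs, Run values, AppInit/Winlogon hooks.
AUTOSTART_PREFIXES = ("O2 ", "O4 ", "O20 ")
# Host processes that only load the real target named in their arguments.
HOST_PROCESSES = {"rundll32.exe"}
MODULE_REF = re.compile(r"([\w~\-.]+\.(?:dll|exe|sys))\b", re.IGNORECASE)


def orphaned_autoruns(log_text: str, present: Set[str]) -> List[Tuple[str, str]]:
    """Return (log line, missing module) pairs for autostart entries whose
    target is absent: HijackThis already marked it '(file missing)', or the
    basename is not among the files present on disk."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith(AUTOSTART_PREFIXES):
            continue
        for module in MODULE_REF.findall(line):
            name = module.lower()
            if name in HOST_PROCESSES:
                continue  # rundll32 exists; what matters is the DLL it was told to load
            if "(file missing)" in line or name not in present:
                findings.append((line, name))
    return findings


if __name__ == "__main__":
    for entry, module in orphaned_autoruns(SAMPLE_LOG, PRESENT_FILES):
        print(f"orphaned: {module:<14} <- {entry}")
```

An orphaned entry is why the "missing DLL" message appears at each logon: the registry value persists while the file it names does not, so the remedy is removing the stale value rather than restoring the file.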


#2 SpotCheckBilly


Posted 19 February 2009 - 06:20 PM

Hi TechPerson,

Welcome back to the BleepingComputer forums.

We apologize for the delay in responding to your request for assistance. Every one of our team members is a volunteer and unfortunately, there are often just not enough to keep up with demand. Thank you so much for your patience.

If your issue has been resolved or you have received help elsewhere, please post a reply here and let us know so that we can close this thread.

If you still need assistance, my name is SpotCheckBilly (SCB for short) and I will be happy to help you.

===Very Important===

The instructions in this thread have been specifically designed for THIS USER'S MACHINE ONLY. You should not use these instructions to clean your machine. Doing so could cause irreparable damage to your machine. If you need assistance, please start your own thread.

=================


A few things which will make our fix go more smoothly.
  • Please >> DO NOT << run any scans/tools or other fixes unless I ask you to.
  • Please DO NOT install any software while we are working.
  • Please do not skip any steps. With some infections, skipping a step can be disastrous.
  • If there is something you don't understand or are unsure of -- please stop and take a moment to ask about it.
  • If you are running P2P filesharing program(s), my recommendation is you uninstall it/them.
  • Remove any cracked/pirated software. I will immediately stop helping you if I discover any.
The most important thing to remember is to be patient. Very seldom can we remove the entire infection in one go. Many of today's infections install other infections and for the most part they do not like to go quietly.

I look forward to your reply. -- SCB
ChrisRLG's Computer Safety Online

"I was worried 'bout rich and skinny,
'til I wound up poor and fat"
- Delbert McClinton



