Okay, I've been through a lot to get this stupid virus off my computer. Unfortunately nothing that I've tried has worked.
I have tried the tool from Symantec - doesn't find it.
I have tried the regular Norton AV scan - finds it but does not remove it.
I have tried Ad-Aware, VundoFix, Spy Sweeper... I tried going to the command prompt and renaming/deleting the file (as was suggested by a post back in 2005) but I could not do anything to the file as it was 'in use'.
I am willing to try anything here. I am not experienced with this sort of thing, so if you would suggest doing any of the above again with your guidance, I would be happy to.
Please advise me!
Thanks!

Please download and install the latest version of HijackThis v2.0.2:
Download the HijackThis Installer from this link: HijackThis
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.

Hey there.
First off - remove Norton. It's simply unreliable and it just consumes your resources. What you gotta do is this.
http://www.2-viruses.com/remove-tro...
Follow the instructions and remove all the related processes and registry entries MANUALLY.
Then get AVG here
http://free.grisoft.com/doc/downloa...
and check how you're doing. It all should be ok. Good luck.

Thank you for your quick responses. Here is my HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:33, on 2007-11-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\yrjqtxgf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\nircmd.cfexe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srch...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://htepo.com/cehpmoin/?cmp=hmr&...
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\xvbyluby.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\tsitra77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [b867f734] rundll32.exe "C:\WINDOWS\system32\puwvkhnk.dll",b
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\yrjqtxgf.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - S-1-5-18 Startup: Registration Heroes of Might & Magic 5.LNK = C:\Program Files\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Registration Heroes of Might & Magic 5.LNK = C:\Program Files\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/open... (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishAct...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.c...
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\yrjqtxgf.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 7421 bytes
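A triage pass over a HijackThis log like the one posted above, as an added example that is not part of the original thread: it correlates Run values (O4), services (O23) and the running-process list to show which images deserve a closer look first. The three heuristics and all function names are assumptions chosen for illustration, and the sample lines are a constructed subset of that log.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\yrjqtxgf.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [b867f734] rundll32.exe "C:\WINDOWS\system32\puwvkhnk.dll",b
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\yrjqtxgf.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\yrjqtxgf.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

ENTRY_RE = re.compile(r'^[A-Z]\d+ - ')  # "R1 - ", "O4 - ", "O23 - " ...
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)\b', re.IGNORECASE)
RUN_RE = re.compile(r'^O4 - \S+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
SVC_RE = re.compile(
    r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?)\s*- (?P<image>[A-Za-z]:\\.+)$')
RUNDLL_RE = re.compile(r'"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?\b', re.IGNORECASE)


def parse_autostarts(log):
    """Return (running image paths, autostart entries) from a HijackThis log."""
    running, entries, in_procs = set(), [], False
    for line in (raw.strip() for raw in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
            continue
        if ENTRY_RE.match(line):
            in_procs = False  # the first "R0 - ..." / "O4 - ..." line ends the process list
        if in_procs:
            if line:
                running.add(line.lower())
            continue
        run, svc = RUN_RE.match(line), SVC_RE.match(line)
        if run:
            paths = PATH_RE.findall(run["cmd"])
            via_rundll32 = bool(RUNDLL_RE.match(run["cmd"]))
            if paths:
                # With rundll32 the payload is the DLL argument, not rundll32 itself.
                image = paths[-1] if via_rundll32 else paths[0]
                entries.append({"kind": "run", "image": image.lower(),
                                "rundll32": via_rundll32})
        elif svc:
            path = PATH_RE.search(svc["image"])
            if path:
                entries.append({"kind": "service", "image": path.group(0).lower(),
                                "vendor": svc["vendor"].strip(),
                                "missing": svc["image"].endswith("(file missing)")})
    return running, entries


def triage(log):
    """Map image path -> sorted reasons to review it (heuristics, not verdicts)."""
    running, entries = parse_autostarts(log)
    kinds, findings = defaultdict(set), defaultdict(set)
    for e in entries:
        kinds[e["image"]].add(e["kind"])
        if e["kind"] == "service":
            # Assumed heuristic 1: a service whose publisher field is empty or unknown.
            if e["vendor"].lower() in ("", "unknown owner"):
                findings[e["image"]].add("service without a publisher")
            if e["missing"]:
                findings[e["image"]].add("image file missing")
        elif e["rundll32"]:
            # Assumed heuristic 2: a Run value that loads a DLL through rundll32.
            findings[e["image"]].add("Run value loads a DLL through rundll32")
    # Assumed heuristic 3: the same image registered as both a Run value and a service.
    for image, seen in kinds.items():
        if len(seen) > 1:
            findings[image].add("registered in several autostart kinds")
    for image in findings:
        if image in running:
            findings[image].add("currently running")
    return {image: sorted(reasons) for image, reasons in findings.items()}


if __name__ == "__main__":
    for image, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(image)
        for reason in reasons:
            print("   -", reason)
```

A flagged image is a candidate for review, not a confirmed infection; entries that appear in only one place, such as a lone toolbar DLL, pass these three checks and still need a manual look.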

Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.

I'm sorry,
I downloaded, installed and ran ComboFix, but when it's finished, the computer reboots and there is no log file to be found. The only text document in the whole ComboFix folder contains this:
ComboFix 07-11-07.c - administrator 2007-11-06 20:08:38.2 ntfsx86 NETWORK Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.1.8.357 [GMT -10:00] Running from: c:\documents and settings\administrator\desktop\combofix.exe.
I apologize for my computer ignorance, but maybe I messed up - I ran ComboFix and HijackThis in safe mode and logged in as administrator. But when ComboFix reboots it does so in regular mode, not as administrator.
Could this be the problem? Please help me out, this is supremely frustrating.
Much appreciation!
Marc

Also, I don't know why this is showing my email as marc vasquez 1991, but that is not at all even close to my name or email...

Ad-Watch in Ad-Aware 2007 may be causing the problem.
Temporarily disable any of the following anti-spyware realtime protection programs that you may have Disable Realtime Protection or the fixes will not work. Be sure to turn your anti-spyware programs back on once the computer is clean.
Run ComboFix again. It usually takes 5 to 10 minutes to finish, then the log is posted.

okay here we go!
ComboFix 07-11-07.3 - Marc 2007-11-07 16:58:00.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190 [GMT -10:00]
.
/wow section not completed
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Marc\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Marc\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Marc\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\xvbyluby.dllbox
.
---- Previous Run -------
.
C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Marc\Application Data\TSKS~1
C:\Documents and Settings\Marc\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Marc\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Marc\Favorites\Online Security Guide.lnk
C:\Program Files\inetget2
C:\Program Files\Temporary
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b143.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\enpfjrpn.dll
C:\WINDOWS\system32\gniqleby.dll
C:\WINDOWS\system32\jleoqjoi.dll
C:\WINDOWS\system32\kbhcovhj.dll
C:\WINDOWS\system32\kgqeeojp.dll
C:\WINDOWS\system32\knhkvwup.ini
C:\WINDOWS\system32\krsiekfv.dll
C:\WINDOWS\system32\mbols~1
C:\WINDOWS\system32\ousqtkta.dllbox
C:\WINDOWS\system32\puwvkhnk.dll
C:\WINDOWS\system32\qqstv.bak1
C:\WINDOWS\system32\qqstv.bak2
C:\WINDOWS\system32\qqstv.ini
C:\WINDOWS\system32\qqstv.tmp
C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\xvbyluby.dllbox
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\winshow.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\DomainService
-------\Network Monitor
((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.
2007-11-07 08:09 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-11-06 18:37 81,472 --a------ C:\WINDOWS\system32\goqxnnhy.dll
2007-11-06 18:34 87,104 --a------ C:\WINDOWS\system32\cbaqgaxs.dll
2007-11-06 18:32 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 18:25 71,232 --a------ C:\WINDOWS\system32\yrjqtxgf.exe
2007-11-06 18:23 145,984 --a------ C:\WINDOWS\system32\xvbyluby.dll
2007-11-06 18:22 145,984 --a------ C:\WINDOWS\system32\odafhekw.dll
2007-10-29 17:38 589 --a------ C:\WINDOWS\system32\klqwvefn.dll
2007-10-28 09:25 589 --a------ C:\WINDOWS\system32\vpcmlocw.dll
2007-10-27 13:30 <DIR> d-------- C:\Documents and Settings\Marc\Application Data\Kerio
2007-10-24 22:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-10-24 22:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-10-24 22:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-10-24 22:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2007-10-24 21:21 <DIR> d-------- C:\VundoFix Backups
2007-10-23 18:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-23 18:17 <DIR> d--hs---- C:\WINDOWS\TWFyYw
2007-10-23 17:49 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-23 17:48 <DIR> d-------- C:\Program Files\Your Company Name
2007-10-23 17:48 <DIR> d-------- C:\Program Files\XoftSpySE
2007-10-23 17:48 <DIR> d-------- C:\Program Files\Java
2007-10-23 17:47 <DIR> d-------- C:\Team17
2007-10-23 17:47 <DIR> d-------- C:\Program Files\Firefly Studios
2007-10-23 17:47 <DIR> d-------- C:\Program Files\Bots
2007-10-23 17:47 <DIR> d-------- C:\HULK
2007-10-23 17:47 <DIR> d-------- C:\games
2007-10-23 17:43 <DIR> d-------- C:\WINDOWS\LastGood(2)
2007-10-22 15:52 <DIR> d-------- C:\Documents and Settings\Marc\Application Data\Netscape
2007-10-22 15:51 <DIR> d-------- C:\Program Files\Netscape
2007-10-22 10:47 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-22 10:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-22 10:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-10 06:45 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-28 00:06 10,497 ----a-w C:\WINDOWS\system32\drivers\kwflower.log
2007-10-28 00:05 2,965 ----a-w C:\WINDOWS\system32\drivers\kwfupper.log
2007-10-04 03:01 --------- d-----w C:\Program Files\Picasa2
2007-08-22 12:55 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 12:55 665,600 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 12:55 617,984 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 12:55 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 12:55 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 12:55 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 12:55 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 12:55 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 12:55 3,064,832 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 12:55 251,904 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 12:55 205,824 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 12:55 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:19 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2005-07-30 02:24:26 472 --sha-r C:\WINDOWS\TWFyYw\nqIVsT.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{264CF0A6-205F-9792-7707-4A66A092B2CD}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{566D5654-F286-AF49-F666-5B4CAB763C2D}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69A95735-B4D5-D1A2-41A1-FCC2CAC8DC7E}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A8FA81A-5DB1-391E-A47A-E2064E5B330E}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-06 18:23 145984 --a------ C:\WINDOWS\system32\xvbyluby.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDAA6D59-0456-B376-E44C-8E88F249A970}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CFDEA8B1-FC82-43F0-1F9C-98BC7CB6EFF1}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E565738F-00B5-BD54-344E-CE29CDEF3F6F}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5E4032F-B58E-1B79-B01F-22DB28518DF7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\xvbyluby.dll [2007-11-06 18:23 145984]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 10:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 10:02]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 09:59]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 15:15]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-04-28 11:34]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 20:05]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 11:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 11:50]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 01:59]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 11:48]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.exe" [2005-07-19 15:32]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 09:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-17 09:52]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 12:48]
"b867f734"="C:\WINDOWS\system32\cbaqgaxs.dll" [2007-11-06 18:34]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:00]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 01:44:06]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-07-23 14:54:46]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.exe [1999-02-17 10:05:56]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 11:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvsr]
vtuuvsr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xvbyluby]
xvbyluby.dll 2007-11-06 18:23 145984 C:\WINDOWS\system32\xvbyluby.dll
S3 adxapie;adxapie;\??\C:\DOCUME~1\Marc\LOCALS~1\Temp\adxapie.sys
S3 kvpndev;Kerio VPN adapter;C:\WINDOWS\system32\DRIVERS\kvpndrv.sys
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;C:\WINDOWS\system32\DRIVERS\kwflower.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 03:00:00 C:\WINDOWS\Tasks\XoftSpySE 2.job"
"2007-10-22 01:07:40 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 17:00:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\WindowsUpdate.log:osfyyc 66048 bytes executable
C:\WINDOWS\IE4 Error Log.txt:vdvhxq 66048 bytes executable
C:\WINDOWS\ntdtcsetup.log:hjqcjc 66048 bytes executable
C:\WINDOWS\KB888113.log:bmpipw 66048 bytes executable
C:\WINDOWS\KB896688.log:zfeawg 66048 bytes executable
scan completed successfully
hidden files: 5
**************************************************************************
.
Completion time: 2007-11-07 17:02:33 - machine was rebooted
.
--- E O F ---

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Marc\Application Data\TSKS~1
C:\Documents and Settings\Marc\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Marc\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Marc\Favorites\Online Security Guide.lnk
C:\Program Files\inetget2
C:\Program Files\Temporary
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b143.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\enpfjrpn.dll
C:\WINDOWS\system32\gniqleby.dll
C:\WINDOWS\system32\jleoqjoi.dll
C:\WINDOWS\system32\kbhcovhj.dll
C:\WINDOWS\system32\kgqeeojp.dll
C:\WINDOWS\system32\knhkvwup.ini
C:\WINDOWS\system32\krsiekfv.dll
C:\WINDOWS\system32\mbols~1
C:\WINDOWS\system32\ousqtkta.dllbox
C:\WINDOWS\system32\puwvkhnk.dll
C:\WINDOWS\system32\qqstv.bak1
C:\WINDOWS\system32\qqstv.bak2
C:\WINDOWS\system32\qqstv.ini
C:\WINDOWS\system32\qqstv.tmp
C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\xvbyluby.dllbox
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\winshow.exe
C:\WINDOWS\system32\goqxnnhy.dll
C:\WINDOWS\system32\cbaqgaxs.dll
C:\WINDOWS\system32\yrjqtxgf.exe
C:\WINDOWS\system32\xvbyluby.dll
C:\WINDOWS\system32\odafhekw.dll
C:\WINDOWS\system32\klqwvefn.dll
C:\WINDOWS\system32\vpcmlocw.dll
C:\WINDOWS\TWFyYw\nqIVsT.vbs
Folder::
C:\WINDOWS\TWFyYw
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{264CF0A6-205F-9792-7707-4A66A092B2CD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{566D5654-F286-AF49-F666-5B4CAB763C2D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69A95735-B4D5-D1A2-41A1-FCC2CAC8DC7E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A8FA81A-5DB1-391E-A47A-E2064E5B330E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDAA6D59-0456-B376-E44C-8E88F249A970}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CFDEA8B1-FC82-43F0-1F9C-98BC7CB6EFF1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E565738F-00B5-BD54-344E-CE29CDEF3F6F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5E4032F-B58E-1B79-B01F-22DB28518DF7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvsr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xvbyluby]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto start, click "run".
Post a new Hijack This log and a new Combofix log please.

ComboFix 07-11-07.3 - Marc 2007-11-08 16:25:27.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.183 [GMT -10:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Marc\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Marc\Application Data\TSKS~1
C:\Documents and Settings\Marc\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Marc\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Marc\Favorites\Online Security Guide.lnk
C:\Program Files\inetget2
C:\Program Files\Temporary
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b143.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cbaqgaxs.dll
C:\WINDOWS\system32\enpfjrpn.dll
C:\WINDOWS\system32\gniqleby.dll
C:\WINDOWS\system32\goqxnnhy.dll
C:\WINDOWS\system32\jleoqjoi.dll
C:\WINDOWS\system32\kbhcovhj.dll
C:\WINDOWS\system32\kgqeeojp.dll
C:\WINDOWS\system32\klqwvefn.dll
C:\WINDOWS\system32\knhkvwup.ini
C:\WINDOWS\system32\krsiekfv.dll
C:\WINDOWS\system32\mbols~1
C:\WINDOWS\system32\odafhekw.dll
C:\WINDOWS\system32\ousqtkta.dllbox
C:\WINDOWS\system32\puwvkhnk.dll
C:\WINDOWS\system32\qqstv.bak1
C:\WINDOWS\system32\qqstv.bak2
C:\WINDOWS\system32\qqstv.ini
C:\WINDOWS\system32\qqstv.tmp
C:\WINDOWS\system32\vpcmlocw.dll
C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\xvbyluby.dll
C:\WINDOWS\system32\xvbyluby.dllbox
C:\WINDOWS\system32\yrjqtxgf.exe
C:\WINDOWS\TWFyYw\nqIVsT.vbs
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\winshow.exe
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\cbaqgaxs.dll
C:\WINDOWS\system32\goqxnnhy.dll
C:\WINDOWS\system32\klqwvefn.dll
C:\WINDOWS\system32\odafhekw.dll
C:\WINDOWS\system32\vpcmlocw.dll
C:\WINDOWS\system32\xvbyluby.dll
C:\WINDOWS\system32\xvbyluby.dllbox
C:\WINDOWS\system32\yrjqtxgf.exe
C:\WINDOWS\TWFyYw
C:\WINDOWS\TWFyYw\nqIVsT.vbs
.
((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.
2007-11-07 08:09 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-11-06 18:32 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-27 13:30 <DIR> d-------- C:\Documents and Settings\Marc\Application Data\Kerio
2007-10-24 22:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-10-24 22:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-10-24 22:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-10-24 22:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2007-10-24 21:21 <DIR> d-------- C:\VundoFix Backups
2007-10-23 18:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-23 17:49 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-23 17:48 <DIR> d-------- C:\Program Files\Your Company Name
2007-10-23 17:48 <DIR> d-------- C:\Program Files\XoftSpySE
2007-10-23 17:48 <DIR> d-------- C:\Program Files\Java
2007-10-23 17:47 <DIR> d-------- C:\Team17
2007-10-23 17:47 <DIR> d-------- C:\Program Files\Firefly Studios
2007-10-23 17:47 <DIR> d-------- C:\Program Files\Bots
2007-10-23 17:47 <DIR> d-------- C:\HULK
2007-10-23 17:47 <DIR> d-------- C:\games
2007-10-23 17:43 <DIR> d-------- C:\WINDOWS\LastGood(2)
2007-10-22 15:52 <DIR> d-------- C:\Documents and Settings\Marc\Application Data\Netscape
2007-10-22 15:51 <DIR> d-------- C:\Program Files\Netscape
2007-10-22 10:47 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-22 10:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-22 10:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-10 06:45 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-28 00:06 10,497 ----a-w C:\WINDOWS\system32\drivers\kwflower.log
2007-10-28 00:05 2,965 ----a-w C:\WINDOWS\system32\drivers\kwfupper.log
2007-10-04 03:01 --------- d-----w C:\Program Files\Picasa2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 10:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 10:02]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 09:59]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 15:15]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-04-28 11:34]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 20:05]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 11:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 11:50]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 01:59]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 11:48]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.exe" [2005-07-19 15:32]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 09:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-17 09:52]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 12:48]
"b867f734"="C:\WINDOWS\system32\cbaqgaxs.dll" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:00]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 01:44:06]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-07-23 14:54:46]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.exe [1999-02-17 10:05:56]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 11:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
S3 adxapie;adxapie;\??\C:\DOCUME~1\Marc\LOCALS~1\Temp\adxapie.sys
S3 kvpndev;Kerio VPN adapter;C:\WINDOWS\system32\DRIVERS\kvpndrv.sys
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;C:\WINDOWS\system32\DRIVERS\kwflower.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 02:31:04 C:\WINDOWS\Tasks\XoftSpySE 2.job"
"2007-10-22 01:07:40 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 16:31:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\WindowsUpdate.log:osfyyc 66048 bytes executable
C:\WINDOWS\IE4 Error Log.txt:vdvhxq 66048 bytes executable
C:\WINDOWS\ntdtcsetup.log:hjqcjc 66048 bytes executable
C:\WINDOWS\KB888113.log:bmpipw 66048 bytes executable
C:\WINDOWS\KB896688.log:zfeawg 66048 bytes executable
scan completed successfully
hidden files: 5
**************************************************************************
.
Completion time: 2007-11-08 16:32:43 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-07 17:02
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:35:55 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\LVCOMSX.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [b867f734] rundll32.exe "C:\WINDOWS\system32\cbaqgaxs.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - S-1-5-18 Startup: Registration Heroes of Might & Magic 5.LNK = C:\Program Files\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Registration Heroes of Might & Magic 5.LNK = C:\Program Files\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe (User 'Default user')
O4 - Startup: Registration Heroes of Might & Magic 5.LNK = C:\Program Files\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/open... (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishAct...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.c...
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 7611 bytes
Marc

oh, now when i start up i get an error message that reads:
error loading C:\WINDOWS\system32\cbaqgaxs.dll
specified module can not be found.
is that going to be a problem?
thanks once again for your attention and help.
Marc

Run Hijack This, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [b867f734] rundll32.exe "C:\WINDOWS\system32\cbaqgaxs.dll",b
Exit Hijack This.
Let us know how the computer is operating.
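The kind of entries selected for fixing in the list above can be picked out of a HijackThis log mechanically. The following Python sketch is an added example, not part of the original thread and not HijackThis code; the sample lines are copied from the log posted earlier, and the two heuristics (an O2 entry ending in "(no file)", and an O4 Run value that starts a DLL through rundll32.exe) are assumptions chosen to fit this log, not rules taken from the tool.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [b867f734] rundll32.exe "C:\WINDOWS\system32\cbaqgaxs.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # "O4 - rest of line"
RUN = re.compile(r"^\S+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,', re.I)
HEXNAME = re.compile(r"^[0-9a-f]{8}$", re.I)               # e.g. b867f734


def triage(log_text):
    """Return (section, reason, line) tuples for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O2" and body.endswith("(no file)"):
            # Browser Helper Object still registered although its file is gone.
            findings.append((section, "BHO registered but its file is missing", line))
        elif section == "O4":
            run = RUN.match(body)
            if run and RUNDLL.match(run["cmd"]):
                reason = "Run value loads a DLL through rundll32"
                if HEXNAME.match(run["name"]):
                    reason += " under a hex-only value name"
                findings.append((section, reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

A leftover Run value like the flagged O4 line is also what produces an "error loading ... specified module can not be found" message at startup once the DLL itself has been deleted.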

so far so good. the system is operating smooth like butter.
are we finished? that was fantastic.
many many thank yous! can i bake you brownies or something?
Marc

one more question for the experts -
i was wondering about this posting that koalageorge left me.
"hey there.
first off - remove norton. it's simply unreliable and it just consumes your resources. what you gotta do is this.
http://www.2-viruses.com/remove-tro...
follow the instructions and remove all the related processes and registry entries MANUALLY.
then get AVG here
http://free.grisoft.com/doc/downloa...
and check how you're doing. it all should be ok. good luck."
does it make sense to get rid of Norton AV? i mean, obviously it didn't help me with this trojan at all... but my worry is that if i remove it completely i will unleash the 30 something viruses that i have stored in quarantine. is that a valid concern? and does the recommended AVG really work better and take up fewer resources?
thanks once again
Marc

I use AVG and it does use less resources. If you paid for Norton I would at least run the subscription out before installing AVG.
You can delete the Quarantined items in Norton and delete this folder "C:\VundoFix Backups". Also you can remove any of the tools we used to clean the computer.
Be sure to turn back on any realtime protection that you may have turned off.
Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode.
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Run ATF-Cleaner from safe mode.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
You should add "Spywareblaster" to your arsenal of antispyware tools, just do a google search for spywareblaster, download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

okay, done.
since i'm using firefox, should i also use atf-cleaner to clear up firefox files?
downloading spywareblaster now.
Marc
