Please help. Smitfraud.c toolbar888 and have had many others



B0SC0
2007-01-21, 02:45
Hi,

I have tried the preliminary steps with limited results.

First off, I cannot boot in safe mode, but I can boot in safe mode with networking (iffy at best; I must repeatedly hit the enter key to make it go).
Also, I am unable to access my system folder to disable the restore function.
Missing rundll32.exe, or something like that.

I have spent two days on this and at my wits end.

Just some of the items that have popped up using Spybot (most recent updates), CA Pest Patrol, CA eTrust Anti-virus, CA eTrust anti-spyware,
combofix, hijackthis:

Smitfraud-c
Smitfraud-c toolbar888
IMLSERVER
ISEARCH
YAZZLESODUKU
SVCHOSTS.EXE
UPDATE.EXE
?EXPLORE.EXE
PURITY SCAN
SEARCHTOOLBARCORP TOOLBAR VISION
and many others.... :-(

Currently, while researching all of this on the web, I am redirected to different webpages. One in particular wants me to purchase anti-virus software (PC Protection Center, or something like that).

Here is my current hjt log.

Logfile of HijackThis v1.99.1
Scan saved at 8:25:05 PM, on 1/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\windows\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\windows\system32\libusbd-nt.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\windows\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\windows\system32\wuauclt.exe
C:\Documents and Settings\MARIO\Desktop\hijackthis\AnalyzeThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Documents and Settings\MARIO\Application Data\Mozilla\Profiles\default\a9i10q7l.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MARIO\Application Data\Mozilla\Profiles\default\a9i10q7l.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\windows\system32\poameybn.dll
O2 - BHO: (no name) - {9A329020-DB22-40E5-9C67-265865AD5081} - C:\windows\system32\pmkjh.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E} - C:\windows\system32\rqrpppp.dll
O2 - BHO: (no name) - {F3458838-4CA0-6753-A6EE-1744E0831BE5} - C:\windows\system32\aepmokqy.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=012207 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\windows\system32\guyqckff.dll",setvm
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O15 - Trusted Zone: http://www.ncesc.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O20 - Winlogon Notify: awtst - C:\windows\system32\awtst.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmkjh - C:\windows\system32\pmkjh.dll
O20 - Winlogon Notify: rqrpppp - C:\windows\SYSTEM32\rqrpppp.dll
O20 - Winlogon Notify: wingfo32 - C:\windows\SYSTEM32\wingfo32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: fsbwsys - Unknown owner - C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust ITM Job Service (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\windows\system32\libusbd-nt.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\windows\System32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Thank you.

Angelfire777
2007-01-21, 02:52
Hi, welcome to Safer Networking Forums!

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

B0SC0
2007-01-21, 03:57
I clicked on your link and got this:

You are not authorized to view this page

This has been happening a lot.

Also, was re-directed to a gambling site.

Angelfire777
2007-01-21, 08:41
Are you the administrator of your machine? If not, it could be that your system administrator is preventing you from accessing certain sites...

If you are the administrator of your machine, I want you to try this:

Please download DelDomains (http://www.mvps.org/winhelp2002/DelDomains.inf) by WinHelp2002 and save it to your desktop:
Right-click on DelDomains.inf, and choose Install.
You may not see any noticeable changes or prompts; this is normal.
Then, please restart your computer.
You will have to re-immunize with SpywareBlaster, IE-SPYAD, and/or Spybot – Search & Destroy after doing this.

After doing that, please try to run VundoFix again.

B0SC0
2007-01-21, 14:54
Hi,

I was able to email vundofix from my laptop to my infected desktop
and I am running it now.

Yes, I have admin rights.

I will post the logs from Vundofix and HJT and await your reply before proceeding.

Thank You

B0SC0
2007-01-21, 16:29
Hi,

Here are the requested logs.

Thank You.



Logfile of HijackThis v1.99.1
Scan saved at 10:17:17 AM, on 1/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\windows\System32\svchost.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\windows\system32\libusbd-nt.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\windows\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\windows\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\windows\system32\wuauclt.exe
C:\Documents and Settings\MARIO\Desktop\hijackthis\AnalyzeThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Documents and Settings\MARIO\Application Data\Mozilla\Profiles\default\a9i10q7l.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MARIO\Application Data\Mozilla\Profiles\default\a9i10q7l.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {65570AE6-E5DC-437C-83A5-009BDE91B772} - C:\windows\system32\pmkjh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\windows\system32\poameybn.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E} - C:\windows\system32\rqrpppp.dll (file missing)
O2 - BHO: (no name) - {F3458838-4CA0-6753-A6EE-1744E0831BE5} - C:\windows\system32\aepmokqy.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=012207 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O15 - Trusted Zone: http://www.ncesc.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O20 - Winlogon Notify: awtst - C:\windows\system32\awtst.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmkjh - C:\windows\system32\pmkjh.dll
O20 - Winlogon Notify: wingfo32 - C:\windows\SYSTEM32\wingfo32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: fsbwsys - Unknown owner - C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust ITM Job Service (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\windows\system32\libusbd-nt.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\windows\System32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


VundoFix V6.3.2

Checking Java version...

Java version is 1.4.2.4

Scan started at 10:31:48 PM 1/20/2007

Listing files found while scanning....

C:\windows\SYSTEM32\awekewmx.exe
C:\windows\SYSTEM32\ffkcqyug.ini
C:\windows\SYSTEM32\guyqckff.dll
C:\windows\SYSTEM32\hggebay.dll
C:\windows\system32\pmkjh.dll
C:\windows\SYSTEM32\pmnligd.dll
C:\windows\system32\poameybn.dll
C:\windows\SYSTEM32\qomjihi.dll
C:\windows\SYSTEM32\rqrpppp.dll
C:\windows\SYSTEM32\urqrsts.dll

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\awekewmx.exe
C:\windows\SYSTEM32\awekewmx.exe Has been deleted!

Attempting to delete C:\windows\SYSTEM32\ffkcqyug.ini
C:\windows\SYSTEM32\ffkcqyug.ini Has been deleted!

Attempting to delete C:\windows\SYSTEM32\guyqckff.dll
C:\windows\SYSTEM32\guyqckff.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\hggebay.dll
C:\windows\SYSTEM32\hggebay.dll Has been deleted!

Attempting to delete C:\windows\system32\pmkjh.dll
C:\windows\system32\pmkjh.dll Could not be deleted.

Attempting to delete C:\windows\SYSTEM32\pmnligd.dll
C:\windows\SYSTEM32\pmnligd.dll Has been deleted!

Attempting to delete C:\windows\system32\poameybn.dll
C:\windows\system32\poameybn.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\qomjihi.dll
C:\windows\SYSTEM32\qomjihi.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\rqrpppp.dll
C:\windows\SYSTEM32\rqrpppp.dll Could not be deleted.

Attempting to delete C:\windows\SYSTEM32\urqrsts.dll
C:\windows\SYSTEM32\urqrsts.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.2

Checking Java version...

Java version is 1.4.2.4

Scan started at 11:21:37 PM 1/20/2007

Listing files found while scanning....


VundoFix V6.3.2

Checking Java version...

Java version is 1.4.2.4

Scan started at 8:43:26 AM 1/21/2007

Listing files found while scanning....

C:\windows\system32\poameybn.dll
C:\windows\SYSTEM32\rqrpppp.dll

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\rqrpppp.dll
C:\windows\SYSTEM32\rqrpppp.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.3.2

Checking Java version...

Java version is 1.4.2.4

Scan started at 9:30:15 AM 1/21/2007

Listing files found while scanning....

C:\windows\system32\poameybn.dll
C:\windows\SYSTEM32\rqrpppp.dll

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\rqrpppp.dll
C:\windows\SYSTEM32\rqrpppp.dll Has been deleted!

Performing Repairs to the registry.
Done!

Angelfire777
2007-01-22, 13:25
*Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Do not use it yet!


*Run VundoFix
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files.
Copy & paste the 6 entries below into the top 6 boxes.

C:\windows\system32\pmkjh.dll
C:\windows\system32\hjkmp.*
C:\windows\system32\aepmokqy.dll
C:\windows\system32\yqkompea.*
C:\windows\system32\poameybn.dll
C:\windows\system32\nbyemaop.*


Click Add Files and click Close Window.
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O2 - BHO: (no name) - {65570AE6-E5DC-437C-83A5-009BDE91B772} - C:\windows\system32\pmkjh.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\windows\system32\poameybn.dll (file missing)
O2 - BHO: (no name) - {B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E} - C:\windows\system32\rqrpppp.dll (file missing)
O2 - BHO: (no name) - {F3458838-4CA0-6753-A6EE-1744E0831BE5} - C:\windows\system32\aepmokqy.dll
O20 - Winlogon Notify: awtst - C:\windows\system32\awtst.dll (file missing)
O20 - Winlogon Notify: pmkjh - C:\windows\system32\pmkjh.dll
O20 - Winlogon Notify: wingfo32 - C:\windows\SYSTEM32\wingfo32.dll

Did you add the following entry to your trusted zone list? If not, fix them too:

O15 - Trusted Zone: http://www.ncesc.com

Close your browsers and all open windows except for HijackThis, then click "Fix checked".

_________________________________________

You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.

*Configure your machine to view hidden files:

Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading select Show hidden files and folders.
Uncheck the Hide Protected Operating System Files Option.
Click Yes to confirm.
Click OK.

*Using Windows Explorer, find and delete these files:

C:\windows\SYSTEM32\wingfo32.dll

Empty your recycle bin.

______________________________________

Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, click Options > Change settings.
Choose the "Scan" tab and remove the mark at "Heuristic analysis".
Back at the main window, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, check whether you can click the icon next to the files found:
http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it, then click the icon right below it and select Move incurable, as you'll see in the next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (this is in case we need samples).
After selecting, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot your computer to normal mode, because files in use may be moved/deleted during the reboot.
After reboot, post the contents of the Dr.Web log you saved previously in your next reply.


*Click HERE (http://www.spywareinfo.com/~merijn/files/windows/rundll32_xp.zip) to download rundll32.exe.

Download it to your desktop then unzip all the contents to this folder: C:\Windows\System32

That will fix your system restore issue but DO NOT disable it until I tell you so. It is better to have an infected System Restore than nothing at all.


On your next reply, please include a fresh HijackThis log, CureIt log, VundoFix log and a description of how your machine is running.
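
Added here as an editor's example, not code from the thread or from the HijackThis/VundoFix authors: a small Python triage script that parses the O2, O20 and O15 lines of a HijackThis log, picks out the nameless BHOs and Winlogon Notify entries living in system32, and derives the reversed-name companion patterns (pmkjh.dll -> hjkmp.*) that the helper pasted into VundoFix above. The igfxcui allowlist and the "nameless BHO in system32" rule are assumptions drawn from which entries the helper did and did not select; the sample lines are copied from the log posted in this thread.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: HijackThis lines copied from the log posted in this thread
# (a mix of legitimate and Vundo-related entries).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {65570AE6-E5DC-437C-83A5-009BDE91B772} - C:\windows\system32\pmkjh.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\windows\system32\poameybn.dll (file missing)
O2 - BHO: (no name) - {F3458838-4CA0-6753-A6EE-1744E0831BE5} - C:\windows\system32\aepmokqy.dll
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmkjh - C:\windows\system32\pmkjh.dll
O20 - Winlogon Notify: wingfo32 - C:\windows\SYSTEM32\wingfo32.dll
O15 - Trusted Zone: http://www.ncesc.com
""".strip()

# Assumed allowlist: Winlogon Notify keys the helper left alone in this thread
# (igfxcui belongs to the Intel graphics driver).
KNOWN_GOOD_NOTIFY = {"igfxcui"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+)$")


@dataclass
class Entry:
    section: str   # "O2", "O20" or "O15"
    line: str      # the original HijackThis line, as it would be ticked in "Fix checked"
    name: str      # BHO display name, Notify key, or trusted-zone URL
    path: str      # file path ("" for O15)
    missing: bool  # HijackThis reported "(file missing)"


def parse_hjt(text: str) -> list[Entry]:
    """Parse the O2, O20 and O15 lines of a HijackThis log; other sections are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", line, m["name"], m["path"], bool(m["missing"])))
        elif m := O20_RE.match(line):
            entries.append(Entry("O20", line, m["key"], m["path"], bool(m["missing"])))
        elif m := O15_RE.match(line):
            entries.append(Entry("O15", line, m["url"], "", False))
    return entries


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def file_stem(path: str) -> tuple[str, str]:
    """Return (stem, ext) of the file name at the end of a Windows path, lower-cased."""
    fname = path.rsplit("\\", 1)[-1].lower()
    stem, _, ext = fname.rpartition(".")
    return stem, ext


@dataclass
class Triage:
    fix_lines: list[str] = field(default_factory=list)       # lines to tick in HijackThis
    vundofix_paths: list[str] = field(default_factory=list)  # "add more files" list for VundoFix
    trusted_zones: list[str] = field(default_factory=list)   # O15 URLs to confirm with the user


def triage(entries: list[Entry]) -> Triage:
    result = Triage()
    seen = set()
    for e in entries:
        if e.section == "O15":
            result.trusted_zones.append(e.name)
            continue
        if e.section == "O2":
            # A nameless BHO in system32 (or already missing) is the Vundo profile seen in
            # this thread; legitimate BHOs such as SDHelper.dll sit under Program Files.
            suspicious = e.name == "(no name)" and (in_system32(e.path) or e.missing)
        else:  # O20
            suspicious = in_system32(e.path) and e.name.lower() not in KNOWN_GOOD_NOTIFY
        if not suspicious:
            continue
        result.fix_lines.append(e.line)
        if e.section == "O2" and in_system32(e.path):
            stem, ext = file_stem(e.path)
            # Vundo keeps a companion file named with the DLL's stem reversed and a
            # different extension (pmkjh.dll -> hjkmp.*), the pairing the helper listed.
            for pattern in (f"{stem}.{ext}", f"{stem[::-1]}.*"):
                target = "C:\\windows\\system32\\" + pattern
                if target not in seen:
                    seen.add(target)
                    result.vundofix_paths.append(target)
    return result


if __name__ == "__main__":
    t = triage(parse_hjt(SAMPLE_LOG))
    print("Tick in HijackThis:", *t.fix_lines, sep="\n  ")
    print("VundoFix 'add more files':", *t.vundofix_paths, sep="\n  ")
    print("Confirm trusted zones:", *t.trusted_zones, sep="\n  ")
```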

B0SC0
2007-01-22, 23:21
It seems I have more to do.


O20 - Winlogon Notify: wingfo32 - C:\windows\SYSTEM32\wingfo32.dll


Also was wondering about this:
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll

In your instructions you stated to place a check mark next to:
O20 - Winlogon Notify: pmkjh - C:\windows\system32\pmkjh.dll
But this was not present. Just to let you know.

I placed the trusted zone in zonealarm.

Thank you

B0SC0



Here are the logs you requested:

Logfile of HijackThis v1.99.1
Scan saved at 5:02:47 PM, on 1/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\windows\System32\svchost.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\windows\system32\libusbd-nt.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\windows\System32\svchost.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\MARIO\Desktop\hijackthis\AnalyzeThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Documents and Settings\MARIO\Application Data\Mozilla\Profiles\default\a9i10q7l.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MARIO\Application Data\Mozilla\Profiles\default\a9i10q7l.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=020607 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O15 - Trusted Zone: http://www.ncesc.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: wingfo32 - C:\windows\SYSTEM32\wingfo32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: fsbwsys - Unknown owner - C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust ITM Job Service (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\windows\system32\libusbd-nt.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\windows\System32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

B0SC0
2007-01-22, 23:22
CureIT log:

DVD.Region.Free.v.3.21.WinALL.incl.patch-EiTheL.exe;C:\Program Files\DVD Region-Free;Tool.ASEye.2;Incurable.Moved.;
NPMyWay.dll;C:\Program Files\Netscape\Communicator\Program\Plugins;Adware.MyWay;Incurable.Moved.;
A0220001.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1201;BackDoor.Pigeon.669;Deleted.;
A0220002.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1201;BackDoor.Pigeon.688;Deleted.;
A0220016.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1201;Trojan.Mezzia;Deleted.;
A0220065.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1202;BackDoor.Pigeon.669;Deleted.;
A0220067.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1202;BackDoor.Pigeon.688;Deleted.;
A0220105.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1203;BackDoor.Pigeon.669;Deleted.;
A0220147.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1204;BackDoor.Pigeon.669;Deleted.;
A0220149.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1204;BackDoor.Pigeon.688;Deleted.;
A0220178.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1205;BackDoor.Pigeon.669;Deleted.;
A0220206.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1206;BackDoor.Pigeon.669;Deleted.;
A0220234.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1207;BackDoor.Pigeon.669;Deleted.;
A0220246.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1207;BackDoor.Pigeon.669;Deleted.;
A0220248.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1207;BackDoor.Pigeon.688;Deleted.;
A0220264.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1207;BackDoor.Pigeon.669;Deleted.;
A0220311.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1208;BackDoor.Pigeon.669;Deleted.;
A0220313.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1208;BackDoor.Pigeon.688;Deleted.;
A0220346.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1209;BackDoor.Pigeon.669;Deleted.;
A0220398.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1210;BackDoor.Pigeon.669;Deleted.;
A0220428.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1210;BackDoor.Pigeon.669;Deleted.;
A0220439.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1210;BackDoor.Pigeon.669;Deleted.;
A0220442.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1210;BackDoor.Pigeon.688;Deleted.;
A0220524.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1211;BackDoor.Pigeon.669;Deleted.;
A0220535.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1211;BackDoor.Pigeon.669;Deleted.;
A0220598.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1212;BackDoor.Pigeon.669;Deleted.;
A0220660.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1213;BackDoor.Pigeon.669;Deleted.;
A0220701.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1213;BackDoor.Pigeon.669;Deleted.;
A0220703.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1213;BackDoor.Pigeon.688;Deleted.;
A0220716.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1215;BackDoor.Pigeon.669;Deleted.;
A0220718.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1215;BackDoor.Pigeon.688;Deleted.;
A0220762.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1216;BackDoor.Pigeon.669;Deleted.;
A0221724.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1226;BackDoor.Pigeon.669;Deleted.;
A0221726.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1226;BackDoor.Pigeon.688;Deleted.;
A0221743.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1226;BackDoor.Pigeon.669;Deleted.;
A0221769.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1227;BackDoor.Pigeon.669;Deleted.;
A0221772.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1227;BackDoor.Pigeon.688;Deleted.;
A0221785.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1227;BackDoor.Pigeon.669;Deleted.;
A0221787.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1227;BackDoor.Pigeon.688;Deleted.;
A0221874.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1229;BackDoor.Pigeon.669;Deleted.;
A0221894.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1230;BackDoor.Pigeon.669;Deleted.;
A0221896.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1230;BackDoor.Pigeon.688;Deleted.;
A0221905.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1230;BackDoor.Pigeon.669;Deleted.;
A0221920.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1230;BackDoor.Pigeon.669;Deleted.;
A0221937.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;BackDoor.Pigeon.669;Deleted.;
A0221939.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;BackDoor.Pigeon.688;Deleted.;
A0221960.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1232;BackDoor.Pigeon.669;Deleted.;
A0221962.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1232;BackDoor.Pigeon.688;Deleted.;
A0221999.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1233;BackDoor.Pigeon.669;Deleted.;
A0223000.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1233;BackDoor.Pigeon.669;Deleted.;
A0223037.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1235;BackDoor.Pigeon.669;Deleted.;
A0224313.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1237;BackDoor.Pigeon.669;Deleted.;
A0224329.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1237;BackDoor.Pigeon.669;Deleted.;
A0227399.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1248;Trojan.DownLoader.17040;Deleted.;
A0227400.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1248;Trojan.DownLoader.17039;Deleted.;
A0227936.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1251;Trojan.DownLoader.17040;Deleted.;
A0227937.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1251;Trojan.DownLoader.17039;Deleted.;
A0228640.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1253;Trojan.DownLoader.17040;Deleted.;
A0228641.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1253;Trojan.DownLoader.17039;Deleted.;
A0229943.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1260;Adware.Macfa;Incurable.Moved.;
A0230092.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1261;Trojan.DownLoader.17040;Deleted.;
A0230093.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1261;Trojan.DownLoader.17039;Deleted.;
A0232153.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1263;Trojan.DownLoader.17040;Deleted.;
A0232195.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1263;Trojan.DownLoader.17040;Deleted.;
A0232273.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1264;Adware.Macfa;Incurable.Moved.;
A0232294.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1264;Trojan.PurityAd;Deleted.;
A0232316.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1264;Adware.ClickSpring;Incurable.Moved.;
A0232354.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1264;Adware.Macfa;Incurable.Moved.;
A0232367.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1264;Trojan.Fakealert;Deleted.;
A0232377.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1264;Adware.Macfa;Incurable.Moved.;
A0232401.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1264;Trojan.DownLoader.17040;Deleted.;
A0232403.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1264;Trojan.DownLoader.17040;Deleted.;
A0232406.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1264;Adware.ClickSpring;Incurable.Moved.;
A0232407.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1264;Trojan.PurityAd;Deleted.;
A0232444.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1264;Trojan.Proxy.493;Deleted.;
A0232445.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1264;Trojan.Proxy.493;Deleted.;
A0232449.exe\data001;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1264\A0232449.exe;Adware.ClickSpring;;
A0232449.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1264;Archive contains infected objects;Moved.;
A0232452.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1264;Adware.Maxifiles;Incurable.Moved.;
A0232453.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1264;Adware.Maxifiles;Incurable.Moved.;
A0232455.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1264;Adware.Macfa;Incurable.Moved.;
A0232459.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1264;Trojan.DownLoader.17040;Deleted.;
aepmokqy.dll.bad;C:\VundoFix Backups;Adware.ClickSpring;Incurable.Moved.;
awekewmx.exe.bad;C:\VundoFix Backups;Adware.TopSearch;Incurable.Moved.;
guyqckff.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
hggebay.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
pmkjh.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
pmnligd.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
poameybn.dll.bad;C:\VundoFix Backups;Trojan.Juan;Deleted.;
qomjihi.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
rqrpppp.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
urqrsts.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
cfffjtsl.dll;C:\WINDOWS\SYSTEM32;Trojan.Virtumod;Deleted.;

Vundofix log:


VundoFix V6.3.2

Checking Java version...

Java version is 1.4.2.4

Scan started at 10:31:48 PM 1/20/2007

Listing files found while scanning....

C:\windows\SYSTEM32\awekewmx.exe
C:\windows\SYSTEM32\ffkcqyug.ini
C:\windows\SYSTEM32\guyqckff.dll
C:\windows\SYSTEM32\hggebay.dll
C:\windows\system32\pmkjh.dll
C:\windows\SYSTEM32\pmnligd.dll
C:\windows\system32\poameybn.dll
C:\windows\SYSTEM32\qomjihi.dll
C:\windows\SYSTEM32\rqrpppp.dll
C:\windows\SYSTEM32\urqrsts.dll

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\awekewmx.exe
C:\windows\SYSTEM32\awekewmx.exe Has been deleted!

Attempting to delete C:\windows\SYSTEM32\ffkcqyug.ini
C:\windows\SYSTEM32\ffkcqyug.ini Has been deleted!

Attempting to delete C:\windows\SYSTEM32\guyqckff.dll
C:\windows\SYSTEM32\guyqckff.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\hggebay.dll
C:\windows\SYSTEM32\hggebay.dll Has been deleted!

Attempting to delete C:\windows\system32\pmkjh.dll
C:\windows\system32\pmkjh.dll Could not be deleted.

Attempting to delete C:\windows\SYSTEM32\pmnligd.dll
C:\windows\SYSTEM32\pmnligd.dll Has been deleted!

Attempting to delete C:\windows\system32\poameybn.dll
C:\windows\system32\poameybn.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\qomjihi.dll
C:\windows\SYSTEM32\qomjihi.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\rqrpppp.dll
C:\windows\SYSTEM32\rqrpppp.dll Could not be deleted.

Attempting to delete C:\windows\SYSTEM32\urqrsts.dll
C:\windows\SYSTEM32\urqrsts.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.2

Checking Java version...

Java version is 1.4.2.4

Scan started at 11:21:37 PM 1/20/2007

Listing files found while scanning....


VundoFix V6.3.2

Checking Java version...

Java version is 1.4.2.4

Scan started at 8:43:26 AM 1/21/2007

Listing files found while scanning....

C:\windows\system32\poameybn.dll
C:\windows\SYSTEM32\rqrpppp.dll

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\rqrpppp.dll
C:\windows\SYSTEM32\rqrpppp.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.3.2

Checking Java version...

Java version is 1.4.2.4

Scan started at 9:30:15 AM 1/21/2007

Listing files found while scanning....

C:\windows\system32\poameybn.dll
C:\windows\SYSTEM32\rqrpppp.dll

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\rqrpppp.dll
C:\windows\SYSTEM32\rqrpppp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.2

Checking Java version...

Java version is 1.4.2.4

Scan started at 11:13:25 AM 1/22/2007

Listing files found while scanning....

C:\windows\system32\hjkmp.bak2
C:\windows\system32\hjkmp.ini
C:\windows\system32\hjkmp.ini2
C:\windows\system32\hjkmp.tmp
C:\windows\system32\pmkjh.dll
C:\windows\system32\poameybn.dll

Beginning removal...

Attempting to delete C:\windows\system32\aepmokqy.dll
C:\windows\system32\aepmokqy.dll Has been deleted!

Attempting to delete C:\windows\system32\hjkmp.bak2
C:\windows\system32\hjkmp.bak2 Has been deleted!

Attempting to delete C:\windows\system32\hjkmp.ini
C:\windows\system32\hjkmp.ini Has been deleted!

Attempting to delete C:\windows\system32\hjkmp.ini2
C:\windows\system32\hjkmp.ini2 Has been deleted!

Attempting to delete C:\windows\system32\hjkmp.tmp
C:\windows\system32\hjkmp.tmp Has been deleted!

Attempting to delete C:\windows\system32\pmkjh.dll
C:\windows\system32\pmkjh.dll Could not be deleted.

Attempting to delete C:\windows\system32\pmkjh.dll
C:\windows\system32\pmkjh.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\pmkjh.dll
C:\windows\system32\pmkjh.dll Has been deleted!

Performing Repairs to the registry.
Done!

B0SC0
2007-01-22, 23:24
Performance has improved. I am no longer being directed to other sites.

However, I have had my firewall locked down until now.

B0SC0

Angelfire777
2007-01-23, 10:46
It seems I have more to do.


O20 - Winlogon Notify: wingfo32 - C:\windows\SYSTEM32\wingfo32.dll

looks like that one is stubborn :)



Also was wondering about this:
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll

That file is Intel(R) integrated graphics controller. It is legit.

Did you run Vundofix again like I instructed you? The logfile you posted is an old one.



In your instructions you stated to place a check mark next to:
O20 - Winlogon Notify: pmkjh - C:\windows\system32\pmkjh.dll
But this was not present. Just to let you know.

That's ok.

From the CureIT log:


DVD.Region.Free.v.3.21.WinALL.incl.patch-EiTheL.exe;C:\Program Files\DVD Region-Free;Tool.ASEye.2;Incurable.Moved.;

I strongly discourage you from using "cracks". Using those is an easy way to get your computer infected.



However, I have had my firewall locked down until now.

Can you please explain that a bit more?
_____________________________

*Using Windows Explorer, navigate to this folder:

C:\Documents and Settings\Mario\DoctorWeb\quarantine

then delete all the contents of that folder.

Empty your Recycle bin.


*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O20 - Winlogon Notify: wingfo32 - C:\windows\SYSTEM32\wingfo32.dll

Close your browsers and all open windows except for HijackThis, then click "Fix checked".


*Download Killbox (http://www.bleepingcomputer.com/files/killbox.php)

Open Killbox.exe

Check the following boxes:

Delete on Reboot

Highlight all the entries in the quote box below and then Copy them.


C:\windows\SYSTEM32\wingfo32.dll

Then in Killbox, click File>>Paste from Clipboard

Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes.

A second message will ask to Reboot now? You will need to click Yes to allow the reboot.


*Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
Click Start > Control Panel
Click Add/Remove Programs
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove button.
Repeat as many times as necessary to remove all versions of Java.
Reboot your computer once all Java components are removed.
Then download Java Runtime Environment 6 (http://java.sun.com/javase/downloads/index.jsp), and install it to your computer.

Reboot then post a fresh HijackThis log.
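
The two mechanisms behind the instructions above (why a Winlogon Notify DLL is "stubborn" and what Killbox's "Delete on Reboot" actually does) can be shown in code. The script below is an added example and is not from this thread, from HijackThis or from Killbox. It parses O20 lines in the HijackThis 1.99 format, flags any Notify package that is not on a small allowlist (the allowlist itself is an assumption for illustration, not an authoritative list), and builds the REG_MULTI_SZ payload that Session Manager reads from PendingFileRenameOperations to delete a file before winlogon.exe can map it again. The sample log lines are constructed from the entries seen in this thread; the "(file missing)" pmkjh line is invented to show the orphan case.

```python
"""Triage O20 (Winlogon Notify) entries and build a delete-on-reboot payload.

Added example; not part of the original thread, HijackThis or Killbox.

Background (Windows XP):
  * Winlogon Notify packages live under
    HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\<key>
    (value DLLName) and are loaded into winlogon.exe at every logon, so a
    malicious one is mapped while the desktop is up and resists deletion.
  * "Delete on reboot" (Killbox, or MoveFileEx with
    MOVEFILE_DELAY_UNTIL_REBOOT) appends source/target string pairs to the
    REG_MULTI_SZ value PendingFileRenameOperations under
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager; an empty target
    means "delete".  Session Manager processes the list early in boot.
"""
import re

# HijackThis 1.99 prints: "O20 - Winlogon Notify: <key> - <dll path>[ (file missing)]"
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)

# ASSUMPTION: illustrative allowlist of Notify keys commonly seen on XP-era
# machines (Intel graphics hook plus Microsoft's own packages). Not authoritative.
KNOWN_GOOD = {"igfxcui", "crypt32chain", "cryptnet", "cscdll", "scecli",
              "sclgntfy", "senslogn", "termsrv", "wlballoon", "schedule"}

# Constructed sample: first two lines mirror the thread's log, third is invented.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O20 - Winlogon Notify: igfxcui - C:\\windows\\SYSTEM32\\igfxsrvc.dll
O20 - Winlogon Notify: wingfo32 - C:\\windows\\SYSTEM32\\wingfo32.dll
O20 - Winlogon Notify: pmkjh - C:\\windows\\system32\\pmkjh.dll (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\\x\\ISafe.exe
"""


def triage_o20(log_text, known_good=KNOWN_GOOD):
    """Return [{'key', 'path', 'verdict'}] for every O20 line in an HJT log."""
    findings = []
    for raw in log_text.splitlines():
        m = O20_RE.match(raw.strip())
        if not m:
            continue
        key, path = m.group("key"), m.group("path")
        if m.group("missing"):
            verdict = "orphan"      # DLL gone, Notify subkey left behind: remove the key
        elif key.lower() in known_good:
            verdict = "known-good"
        else:
            verdict = "suspect"     # unknown code loaded into winlogon.exe at each logon
        findings.append({"key": key, "path": path, "verdict": verdict})
    return findings


def pending_rename_multi_sz(paths):
    """REG_MULTI_SZ bytes scheduling each path for deletion at next boot.

    Each entry is a pair of NUL-terminated UTF-16LE strings: the NT object
    path of the source ("\\??\\C:\\...") and an empty target (= delete).  The
    whole value ends with one more NUL.  Empty elements are normally illegal
    in a REG_MULTI_SZ; this value is special-cased because it is consumed
    strictly in pairs.
    """
    entries = []
    for p in paths:
        entries.append("\\??\\" + p)
        entries.append("")
    body = "".join(s + "\0" for s in entries) + "\0"
    return body.encode("utf-16-le")


def parse_pending_rename(blob):
    """Inverse of pending_rename_multi_sz: [(source, target), ...]."""
    text = blob.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("missing multi-sz terminator")
    items = text[:-1].split("\0")[:-1]      # drop terminator, then trailing ''
    if len(items) % 2:
        raise ValueError("odd number of strings in PendingFileRenameOperations")
    return list(zip(items[0::2], items[1::2]))


def still_pending(blob, path):
    """The check behind Killbox's 'pending file name operation registry data
    has been removed by external process' message: re-read the value before
    rebooting and confirm our delete entry survived, since a live malware
    component can clear it."""
    return any(src == "\\??\\" + path and dst == ""
               for src, dst in parse_pending_rename(blob))


def delete_on_reboot_payload(findings):
    """Schedule only the 'suspect' DLLs (orphans have no file to delete)."""
    return pending_rename_multi_sz(
        [f["path"] for f in findings if f["verdict"] == "suspect"])


if __name__ == "__main__":
    found = triage_o20(SAMPLE_LOG)
    for f in found:
        print(f"{f['verdict']:<10} {f['key']:<10} {f['path']}")
    blob = delete_on_reboot_payload(found)
    print(parse_pending_rename(blob))
    print("wingfo32 still scheduled:",
          still_pending(blob, "C:\\windows\\SYSTEM32\\wingfo32.dll"))
```

Writing the payload into the live registry is deliberately left out; on a real machine you would use MoveFileEx (or Killbox) and then re-read the value with `still_pending` before rebooting, since the thread shows exactly the failure mode where the entry is wiped before the reboot happens.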

B0SC0
2007-01-23, 19:08
Hi,AF777,

Yes, I did run Vundofix like you said. If you read the file you will notice that it was appended to 4 times. The last part, 1/22/07, was the one you wanted to read. :)

Here it is again:


VundoFix V6.3.2

Checking Java version...

Java version is 1.4.2.4

Scan started at 10:31:48 PM 1/20/2007

Listing files found while scanning....

C:\windows\SYSTEM32\awekewmx.exe
C:\windows\SYSTEM32\ffkcqyug.ini
C:\windows\SYSTEM32\guyqckff.dll
C:\windows\SYSTEM32\hggebay.dll
C:\windows\system32\pmkjh.dll
C:\windows\SYSTEM32\pmnligd.dll
C:\windows\system32\poameybn.dll
C:\windows\SYSTEM32\qomjihi.dll
C:\windows\SYSTEM32\rqrpppp.dll
C:\windows\SYSTEM32\urqrsts.dll

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\awekewmx.exe
C:\windows\SYSTEM32\awekewmx.exe Has been deleted!

Attempting to delete C:\windows\SYSTEM32\ffkcqyug.ini
C:\windows\SYSTEM32\ffkcqyug.ini Has been deleted!

Attempting to delete C:\windows\SYSTEM32\guyqckff.dll
C:\windows\SYSTEM32\guyqckff.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\hggebay.dll
C:\windows\SYSTEM32\hggebay.dll Has been deleted!

Attempting to delete C:\windows\system32\pmkjh.dll
C:\windows\system32\pmkjh.dll Could not be deleted.

Attempting to delete C:\windows\SYSTEM32\pmnligd.dll
C:\windows\SYSTEM32\pmnligd.dll Has been deleted!

Attempting to delete C:\windows\system32\poameybn.dll
C:\windows\system32\poameybn.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\qomjihi.dll
C:\windows\SYSTEM32\qomjihi.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\rqrpppp.dll
C:\windows\SYSTEM32\rqrpppp.dll Could not be deleted.

Attempting to delete C:\windows\SYSTEM32\urqrsts.dll
C:\windows\SYSTEM32\urqrsts.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.2

Checking Java version...

Java version is 1.4.2.4

Scan started at 11:21:37 PM 1/20/2007

Listing files found while scanning....


VundoFix V6.3.2

Checking Java version...

Java version is 1.4.2.4

Scan started at 8:43:26 AM 1/21/2007

Listing files found while scanning....

C:\windows\system32\poameybn.dll
C:\windows\SYSTEM32\rqrpppp.dll

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\rqrpppp.dll
C:\windows\SYSTEM32\rqrpppp.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.3.2

Checking Java version...

Java version is 1.4.2.4

Scan started at 9:30:15 AM 1/21/2007

Listing files found while scanning....

C:\windows\system32\poameybn.dll
C:\windows\SYSTEM32\rqrpppp.dll

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\rqrpppp.dll
C:\windows\SYSTEM32\rqrpppp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.2

Checking Java version...

Java version is 1.4.2.4

>>>>>>>>>>>>>>>>>>>>>Scan started at 11:13:25 AM 1/22/2007

Listing files found while scanning....

C:\windows\system32\hjkmp.bak2
C:\windows\system32\hjkmp.ini
C:\windows\system32\hjkmp.ini2
C:\windows\system32\hjkmp.tmp
C:\windows\system32\pmkjh.dll
C:\windows\system32\poameybn.dll

Beginning removal...

Attempting to delete C:\windows\system32\aepmokqy.dll
C:\windows\system32\aepmokqy.dll Has been deleted!

Attempting to delete C:\windows\system32\hjkmp.bak2
C:\windows\system32\hjkmp.bak2 Has been deleted!

Attempting to delete C:\windows\system32\hjkmp.ini
C:\windows\system32\hjkmp.ini Has been deleted!

Attempting to delete C:\windows\system32\hjkmp.ini2
C:\windows\system32\hjkmp.ini2 Has been deleted!

Attempting to delete C:\windows\system32\hjkmp.tmp
C:\windows\system32\hjkmp.tmp Has been deleted!

Attempting to delete C:\windows\system32\pmkjh.dll
C:\windows\system32\pmkjh.dll Could not be deleted.

Attempting to delete C:\windows\system32\pmkjh.dll
C:\windows\system32\pmkjh.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\pmkjh.dll
C:\windows\system32\pmkjh.dll Has been deleted!

Performing Repairs to the registry.
Done!


When I said that I had the "firewall locked down" I was talking about ZoneAlarm's firewall. I had it in lock mode to prevent any traffic passing through until I was ready to use the internet. I read elsewhere that when performing these clean-ups you should try not to use the internet too much, so I kept access to the internet to a minimum. There were two IP addresses that were trying to connect to the internet and send data (89.188.16.18, 63.251.135.15).
These are no longer showing up in ZoneAlarm.

Ran hjt and followed your instructions.

Ran killbox.exe and I had to type in "C:\windows\SYSTEM32\wingfo32.dll" instead of copy and paste, as you said.
However, I kept getting the message "Pending file name operation registry data has been removed by external process."
Discovered that if I went to the browse folder in Killbox and found the file that way, it would run properly and reboot.

Note** (I am operating with 2 PCs. I am not able to download files from the internet from the infected desktop PC. So I download from my laptop and email the cleaning programs to my infected desktop. Then I get those files from my email account and run them.)

Installed JRE 6.0, but had to email the startup online file to my infected desktop PC.
The reason is that I am still getting "You are not authorized to view this page" when I attempt to download a file.

Here is the most recent HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:30:09 PM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\windows\System32\svchost.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\windows\system32\libusbd-nt.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\windows\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\windows\system32\wuauclt.exe
C:\Documents and Settings\MARIO\Desktop\hijackthis\AnalyzeThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Documents and Settings\MARIO\Application Data\Mozilla\Profiles\default\a9i10q7l.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MARIO\Application Data\Mozilla\Profiles\default\a9i10q7l.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=020607 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O15 - Trusted Zone: http://www.ncesc.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: fsbwsys - Unknown owner - C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust ITM Job Service (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\windows\system32\libusbd-nt.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\windows\System32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

We're almost there.......

Thank you

B0SC0

Angelfire777
2007-01-25, 11:30
Hi


The reason is that I am still getting "You are not authorized to view this page"

I'm not a Zonealarm user, but are you sure Zonealarm is no longer in lockdown?

If you haven't tried this in my previous post, try to do this:

Please download DelDomains (http://www.mvps.org/winhelp2002/DelDomains.inf) by WinHelp2002 and save it to your desktop:
Right-click on DelDomains.inf, and choose Install.
You may not see any noticeable changes or prompts; this is normal.
Then, please restart your computer, and post a new HijackThis log.
You will have to re-immunize with SpywareBlaster, IE-SPYAD, and/or Spybot – Search & Destroy after doing this.


Download combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)

1. Double click combofix.exe & follow the prompts.
2. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

B0SC0
2007-01-25, 15:41
Hi, AF777,

Yes, I am sure when Zonealarm is locked or unlocked. If I lock it, a lock shows up in the system tray; if unlocked, it shows a small icon with ZA in it. If there is internet activity, it shows a bar graph that changes with activity. If it wasn't for ZA, I would not have been privy to what was going on initially.
It alerted me that a program was trying to send out data over the internet to an IP address, which I discussed earlier.
There is a lot more to ZA, but I won't go into that here.

Here are your requested files.

By the way, where are you located? I see by the times you log in that you are probably across the pond from the US.
I truly appreciate your help and I HOPE you don't take this the wrong way, since you have been able to nail this problem from the get go.
I use this infected computer for my income. I am a freelancer and work from home.
I am trying to be patient with the process, but waiting 24 hrs for a response and then going 48 hrs for a response is really dragging this out.
Would it not be more productive to hand this over to someone in the US?
I know you are a volunteer and I respect that. And I know this is a free service and I shouldn't whine ;-( ( If I am out of line, I apologize.)
I am starting to get desperate because I have some deadlines to meet and no other place to turn to for help.

Humbly yours, B0SC0




********************HJT log after running DelDomains.inf (was able to download this from the infected computer, strange, couldn't d/l before..?): **********************


Logfile of HijackThis v1.99.1
Scan saved at 8:13:40 AM, on 1/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\windows\System32\svchost.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\windows\system32\libusbd-nt.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\windows\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\windows\system32\wuauclt.exe
C:\Documents and Settings\MARIO\Desktop\hijackthis\AnalyzeThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Documents and Settings\MARIO\Application Data\Mozilla\Profiles\default\a9i10q7l.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MARIO\Application Data\Mozilla\Profiles\default\a9i10q7l.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=020607 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: fsbwsys - Unknown owner - C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust ITM Job Service (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\windows\system32\libusbd-nt.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\windows\System32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

B0SC0
2007-01-25, 15:42
*************************Re-immunized with spybot sd (also detected Smitfraud.c toolbar888 and fixed)****************************

*************************Ran Combofix.exe, here is that log : ************************************************************

"MARIO" - 07-01-25 8:39:14 Service Pack 2
ComboFix 07-01-18 - Running from: "C:\Documents and Settings\MARIO\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\MARIO
C:\qoobox\purity\DOCUME~1\MARIO\My Documents
C:\qoobox\purity\DOCUME~1\MARIO\My Documents\from.txt
C:\qoobox\purity\DOCUME~1\MARIO\My Documents\WNSXS~1
C:\qoobox\purity\Program Files\Common Files\STEM~1
C:\qoobox\purity\Program Files\Common Files\STEM~1\??stem
C:\qoobox\purity\WINDOWS\MANTEC~1
C:\qoobox\purity\WINDOWS\MANTEC~1\?explore.exe
C:\qoobox\purity\WINDOWS\SYSTEM32\YMANTE~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-25 to 2007-01-25 ))))))))))))))))))))))))))))))))))


2007-01-24 10:34 <DIR> d-------- C:\scroll1
2007-01-23 12:19 <DIR> d-------- C:\Program Files\Java
2007-01-23 12:19 <DIR> d-------- C:\Program Files\Common Files\Java
2007-01-23 10:15 <DIR> d-------- C:\!KillBox
2007-01-22 16:58 33,280 --a------ C:\WINDOWS\SYSTEM32\rundll32.exe
2007-01-22 12:53 <DIR> d-------- C:\DOCUME~1\MARIO\DoctorWeb
2007-01-20 22:31 <DIR> d-------- C:\VundoFix Backups
2007-01-19 22:32 155,648 ---h----- C:\Program Files\Common Files\svchost.exe
2007-01-19 20:53 <DIR> d--hs---- C:\WINDOWS\VklDVE9SIEJMQUNLQlVSTg
2007-01-19 20:20 2 --a------ C:\WINDOWS\SYSTEM32\wnsapisv.exe
2007-01-18 19:30 <DIR> d-------- C:\highjackthis
2007-01-17 13:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-01-17 13:35 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-01-14 15:03 210,944 --------- C:\WINDOWS\SYSTEM32\Msvcrt10.dll
2007-01-14 14:55 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-01-14 14:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\FLEXnet
2007-01-14 14:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
2007-01-13 20:24 520,192 --------- C:\WINDOWS\SYSTEM32\ati2sgag.exe
2007-01-13 20:23 <DIR> d-------- C:\Program Files\ATI Technologies
2007-01-05 18:12 17,920 --a------ C:\WINDOWS\SYSTEM32\mdimon.dll
2007-01-05 18:09 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-01-05 18:09 <DIR> d-------- C:\Program Files\Common Files\ODBC
2006-12-27 18:34 93,696 --a------ C:\WINDOWS\SYSTEM32\hpgt42.dll
2006-12-27 18:34 87,040 --a------ C:\WINDOWS\SYSTEM32\wiafbdrv.dll
2006-12-27 18:34 32,768 --a------ C:\WINDOWS\SYSTEM32\hpgtmcro.dll
2006-12-27 18:34 31,232 --a------ C:\WINDOWS\SYSTEM32\hpgt42tk.dll
2006-12-26 15:24 <DIR> d-------- C:\Program Files\Microchip
2006-12-25 21:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
2006-12-25 11:37 <DIR> d-------- C:\DOCUME~1\MARIO\Application Data\Petroglyph
2006-12-25 11:35 98,304 --a------ C:\WINDOWS\SYSTEM32\CmdLineExt.dll
2006-12-25 11:35 2,297,552 --a------ C:\WINDOWS\SYSTEM32\d3dx9_26.dll
2006-12-25 11:32 <DIR> d-------- C:\Program Files\LucasArts
2006-12-25 11:29 <DIR> d-------- C:\DOCUME~1\MARIO\Application Data\InstallShield


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-24 12:33 -------- d-------- C:\DOCUME~1\MARIO\Application Data\adobeum
2007-01-21 16:17 -------- d-------- C:\Program Files\dymo label
2007-01-17 21:17 -------- d-------- C:\Program Files\ca
2007-01-17 13:35 2560 --a------ C:\WINDOWS\_msrstrt.exe
2007-01-17 12:11 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-14 15:28 -------- d-------- C:\DOCUME~1\MARIO\Application Data\adobe
2007-01-13 20:32 -------- d-------- C:\DOCUME~1\MARIO\Application Data\ati
2007-01-13 17:19 -------- d-------- C:\DOCUME~1\MARIO\Application Data\solidworks
2007-01-13 16:23 -------- d---s---- C:\DOCUME~1\MARIO\Application Data\microsoft
2007-01-12 13:42 -------- d-------- C:\Program Files\dvd region-free
2007-01-12 13:34 -------- d-------- C:\Program Files\orcad_demo
2007-01-12 13:32 -------- d-------- C:\DOCUME~1\MARIO\Application Data\real
2007-01-12 13:28 -------- d-------- C:\Program Files\dlportio
2007-01-12 13:27 -------- d--h----- C:\Program Files\installshield installation information
2007-01-05 18:10 -------- d-------- C:\Program Files\microsoft activesync
2006-12-27 19:54 -------- d-------- C:\Program Files\cdburnerxp pro 3
2006-12-26 14:34 -------- d-------- C:\Program Files\wolfenstein - enemy territory
2006-12-26 14:30 -------- d-------- C:\Program Files\Common Files\solidworks data
2006-12-26 14:24 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2006-12-20 20:07 -------- d-------- C:\Program Files\sourceboost
2006-12-11 15:00 -------- d-------- C:\Program Files\doom 3
2006-12-11 14:14 223128 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vaxscsi.sys
2006-12-11 14:14 -------- d-------- C:\Program Files\alcohol soft
2006-12-11 08:54 33952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\oreans32.sys
2006-12-09 17:39 1562112 -r-hs---- C:\WINDOWS\winnmsn.exe
2006-12-09 17:24 -------- d-------- C:\Program Files\cyberlink
2006-12-05 20:03 -------- d-------- C:\DOCUME~1\MARIO\Application Data\open watcom
2006-11-14 09:51 364544 --a------ C:\WINDOWS\SYSTEM32\mppathan.dll
2006-11-14 09:24 1753088 --a------ C:\WINDOWS\SYSTEM32\mpxerces-c_2_7.dll
2006-11-02 21:36 28620288 --------- C:\91pspstu.exe
2006-11-02 19:49 7289885 --------- C:\AthenaSetup.exe
2006-10-30 12:43 73728 --a------ C:\WINDOWS\SYSTEM32\mplbcomm.dll
2006-10-23 08:59 63736 --a------ C:\DOCUME~1\MARIO\Application Data\gdipfontcachev1.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\windows\\system32\\igfxtray.exe"
"HPHUPD05"="C:\\Program Files\\Hewlett-Packard\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"HotKeysCmds"="C:\\windows\\system32\\hkcmd.exe"
"CorelDRAW Graphics Suite 11b"="C:\\Program Files\\Corel\\Corel Graphics 12\\Languages\\EN\\Programs\\Registration.exe /title=\"CorelDRAW Graphics Suite 12\" /date=020607 serial=DR12WEX-1504397-KTY lang=EN"
"QOELOADER"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust Anti-Spam\\QSP-2.1.215.5\\QOELoader.exe\""
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVRID.exe\""
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust PestPatrol\\PPActiveDetection.exe\""
"NeroCheck"="C:\\windows\\system32\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime Alternative\\qttask.exe\" -atboottime"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"Zone Labs Client"="C:\\PROGRA~1\\ZONELA~1\\ZONEAL~1\\zapro.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoResolveSearch"=dword:00000001
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f476cbba-11df-11da-8c4c-000bdbb543a5}]
Shell\AutoRun\command I:\AutoRun.exe "1, My Title, My Company"

Completion time: 07-01-25 8:43:56
C:\ComboFix2.txt ... 07-01-20 18:13
C:\ComboFix3.txt ... 07-01-20 16:51

***********************************2nd run of HJT...here is that log : *************************************

Logfile of HijackThis v1.99.1
Scan saved at 8:53:54 AM, on 1/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\windows\System32\svchost.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\windows\system32\libusbd-nt.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\windows\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\windows\system32\NOTEPAD.EXE
C:\Documents and Settings\MARIO\Desktop\hijackthis\AnalyzeThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Documents and Settings\MARIO\Application Data\Mozilla\Profiles\default\a9i10q7l.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MARIO\Application Data\Mozilla\Profiles\default\a9i10q7l.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=020607 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: fsbwsys - Unknown owner - C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust ITM Job Service (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\windows\system32\libusbd-nt.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\windows\System32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Angelfire777
2007-01-26, 16:28
By the way, where are you located? I see by the times you log in that you are probably across the pond from the US.

I'm located in the Philippines (a little island somewhere in southern Asia)


I am trying to be patient with the process, but waiting 24 hrs for a response and then going 48 hrs for a response is really dragging this out.

I took a look at each time I have posted. I am posting within 24 hrs. I can only post at night here because I have my own life; I am only a volunteer here, as you already know. I really suggest that you stick with me on this, and please be patient, as I'm doing my best to always post within 24 hrs.


Would it not be more productive to hand this over to someone in the US?

Helpers here on the forum come from different parts of the world; we don't know specific details about each helper (i.e. where they are located, etc.) and they have their own lives too. Delays will sometimes be expected, BUT replying within a day is really good enough. I'll try to find someone if you really insist.

===================================

*Configure your machine to view hidden files:

Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading select Show hidden files and folders.
Uncheck the Hide Protected Operating System Files Option.
Click Yes to confirm.
Click OK.


*Using Windows Explorer, find and delete these folders

C:\WINDOWS\VklDVE9SIEJMQUNLQlVSTg

*Delete the following files:

C:\Program Files\Common Files\svchost.exe IMPORTANT: There is a legitimate svchost.exe found inside this folder: C:\Windows\System32. Please be careful in deleting that file.

C:\WINDOWS\SYSTEM32\wnsapisv.exe

Do you recognize the following file? If not, locate the file and right click on it, select properties, and look for the vendor name, or anything that would indicate the program with which it may be associated. If you still do not recognize it, nor does it appear to be associated with a known valid program, delete it...

C:\91pspstu.exe

Empty your recycle bin.

Reboot.

__________________________

*I would like you to scan a few files for me.

Please go HERE (http://virusscan.jotti.org/). Click browse then, navigate to this file:

C:\WINDOWS\SYSTEM32\DRIVERS\oreans32.sys

Then click submit.

Do the same for this file: C:\WINDOWS\winnmsn.exe
and this file: C:\WINDOWS\SYSTEM32\mppathan.dll

Please post the results to your next reply.

If Jotti is too busy, you can go HERE (www.virustotal.com) and do the same as above.

On your next reply, please include a fresh HijackThis log and tell me if you are still having problems with Zonealarm; also, tell me if you still can't download files directly from your PC.
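The entries the helper singled out above (a hidden svchost.exe under Common Files, a hidden+system folder with a base64-looking name, a 2-byte wnsapisv.exe) follow from a few checks that can be applied mechanically to any ComboFix "Files Created" or Find3M line. The Python below is an added example, not part of this thread and not code from ComboFix or HijackThis; it runs those checks over a handful of lines copied from the log posted above. The expected-directory table, the 1 KiB "too small to be a PE image" threshold and the base64 name test are this example's own assumptions, and every hit is a triage candidate to look at (a hidden InstallShield folder, for instance, is normal), not a verdict.

```python
"""Triage ComboFix 'Files Created' / Find3M lines the way a helper reads them by eye.

Added example; not from the thread, ComboFix or HijackThis. Heuristics and
thresholds are assumptions chosen for illustration.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied verbatim from the ComboFix log posted above.
SAMPLE_LOG = """\
2007-01-22 16:58 33,280 --a------ C:\\WINDOWS\\SYSTEM32\\rundll32.exe
2007-01-19 22:32 155,648 ---h----- C:\\Program Files\\Common Files\\svchost.exe
2007-01-19 20:53 <DIR> d--hs---- C:\\WINDOWS\\VklDVE9SIEJMQUNLQlVSTg
2007-01-19 20:20 2 --a------ C:\\WINDOWS\\SYSTEM32\\wnsapisv.exe
2007-01-23 12:19 <DIR> d-------- C:\\Program Files\\Java
2006-12-09 17:39 1562112 -r-hs---- C:\\WINDOWS\\winnmsn.exe
"""

# date time  size | <DIR> | --------  attribute flags (d r a h s ...)  path
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(<DIR>|-+|[\d,]+)\s+([-a-z]{9})\s+(.+?)\s*$"
)

# Assumption: core Windows binaries and the one directory each belongs in.
# The same file name anywhere else is a masquerading candidate.
EXPECTED_DIR = {
    "svchost.exe": r"C:\WINDOWS\SYSTEM32",
    "rundll32.exe": r"C:\WINDOWS\SYSTEM32",
    "lsass.exe": r"C:\WINDOWS\SYSTEM32",
    "services.exe": r"C:\WINDOWS\SYSTEM32",
    "winlogon.exe": r"C:\WINDOWS\SYSTEM32",
    "csrss.exe": r"C:\WINDOWS\SYSTEM32",
    "smss.exe": r"C:\WINDOWS\SYSTEM32",
    "explorer.exe": r"C:\WINDOWS",
}
EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".scr", ".cpl")
TINY_LIMIT = 1024  # assumption: nothing this small is a real PE image


def decode_base64_name(name: str) -> Optional[str]:
    """Return the decoded text if `name` is (unpadded) base64 of printable ASCII."""
    if len(name) < 16 or not re.fullmatch(r"[A-Za-z0-9+/]+", name):
        return None
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
        text = raw.decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        return None
    if text.isprintable() and any(c.isalpha() for c in text):
        return text
    return None


def triage_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Parse one log line; return (path, reasons) or None if it is not an entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _date, _time, size_field, attrs, path = m.groups()
    is_dir = attrs[0] == "d" or size_field == "<DIR>"
    size = int(size_field.replace(",", "")) if size_field[0].isdigit() else None
    parent, _, name = path.rpartition("\\")
    reasons: List[str] = []

    # 1. Freshly created entries carrying hidden/system attributes.
    if "h" in attrs or "s" in attrs:
        reasons.append(f"hidden/system attributes ({attrs}) on a newly created entry")
    # 2. A core Windows binary name living outside its home directory.
    expected = EXPECTED_DIR.get(name.lower())
    if expected and parent.lower() != expected.lower():
        reasons.append(f"{name} outside {expected}")
    # 3. An 'executable' far too small to be a real program.
    if (not is_dir and size is not None and size < TINY_LIMIT
            and name.lower().endswith(EXECUTABLE_EXTS)):
        reasons.append(f"{size}-byte executable cannot be a valid PE image")
    # 4. A name that is really base64-encoded text (random-looking folder names).
    decoded = decode_base64_name(name)
    if decoded is not None:
        reasons.append(f"name is base64 for {decoded!r}")
    return path, reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged path to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        parsed = triage_line(line)
        if parsed and parsed[1]:
            findings[parsed[0]] = parsed[1]
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Entries that pass every check (the fresh rundll32.exe in System32, the Java folder) produce no output, which matches what the helper left alone; the four entries that do appear are exactly the ones the helper asked about or asked to delete, and the reason strings say which property drew attention so the next step (properties dialog, Jotti or VirusTotal upload) can be chosen deliberately.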

tashi
2007-02-05, 08:03
As the information requested has not been provided, this topic has been archived.

Thank you, Angelfire777. :crowned: