PDA

View Full Version : vitrtumonde that won't quit



crashsocott
2007-11-21, 02:22
I want to thank you for doing this service, it is tremendous and I appreciate it greatly. I have tried many, many fixes and have the icons gone now but cannot take back control of the pc. Here's the poop:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:36 PM, on 11/20/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [5c97b767] rundll32.exe "C:\WINDOWS\system32\sptsweky.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: ymetray.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAgent/icms/commonActiveX/smsx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v2.1 [ENU]) - https://pd.txfb-ins.com/fcp/ddrint/content/iejpwenu.cab
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yahoo.com/qos/cabs/DiagCollectionControl.cab
O16 - DPF: {FC565433-70D3-49FA-B4F8-A5F0DA265A95} (FISERV FIPSCO Report Viewer) - http://208.137.157.32/reports/control/sfbrptview.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rhlending
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rhlending
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rhlending
O23 - Service: ActiveFax-Server-Service (ActiveFaxServiceNT) - Vogler Software - C:\Program Files\ActiveFax\Server\ActSrvNT.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\tmproxy.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\winvnc.exe (file missing)

--
End of file - 8328 bytes
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
11/20/2007 6:11:59 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/11/2007
Kaspersky Anti-Virus database records: 462434
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 89200
Number of viruses found: 5
Number of infected objects: 20
Number of suspicious objects: 0
Duration of the scan process: 02:37:39

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\dlwixoql.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Owner\Local Settings\Temp\dswtmhmj.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Owner\Local Settings\Temp\exjegpqb.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Owner\Local Settings\Temp\mofugclq.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Owner\Local Settings\Temp\ngproxvf.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Owner\Local Settings\Temp\peuagbsx.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Owner\Local Settings\Temp\qrjatydi.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Owner\Local Settings\Temp\rhvqsuwb.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Owner\Local Settings\Temp\urclqecd.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Owner\Local Settings\Temp\vntmrykt.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Owner\Local Settings\Temp\xqedqkpr.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF78.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1988\A0163430.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1988\A0163432.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1988\A0163479.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1988\change.log Object is locked skipped
C:\VundoFix Backups\heuhfdfm.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\antneyyw.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\cmgemigp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\sptsweky.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\SYSTEM32\ssqnkhe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wmivylsg.exe Infected: Trojan.Win32.Obfuscated.kp skipped

Scan process completed.

pskelley
2007-11-21, 23:49
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

There is evidence Vundo is still infecting you:
O4 - HKLM\..\Run: [5c97b767] rundll32.exe "C:\WINDOWS\system32\sptsweky.dll",b

If you still need help, please do this for starters:

1) C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< rename HJT, call it crashsocott.exe that will work, the next log after a reboot my show hidden infection.

2) O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
Remove SDFix from your computer

3) Post all logs in normal mode unless I request otherwise.

Restart and post a new HJT log

Thanks

crashsocott
2007-11-26, 01:19
I can't do anything in normal mode, it says no permissions on anything I click, won't let me do any scans or add remove anything. I deleted SDFix in safe mode and reran a HJT log. Am I beyond help? Thank you!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:25 PM, on 11/25/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [5c97b767] rundll32.exe "C:\WINDOWS\system32\wpasvelk.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\rxyocdxd.exe
O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: ymetray.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAgent/icms/commonActiveX/smsx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v2.1 [ENU]) - https://pd.txfb-ins.com/fcp/ddrint/content/iejpwenu.cab
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yahoo.com/qos/cabs/DiagCollectionControl.cab
O16 - DPF: {FC565433-70D3-49FA-B4F8-A5F0DA265A95} (FISERV FIPSCO Report Viewer) - http://208.137.157.32/reports/control/sfbrptview.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rhlending
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rhlending
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rhlending
O23 - Service: ActiveFax-Server-Service (ActiveFaxServiceNT) - Vogler Software - C:\Program Files\ActiveFax\Server\ActSrvNT.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DomainService - - C:\WINDOWS\system32\rxyocdxd.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\tmproxy.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\winvnc.exe (file missing)

--
End of file - 8406 bytes

pskelley
2007-11-26, 01:41
I can't do anything in normal mode, it says no permissions on anything I click, won't let me do any scans or add remove anything. I deleted SDFix in safe mode and reran a HJT log. Am I beyond help? Thank you!I don't know, is this your computer? Are you signed in as administrator? I only asked you to do a few simple instructions and the HJT.exe was not renamed? which was the first instruction? If you can not download the tools we need, and this looks like a Vundo infection which can be tough to remove, then you might want to think about local professional help. Here is where we find out.

1) Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt run on reboot, simply follow the above instructions starting from "Click
the Scan for Vundo button." when VundoFix appears at reboot.

Vundofix.txt will be on the C:\

(wait until you finish to post reports and logs)

2) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the Vundofix report, the combofix log and a new HJT log.

Thanks

crashsocott
2007-11-26, 17:04
I am the owner, the system just says that user doesn't have permissions......... Here are the reports:


VundoFix V6.6.2

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 1:18:00 PM 11/20/07

Listing files found while scanning....

C:\windows\SYSTEM32\gebcy.dll
C:\windows\SYSTEM32\heuhfdfm.dll
C:\windows\SYSTEM32\ycbeg.ini
C:\windows\SYSTEM32\ycbeg.ini2

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\gebcy.dll
C:\windows\SYSTEM32\gebcy.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\heuhfdfm.dll
C:\windows\SYSTEM32\heuhfdfm.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\ycbeg.ini
C:\windows\SYSTEM32\ycbeg.ini Has been deleted!

Attempting to delete C:\windows\SYSTEM32\ycbeg.ini2
C:\windows\SYSTEM32\ycbeg.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 7:58:40 AM 11/26/07

Listing files found while scanning....

C:\windows\SYSTEM32\jkkll.dll
C:\windows\SYSTEM32\llkkj.ini
C:\windows\SYSTEM32\llkkj.ini2

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\jkkll.dll
C:\windows\SYSTEM32\jkkll.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\llkkj.ini
C:\windows\SYSTEM32\llkkj.ini Has been deleted!

Attempting to delete C:\windows\SYSTEM32\llkkj.ini2
C:\windows\SYSTEM32\llkkj.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

ComboFix 07-11-19.4 - Owner 2007-11-26 8:45:09.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.236 [GMT -6:00]Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\SYSTEM32\lnnmp.ini
C:\WINDOWS\SYSTEM32\lnnmp.ini2
C:\WINDOWS\system32\pmnnl.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_IPRIP
-------\DomainService
-------\Iprip




((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 )))))))))))))))))))))))))))))))
.

2007-11-20 15:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-20 14:52 102,800 --a------ C:\WINDOWS\SYSTEM32\drivers\tmcomm.sys
2007-11-20 13:18 <DIR> d-------- C:\VundoFix Backups
2007-11-20 08:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-19 17:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-11-19 17:12 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-18 22:35 79,424 --a------ C:\WINDOWS\SYSTEM32\addnlrsy.dll
2007-11-18 07:34 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2007-11-17 08:24 36,352 --a------ C:\WINDOWS\SYSTEM32\ssqnkhe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-25 23:05 79,936 ----a-w C:\WINDOWS\SYSTEM32\axqayedk.dll
2007-11-25 23:03 85,056 ----a-w C:\WINDOWS\SYSTEM32\wpasvelk.dll
2007-11-25 23:03 71,232 ----a-w C:\WINDOWS\SYSTEM32\votqglof.exe
2007-11-21 13:16 85,056 ----a-w C:\WINDOWS\SYSTEM32\cbocyyjn.dll
2007-11-21 13:10 80,960 ----a-w C:\WINDOWS\SYSTEM32\jwalqpjd.dll
2007-11-21 13:10 71,232 ----a-w C:\WINDOWS\SYSTEM32\rxyocdxd.exe
2007-11-20 20:41 --------- d-----w C:\Program Files\Trend Micro
2007-11-20 14:08 84,544 ----a-w C:\WINDOWS\SYSTEM32\fahcnkej.dll
2007-11-20 14:06 85,056 ----a-w C:\WINDOWS\SYSTEM32\sptsweky.dll
2007-11-20 14:06 71,232 ----a-w C:\WINDOWS\SYSTEM32\antneyyw.exe
2007-11-19 04:38 85,056 ----a-w C:\WINDOWS\SYSTEM32\cmgemigp.dll
2007-11-19 04:32 71,232 ----a-w C:\WINDOWS\SYSTEM32\wmivylsg.exe
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shell32.dll
2007-10-06 00:59 --------- d-----w C:\Program Files\Yahoo!
2006-09-20 14:28 64,000 -c--a-w C:\Documents and Settings\Owner\hodspoolermode.dll
2006-06-16 12:12 48,160 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-08-16 12:41 68,096 -c--a-w C:\Documents and Settings\Owner\hodprint.dll
2005-04-20 19:08 2,320 -c--a-w C:\Program Files\INSTALL.LOG
2001-09-28 21:00 164,864 -c--a-w C:\Program Files\UNWISE.EXE
2001-07-22 02:45 94,784 -csha-w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 -csha-w C:\WINDOWS\twain_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0fa19c52-0f6f-47e7-8903-6f1f47f95030}]
2007-11-25 17:05 79936 --a------ C:\WINDOWS\system32\axqayedk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C8E1C7B-D3EB-4B46-9F9F-76B58A3092CD}]
C:\WINDOWS\system32\jkkll.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68D5A988-CE68-441A-89D0-F0E4C3E1BE8B}]
C:\WINDOWS\system32\gebcy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
2007-11-17 08:24 36352 --a------ C:\WINDOWS\system32\ssqnkhe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-27 15:19]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 08:59]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 10:04]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 16:34]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-07-17 07:59]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-07-17 07:45]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 15:13]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-01 09:50]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 00:01]
"WinVNC"="C:\Program Files\RealVNC\WinVNC\winvnc.exe" []
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-08-17 16:44]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-01 12:25]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 10:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"LTMSG"="LTMSG.exe" [2003-07-14 10:52 C:\WINDOWS\ltmsg.exe]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 14:26]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 08:59]
"SDFix"="C:\SDFix\RunThis.bat /second" []
"5c97b767"="C:\WINDOWS\system32\wpasvelk.dll" [2007-11-25 17:03]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2004-08-27 17:03:40]
Billminder.lnk - C:\Program Files\Quicken\billmind.exe [2002-07-30 13:53:58]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2004-06-16 18:22:58]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2004-06-16 17:50:58]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-07-30 13:54:12]
Quicken Startup.lnk - C:\Program Files\Quicken\QWDLLS.EXE [2002-07-30 13:54:14]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe [2007-08-28 12:09:10]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\ssqnkhe.dll [2007-11-17 08:24 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnkhe]
ssqnkhe.dll 2007-11-17 08:24 36352 C:\WINDOWS\SYSTEM32\ssqnkhe.dll

R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\system32\DRIVERS\sonyhcb.sys
S3 iAimFP8;iAimFP8;C:\WINDOWS\system32\DRIVERS\wADV11nt.sys
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\system32\drivers\PCDRDRV.sys
S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\system32\DRIVERS\sonyhcs.sys
S3 stihp2k;stihp2k;C:\WINDOWS\system32\DRIVERS\stihp2k.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2005-08-28 19:00:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1109355699.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2005-04-25 14:53:50 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-26 08:51:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-26 8:53:57
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:37 AM, on 11/26/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\crashsocott.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {03059f74-f1f6-3098-7e74-f6f025c91af0} - {0fa19c52-0f6f-47e7-8903-6f1f47f95030} - C:\WINDOWS\system32\axqayedk.dll
O2 - BHO: (no name) - {1C8E1C7B-D3EB-4B46-9F9F-76B58A3092CD} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {68D5A988-CE68-441A-89D0-F0E4C3E1BE8B} - C:\WINDOWS\system32\gebcy.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\ssqnkhe.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [5c97b767] rundll32.exe "C:\WINDOWS\system32\wpasvelk.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: ymetray.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAgent/icms/commonActiveX/smsx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v2.1 [ENU]) - https://pd.txfb-ins.com/fcp/ddrint/content/iejpwenu.cab
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yahoo.com/qos/cabs/DiagCollectionControl.cab
O16 - DPF: {FC565433-70D3-49FA-B4F8-A5F0DA265A95} (FISERV FIPSCO Report Viewer) - http://208.137.157.32/reports/control/sfbrptview.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rhlending
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rhlending
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rhlending
O20 - Winlogon Notify: ssqnkhe - C:\WINDOWS\SYSTEM32\ssqnkhe.dll
O23 - Service: ActiveFax-Server-Service (ActiveFaxServiceNT) - Vogler Software - C:\Program Files\ActiveFax\Server\ActSrvNT.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\tmproxy.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\winvnc.exe (file missing)

--
End of file - 8404 bytes

pskelley
2007-11-26, 18:08
http://www.google.com/search?hl=en&q=how+to+change+user+permissions&btnG=Google+Search
http://www.google.com/search?hl=en&q=how+to+set+user+permissions&btnG=Google+Search

VundoFix V6.6.2
See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
Dowload the newest Java version and uninstall all old versions in Add Remove programs.
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Java version is 1.4.2.6
Java version is 1.5.0.2
Java version is 1.5.0.4
Java version is 1.5.0.6
Java version is 1.5.0.9
Java version is 1.5.0.10

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Open a new notepad window
Paste the list of files from the quote box below into the notepad window.


C:\WINDOWS\system32\axqayedk.dll
C:\WINDOWS\system32\ssqnkhe.dll
C:\WINDOWS\system32\wpasvelk.dll
C:\WINDOWS\SYSTEM32\votqglof.exe
C:\WINDOWS\SYSTEM32\cbocyyjn.dll
C:\WINDOWS\SYSTEM32\jwalqpjd.dll
C:\WINDOWS\SYSTEM32\rxyocdxd.exe
C:\WINDOWS\SYSTEM32\fahcnkej.dll
C:\WINDOWS\SYSTEM32\sptsweky.dll
C:\WINDOWS\SYSTEM32\antneyyw.exe
C:\WINDOWS\SYSTEM32\cmgemigp.dll
C:\WINDOWS\SYSTEM32\wmivylsg.exe

Save this as vundofix.vft and Save as type "all files"
Double-click VundoFix.exe to run it.
Drag vundofix.vft onto the listbox (white box) of VundoFix.
Click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting


4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: {03059f74-f1f6-3098-7e74-f6f025c91af0} - {0fa19c52-0f6f-47e7-8903-6f1f47f95030} - C:\WINDOWS\system32\axqayedk.dll
O2 - BHO: (no name) - {1C8E1C7B-D3EB-4B46-9F9F-76B58A3092CD} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {68D5A988-CE68-441A-89D0-F0E4C3E1BE8B} - C:\WINDOWS\system32\gebcy.dll (file missing)
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\ssqnkhe.dll
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [5c97b767] rundll32.exe "C:\WINDOWS\system32\wpasvelk.dll",b
O20 - Winlogon Notify: ssqnkhe - C:\WINDOWS\SYSTEM32\ssqnkhe.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\wpasvelk.dll <<< delete file if it is still there.

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the Vundofix report and a new HJT log.

Thanks

crashsocott
2007-11-26, 20:55
I still can only operate in safe mode. Can't uninstall the java, permissions error that still lingers on any program icon. Can't install any new programs other than safe mode operations. Did all the other fixes you said to do though.........


VundoFix V6.6.2

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 1:18:00 PM 11/20/07

Listing files found while scanning....

C:\windows\SYSTEM32\gebcy.dll
C:\windows\SYSTEM32\heuhfdfm.dll
C:\windows\SYSTEM32\ycbeg.ini
C:\windows\SYSTEM32\ycbeg.ini2

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\gebcy.dll
C:\windows\SYSTEM32\gebcy.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\heuhfdfm.dll
C:\windows\SYSTEM32\heuhfdfm.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\ycbeg.ini
C:\windows\SYSTEM32\ycbeg.ini Has been deleted!

Attempting to delete C:\windows\SYSTEM32\ycbeg.ini2
C:\windows\SYSTEM32\ycbeg.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 7:58:40 AM 11/26/07

Listing files found while scanning....

C:\windows\SYSTEM32\jkkll.dll
C:\windows\SYSTEM32\llkkj.ini
C:\windows\SYSTEM32\llkkj.ini2

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\jkkll.dll
C:\windows\SYSTEM32\jkkll.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\llkkj.ini
C:\windows\SYSTEM32\llkkj.ini Has been deleted!

Attempting to delete C:\windows\SYSTEM32\llkkj.ini2
C:\windows\SYSTEM32\llkkj.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\antneyyw.exe
C:\WINDOWS\SYSTEM32\antneyyw.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\axqayedk.dll
C:\WINDOWS\system32\axqayedk.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\cbocyyjn.dll
C:\WINDOWS\SYSTEM32\cbocyyjn.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\cmgemigp.dll
C:\WINDOWS\SYSTEM32\cmgemigp.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fahcnkej.dll
C:\WINDOWS\SYSTEM32\fahcnkej.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\jwalqpjd.dll
C:\WINDOWS\SYSTEM32\jwalqpjd.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\rxyocdxd.exe
C:\WINDOWS\SYSTEM32\rxyocdxd.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\sptsweky.dll
C:\WINDOWS\SYSTEM32\sptsweky.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqnkhe.dll
C:\WINDOWS\system32\ssqnkhe.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\votqglof.exe
C:\WINDOWS\SYSTEM32\votqglof.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\wmivylsg.exe
C:\WINDOWS\SYSTEM32\wmivylsg.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\wpasvelk.dll
C:\WINDOWS\system32\wpasvelk.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 10:55:08 AM 11/26/07

Listing files found while scanning....


VundoFix V6.6.2

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 11:13:24 AM 11/26/07

Listing files found while scanning....

No infected files were found.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:27 PM, on 11/26/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\crashsocott.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {64C4AB11-CB67-49E5-A5A3-8C80C5B7BDA3} - C:\WINDOWS\system32\ssqrr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\ssqnkhe.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: ymetray.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yahoo.com/qos/cabs/DiagCollectionControl.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rhlending
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rhlending
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rhlending
O20 - Winlogon Notify: ssqnkhe - C:\WINDOWS\SYSTEM32\ssqnkhe.dll
O23 - Service: ActiveFax-Server-Service (ActiveFaxServiceNT) - Vogler Software - C:\Program Files\ActiveFax\Server\ActSrvNT.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\tmproxy.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\winvnc.exe (file missing)

--
End of file - 7509 bytes

pskelley
2007-11-26, 21:05
Sounds like you may have problems other than malware, which I will not be able to help you with. Have you considered a repair of the operating system or a reinstall of the operating system?
http://www.google.com/search?hl=en&q=how+to+repair+XP&btnG=Google+Search
http://www.google.com/search?hl=en&q=how+to+reinstall+XP&btnG=Search


Open Vundofix by Doubleclicking on it, then point your mouse to the white box
above the buttons and right click, then click on Add More Files. When the
next window opens, copy and paste the files into the boxes and click on Add
File(s), then click on Close Window. Then click Remove Vundo.

add these files:
C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\ssqnkhe.dll

post the Vundofix report and a new HJT log.

Thanks

crashsocott
2007-11-26, 22:50
It doesn't want to get rid of the second one you had me vundofix.......


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:43:33 PM, on 11/26/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\crashsocott.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3082A9C2-8EB1-4BF4-8F67-15128E966E25} - C:\WINDOWS\system32\ddcca.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {64C4AB11-CB67-49E5-A5A3-8C80C5B7BDA3} - C:\WINDOWS\system32\ssqrr.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\ssqnkhe.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: ymetray.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yahoo.com/qos/cabs/DiagCollectionControl.cab
O23 - Service: ActiveFax-Server-Service (ActiveFaxServiceNT) - Vogler Software - C:\Program Files\ActiveFax\Server\ActSrvNT.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\tmproxy.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\winvnc.exe (file missing)

--
End of file - 7332 bytes

VundoFix V6.6.2

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 1:18:00 PM 11/20/07

Listing files found while scanning....

C:\windows\SYSTEM32\gebcy.dll
C:\windows\SYSTEM32\heuhfdfm.dll
C:\windows\SYSTEM32\ycbeg.ini
C:\windows\SYSTEM32\ycbeg.ini2

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\gebcy.dll
C:\windows\SYSTEM32\gebcy.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\heuhfdfm.dll
C:\windows\SYSTEM32\heuhfdfm.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\ycbeg.ini
C:\windows\SYSTEM32\ycbeg.ini Has been deleted!

Attempting to delete C:\windows\SYSTEM32\ycbeg.ini2
C:\windows\SYSTEM32\ycbeg.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 7:58:40 AM 11/26/07

Listing files found while scanning....

C:\windows\SYSTEM32\jkkll.dll
C:\windows\SYSTEM32\llkkj.ini
C:\windows\SYSTEM32\llkkj.ini2

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\jkkll.dll
C:\windows\SYSTEM32\jkkll.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\llkkj.ini
C:\windows\SYSTEM32\llkkj.ini Has been deleted!

Attempting to delete C:\windows\SYSTEM32\llkkj.ini2
C:\windows\SYSTEM32\llkkj.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\antneyyw.exe
C:\WINDOWS\SYSTEM32\antneyyw.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\axqayedk.dll
C:\WINDOWS\system32\axqayedk.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\cbocyyjn.dll
C:\WINDOWS\SYSTEM32\cbocyyjn.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\cmgemigp.dll
C:\WINDOWS\SYSTEM32\cmgemigp.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fahcnkej.dll
C:\WINDOWS\SYSTEM32\fahcnkej.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\jwalqpjd.dll
C:\WINDOWS\SYSTEM32\jwalqpjd.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\rxyocdxd.exe
C:\WINDOWS\SYSTEM32\rxyocdxd.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\sptsweky.dll
C:\WINDOWS\SYSTEM32\sptsweky.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqnkhe.dll
C:\WINDOWS\system32\ssqnkhe.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\votqglof.exe
C:\WINDOWS\SYSTEM32\votqglof.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\wmivylsg.exe
C:\WINDOWS\SYSTEM32\wmivylsg.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\wpasvelk.dll
C:\WINDOWS\system32\wpasvelk.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 10:55:08 AM 11/26/07

Listing files found while scanning....


VundoFix V6.6.2

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 11:13:24 AM 11/26/07

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqnkhe.dll
C:\WINDOWS\system32\ssqnkhe.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\ssqrr.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqnkhe.dll
C:\WINDOWS\system32\ssqnkhe.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqnkhe.dll
C:\WINDOWS\system32\ssqnkhe.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqnkhe.dll
C:\WINDOWS\system32\ssqnkhe.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

pskelley
2007-11-26, 23:02
Sometime you have to get tough with them:
http://support.microsoft.com/kb/308421

Sometimes you have to add it to Vundofix several times.

or you can try this:
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\ssqnkhe.dll and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

Let me know.

crashsocott
2007-11-27, 22:54
I wanted to thank you very much for all your efforts. This forum is a great place with an invaluable service.

The pc is going to have to take a trip to a local to see if they can debug it though. Too many other weird things going on that are above my pay grade to decipher.

Thank you again!

pskelley
2007-11-27, 23:01
I certainly understand that, I firmly believe there are issues besides malware causing your problems. Here is information that may help you prevent this from happening in the future.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.