13-Oct-2007, 12:36 PM #1

Security Tool Bar 7.1

Seem to have acquired this pesky toolbar. What are the steps that I need to do to rid my laptop of this invader? Thanks
13-Oct-2007, 06:46 PM #2

Click here to download HJTInstall.exe
14-Oct-2007, 12:08 PM #3

Thanks for the response. Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:48 AM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\acs.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\WINNT\system32\IFXSPMGT.exe
C:\WINNT\system32\IFXTCS.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\AccelerometerSt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Communication Now\2119264\Program\Communication Now.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\Documents and Settings\CRODRIG6\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://chlweb/connect/connect/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Countrywide
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=PLAPROXY:80
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINNT\system32\mgqevfyn.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINNT\system32\hwlcnpri.dll
O2 - BHO: (no name) - {AC4E74C1-B02F-40AC-9820-E7FFC691DAF5} - C:\WINNT\system32\vturo.dll (file missing)
O2 - BHO: (no name) - Ð"å - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINNT\system32\hwlcnpri.dll
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINNT\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [MobileCfgMgr] C:\Program Files\Mobile Configuration Manager\MobileCfgMgr.exe Activate
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [zCMDConnectLaunch] C:\Program Files\CmdConnectLaunch\CmdConnectLauncher.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=102907 serial=DR12WUX-0603870-NUJ lang=EN
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [StatusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Communication Now] "C:\Program Files\Communication Now\2119264\Program\Communication Now.exe" -startup
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINNT\system32\tyotales.dll",sitypnow
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: Connect Up.lnk = C:\Program Files\Communication Now\2119264\Program\Communication Now.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: F1U201.401.lnk = ?
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.cwinsider.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O20 - Winlogon Notify: DeviceNP - C:\WINNT\SYSTEM32\DeviceNP.dll
O20 - Winlogon Notify: hwlcnpri - C:\WINNT\SYSTEM32\hwlcnpri.dll
O20 - Winlogon Notify: iifdded - iifdded.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\WINNT\System32\flcdlock.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINNT\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINNT\system32\IFXTCS.exe
O23 - Service: IgniteService - Ignite Technologies - C:\Program Files\Communication Now\2119264\Program\IgniteService.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard Company - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe

--
End of file - 12854 bytes
14-Oct-2007, 03:06 PM #4

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri).
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following:

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

==============================

Download SUPERAntiSpyware (SAS) free home version
http://www.superantispyware.com/supe...freevspro.html
Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
  o Close browsers before scanning
  o Scan for tracking cookies
  o Terminate memory threats before quarantining.
  o Please leave the others unchecked.
  o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
  o After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  o Click Preferences. Click the Statistics/Logs tab.
  o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  o It will open in your default text editor (such as Notepad/Wordpad).
  o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me regardless of what it finds, with a new HijackThis log.

This will take some time!!!!!!!!
15-Oct-2007, 04:27 PM #5

Ran all processes; pretty sure it eliminated the infestation. However, SmitfraudFix seems to have deleted my imaged desktop: links to programs I use at the workplace, namely a desktop link to Lotus Notes. Please advise. Here are the reports.

Rapport.txt

SmitFraudFix v2.240

Scan done at 10:02:50.78, Mon 10/15/2007
Run from C:\Documents and Settings\CRODRIG6\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: D-Link AirPlus Xtreme G DWL-G650 Adapter - Packet Scheduler Miniport
DNS Server Search Order: 66.75.164.90
DNS Server Search Order: 66.75.164.89

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A752AB17-B080-496D-B311-C838C9173F49}: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A752AB17-B080-496D-B311-C838C9173F49}: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A752AB17-B080-496D-B311-C838C9173F49}: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=66.75.164.90 66.75.164.89

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeText"="This computer system is property of Countrywide Financial Corporation and is provided only for authorized use. Unauthorized use or access of this system is prohibited. Unauthorized use may subject you to civil liability or criminal prosecution. Countrywide reserves the right to monitor all use of this system."
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Scan Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/15/2007 at 12:05 PM

Application Version : 3.9.1008

Core Rules Database Version : 3324
Trace Rules Database Version: 1325

Scan type : Complete Scan
Total Scan Time : 01:38:06

Memory items scanned : 687
Memory threats detected : 0
Registry items scanned : 7624
Registry threats detected : 30
File items scanned : 76372
File threats detected : 38

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32#ThreadingModel
C:\WINNT\SYSTEM32\HWLCNPRI.DLL
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKU\S-1-5-21-2139973840-330310611-1108620047-73717\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{11A69AE4-FBED-4832-A2BF-45AF82825583}

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}
HKCR\CLSID\{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}
HKCR\CLSID\{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}\InprocServer32
HKCR\CLSID\{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}\InprocServer32#ThreadingModel
C:\WINNT\SYSTEM32\IIFDDED.DLL
HKLM\Software\Classes\CLSID\{89AD4D75-2429-462e-BD4E-443F233F6033}
HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}
HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}\InprocServer32
HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}\InprocServer32#ThreadingModel
C:\WINNT\SYSTEM32\MGQEVFYN.DLL
HKLM\Software\Classes\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{89AD4D75-2429-462e-BD4E-443F233F6033}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}
HKCR\CLSID\{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}
HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{AC4E74C1-B02F-40AC-9820-E7FFC691DAF5}
HKCR\CLSID\{AC4E74C1-B02F-40AC-9820-E7FFC691DAF5}
HKCR\CLSID\{AC4E74C1-B02F-40AC-9820-E7FFC691DAF5}\InprocServer32
HKCR\CLSID\{AC4E74C1-B02F-40AC-9820-E7FFC691DAF5}\InprocServer32#ThreadingModel
C:\WINNT\SYSTEM32\VTURO.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AC4E74C1-B02F-40AC-9820-E7FFC691DAF5}

Adware.Tracking Cookie
C:\Documents and Settings\CRODRIG6\Cookies\crodrig6@ads.techguy[1].txt
C:\Documents and Settings\CRODRIG6\Cookies\crodrig6@da-tracking[2].txt
C:\Documents and Settings\CRODRIG6\Cookies\crodrig6@redirect.clickshield[1].txt
C:\Documents and Settings\CRODRIG6\Cookies\crodrig6@bridge.admarketplace[1].txt
C:\Documents and Settings\CRODRIG6\Cookies\crodrig6@atdmt[1].txt
C:\Documents and Settings\CRODRIG6\Cookies\crodrig6@revenue[1].txt
C:\Documents and Settings\CRODRIG6\Cookies\crodrig6@tremor.adbureau[2].txt
C:\Documents and Settings\CRODRIG6\Cookies\crodrig6@goclick[2].txt
C:\Documents and Settings\CRODRIG6\Cookies\crodrig6@yadro[1].txt
C:\Documents and Settings\CRODRIG6\Cookies\crodrig6@sexbuddies[2].txt
C:\Documents and Settings\CRODRIG6\Cookies\crodrig6@redorbit[2].txt
C:\Documents and Settings\CRODRIG6\Cookies\crodrig6@ehg-maniatv.hitbox[1].txt
C:\Documents and Settings\CRODRIG6\Cookies\crodrig6@bestsellerantivirus[2].txt
C:\Documents and Settings\CRODRIG6\Cookies\crodrig6@enhance[1].txt

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICO1.TMP
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICO10.TMP
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICO11.TMP
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICO12.TMP
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICO13.TMP
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICO132.TMP
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICO133.TMP
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICO134.TMP
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICO135.TMP
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICO136.TMP
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICO19.TMP
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICO1A.TMP
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICO1B.TMP
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICO1C.TMP
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICO1D.TMP
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICO2.TMP
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICO3.TMP
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICO4.TMP
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICO5.TMP
C:\DOCUMENTS AND SETTINGS\CRODRIG6\LOCAL SETTINGS\TEMP\ICOF.TMP

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:11 PM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\acs.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\WINNT\system32\IFXSPMGT.exe
C:\WINNT\system32\IFXTCS.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\AccelerometerSt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\AGRSMMSG.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Communication Now\2119264\Program\Communication Now.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\CRODRIG6\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://chlweb/connect/connect/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Countrywide
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=PLAPROXY:80
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - Ð"å - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINNT\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [MobileCfgMgr] C:\Program Files\Mobile Configuration Manager\MobileCfgMgr.exe Activate
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [zCMDConnectLaunch] C:\Program Files\CmdConnectLaunch\CmdConnectLauncher.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=102907 serial=DR12WUX-0603870-NUJ lang=EN
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [StatusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Communication Now] "C:\Program Files\Communication Now\2119264\Program\Communication Now.exe" -startup
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINNT\system32\tyotales.dll",sitypnow
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: Connect Up.lnk = C:\Program Files\Communication Now\2119264\Program\Communication Now.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: F1U201.401.lnk = ?
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.cwinsider.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DeviceNP - C:\WINNT\SYSTEM32\DeviceNP.dll
O20 - Winlogon Notify: hwlcnpri - hwlcnpri.dll (file missing)
O20 - Winlogon Notify: iifdded - iifdded.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\WINNT\System32\flcdlock.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINNT\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINNT\system32\IFXTCS.exe
O23 - Service: IgniteService - Ignite Technologies - C:\Program Files\Communication Now\2119264\Program\IgniteService.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard Company - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe

--
End of file - 12116 bytes

Thanks
|
15-Oct-2007, 05:25 PM
#6 |
| You may want to print this or save it to Notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click Fix checked:

O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINNT\system32\tyotales.dll",sitypnow
O20 - Winlogon Notify: hwlcnpri - hwlcnpri.dll (file missing)
O20 - Winlogon Notify: iifdded - iifdded.dll (file missing)

Download http://www.downloads.subratam.org/KillBox.zip or http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen)

Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following line(s) one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box. Make sure you get these exact file names:

C:\WINNT\system32\tyotales.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% – OK – Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp. Not all temp files will delete and that is normal.

Empty the recycle bin.

Boot and post a new HijackThis log from normal mode, NOT safe mode.

How are things on the PC??????????? |
|
15-Oct-2007, 07:46 PM
#7 |
| Aside from my company imaged desktop, everything seems to be working. Thanks. Is there any way to retrieve it?

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:30 PM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\acs.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\WINNT\system32\IFXSPMGT.exe
C:\WINNT\system32\IFXTCS.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\AccelerometerSt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Communication Now\2119264\Program\Communication Now.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\CRODRIG6\Desktop\Utilities\NewCleaners\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://chlweb/connect/connect/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Countrywide
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=PLAPROXY:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;*.chlweb.net;*.ten-net.net;172.17.*;172.18.*;63.166.*;63.167.*;*.cwinsider.com;*.countrywide.com;*.cwbc.com;*.dynamicdox.com;*.ukvaluation.com;*.aws.neteps.com;*.awseps.com;isnetaccess;eqnxtrv;*.wldnss.com;eclaims.balboainsurance.com;*.landsafecredit.com;viola;simdido;pladido;*.goldworks.com;*.landsafe.com;iwasp01p;166.73.211.*;*.rentersins.com;eportal.fnfismd.com;172.20.*;*.policyxpress.com;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - Ð"å - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINNT\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [MobileCfgMgr] C:\Program Files\Mobile Configuration Manager\MobileCfgMgr.exe Activate
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [zCMDConnectLaunch] C:\Program Files\CmdConnectLaunch\CmdConnectLauncher.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=102907 serial=DR12WUX-0603870-NUJ lang=EN
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [StatusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Communication Now] "C:\Program Files\Communication Now\2119264\Program\Communication Now.exe" -startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: Connect Up.lnk = C:\Program Files\Communication Now\2119264\Program\Communication Now.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: F1U201.401.lnk = ?
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.cwinsider.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DeviceNP - C:\WINNT\SYSTEM32\DeviceNP.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\WINNT\System32\flcdlock.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINNT\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINNT\system32\IFXTCS.exe
O23 - Service: IgniteService - Ignite Technologies - C:\Program Files\Communication Now\2119264\Program\IgniteService.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard Company - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe

--
End of file - 12498 bytes |
|
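The helper in post #6 picked three entries out of a 12 KB log by eye: a Run key that uses rundll32 to load an oddly named DLL from system32, and two Winlogon Notify packages whose DLL no longer exists. The follow-up log in post #7 also carries a BHO with no name and no file behind it. The script below is an added example, not part of this thread and not HijackThis code; it applies those same checks mechanically to HijackThis-style lines so a reviewer triaging a long log sees the entries worth a second look first. The sample lines are copied from the logs posted in this thread; the names `Finding`, `triage` and `is_absolute`, and the extra "no absolute path" heuristic (which the thread does not raise), are mine. A hit is a reason to verify an entry, not proof that it is malicious.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Sample entries copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINNT\system32\tyotales.dll",sitypnow
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Global Startup: ACS.lnk = ?
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - Ð"å - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hwlcnpri - hwlcnpri.dll (file missing)
O20 - Winlogon Notify: iifdded - iifdded.dll (file missing)
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    name: str      # entry name (Run value name, BHO name, Notify package)
    detail: str    # the path or command that triggered the check
    reason: str    # why a reviewer should look at it


# "O4 - <rest>" : section code, " - ", the rest of the entry
ENTRY_RE = re.compile(r'^(?P<sec>[A-Z]\d+) - (?P<rest>.*)$')
# Run-key form of an O4 entry: "<hive>\..\Run: [<name>] <command>"
RUN_RE = re.compile(r'^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# first .dll path in a command line, optionally quoted
DLL_RE = re.compile(r'"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)


def first_token(cmd: str) -> str:
    """Return the executable part of a command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def is_absolute(path: str) -> bool:
    """True for drive-letter, %VAR%-rooted or UNC paths; False for bare names."""
    return bool(re.match(r'^([A-Za-z]:\\|%[^%]+%\\|\\\\)', path))


def triage(log_text: str) -> list:
    """Run the heuristics over every line and return the entries worth checking."""
    findings = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, rest = m.group('sec'), m.group('rest')
        entry_name = rest.split(':', 1)[-1].split(' - ')[0].strip()

        if sec == 'O20' and '(file missing)' in rest:
            # Winlogon Notify DLL that no longer exists: a dangling logon hook,
            # typically left behind after something was removed.
            findings.append(Finding(sec, entry_name, rest,
                'Winlogon Notify package whose DLL is gone; dangling logon hook, '
                'safe to remove once confirmed no vendor owns it'))

        elif sec == 'O2' and ('(no file)' in rest or '(no name)' in rest):
            # A Browser Helper Object with no name or no backing file is either
            # debris or something hiding its origin; either way it should not stay.
            findings.append(Finding(sec, entry_name, rest,
                'BHO with no name and/or no file behind it'))

        elif sec == 'O4':
            r = RUN_RE.match(rest)
            if not r:          # "Global Startup: x.lnk = ..." lines are not Run keys
                continue
            name, cmd = r.group('name'), r.group('cmd')
            exe = first_token(cmd)
            if exe.lower().split('\\')[-1].startswith('rundll32'):
                # rundll32 executes an export of an arbitrary DLL at logon; the DLL,
                # not rundll32, is what needs an owner.
                d = DLL_RE.search(cmd)
                findings.append(Finding(sec, name, d.group('dll') if d else cmd,
                    'Run entry loads a DLL through rundll32; confirm the DLL vendor'))
            elif not is_absolute(exe):
                findings.append(Finding(sec, name, exe,
                    'Run entry has no absolute path; resolved via the search path, '
                    'so confirm which file actually starts'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.section:4} {f.name:15} {f.detail}\n     -> {f.reason}')
```

Run against the sample it reports exactly the three entries the helper told the poster to fix, the nameless BHO from the second log, and the path-less AGRSMMSG entry, while the signed vendor entries on the same lines pass untouched.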
15-Oct-2007, 09:23 PM
#8 |
| Get your IT folks to bring it back clean.

If you feel it is fixed, mark it solved via Thread Tools above.

Turn off restore points, boot, turn them back on – here's how: http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

This clears infected restore points and sets a new, clean one. |

|
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.

