Missing Control Panel


CRodgers (Thread Starter; joined Sep 23, 2007; 17 messages)

Hi! A friend of mine has 2 teenage boys sharing her computer with her. Unfortunately, they have visited/downloaded things they should not.

Issues:
* Cannot seem to find Control Panel as user Admin
* User Administrator is only a login option in Safe Mode, but also cannot find Control Panel and has NO password (need to set that somehow, right?)
* Cannot change the clock (1 hour behind, getting error window "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator." twice)

I used SuperAntiSpyware to quarantine a boatload of things (3 memory, 181 registry, 185 files) and I used SmitFraudFix to scan and fix several things. I still have the issues above.

I have not connected her PC to the internet yet. If I add her to my router, is it possible for her PC to infect my other PCs? I have downloaded things (like the tools above and HijackThis) to a thumb drive to put on her PC while not connected to the net. Is it safe to give her an IP address on my LAN?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:53 AM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINNT\system32\regsvr32.exe
C:\WINNT\system32\Rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Eraser\Eraser.exe
C:\WINNT\system32\sistray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {0E5B939C-F255-4D48-94EF-CB28051D97D9} - C:\WINNT\system32\cscdl.dll
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV7.dll
O2 - BHO: (no name) - {3615EE58-6F38-47BA-9DD9-C99BD611C6A6} - C:\WINNT\system32\ddcbyxw.dll
O2 - BHO: (no name) - {4BA002CD-3226-426D-9C3F-D0D487018DD9} - C:\Program Files\desktop.ini\cofeno89104.dll (file missing)
O2 - BHO: Gamburg provider - {5D7B3C66-EE1C-48a7-A596-9C229E920D62} - berg2.dll (file missing)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O2 - BHO: (no name) - {84c2365c-1dd2-11b2-8102-af6a6a6cb28e} - C:\WINNT\fobapoto.dll
O2 - BHO: (no name) - {B6A1A116-60F5-1C75-8B28-4FE6718509E5} - C:\WINNT\system32\plxl.dll (file missing)
O2 - BHO: (no name) - {B7A3AC14-33AA-4A25-D828-4FE671840EB2} - C:\WINNT\system32\nympon.dll (file missing)
O2 - BHO: (no name) - {E0A7FA11-35AF-1D25-D228-4FE671850DE0} - C:\WINNT\system32\wfxohf.dll (file missing)
O2 - BHO: (no name) - {E6A6FB16-34F9-4B27-DC28-4FE671820BB2} - C:\WINNT\system32\fdpnwr.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINNT\DOWNLO~1\vzbb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ixsjolsx] regsvr32 /u "C:\Documents and Settings\All Users.WINNT\Application Data\ixsjolsx.dll"
O4 - HKLM\..\Run: [BMa3b12406] Rundll32.exe "C:\WINNT\system32\kxlyuabo.dll",s
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - HKLM\..\Policies\Explorer\Run: [2PFHit5knC] C:\Documents and Settings\All Users.WINNT\Application Data\rgtkhwni\nsfstwdy.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINNT\system32\sistray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1110507865433
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4023.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcbyxw - C:\WINNT\SYSTEM32\ddcbyxw.dll
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\NetMeeting\kyze.html
O24 - Desktop Component 1: (no name) - C:\Program Files\Internet Explorer\howysy.html

--
End of file - 7542 bytes
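One way to read a log like the one above is to let a script do the first pass. The following triage helper is an added example, not code from the thread or from HijackThis: it parses HijackThis-style entry lines and flags the kinds of items that this thread goes on to remove: "(file missing)" references, BHOs with no registered name, autoruns under Policies\Explorer\Run or launched from an Application Data directory, O6 policy restrictions (consistent with the missing Control Panel), Winlogon Notify DLLs and Active Desktop components. The sample lines are copied from the log posted above; the heuristics and the names `Finding`, `triage_line`, `triage` and `summarize` are this example's own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0E5B939C-F255-4D48-94EF-CB28051D97D9} - C:\WINNT\system32\cscdl.dll
O2 - BHO: (no name) - {B6A1A116-60F5-1C75-8B28-4FE6718509E5} - C:\WINNT\system32\plxl.dll (file missing)
O4 - HKLM\..\Run: [ixsjolsx] regsvr32 /u "C:\Documents and Settings\All Users.WINNT\Application Data\ixsjolsx.dll"
O4 - HKLM\..\Run: [BMa3b12406] Rundll32.exe "C:\WINNT\system32\kxlyuabo.dll",s
O4 - HKLM\..\Policies\Explorer\Run: [2PFHit5knC] C:\Documents and Settings\All Users.WINNT\Application Data\rgtkhwni\nsfstwdy.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: ddcbyxw - C:\WINNT\SYSTEM32\ddcbyxw.dll
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\NetMeeting\kyze.html
"""

# Every HijackThis entry starts with a section tag (R0, F2, O2, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Finding:
    """One log entry that merits a closer look, with the reasons it was flagged."""
    section: str
    body: str
    reasons: list = field(default_factory=list)


def triage_line(line):
    """Return a Finding for one log line, or None if nothing in it merits review."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    reasons = []
    if "(file missing)" in body:
        reasons.append("registry entry points at a file that no longer exists")
    if section == "O2" and "(no name)" in body:
        reasons.append("browser helper object with no registered name")
    if section == "O4":
        if "Policies\\Explorer\\Run" in body:
            reasons.append("autorun under the Policies\\Explorer\\Run key")
        if re.search(r"\\Application Data\\", body, re.IGNORECASE):
            reasons.append("autorun launched from an Application Data directory")
        if re.search(r"\bregsvr32\s+/u\b", body, re.IGNORECASE):
            reasons.append("regsvr32 /u (unregister) used as a startup command")
        if re.search(r"\brundll32(\.exe)?\b", body, re.IGNORECASE):
            reasons.append("rundll32 loads a DLL at startup; verify the DLL")
    if section == "O6":
        reasons.append("policy restriction key present (consistent with a missing Control Panel)")
    if section == "O20":
        reasons.append("Winlogon Notify DLL is loaded inside winlogon.exe at logon")
    if section == "O24":
        reasons.append("Active Desktop component (HTML rendered on the desktop)")
    return Finding(section, body, reasons) if reasons else None


def triage(log_text):
    """Run triage_line over a whole log and keep only the flagged entries."""
    findings = (triage_line(line) for line in log_text.splitlines())
    return [f for f in findings if f is not None]


def summarize(findings):
    """Count flagged entries per HijackThis section, e.g. {'O2': 2, 'O4': 3, ...}."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for f in flagged:
        print(f"{f.section}: {f.body}")
        for reason in f.reasons:
            print(f"    - {reason}")
    print(summarize(flagged))
```

The heuristics are deliberately loose: rundll32 and Winlogon Notify entries are flagged for review, not declared malicious, because legitimate software (the NVIDIA autorun and the SUPERAntiSpyware Notify package in this same log) uses both. The value of the pass is that it surfaces the dangling references and unusual launch paths in seconds, leaving the judgement to the reader.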

dvk01 (Derek; Retired Moderator, Retired Malware Specialist; joined Dec 14, 2002; 56,452 messages)

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.cmd to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

CRodgers (Thread Starter)

I kept getting the following message window during SDFix:
16bit MS-DOS Subsystem
SDFix
C:\PROGRA~1\\Symantec\S32EVNT1.DLL. An installable Virtual Device Driver failed
Dll initialization. Choose 'Close' to terminate the application.

I chose Close dozens of times, then finally Ignore.
After the reboot, the same message came up while SDFix was finishing.

The control panel is now back in the admin account! Yea!

SDFix report:

SDFix: Version 1.165

Run by Administrator on Mon 04/07/2008 at 07:33 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
psrstbyn

Path:
system32\drivers\jvqzipdv.dat

psrstbyn - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Service psrstbyn - Deleted after Reboot

Checking Files :

Trojan Files Found:

C:\WINNT\SYSTEM32\CSCDL.1 - Deleted
C:\WINNT\kaepfbgr\1.png - Deleted
C:\WINNT\kaepfbgr\2.png - Deleted
C:\WINNT\kaepfbgr\3.png - Deleted
C:\WINNT\kaepfbgr\4.png - Deleted
C:\WINNT\kaepfbgr\5.png - Deleted
C:\WINNT\kaepfbgr\6.png - Deleted
C:\WINNT\kaepfbgr\7.png - Deleted
C:\WINNT\kaepfbgr\8.png - Deleted
C:\WINNT\kaepfbgr\9.png - Deleted
C:\WINNT\kaepfbgr\bottom-rc.gif - Deleted
C:\WINNT\kaepfbgr\config.png - Deleted
C:\WINNT\kaepfbgr\content.png - Deleted
C:\WINNT\kaepfbgr\download.gif - Deleted
C:\WINNT\kaepfbgr\frame-bg.gif - Deleted
C:\WINNT\kaepfbgr\frame-bottom-left.gif - Deleted
C:\WINNT\kaepfbgr\frame-h1bg.gif - Deleted
C:\WINNT\kaepfbgr\head.png - Deleted
C:\WINNT\kaepfbgr\icon.png - Deleted
C:\WINNT\kaepfbgr\indexwp.html - Deleted
C:\WINNT\kaepfbgr\main.css - Deleted
C:\WINNT\kaepfbgr\memory-prots.png - Deleted
C:\WINNT\kaepfbgr\net.png - Deleted
C:\WINNT\kaepfbgr\pc.gif - Deleted
C:\WINNT\kaepfbgr\pc-mag.gif - Deleted
C:\WINNT\kaepfbgr\poloska1.png - Deleted
C:\WINNT\kaepfbgr\poloska2.png - Deleted
C:\WINNT\kaepfbgr\poloska3.png - Deleted
C:\WINNT\kaepfbgr\promowp1.html - Deleted
C:\WINNT\kaepfbgr\promowp2.html - Deleted
C:\WINNT\kaepfbgr\promowp3.html - Deleted
C:\WINNT\kaepfbgr\promowp4.html - Deleted
C:\WINNT\kaepfbgr\promowp5.html - Deleted
C:\WINNT\kaepfbgr\reg.png - Deleted
C:\WINNT\kaepfbgr\repair.png - Deleted
C:\WINNT\kaepfbgr\scr-1.png - Deleted
C:\WINNT\kaepfbgr\scr-2.png - Deleted
C:\WINNT\kaepfbgr\start.png - Deleted
C:\WINNT\kaepfbgr\styles.css - Deleted
C:\WINNT\kaepfbgr\top-rc.gif - Deleted
C:\WINNT\kaepfbgr\vline.gif - Deleted
C:\WINNT\kaepfbgr\wp.png - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\WINNT\PerfInfo\2PFHit5knCwp.exe - Deleted
C:\Program Files\ISM\archupd.exe - Deleted
C:\Program Files\ISM\dictionary.gz - Deleted
C:\Program Files\ISM\ism.exe - Deleted
C:\Program Files\ISM\targets.gz - Deleted
C:\Program Files\ISM\Uninstall.exe - Deleted
C:\Program Files\JavaCore\JavaCore.exe - Deleted
C:\Program Files\JavaCore\UnInstall.exe - Deleted
C:\Program Files\NoDNS\UnInstall.exe - Deleted
C:\Program Files\nvcoi\mst.stt - Deleted
C:\Program Files\nvcoi\nvcoi.exe - Deleted
C:\Program Files\QdrDrive\qdrloader.exe - Deleted
C:\Program Files\QdrPack\dicts.gz - Deleted
C:\Program Files\QdrPack\QdrPack14.exe - Deleted
C:\Program Files\QdrPack\trgts.gz - Deleted
C:\Program Files\QdrModule\dic.gz - Deleted
C:\Program Files\QdrModule\kwd.gz - Deleted
C:\Program Files\QdrModule\QdrModule13.exe - Deleted
C:\Program Files\Temporary\InsiDERInst.exe - Deleted
C:\WINNT\b116.exe - Deleted
C:\WINNT\b152.exe - Deleted
C:\WINNT\b153.exe - Deleted
C:\WINNT\b154.exe - Deleted
C:\WINNT\b155.exe - Deleted
C:\WINNT\Downloaded Program Files\UGA6P_0001_N122M2802NetInstaller.exe - Deleted
C:\WINNT\mrofinu572.exe - Deleted
C:\WINNT\mrofinu572.exe.tmp - Deleted
C:\WINNT\system32\berg2.dll - Deleted
C:\WINNT\system32\boa1.dat - Deleted
C:\WINNT\system32\browse.dll - Deleted
C:\WINNT\system32\cmds.txt - Deleted
C:\WINNT\system32\mscorews.dll - Deleted
C:\WINNT\system32\msratnit.dll - Deleted
C:\WINNT\system32\pac.txt - Deleted
C:\WINNT\system32\ps1.dat - Deleted
C:\WINNT\system32\rc.dat - Deleted
C:\WINNT\system32\tinox1.dll - Deleted
C:\WINNT\system32\drivers\jvqzipdv.dat - Deleted



Folder C:\Program Files\ISM - Removed
Folder C:\Program Files\JavaCore - Removed
Folder C:\Program Files\NoDNS - Removed
Folder C:\Program Files\nvcoi - Removed
Folder C:\Program Files\QdrDrive - Removed
Folder C:\Program Files\QdrPack - Removed
Folder C:\Program Files\QdrModule - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed
Folder C:\WINNT\PerfInfo - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 07:48:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"="C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp:*:Disabled:KazaaLite"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Disabled:AOL Instant Messenger"
"D:\\2004\\CL Applications\\bin\\GeometryB Cognitive Model.exe"="D:\\2004\\CL Applications\\bin\\GeometryB Cognitive Model.exe:*:Disabled:Cognitive model for Geometry"
"D:\\2004\\CL Applications\\Cognitive Tutor LMS\\Cognitive Tutor.exe"="D:\\2004\\CL Applications\\Cognitive Tutor LMS\\Cognitive Tutor.exe:*:Disabled:Cognitive Tutor"
"D:\\2004\\CL Applications\\bin\\Algebra II Cognitive Model.exe"="D:\\2004\\CL Applications\\bin\\Algebra II Cognitive Model.exe:*:Disabled:Lisp tutor"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Disabled:MSN Messenger 7.0"
"C:\\Program Files\\Toolbar\\TBPS.exe"="C:\\Program Files\\Toolbar\\TBPS.exe:*:Disabled:WebSearch Toolbar"
"C:\\Program Files\\Toolbar\\PIB.exe"="C:\\Program Files\\Toolbar\\PIB.exe:*:Disabled:WebSearch Toolbar"
"C:\\Program Files\\Toolbar\\radio.exe"="C:\\Program Files\\Toolbar\\radio.exe:*:Disabled:WebSearch Toolbar Plugin"
"C:\\Program Files\\Toolbar\\TBPSSvc.exe"="C:\\Program Files\\Toolbar\\TBPSSvc.exe:*:Disabled:WebSearch Toolbar Service"
"C:\\WINNT\\explorer.exe"="C:\\WINNT\\explorer.exe:*:Disabled:Windows Explorer"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:mad:xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:mad:xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :


Finished!

###########################################
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:04 AM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINNT\system32\regsvr32.exe
C:\WINNT\system32\Rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Eraser\Eraser.exe
C:\WINNT\system32\sistray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {0E5B939C-F255-4D48-94EF-CB28051D97D9} - C:\WINNT\system32\cscdl.dll
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV7.dll
O2 - BHO: (no name) - {3615EE58-6F38-47BA-9DD9-C99BD611C6A6} - C:\WINNT\system32\ddcbyxw.dll
O2 - BHO: (no name) - {4BA002CD-3226-426D-9C3F-D0D487018DD9} - C:\Program Files\desktop.ini\cofeno89104.dll (file missing)
O2 - BHO: Gamburg provider - {5D7B3C66-EE1C-48a7-A596-9C229E920D62} - berg2.dll (file missing)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O2 - BHO: (no name) - {84c2365c-1dd2-11b2-8102-af6a6a6cb28e} - C:\WINNT\fobapoto.dll
O2 - BHO: (no name) - {B6A1A116-60F5-1C75-8B28-4FE6718509E5} - C:\WINNT\system32\plxl.dll (file missing)
O2 - BHO: (no name) - {B7A3AC14-33AA-4A25-D828-4FE671840EB2} - C:\WINNT\system32\nympon.dll (file missing)
O2 - BHO: (no name) - {E0A7FA11-35AF-1D25-D228-4FE671850DE0} - C:\WINNT\system32\wfxohf.dll (file missing)
O2 - BHO: (no name) - {E6A6FB16-34F9-4B27-DC28-4FE671820BB2} - C:\WINNT\system32\fdpnwr.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINNT\DOWNLO~1\vzbb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ixsjolsx] regsvr32 /u "C:\Documents and Settings\All Users.WINNT\Application Data\ixsjolsx.dll"
O4 - HKLM\..\Run: [BMa3b12406] Rundll32.exe "C:\WINNT\system32\kxlyuabo.dll",s
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - Global Startup: Utility Tray.lnk = C:\WINNT\system32\sistray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1110507865433
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4023.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcbyxw - C:\WINNT\SYSTEM32\ddcbyxw.dll
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\NetMeeting\kyze.html
O24 - Desktop Component 1: (no name) - C:\Program Files\Internet Explorer\howysy.html

--
End of file - 7288 bytes

CRodgers (Thread Starter)

The report below popped up, but after I saved the report to a thumb drive (cannot get an IP renew to get on the internet), a dialog box explained that it could not remove some registry information and wanted to reboot (I said yes).

Post too long, breaking it in two.

#########################
mbam-log-4-8-2008 (09-53-55).txt
#########################
Malwarebytes' Anti-Malware 1.09
Database version: 507

Scan type: Full Scan (A:\|C:\|)
Objects scanned: 193778
Time elapsed: 38 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 43
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 21
Files Infected: 150

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{5a148cf2-9c7b-4499-8e25-c9383a5e8680} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{daa07812-5c88-4ccc-8d25-10fef65b77b1} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{89cc26bc-9256-4cca-a7f3-b9d6c48dba71} (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rabio.rabiobho (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rabio.rabiobho.1 (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{923ca88a-ae69-49af-bf65-9a3123b14ccb} (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8c36d71b-0a48-4d38-9def-2a2a2669d0c9} (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7543fbd5-2279-4d03-8f29-eb21531fa2fe} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BndFibu7.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndFibu7.Band (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndFibu7.Band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndFibu7.BHO (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndFibu7.BHO.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\BATCO (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Rabio.RabioBHO (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RABCO (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\RABCO (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\RABCO (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\RABCO (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Rabio.DLL (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3615ee58-6f38-47ba-9dd9-c99bd611c6a6} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3615ee58-6f38-47ba-9dd9-c99bd611c6a6} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcbyxw (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3615ee58-6f38-47ba-9dd9-c99bd611c6a6} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINNT\system32\iDlo01 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\ISM2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\RABCO (Adware.RABCO) -> Quarantined and deleted successfully.
C:\Program Files\Bat (Adware.Batco) -> Quarantined and deleted successfully.
C:\WINNT\system32\dr6 (Adware.Rabio) -> Quarantined and deleted successfully.
C:\WINNT\system32\ech5 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINNT\system32\lows8 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINNT\system32\sbc2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINNT\system32\typ2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\theresa\Start Menu\Programs\Internet Speed Monitor (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Start Menu\Programs\Internet Speed Monitor (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Application Data\WinAntiVirus Pro 2006 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Application Data\WinAntiVirus Pro 2006\Logs (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\theresa\Start Menu\Programs\Outerinfo (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Start Menu\Programs\Outerinfo (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\theresa\Start Menu\Programs\MalwareAlarm (Rogue.Malware.Alarm) -> Quarantined and deleted successfully.
C:\Documents and Settings\theresa\Application Data\WinTouch (Adware.WinPop) -> Quarantined and deleted successfully.
C:\Documents and Settings\theresa\Application Data\Awola (Rogue.Awola) -> Quarantined and deleted successfully.
C:\Documents and Settings\theresa\Start Menu\Programs\Awola (Rogue.Awola) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINNT\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINNT\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.

Files Infected:
C:\WINNT\system32\awuihiyo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\oyihiuwa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\gqrjketr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\rtekjrqg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\jdbevjun.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\nujvebdj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\kqcbyolt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\tloybcqk.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\lichgslx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\xlsghcil.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\xouupoif.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\fiopuuox.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.dll (Adware.Batco) -> Quarantined and deleted successfully.
C:\72.tmp (Adware.Purityscan) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Local Settings\Temp\BAK15E.tmp (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Local Settings\Temp\BatSetup.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Local Settings\Temp\ismupd24.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Local Settings\Temp\SETUP_33347\00000#Bat.dll (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Local Settings\Temp\SETUP_33347\Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Local Settings\Temp\SETUP_33347\Engine.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\Documents and Settings\theresa\Application Data\Microsoft\Windows\rbvaq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\theresa\Application Data\WinTouch\WTUninstaller.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\theresa\Local Settings\Temp\ismupd8.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\theresa\Local Settings\Temp\outerinfo.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\un_BatSetup_15041.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\Program Files\Bat\X_Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\RABCO\un_RABCOSetup_16230.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP17\A0012874.dll (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP24\A0019195.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP25\A0020334.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP29\A0022534.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP36\A0027833.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP38\A0029938.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP38\A0029943.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP39\A0030974.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP39\A0030976.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP39\A0030977.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP40\A0033052.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP40\A0033061.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP40\A0033063.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP40\A0033064.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP40\A0035086.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP40\A0035088.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP40\A0035089.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP40\A0037090.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP40\A0037093.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP40\A0037094.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP40\A0037106.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP40\A0041108.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP40\A0041109.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP40\A0041115.exe (Trojan.Matcash) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP40\A0041116.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP41\A0043135.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP41\A0050233.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP42\A0054270.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP42\A0054272.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP42\A0054273.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP42\A0054274.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP42\A0054275.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP42\A0055312.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP42\A0055313.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP42\A0055316.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP42\A0055317.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP42\A0055318.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP42\A0055319.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP42\A0059338.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP44\A0072482.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP44\A0072483.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP44\A0072485.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP44\A0072486.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP44\A0072500.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP44\A0074495.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP44\A0075496.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP44\A0076495.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP45\A0077531.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP46\A0077559.dll (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP46\A0077573.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP46\A0077575.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP46\A0077579.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077735.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077737.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077740.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077741.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077742.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077743.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077744.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077745.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077746.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077747.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077748.exe (Trojan.Matcash) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077750.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077763.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077764.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077765.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077766.exe (Trojan.Matcash) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077770.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077771.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077772.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077773.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077776.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077777.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077778.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP49\A0077779.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP7\A0004389.dll (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D7753CC-D2C6-448A-A8CA-AECF5719BE51}\RP9\A0009447.dll (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\WINNT\system32\L3465.tmp (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\WINNT\system32\dr6\crecomdll1.exe (Adware.RABCO) -> Quarantined and deleted successfully.
C:\WINNT\system32\typ2\key89104.exe (Adware.TTC) -> Quarantined and deleted successfully.
C:\Program Files\ISM2\dictionary.gz (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\ISM2\targets.gz (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\RABCO\ExecutionDll.dll (Adware.RABCO) -> Quarantined and deleted successfully.
C:\Program Files\RABCO\RABCO.dll.intermediate.manifest (Adware.RABCO) -> Quarantined and deleted successfully.
C:\Program Files\RABCO\RABCOse.info (Adware.RABCO) -> Quarantined and deleted successfully.
C:\Program Files\RABCO\RABCOse.original (Adware.RABCO) -> Quarantined and deleted successfully.
C:\Program Files\RABCO\Setup.log (Adware.RABCO) -> Quarantined and deleted successfully.
C:\Program Files\RABCO\un_RABCOSetup_16230.txt (Adware.RABCO) -> Quarantined and deleted successfully.
C:\Program Files\RABCO\X_RABCOse.log (Adware.RABCO) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.dll.intermediate.manifest (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.info (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.original (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Info.dll (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\un_BatSetup_15041.txt (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\X_Bat.log (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\theresa\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\theresa\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Application Data\WinAntiVirus Pro 2006\PGE.dat (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Application Data\WinAntiVirus Pro 2006\Logs\update.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Application Data\WinAntiVirus Pro 2006\Logs\wa6Support.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Application Data\WinAntiVirus Pro 2006\Logs\winav.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\theresa\Start Menu\Programs\Outerinfo\Terms.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Start Menu\Programs\Outerinfo\Terms.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Start Menu\Programs\Outerinfo\Uninstall.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\theresa\Start Menu\Programs\MalwareAlarm\Uninstall.lnk (Rogue.Malware.Alarm) -> Quarantined and deleted successfully.
C:\Documents and Settings\theresa\Application Data\WinTouch\wintouch.cfg (Adware.WinPop) -> Quarantined and deleted successfully.
C:\Documents and Settings\theresa\Application Data\Awola\Awola.exe (Rogue.Awola) -> Quarantined and deleted successfully.
C:\Documents and Settings\theresa\Application Data\Awola\settings.ini (Rogue.Awola) -> Quarantined and deleted successfully.
C:\Documents and Settings\theresa\Start Menu\Programs\Awola\Awola Anti-Spyware 6.0.lnk (Rogue.Awola) -> Quarantined and deleted successfully.
C:\Documents and Settings\theresa\Start Menu\Programs\Awola\Uninstall Awola Anti-Spyware 6.0.lnk (Rogue.Awola) -> Quarantined and deleted successfully.
C:\WINNT\system32\sf.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\Fonts\alk3.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINNT\system32\ddcbyxw.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\yayaayv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\core.cache.dsk (Malware.Trace) -> Delete on reboot.
C:\Documents and Settings\theresa\~tmp1174.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Start Menu\Programs\Startup\Bat - Auto Update.lnk (Adware.Batco) -> Quarantined and deleted successfully.
C:\WINNT\system32\dllcache\svchost.exe.tmp (Heuristic.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\ryan\Local Settings\Temp\svchost.bin (Heuristic.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
 

CRodgers

Thread Starter
Joined
Sep 23, 2007
Messages
17
#########################
hijackthis.log
#########################
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:48 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\system32\regsvr32.exe
C:\WINNT\system32\Rundll32.exe
C:\WINNT\system32\sistray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {0E5B939C-F255-4D48-94EF-CB28051D97D9} - C:\WINNT\system32\cscdl.dll
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV7.dll
O2 - BHO: (no name) - {4BA002CD-3226-426D-9C3F-D0D487018DD9} - C:\Program Files\desktop.ini\cofeno89104.dll (file missing)
O2 - BHO: Gamburg provider - {5D7B3C66-EE1C-48a7-A596-9C229E920D62} - berg2.dll (file missing)
O2 - BHO: (no name) - {84c2365c-1dd2-11b2-8102-af6a6a6cb28e} - C:\WINNT\fobapoto.dll
O2 - BHO: (no name) - {B6A1A116-60F5-1C75-8B28-4FE6718509E5} - C:\WINNT\system32\plxl.dll (file missing)
O2 - BHO: (no name) - {B7A3AC14-33AA-4A25-D828-4FE671840EB2} - C:\WINNT\system32\nympon.dll (file missing)
O2 - BHO: (no name) - {E0A7FA11-35AF-1D25-D228-4FE671850DE0} - C:\WINNT\system32\wfxohf.dll (file missing)
O2 - BHO: (no name) - {E6A6FB16-34F9-4B27-DC28-4FE671820BB2} - C:\WINNT\system32\fdpnwr.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINNT\DOWNLO~1\vzbb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ixsjolsx] regsvr32 /u "C:\Documents and Settings\All Users.WINNT\Application Data\ixsjolsx.dll"
O4 - HKLM\..\Run: [BMa3b12406] Rundll32.exe "C:\WINNT\system32\kxlyuabo.dll",s
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINNT\system32\sistray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1110507865433
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4023.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\NetMeeting\kyze.html
O24 - Desktop Component 1: (no name) - C:\Program Files\Internet Explorer\howysy.html

--
End of file - 6790 bytes
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Next, to get the internet back:

Download LSPfix here: http://www.cexx.org/lspfix.htm
and now run the LSPFix application. You will see a list of files in the left-hand pane and possibly some in the right-hand pane. Tick the "I know what I'm doing" box & select any instances of webhdll.dll that are in the left-hand Keep pane and move them to the right-hand Remove pane. DO NOT MOVE ANY OTHER FILES. Press Finish and the program will do whatever is necessary.

reboot & the net should work

then

Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix: especially follow the advice about installing the recovery console

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply
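The O10 line in the HijackThis log is the symptom LSPfix is being used to cure: a Winsock Layered Service Provider (LSP) is still registered in the catalog, but its DLL (webhdll.dll) was deleted by the earlier cleanup, so every socket call through the chain fails and the machine has no working internet. The check below, added here as an example and not LSPfix's code or anything from this thread, walks the catalog and flags providers whose DLL no longer exists. It assumes the Windows 2000/XP catalog layout (one subkey per entry under HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, each with a REG_BINARY PackedCatalogItem whose first 260 bytes are the NUL-terminated ANSI path of the provider DLL); the catalog entries and file list it runs against are constructed for the demo, with the webhancer path copied from the O10 line.

```python
r"""Flag Winsock LSP catalog entries whose provider DLL is missing.

Added example for this thread; not LSPfix's code and not taken from the
poster's machine. Assumed layout (Windows 2000/XP): each subkey of
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
holds a REG_BINARY value "PackedCatalogItem" whose first 260 bytes (MAX_PATH)
are the NUL-terminated ANSI path of the provider DLL. The remaining fields of
the packed WSAPROTOCOL_INFO are not needed for this check.
"""
import os

MAX_PATH = 260


def parse_packed_catalog_item(blob: bytes) -> str:
    """Return the provider DLL path stored at the start of a PackedCatalogItem."""
    if len(blob) < MAX_PATH:
        raise ValueError("PackedCatalogItem too short: %d bytes" % len(blob))
    raw = blob[:MAX_PATH].split(b"\x00", 1)[0]
    # The path is in the system ANSI code page; latin-1 is a lossless stand-in
    # so the example also runs on non-Windows hosts.
    return raw.decode("latin-1")


def find_broken_lsps(entries, exists=os.path.isfile):
    """entries: iterable of (catalog key name, PackedCatalogItem bytes).

    Returns the (key, dll_path) pairs whose provider DLL is absent, which is
    the condition HijackThis reports as O10 'LSP provider ... missing'.
    `exists` is injectable so the check can run against captured data.
    """
    broken = []
    for key, blob in entries:
        dll = parse_packed_catalog_item(blob)
        if not exists(os.path.expandvars(dll)):
            broken.append((key, dll))
    return broken


def read_catalog_from_registry():
    """Yield (key, blob) from the live catalog. Windows only (uses winreg)."""
    import winreg  # only importable on Windows; never reached in the demo
    base = (r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"
            r"\Protocol_Catalog9\Catalog_Entries")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:          # no more subkeys
                return
            with winreg.OpenKey(root, name) as sub:
                blob, _type = winreg.QueryValueEx(sub, "PackedCatalogItem")
            yield name, blob
            index += 1


# --- constructed sample data (not captured from the poster's machine) ------

def make_packed_item(dll_path: str, trailer_len: int = 64) -> bytes:
    """Build a minimal PackedCatalogItem: the path padded to MAX_PATH, then a
    zero-filled stand-in for the fields this check does not read."""
    path = dll_path.encode("latin-1")
    if len(path) >= MAX_PATH:
        raise ValueError("path too long for MAX_PATH")
    return path + b"\x00" * (MAX_PATH - len(path)) + b"\x00" * trailer_len


SAMPLE_ENTRIES = [
    ("000000000001", make_packed_item(r"C:\WINNT\system32\mswsock.dll")),
    ("000000000002", make_packed_item(r"c:\program files\webhancer\programs\webhdll.dll")),
    ("000000000003", make_packed_item(r"C:\WINNT\system32\rsvpsp.dll")),
]

# Files assumed present on the sample machine; the webhancer DLL is gone.
SAMPLE_FILES = {
    r"C:\WINNT\system32\mswsock.dll",
    r"C:\WINNT\system32\rsvpsp.dll",
}


def sample_exists(path: str) -> bool:
    """Case-insensitive stand-in for os.path.isfile over the constructed set."""
    return path.lower() in {f.lower() for f in SAMPLE_FILES}


def demo():
    """Run the check over the constructed catalog; returns the broken entries."""
    return find_broken_lsps(SAMPLE_ENTRIES, exists=sample_exists)


if __name__ == "__main__":
    for key, dll in demo():
        print("catalog entry %s: provider DLL missing -> %s" % (key, dll))
    if os.name == "nt":   # on a real Windows host, also inspect the live catalog
        for key, dll in find_broken_lsps(read_catalog_from_registry()):
            print("LIVE catalog entry %s: provider DLL missing -> %s" % (key, dll))
```

The check only reports; it deliberately does not delete anything, because removing a catalog entry by hand also means renumbering the remaining entries and keeping Num_Catalog_Entries consistent, which is the part LSPfix does for you. The other standard recovery on XP SP2 and later is `netsh winsock reset`, which rebuilds the default catalog but in doing so drops every third-party LSP, including ones legitimate software may have installed, which is why the instruction above says to move only the webhdll.dll entries and nothing else.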
 

CRodgers

Thread Starter
Joined
Sep 23, 2007
Messages
17
The LSPFix worked great! It also fixed the Verizon issue I had (it must have needed an internet connection).

I cannot get ComboFix to run. I see a small rectangle that shows a quick progress bar, then the desktop icons blink, then I see the flash of a blue window that looks like a DOS-type session. Then nothing.

I see that the PC has Verizon Internet Security Suite. I turned off all protection options (anti-virus, anti-spyware, etc.). No good. I right-clicked it in the system tray and chose Exit, got a warning about no protection and clicked OK, but still could not get ComboFix to run. I also saw that there were Symantec programs on here; they have Corp Ed Antivirus. I turned it off in the options, but still could not get ComboFix to run.

I would bet the Symantec is not legal; how can I remove it (Add/Remove has issues)? Where is a good link to get rid of *all* of the Symantec junk?

Also, should I get rid of the Verizon suite? The ComboFix instructions do not list that one in the list of tools to disable before running ComboFix (although I did my best to disable it). Or do you think they may need it if Verizon is providing their internet service?

Here is a fresh HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:35:55 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINNT\system32\regsvr32.exe
C:\WINNT\system32\Rundll32.exe
C:\WINNT\system32\sistray.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {0E5B939C-F255-4D48-94EF-CB28051D97D9} - C:\WINNT\system32\cscdl.dll
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV7.dll
O2 - BHO: (no name) - {4BA002CD-3226-426D-9C3F-D0D487018DD9} - C:\Program Files\desktop.ini\cofeno89104.dll (file missing)
O2 - BHO: Gamburg provider - {5D7B3C66-EE1C-48a7-A596-9C229E920D62} - berg2.dll (file missing)
O2 - BHO: (no name) - {84c2365c-1dd2-11b2-8102-af6a6a6cb28e} - C:\WINNT\fobapoto.dll
O2 - BHO: (no name) - {B6A1A116-60F5-1C75-8B28-4FE6718509E5} - C:\WINNT\system32\plxl.dll (file missing)
O2 - BHO: (no name) - {B7A3AC14-33AA-4A25-D828-4FE671840EB2} - C:\WINNT\system32\nympon.dll (file missing)
O2 - BHO: (no name) - {E0A7FA11-35AF-1D25-D228-4FE671850DE0} - C:\WINNT\system32\wfxohf.dll (file missing)
O2 - BHO: (no name) - {E6A6FB16-34F9-4B27-DC28-4FE671820BB2} - C:\WINNT\system32\fdpnwr.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINNT\DOWNLO~1\vzbb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ixsjolsx] regsvr32 /u "C:\Documents and Settings\All Users.WINNT\Application Data\ixsjolsx.dll"
O4 - HKLM\..\Run: [BMa3b12406] Rundll32.exe "C:\WINNT\system32\kxlyuabo.dll",s
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - Global Startup: Utility Tray.lnk = C:\WINNT\system32\sistray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1110507865433
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4023.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\NetMeeting\kyze.html
O24 - Desktop Component 1: (no name) - C:\Program Files\Internet Explorer\howysy.html

--
End of file - 6982 bytes
 

CRodgers

Thread Starter
Joined
Sep 23, 2007
Messages
17
Now that the internet is working, if I use IE, it starts up without a problem. I changed the start page to be www.google.com. But after a few seconds of just sitting there, it starts spawning new instances of IE going to various web sites. Some porn, some free junk, etc.

I also re-ran Malwarebytes' Anti-Malware and removed more malware (with the newest updated definitions). SuperAntiSpyware still reports a rootkit (but can't seem to successfully get rid of it).

ComboFix still behaves as above: quick progress bar, flashes of icons, flash of a blue screen window, then nothing.

Is SuperAntiSpyware Pro worth buying? They have a deal for $20 (US) including lifetime upgrades. Or is it better to just manually scan and update periodically?
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Let's uninstall all Norton stuff first.

Use their uninstall tool:
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

Then redownload ComboFix and see if it will work.

If ComboFix won't work this time, then:

Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  1. Close any open browsers.
  2. If your real-time protection or antivirus intervenes with OTScanIt, allow it to run.
  3. Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  4. Now click the Run Scan button on the toolbar.
  5. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  6. When the scan is complete Notepad will open with the report file loaded in it.
  7. Save that Notepad file.
If the log is too large to post, use the Reply button, scroll down to the attachments section and attach the notepad file here.
 

CRodgers

Thread Starter
Joined
Sep 23, 2007
Messages
17
Attached is the OTScanIt output. I went ahead and downloaded Firefox because IE finally went nuts and started opening dozens of windows really fast. Once I killed it in Task Manager, I still get a page once every few minutes - even though IE is not running!
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Start OTScanIt. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.


Code:
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> ixsjolsx -> %AllUsersProfile%\Application Data\ixsjolsx.dll [regsvr32 /u "C:\Documents and Settings\All Users.WINNT\Application Data\ixsjolsx.dll"]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {0E5B939C-F255-4D48-94EF-CB28051D97D9} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\cscdl.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {4BA002CD-3226-426D-9C3F-D0D487018DD9} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\desktop.ini\cofeno89104.dll []
YY -> {84c2365c-1dd2-11b2-8102-af6a6a6cb28e} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\fobapoto.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {B6A1A116-60F5-1C75-8B28-4FE6718509E5} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\plxl.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {B7A3AC14-33AA-4A25-D828-4FE671840EB2} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\nympon.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {E0A7FA11-35AF-1D25-D228-4FE671850DE0} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\wfxohf.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {E6A6FB16-34F9-4B27-DC28-4FE671820BB2} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\fdpnwr.dll [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 30 days]
NY -> 10 C:\*.tmp files -> C:\*.tmp
NY -> x5qave.exe -> %SystemDrive%\x5qave.exe
NY -> core.cache.dsk -> %SystemRoot%\System32\drivers\core.cache.dsk
NY -> boisoedl.dll -> %SystemRoot%\System32\boisoedl.dll
NY -> deqxfkbs.dll -> %SystemRoot%\System32\deqxfkbs.dll
NY -> didbxfem.ini -> %SystemRoot%\System32\didbxfem.ini
NY -> duplpmna.dll -> %SystemRoot%\System32\duplpmna.dll
NY -> ejkqmqjm.dll -> %SystemRoot%\System32\ejkqmqjm.dll
NY -> faxdjjix.dll -> %SystemRoot%\System32\faxdjjix.dll
NY -> gpumgtea.ini -> %SystemRoot%\System32\gpumgtea.ini
NY -> hrtvfqhk.dll -> %SystemRoot%\System32\hrtvfqhk.dll
NY -> jdtgvtjh.ini -> %SystemRoot%\System32\jdtgvtjh.ini
NY -> jixlsmjp.dll -> %SystemRoot%\System32\jixlsmjp.dll
NY -> khadfoop.dll -> %SystemRoot%\System32\khadfoop.dll
NY -> ltluhmvy.dll -> %SystemRoot%\System32\ltluhmvy.dll
NY -> march_madness.ico -> %SystemRoot%\System32\march_madness.ico
NY -> mlJCTMef.dll -> %SystemRoot%\System32\mlJCTMef.dll
NY -> mnqnjqnn.ini -> %SystemRoot%\System32\mnqnjqnn.ini
NY -> nesmmico.dll -> %SystemRoot%\System32\nesmmico.dll
NY -> njiowqjq.dll -> %SystemRoot%\System32\njiowqjq.dll
NY -> oldfeffx.ini -> %SystemRoot%\System32\oldfeffx.ini
NY -> orxxldti.ini -> %SystemRoot%\System32\orxxldti.ini
NY -> oypanlcm.dll -> %SystemRoot%\System32\oypanlcm.dll
NY -> ppbdgswg.dll -> %SystemRoot%\System32\ppbdgswg.dll
NY -> ptlamqwp.dll -> %SystemRoot%\System32\ptlamqwp.dll
NY -> sdhmhxjv.dll -> %SystemRoot%\System32\sdhmhxjv.dll
NY -> txvkhyav.dll -> %SystemRoot%\System32\txvkhyav.dll
NY -> vjyjpnve.ini -> %SystemRoot%\System32\vjyjpnve.ini
NY -> vleuysoj.dll -> %SystemRoot%\System32\vleuysoj.dll
NY -> xiokwnql.dll -> %SystemRoot%\System32\xiokwnql.dll
NY -> xvnjqjjk.dll -> %SystemRoot%\System32\xvnjqjjk.dll
NY -> xwqnwmwf.dll -> %SystemRoot%\System32\xwqnwmwf.dll
NY -> yilwgwsy.ini -> %SystemRoot%\System32\yilwgwsy.ini
NY -> ?racle -> %SystemRoot%\System32\&#927;racle
NY -> 15 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp
NY -> ?ystem32 -> %SystemRoot%\System32\&#1109;ystem32
NY -> 14 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp
NY -> fobapoto.dll -> %SystemRoot%\fobapoto.dll
NY -> F?nts -> %SystemRoot%\F&#1086;nts
NY -> kaepfbgr -> %SystemRoot%\kaepfbgr
NY -> pyxsjyrw.dll -> %SystemRoot%\pyxsjyrw.dll
NY -> W?nSxS -> %SystemRoot%\W&#1110;nSxS
NY -> ?ymbols -> %SystemRoot%\&#1109;ymbols
NY -> ?dobe -> %SystemRoot%\&#1040;dobe
NY -> ?icrosoft.NET -> %SystemRoot%\&#1052;icrosoft.NET
NY -> ?asks -> %SystemRoot%\&#1058;asks
[Files/Folders - Modified Within 30 days]
NY -> 10 C:\*.tmp files -> C:\*.tmp
NY -> 132 C:\Documents and Settings\admin\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\admin\Local Settings\Temp\*.tmp
NY -> 132 C:\Documents and Settings\admin\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\admin\Local Settings\Temp\*.tmp
NY -> 132 C:\Documents and Settings\admin\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\admin\Local Settings\Temp\*.tmp
[Extra Files]
Purity
[Empty Temp Folders]
[ZipFiles]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTScanIt scan.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
 

CRodgers

Thread Starter
Joined
Sep 23, 2007
Messages
17
Weird stuff... OTScanIt would change the text I pasted and then hang. It created a set of folders under its home dir, but nothing. I let it go for 35 minutes, nothing. I killed it and tried again, but nothing. I copied the text from this thread to notepad and saved it as a text file, and I got a message about unicode characters. I pasted the text file into OTScanIt and still it hung. I even rebooted into safe mode and tried it and I got the same thing - and now 4 sets of empty directories under its home dir (top level is timestamped in its name).

I went back to normal mode and tried ComboFix and it worked!!! Hooray!!! So, the ComboFix log is attached and the HijackThis log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:16 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\system32\sistray.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\WINNT\explorer.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {0E5B939C-F255-4D48-94EF-CB28051D97D9} - C:\WINNT\system32\cscdl.dll
O2 - BHO: (no name) - {4BA002CD-3226-426D-9C3F-D0D487018DD9} - C:\Program Files\desktop.ini\cofeno89104.dll (file missing)
O2 - BHO: (no name) - {84c2365c-1dd2-11b2-8102-af6a6a6cb28e} - C:\WINNT\fobapoto.dll
O2 - BHO: (no name) - {B6A1A116-60F5-1C75-8B28-4FE6718509E5} - C:\WINNT\system32\plxl.dll (file missing)
O2 - BHO: (no name) - {B7A3AC14-33AA-4A25-D828-4FE671840EB2} - C:\WINNT\system32\nympon.dll (file missing)
O2 - BHO: (no name) - {E0A7FA11-35AF-1D25-D228-4FE671850DE0} - C:\WINNT\system32\wfxohf.dll (file missing)
O2 - BHO: (no name) - {E6A6FB16-34F9-4B27-DC28-4FE671820BB2} - C:\WINNT\system32\fdpnwr.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINNT\DOWNLO~1\vzbb.dll
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINNT\system32\sistray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1110507865433
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4023.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\NetMeeting\kyze.html
O24 - Desktop Component 1: (no name) - C:\Program Files\Internet Explorer\howysy.html

--
End of file - 6152 bytes
 

CRodgers

Thread Starter
Joined
Sep 23, 2007
Messages
17
After several iterations of SuperAntiSpyware, Malwarebytes' Anti-Malware, Verizon's anti-spyware, and ComboFix, I finally came up with all 3 scanners saying that I am clean. From the HijackThis log, does it look like it?

Is there anything else I need to look for? Over the last few days of anti-spyware tools, I would get one to say clean, another to say found a few things. Once I fixed those, then the other would complain about a couple more that it had not seen just a few hours before. Hopefully it is all gone now.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:30 PM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\sistray.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {0E5B939C-F255-4D48-94EF-CB28051D97D9} - (no file)
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: (no name) - {4BA002CD-3226-426D-9C3F-D0D487018DD9} - C:\Program Files\desktop.ini\cofeno89104.dll (file missing)
O2 - BHO: (no name) - {84c2365c-1dd2-11b2-8102-af6a6a6cb28e} - (no file)
O2 - BHO: (no name) - {B6A1A116-60F5-1C75-8B28-4FE6718509E5} - C:\WINNT\system32\plxl.dll (file missing)
O2 - BHO: (no name) - {B7A3AC14-33AA-4A25-D828-4FE671840EB2} - C:\WINNT\system32\nympon.dll (file missing)
O2 - BHO: (no name) - {E0A7FA11-35AF-1D25-D228-4FE671850DE0} - C:\WINNT\system32\wfxohf.dll (file missing)
O2 - BHO: (no name) - {E6A6FB16-34F9-4B27-DC28-4FE671820BB2} - C:\WINNT\system32\fdpnwr.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINNT\DOWNLO~1\vzbb.dll
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - Global Startup: Utility Tray.lnk = C:\WINNT\system32\sistray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1110507865433
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4023.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\NetMeeting\kyze.html
O24 - Desktop Component 1: (no name) - C:\Program Files\Internet Explorer\howysy.html

--
End of file - 6423 bytes
 