Computer Hope

Computer Hope Forum Welcome, Guest. Please login or register.
November 22, 2009, 03:02:21 PM
Home Help Staff Chat Login Register
News: What information should I add when submitting a question?

Computer Hope Forums  >>  Software  >>  Computer viruses and spyware (Moderator: Computer Hope Admin)  >>  Topic: Trojan? 0 Members and 1 Guest are viewing this topic. « previous next »
Pages: 1 2 [All] - (Bottom) Print
Author Topic: Trojan?  (Read 1880 times)
neljan
Topic Starter
Adviser
*
Posts: 699

Thanked: 0
« on: October 06, 2007, 02:39:08 PM »
Hello

I have McAfee total protection (supposedly!) & spybot installed on my sons laptop.

I noticed that he was getting alot of pop ups even with pop up blockers enabled, specifically a poker one & also a spyware detected (winantispy.com) type which McAfee site advisor detects as red.

Also, the settings in the internet options keep on automatically changing themselves to accept all cookies.

And now, staring today, I can't open most applications like Spybot (nothing happens when I double click).

On startup, McAfee detects & removes a Trojan found in C:\Documents and settings\My Name\Local Settings\Temp\snfjvkte.exe. (I don't seem to be able to locate the folder named Local Settings either) McAfee describes it as generic.dx Trojan (if this helps?).

If I restart the computer, I am quickly able to start spybot but during the scan it terminates itself.

Please can someone advise?
Logged
XP Pro SP2
JPH
Intermediate
*
Posts: 210

Thanked: 0
« Reply #1 on: October 06, 2007, 03:09:02 PM »
The Local Settings folder is hidden by default, you have to go to Tools > Folder Options > View and select Show hidden files and folders.

Obviously whatever malware that is running in the background is killing Spybot, you can manually download the newest detection updates (spybot_includes.exe) and apply them manually since you can't do it from within the application itself.

Also update McAfee and then boot into safe mode (Hit F8 during startup). Do a full McAfee scan and Spybot scan while in safe mode and remove anything nasty they find.

I also recommend that you download HiJackThis, do a scan and then post the log file here. That way myself or someone else can check to make sure you're clean.

Good luck,
JPH

HijackThis: http://www.spywareinfo.com/~merijn/programs.php

Spybot Detection Updates: http://www.safer-networking.org/en/download/
Logged
neljan
Topic Starter
Adviser
*
Posts: 699

Thanked: 0
« Reply #2 on: October 06, 2007, 03:52:44 PM »
Wow, that's some brilliant advice! I'll get back to you... thanks!
Logged
XP Pro SP2
neljan
Topic Starter
Adviser
*
Posts: 699

Thanked: 0
« Reply #3 on: October 06, 2007, 04:37:59 PM »
Ok, so I updated then tried booting in safe mode, but now I have another problem...

In safe mode I can see my desktop for around 5 seconds, then it dissapears into blackness & I get the 'windows is running in safe mode' box asking me to select yes/no (no being a restore) I select yes to go into safe mode which returns me to my desktop, but the thing keeps popping back up, interrupting whatever I try to do! it happened about 10 times & in the end I just left it, the box closed itself & now all I have is a black screen with safe mode in the 4 corners & the Microsoft jargan at the top...

This isn't normal is it?
Logged
XP Pro SP2
neljan
Topic Starter
Adviser
*
Posts: 699

Thanked: 0
« Reply #4 on: October 06, 2007, 05:01:58 PM »
I managed to perform a spybot scan in safe mode which found 33 items, but everytime I tried to open McAfee the safe mode pop up interrupted it.

I rebooted after the spybot findings but nothing has changed. I got 2 Trojan removal messages from McAfee & also my cookies security level was set to accept everything again.

I set my privacy to default & a few minutes later got the McAfee pop up saying that a change in the registry has been detected - obviously the little that's trying to change my cookie settings again.

I also cannot run spybot - but I did do a Hijackthis scan:
Logged
XP Pro SP2
neljan
Topic Starter
Adviser
*
Posts: 699

Thanked: 0
« Reply #5 on: October 06, 2007, 05:02:42 PM »
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\JoyTech\JoytechNeoSTrayIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Louis\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66006
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66006
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66006
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=presario&pf=laptop
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
Logged
XP Pro SP2
neljan
Topic Starter
Adviser
*
Posts: 699

Thanked: 0
« Reply #6 on: October 06, 2007, 05:03:07 PM »
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [JOYTECH USB Neo S Controller] C:\Program Files\JoyTech\JoytechNeoSTrayIcon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\hmlpwcpj.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=presario&pf=laptop
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
Logged
XP Pro SP2
JPH
Intermediate
*
Posts: 210

Thanked: 0
« Reply #7 on: October 06, 2007, 07:10:47 PM »
Run another HJT scan and put a check next to the following entry:

O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\hmlpwcpj.dll",sitypnow

Click the "Fix checked" button

Now click on Config > Misc Tools > Delete a file on reboot and browse to the following file: C:\WINDOWS\system32\hmlpwcpj.dll

Reboot and see if the problem persists.

* note - system restore might actually be restoring malware and that might be what McAfee keeps detecting. You should turn off system restore until you're clean.

Please post another HJT log file but this time before you do rename HijackThis.exe to something else, some malware will hide itself from the HijackThis.exe process.

- JPH
Logged
neljan
Topic Starter
Adviser
*
Posts: 699

Thanked: 0
« Reply #8 on: October 06, 2007, 08:15:29 PM »
Thanks for all your help so far JPH, I really appreciate this...

Ok, I did what you said, only when I selected Delete a file on reboot HJT just closed. It only allowed me access that tool after renaming HJT but then I couldn't locate the file hmlpwcpj.dll (in fact, there were no files shown in the system folder) so I entered the path manually instead.

I rebooted & same thing... privacy settings changed & 2 Trojan alerts, but I can now open Spybot (which is functioning abnormally).

The 2 Trojan McAfee detections:

C:\Documents and Settings\Louis\Temporary Internet Files\Content.IE5\B6F5ZZ6W\valera[1]

C:\Documents and Settings\Louis\Local Settings\Temp\aguspaju.exe

The HJT scan log:
Logged
XP Pro SP2
neljan
Topic Starter
Adviser
*
Posts: 699

Thanked: 0
« Reply #9 on: October 06, 2007, 08:16:09 PM »
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\JoyTech\JoytechNeoSTrayIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\mcafee\msc\mcshell.exe
C:\PROGRA~1\McAfee\MSC\McLgView.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Security\bacon.exe
Logged
XP Pro SP2
neljan
Topic Starter
Adviser
*
Posts: 699

Thanked: 0
« Reply #10 on: October 06, 2007, 08:16:41 PM »
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66006
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66006
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66006
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=presario&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {1A4CD7C1-E016-4ABD-AE93-0664921557A1} - C:\WINDOWS\system32\ddabc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Security\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\flmlrjob.dll
O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - C:\WINDOWS\system32\yaywtqr.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [JOYTECH USB Neo S Controller] C:\Program Files\JoyTech\JoytechNeoSTrayIcon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\rpjqyixy.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=presario&pf=laptop
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - Winlogon Notify: ddabc - C:\WINDOWS\system32\ddabc.dll
O20 - Winlogon Notify: yaywtqr - C:\WINDOWS\SYSTEM32\yaywtqr.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
Logged
XP Pro SP2
JPH
Intermediate
*
Posts: 210

Thanked: 0
« Reply #11 on: October 06, 2007, 09:20:55 PM »
Download VundoFix from here: http://vundofix.atribune.org

Do a scan with it and remove any Vundo infections it finds. Then grab the C:\VundoFix.txt file and post it here.

- JPH
Logged
neljan
Topic Starter
Adviser
*
Posts: 699

Thanked: 0
« Reply #12 on: October 06, 2007, 10:11:45 PM »
## part 1 ##

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 04:28:56 07/10/2007

Listing files found while scanning....

C:\windows\system32\cbadd.bak1
C:\WINDOWS\system32\cbadd.bak2
C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\cbadd.ini2
C:\WINDOWS\system32\cbadd.tmp
C:\windows\system32\ceqylnuv.dll
C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\flmlrjob.dll
C:\windows\system32\knarwknb.dll
C:\WINDOWS\system32\mduqlynv.dll
C:\WINDOWS\system32\rpjqyixy.dll
C:\windows\system32\xnamrhux.ini
C:\windows\system32\xuhrmanx.dll
C:\WINDOWS\system32\yaywtqr.dll

Beginning removal...

 Attempting to delete C:\windows\system32\cbadd.bak1
C:\windows\system32\cbadd.bak1 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\cbadd.bak2
C:\WINDOWS\system32\cbadd.bak2 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\cbadd.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\cbadd.ini2
C:\WINDOWS\system32\cbadd.ini2 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\cbadd.tmp
C:\WINDOWS\system32\cbadd.tmp Has been deleted!

 Attempting to delete C:\windows\system32\ceqylnuv.dll
C:\windows\system32\ceqylnuv.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\ddabc.dll Could not be deleted

 Attempting to delete C:\WINDOWS\system32\flmlrjob.dll
C:\WINDOWS\system32\flmlrjob.dll Could not be deleted.

 Attempting to delete C:\windows\system32\knarwknb.dll
C:\windows\system32\knarwknb.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\mduqlynv.dll
C:\WINDOWS\system32\mduqlynv.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\rpjqyixy.dll
C:\WINDOWS\system32\rpjqyixy.dll Could not be deleted.

 Attempting to delete C:\windows\system32\xnamrhux.ini
C:\windows\system32\xnamrhux.ini Has been deleted!

 Attempting to delete C:\windows\system32\xuhrmanx.dll
C:\windows\system32\xuhrmanx.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\yaywtqr.dll
C:\WINDOWS\system32\yaywtqr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

 Attempting to delete C:\WINDOWS\system32\cbadd.ini2
C:\WINDOWS\system32\cbadd.ini2 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\ddabc.dll Could not be deleted.

 Attempting to delete C:\WINDOWS\system32\flmlrjob.dll
C:\WINDOWS\system32\flmlrjob.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\rpjqyixy.dll
C:\WINDOWS\system32\rpjqyixy.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\yaywtqr.dll
C:\WINDOWS\system32\yaywtqr.dll Could not be deleted.

Performing Repairs to the registry.
Done!
Logged
XP Pro SP2
neljan
Topic Starter
Adviser
*
Posts: 699

Thanked: 0
« Reply #13 on: October 06, 2007, 10:13:58 PM »
## part 2 ##

Listing files found while scanning....

C:\windows\system32\cbadd.ini
C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\yaywtqr.dll

Beginning removal...

 Attempting to delete C:\windows\system32\cbadd.ini
C:\windows\system32\cbadd.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\ddabc.dll Could not be deleted.

 Attempting to delete C:\WINDOWS\system32\yaywtqr.dll
C:\WINDOWS\system32\yaywtqr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

 Attempting to delete C:\windows\system32\cbadd.ini
C:\windows\system32\cbadd.ini Could not be deleted.

 Attempting to delete C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\ddabc.dll Could not be deleted.

 Attempting to delete C:\WINDOWS\system32\yaywtqr.dll
C:\WINDOWS\system32\yaywtqr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 04:47:57 07/10/2007

Listing files found while scanning....

C:\windows\system32\cbadd.ini
C:\WINDOWS\system32\cbadd.ini2
C:\WINDOWS\system32\cbadd.tmp
C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\yaywtqr.dll

Beginning removal...

 Attempting to delete C:\windows\system32\cbadd.ini
C:\windows\system32\cbadd.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\cbadd.ini2
C:\WINDOWS\system32\cbadd.ini2 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\cbadd.tmp
C:\WINDOWS\system32\cbadd.tmp Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\ddabc.dll Could not be deleted.

 Attempting to delete C:\WINDOWS\system32\yaywtqr.dll
C:\WINDOWS\system32\yaywtqr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

 Attempting to delete C:\windows\system32\cbadd.ini
C:\windows\system32\cbadd.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\cbadd.ini2
C:\WINDOWS\system32\cbadd.ini2 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\ddabc.dll Could not be deleted.

 Attempting to delete C:\WINDOWS\system32\yaywtqr.dll
C:\WINDOWS\system32\yaywtqr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 04:54:23 07/10/2007

Listing files found while scanning....

C:\windows\system32\cbadd.ini
C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\yaywtqr.dll

Beginning removal...

 Attempting to delete C:\windows\system32\cbadd.ini
C:\windows\system32\cbadd.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\ddabc.dll Could not be deleted.

 Attempting to delete C:\WINDOWS\system32\yaywtqr.dll
C:\WINDOWS\system32\yaywtqr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

 Attempting to delete C:\windows\system32\cbadd.ini
C:\windows\system32\cbadd.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\ddabc.dll Could not be deleted.

 Attempting to delete C:\WINDOWS\system32\yaywtqr.dll
C:\WINDOWS\system32\yaywtqr.dll Could not be deleted.

Performing Repairs to the registry.
Done!
Logged
XP Pro SP2
JPH
Intermediate
*
Posts: 210

Thanked: 0
« Reply #14 on: October 06, 2007, 10:53:27 PM »
Great, progress....

Try and see if you can boot into safe mode now and delete the last two files...

C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\yaywtqr.dll

Before you do though run HJT again and make sure the following entries are gone, if not select them and "Fix Checked"

O2 - BHO: (no name) - {1A4CD7C1-E016-4ABD-AE93-0664921557A1} - C:\WINDOWS\system32\ddabc.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\flmlrjob.dll
O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - C:\WINDOWS\system32\yaywtqr.dll
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\rpjqyixy.dll",sitypnow
O20 - Winlogon Notify: ddabc - C:\WINDOWS\system32\ddabc.dll
O20 - Winlogon Notify: yaywtqr - C:\WINDOWS\SYSTEM32\yaywtqr.dll

- JPH
Logged
neljan
Topic Starter
Adviser
*
Posts: 699

Thanked: 0
« Reply #15 on: October 07, 2007, 11:27:18 AM »
HJT found:

O2 - BHO: (no name) - {1A4CD7C1-E016-4ABD-AE93-0664921557A1} - C:\WINDOWS\system32\ddabc.dll
O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - C:\WINDOWS\system32\yaywtqr.dll
O20 - Winlogon Notify: ddabc - C:\WINDOWS\system32\ddabc.dll
O20 - Winlogon Notify: yaywtqr - C:\WINDOWS\SYSTEM32\yaywtqr.dll

It didn't find:

O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\flmlrjob.dll
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\rpjqyixy.dll",sitypnow

HJT failed to fix the 4, it just closed the window & the items reappeared after a scan.

Attempted to delete the following in safe mode:

C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\yaywtqr.dll

Got the message 'failed to delete... please close any applications using them'

Processes running in safe mode were:

taskmgr.exe
wmiprvse.exe
mcods.exe
svchost.exe
svchost.exe
svchost.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
system
system.idle
Logged
XP Pro SP2
JPH
Intermediate
*
Posts: 210

Thanked: 0
« Reply #16 on: October 07, 2007, 01:17:56 PM »
neljan,

Download Process Explorer and boot into safe mode.

Open process explorer and double-click on winlogon.exe. That will open the Properties dialog, now go to the Threads tab. Highlight each thread ID instance of ddabc.dll or yaywtqr.dll and click the "Kill" button. Do the same thing for the lsass.exe process as well since newer variants are injecting into it as well. After all threads have been killed navigate to the C:\WINDOWS\system32 directory and delete both ddabc.dll and yaywtqr.dll. If you still get a failed message then check each and every safe mode process until you are sure that none of them have any ddabc.dll or yaymtqr.dll threads.

After you've deleted the files finally you should be able to delete the 4 registry entries using HJT.

- JPH
Logged
neljan
Topic Starter
Adviser
*
Posts: 699

Thanked: 0
« Reply #17 on: October 07, 2007, 05:38:46 PM »
Thanks for not giving up on me JPH... your a legend

Ok, using Process Explorer I found & killed the ddabc.dll & yaywtqr.dll but couldn't at first see isass.exe.

I then tried to delete the 2 files using explorer but they were still in use...

I then went back into PE & saw that the isass.exe had it's own little group under services (double clicking it opens up a whole bunch of threads):



When I kill the isass.exe I get this pop-up:



I quickly tried did a scan with HJT before the minute was up & managed to delete:

O2 - BHO: (no name) - {1A4CD7C1-E016-4ABD-AE93-0664921557A1} - C:\WINDOWS\system32\ddabc.dll
O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - C:\WINDOWS\system32\yaywtqr.dll
O20 - Winlogon Notify: ddabc - C:\WINDOWS\system32\ddabc.dll
O20 - Winlogon Notify: yaywtqr - C:\WINDOWS\SYSTEM32\yaywtqr.dll

I rebooted in safe mode & PE & HJT now show no sign of the above 4, also in explorer, only yaywtqr.dll was present, which I was able to delete.

That leaves us with isass.exe... I won't do anything else until you advise further, have the laptop in safe mode...
Logged
XP Pro SP2
JPH
Intermediate
*
Posts: 210

Thanked: 0
« Reply #18 on: October 07, 2007, 07:00:38 PM »
neljan,

No problem, I'm glad I could help. Smiley

I'm sorry that I didn't explain about lsass.exe very well, I think you misunderstood me. What I meant was for you to check the threads being used by lsass.exe and kill any ddabc.dll or yaywtqr.dll threads that were attached to it. You don't want to kill the lsass.exe process itself, that is a necessary system process which is why your system shut itself down when you killed it.

With that being said, I think you're clean now. Wink I would post a final HJT log and run VundoFix one more time just to be sure. Also, you should uninstall all old versions of Java and get the latest version from here.

So how is it running now? No more popups I hope...

- JPH
Logged
neljan
Topic Starter
Adviser
*
Posts: 699

Thanked: 0
« Reply #19 on: October 07, 2007, 07:39:55 PM »
No apologies necessary my friend...

I did a HJT scan then a VundoFix, VundoFix found 2 more items (cbadd.ini & dbadc.dll) which VundoFix removed.

I then did another HJT scan:
Logged
XP Pro SP2
neljan
Topic Starter
Adviser
*
Posts: 699

Thanked: 0
« Reply #20 on: October 07, 2007, 07:40:32 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:24:56, on 08/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\JoyTech\JoytechNeoSTrayIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Security\getout.exe
Logged
XP Pro SP2
neljan
Topic Starter
Adviser
*
Posts: 699

Thanked: 0
« Reply #21 on: October 07, 2007, 07:41:02 PM »
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66006
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66006
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66006
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=presario&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Security\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [JOYTECH USB Neo S Controller] C:\Program Files\JoyTech\JoytechNeoSTrayIcon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: CaptureWiz.lnk = C:\Program Files\My Programs\CaptureWiz\Pro\CaptureWiz.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=presario&pf=laptop
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
Logged
XP Pro SP2
neljan
Topic Starter
Adviser
*
Posts: 699

Thanked: 0
« Reply #22 on: October 07, 2007, 07:48:28 PM »
I've unistalled Java & started windows normally... I had my browser idle for about 5 minutes with no pop ups/hijacks  Wink Restarted again to see if privacy settings were changed, they weren't  Grin

JPH I could kiss yu!  Kiss

How's it looking on the log?
Logged
XP Pro SP2
JPH
Intermediate
*
Posts: 210

Thanked: 0
« Reply #23 on: October 07, 2007, 08:14:30 PM »
Great! The log file looks clean! Grin
Logged
neljan
Topic Starter
Adviser
*
Posts: 699

Thanked: 0
« Reply #24 on: October 07, 2007, 08:30:19 PM »
JPH I must admit, I had my doubts along the way, but you came through in the end fella! (or darling Huh?)

Everytime something didn't work I thought it was going to be a format job, but you kept coming back with another approach... amazing, I've never experienced such support & good direct advice before!

I can't thank you enough, my son was so dissapointed at not being able to use his laptop over the weekend, he's only 9 & he was getting 'naked lady' pop-ups, so I couldn't let him on it.

The wife will be pleased aswell, no more f'ing & blinding out of me (well, over the laptop anyway!).

So how did you come by all this knowledge? do you work in I.T?
Logged
XP Pro SP2
JPH
Intermediate
*
Posts: 210

Thanked: 0
« Reply #25 on: October 07, 2007, 08:58:19 PM »
Well if you're happy, your wife's happy and your son's happy then I'm happy. Grin
BTW, fella would be the proper distinction and yes I happen to work in IT. Wink

- JPH
Logged
neljan
Topic Starter
Adviser
*
Posts: 699

Thanked: 0
« Reply #26 on: October 07, 2007, 09:03:28 PM »
Ok darling!  Wink

I'm actually now using your advice to try & help someone else, maybe you could supervise? be nice having you around again!

http://www.computerhope.com/forum/index.php/topic,43796.0.html

Glenn
Logged
XP Pro SP2
Pages: 1 2 [All] - (Top) Print 
Computer Hope Forums  >>  Software  >>  Computer viruses and spyware (Moderator: Computer Hope Admin)  >>  Topic: Trojan? « previous next »
Jump to:  


Login with username, password and session length

Old Forum Search | Forum Rules
Copyright 1998-2008 by Computer Hope (tm). All rights reserved
Powered by SMF 1.1.8 | SMF © 2006-2008, Simple Machines LLC
Page created in 0.304 seconds with 18 queries.