mmcd926

Help! Lots of pop ups--HJT Log


Please help. One of my computers is infested with something, so much so that I can't use it. I started getting all kinds of pop-ups. Spybot keeps terminating something over and over that's trying to run. Thank you for any help that you can give me. Here is my HJT log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:16:56 AM, on 6/26/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

C:\WINDOWS\system32\rnmiaabp.exe

C:\WINDOWS\SYSTEM32\DWRCS.EXE

C:\Oracle\product\10.1.0\Client_1\bin\omtsreco.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\SYSTEM32\DWRCST.exe

C:\WINDOWS\avp.exe

C:\WINDOWS\mgrs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\DOCUME~1\MMCDAN~1\APPLIC~1\SCURIT~1\winword.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Documents and Settings\Desktop\HiJackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\AeXInvSoln.exe

C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\aexexchpls.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\raalxdjx.dll

O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe

O4 - HKLM\..\Run: [smgr] mgrs.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [upts] "C:\DOCUME~1\MMCDAN~1\APPLIC~1\SCURIT~1\winword.exe" -vt yazb

O4 - HKCU\..\Run: [Xlvw] "C:\Program Files\Common Files\??stem\n?tdde.exe"

O4 - Startup: Lock Down.lnk = C:\WINDOWS\system32\rundll32.exe

O4 - Global Startup: DriveMap.bat

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {460324E8-CFB4-4357-85EF-CE3EBFE23A62} (Crystal ActiveX Report Viewer Control 11.0) - http://time.xxxxxxxxxx.com/Stromberg/eSup...tiveXViewer.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132958503750

O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://reports.xxxxxxxxxx.net/viewer/act...tivexviewer.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.xxxxxxx.net

O17 - HKLM\Software\..\Telephony: DomainName = corporate.xxxxxxxxx.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.xxxxxxxxx.net

O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

O23 - Service: DomainService - - C:\WINDOWS\system32\rnmiaabp.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\Oracle\product\10.1.0\Client_1\bin\omtsreco.exe

O24 - Desktop Component 0: (no name) - C:\Program Files\WindowsUpdate\zysomaj.html

 

--

End of file - 4293 bytes


Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a HJT log and start a new topic.


Hi and Welcome

 

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

 

* Open Spybot Search & Destroy.

* In the Mode menu click "Advanced mode" if not already selected.

* Choose "Yes" at the Warning prompt.

* Expand the "Tools" menu.

* Click "Resident".

* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.

* In the File menu click "Exit" to exit Spybot Search & Destroy.

 

 

 

Open HijackThis, click "Do a system scan only", and checkmark these entries. Then close all other windows and browsers except HijackThis and press "Fix checked".

 

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\raalxdjx.dll

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe

O4 - HKLM\..\Run: [smgr] mgrs.exe

O4 - HKCU\..\Run: [upts] "C:\DOCUME~1\MMCDAN~1\APPLIC~1\SCURIT~1\winword.exe" -vt yazb

O4 - HKCU\..\Run: [Xlvw] "C:\Program Files\Common Files\??stem\n?tdde.exe"

O4 - Startup: Lock Down.lnk = C:\WINDOWS\system32\rundll32.exe

O23 - Service: DomainService - - C:\WINDOWS\system32\rnmiaabp.exe

O24 - Desktop Component 0: (no name) - C:\Program Files\WindowsUpdate\zysomaj.html


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

 

Please ensure you read this guide carefully and install the Recovery Console first.

 

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

 

Once installed, you should see a blue screen prompt that says:

 

The Recovery Console was successfully installed.

 


 

Please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

 

Please include the following reports for further review, and so we may continue cleansing the system:

 

C:\ComboFix.txt

New HijackThis log taken after the above scan has run.

 

You DO NOT need to have the Windows CD to install Recovery Console!

Windows 2000 users will need to install the Recovery Console from their installation CD

 

The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware.

 

 

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.

Don't select to run the Recovery Console as we don't need it.

By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.


Thank you so much for your help.

 

I did everything in your post. Here are the logs from Combofix and HJT:

 

 

 

ComboFix 08-06-20.4 - 2008-07-01 11:16:50.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.81 [GMT -4:00]

Running from: C:\Documents and Settings\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk

C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk

C:\Documents and Settings\Application Data\SCURIT~1

C:\Documents and Settings\Application Data\SCURIT~1\s?curity\

C:\Documents and Settings\Application Data\SCURIT~1\winword.exe

C:\Documents and Settings\Application Data\YMBOLS~1

C:\Documents and Settings\Desktop\Live Safety Center.lnk

C:\Documents and Settings\Desktop\Online Security Guide.lnk

C:\Documents and Settings\Favorites\Online Security Guide.lnk

C:\Documents and Settings\Start Menu\Programs\Outerinfo

C:\Documents and Settings\Start Menu\Programs\Outerinfo\Terms.lnk

C:\Documents and Settings\Start Menu\Programs\Outerinfo\Uninstall.lnk

C:\Documents and Settings\NetworkService\Application Data\NetMon

C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt

C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt

C:\Program Files\Common Files\ryxyf4444.dll

C:\Program Files\Common Files\ryxyf83122.dll

C:\Program Files\Common Files\stem~1

C:\Program Files\Common Files\Yazzle1281OinAdmin.exe

C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe

C:\Program Files\IE Extensions

C:\Program Files\network monitor

C:\Program Files\network monitor\netmon.exe

C:\Program Files\outerinfo

C:\Program Files\outerinfo\FF\chrome.manifest

C:\Program Files\outerinfo\FF\components\FF.dll

C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt

C:\Program Files\outerinfo\FF\install.rdf

C:\Program Files\outerinfo\Terms.rtf

C:\Program Files\spoolsv.exe

C:\Program Files\Temporary

C:\Program Files\Temporary\wininstall.exe

C:\Program Files\WinAble

C:\Program Files\WinAble\winable.exe

C:\Temp\1cb

C:\Temp\1cb\syscheck.log

C:\Temp\abW9

C:\Temp\abW9\tPho.log

C:\temp\tn3

C:\WINDOWS\17PHolmes572.exe

C:\WINDOWS\avp.exe

C:\WINDOWS\b122.exe

C:\WINDOWS\installer\ceede.msi

C:\WINDOWS\mgrs.exe

C:\WINDOWS\system32\alog.txt

C:\WINDOWS\system32\atmtd.dll

C:\WINDOWS\system32\atmtd.dll._

C:\WINDOWS\system32\c1

C:\WINDOWS\system32\c1\baslook11.exe

C:\WINDOWS\system32\cmds.txt

C:\WINDOWS\system32\conf.dat

C:\WINDOWS\system32\cookie1.dat

C:\WINDOWS\system32\drivers\core.cache.dsk

C:\WINDOWS\system32\drivers\core.sys

C:\WINDOWS\system32\ehkmp.ini

C:\WINDOWS\system32\ehkmp.ini2

C:\WINDOWS\system32\hggdeby.dll

C:\WINDOWS\system32\j2

C:\WINDOWS\system32\j2\ppjup83122.exe

C:\WINDOWS\system32\khfedaw.dll

C:\WINDOWS\system32\lelalpcr.dll

C:\WINDOWS\system32\lruxhnnv.dll

C:\WINDOWS\system32\m8

C:\WINDOWS\system32\m8\nsts2dll1.exe

C:\WINDOWS\system32\pmkhe.dll

C:\WINDOWS\system32\ps1.dat

C:\WINDOWS\system32\raalxdjx.dll

C:\WINDOWS\system32\raalxdjx.dllbox

C:\WINDOWS\system32\rc.dat

C:\WINDOWS\system32\rcplalel.ini

C:\WINDOWS\system32\rozmchild.dll

C:\WINDOWS\system32\rqrpqnn.dll

C:\WINDOWS\system32\rxkkhgab.exe

C:\WINDOWS\system32\urqrpno.dll

C:\WINDOWS\system32\wnsintsv32.exe

C:\WINDOWS\system32\wrvre.dll

C:\WINDOWS\tk58.exe

C:\WINDOWS\TTC-4444.exe

C:\WINDOWS\uninstall_nmon.vbs

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_CMDSERVICE

-------\Legacy_CORE

-------\Legacy_DOMAINSERVICE

-------\Legacy_NETWORK_MONITOR

-------\Service_core

-------\Service_DomainService

 

 

((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))

.

 

2008-07-01 11:23 . 2008-07-01 11:24 414 ---hs---- C:\WINDOWS\system32\raalxdjx.dllbox

2008-07-01 10:46 . 2008-07-01 10:46 20,480 --a------ C:\Program Files\98609.exe

2008-07-01 10:46 . 2008-07-01 10:46 20,480 --a------ C:\Program Files\111046.exe

2008-07-01 10:46 . 2008-07-01 10:46 20,480 --a------ C:\Program Files\110968.exe

2008-07-01 10:46 . 2008-07-01 10:46 20,480 --a------ C:\Program Files\110921.exe

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-01 15:20 145,984 ------w C:\WINDOWS\system32\raalxdjx.dll

2005-08-02 21:46 187,904 --sha-r C:\WINDOWS\Q29ubmV4dGlvbnM\asappsrv.dll

2005-08-02 21:58 293,888 --sha-r C:\WINDOWS\Q29ubmV4dGlvbnM\command.exe

2005-07-29 21:24 472 --sha-r C:\WINDOWS\Q29ubmV4dGlvbnM\kZ6RvApbx35SvBg.vbs

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]

2008-07-01 11:20 145984 --------- C:\WINDOWS\system32\raalxdjx.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= "C:\WINDOWS\system32\raalxdjx.dll" [2008-07-01 11:20 145984]

 

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 04:36 68856]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AeXAgentLogon"="C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2006-01-05 21:59 139264]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

DriveMap.bat [2005-03-01 13:33:54 195]

WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-11-26 10:50:05 389120]

 

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\raalxdjx]

raalxdjx.dll 2008-07-01 11:20 145984 C:\WINDOWS\system32\raalxdjx.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-521411087-1323183334-1539857752-17938\Scripts\Logon\0\0]

"Script"=\\orcxdc04\NETLOGON\DST_Update\dstxpup.bat

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-521411087-1323183334-1539857752-6808\Scripts\Logon\0\0]

"Script"=\\Wkpsdc\NETLOGON\wgrunlocaladmin.vbe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\WINDOWS\system32\rnmiaabp.exe"= C:\WINDOWS\system32\rnm

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

 

 

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-01 11:24:03

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

 

C:\WINDOWS\system32\raalxdjx.dllbox 414 bytes

 

scan completed successfully

hidden files: 1

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINDOWS\system32\winlogon.exe

-> C:\WINDOWS\system32\raalxdjx.dll

 

PROCESS: C:\WINDOWS\explorer.exe

-> C:\WINDOWS\system32\raalxdjx.dll

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

C:\WINDOWS\system32\DWRCS.EXE

C:\Oracle\product\10.1.0\Client_1\BIN\omtsreco.exe

.

**************************************************************************

.

Completion time: 2008-07-01 11:26:30 - machine was rebooted

ComboFix-quarantined-files.txt 2008-07-01 15:26:20

 

Pre-Run: 31,141,785,600 bytes free

Post-Run: 31,224,434,688 bytes free

 

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

 

179

 

 

 

 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:31, on 2008-07-01

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

C:\WINDOWS\SYSTEM32\DWRCS.EXE

C:\Oracle\product\10.1.0\Client_1\bin\omtsreco.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Desktop\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\raalxdjx.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\raalxdjx.dll

O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - Global Startup: DriveMap.bat

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {460324E8-CFB4-4357-85EF-CE3EBFE23A62} (Crystal ActiveX Report Viewer Control 11.0) - http://time.xxxxxxxx.com/Stromberg/eSuperv...tiveXViewer.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132958503750

O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://reports.xxxxxxxxx.net/viewer/active...tivexviewer.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.xxxxxxxx.net

O17 - HKLM\Software\..\Telephony: DomainName = corporate.xxxxxxxx.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.xxxxxxxx.net

O20 - Winlogon Notify: raalxdjx - C:\WINDOWS\SYSTEM32\raalxdjx.dll

O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\Oracle\product\10.1.0\Client_1\bin\omtsreco.exe

 

--

End of file - 4054 bytes


Welcome back

 

Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Open HijackThis, click "Do a system scan only", and checkmark these entries. Then close all other windows and browsers except HijackThis and press "Fix checked".

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\raalxdjx.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O20 - Winlogon Notify: raalxdjx - C:\WINDOWS\SYSTEM32\raalxdjx.dll

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.

Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

 

Click on this link Here to see a list of programs that should be disabled.

The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

 

Please open Notepad (*Do Not Use Wordpad!* Do not use any text editor other than Notepad, or the script will fail. Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:

Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

KillAll::

 

File::

C:\WINDOWS\system32\raalxdjx.dllbox

C:\WINDOWS\system32\raalxdjx.dll

C:\Program Files\98609.exe

C:\Program Files\111046.exe

C:\Program Files\110968.exe

C:\Program Files\110921.exe

 

Folder::

C:\WINDOWS\Q29ubmV4dGlvbnM

C:\WINDOWS\system32\rnm

 

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-

[-HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\raalxdjx]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\WINDOWS\system32\rnmiaabp.exe"=-

Posted Image

 

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

 

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

NEXT**

Please download Malwarebytes' Anti-Malware to your desktop

 

Additional Link

 

* Double-click mbam-setup.exe and follow the prompts to install the program.

* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform quick scan, then click Scan.

* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.

* You can also access the log by doing the following:

 

o Click on the Malwarebytes' Anti-Malware icon to launch the program.

o Click on the Logs tab.

o Click on the log at the bottom of those listed to highlight it.

o Click Open.

 

 

 

In your next reply, please post:

ComboFix.txt

Malwarebytes' Anti-Malware log

New HijackThis log taken after the above scans have run

 

Give me an update on how the machine is at the moment.


There are no more pop-ups. The computer seems to be running fine. I don't really want to start using it again until I'm sure it's clean. I did everything you said to do. Here are the logs:

 

ComboFix 08-07-01.5 - MMcdaniel 2008-07-02 12:27:25.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.134 [GMT -4:00]

Running from: C:\Documents and Settings\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Desktop\CFScript.txt

* Created a new restore point

 

FILE ::

C:\Program Files\110921.exe

C:\Program Files\110968.exe

C:\Program Files\111046.exe

C:\Program Files\98609.exe

C:\WINDOWS\system32\raalxdjx.dll

C:\WINDOWS\system32\raalxdjx.dllbox

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Program Files\110921.exe

C:\Program Files\110968.exe

C:\Program Files\111046.exe

C:\Program Files\98609.exe

C:\WINDOWS\Q29ubmV4dGlvbnM

C:\WINDOWS\Q29ubmV4dGlvbnM\asappsrv.dll

C:\WINDOWS\Q29ubmV4dGlvbnM\command.exe

C:\WINDOWS\Q29ubmV4dGlvbnM\kZ6RvApbx35SvBg.vbs

C:\WINDOWS\system32\raalxdjx.dll

C:\WINDOWS\system32\raalxdjx.dllbox

 

.

((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))

.

 

No new files created in this timespan

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

 

((((((((((((((((((((((((((((( snapshot@2008-07-01_11.25.53.52 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-07-01 15:22:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-07-02 16:29:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AeXAgentLogon"="C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2006-01-05 21:59 139264]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

DriveMap.bat [2005-03-01 13:33:54 195]

WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-11-26 10:50:05 389120]

 

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-521411087-1323183334-1539857752-17938\Scripts\Logon\0\0]

"Script"=\\orcxdc04\NETLOGON\DST_Update\dstxpup.bat

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-521411087-1323183334-1539857752-6808\Scripts\Logon\0\0]

"Script"=\\Wkpsdc\NETLOGON\wgrunlocaladmin.vbe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\WINDOWS\system32\rnmiaabp.exe"= C:\WINDOWS\system32\rnm

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

 

 

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-02 12:30:41

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

C:\WINDOWS\system32\DWRCS.EXE

C:\Oracle\product\10.1.0\Client_1\BIN\omtsreco.exe

.

**************************************************************************

.

Completion time: 2008-07-02 12:32:46 - machine was rebooted

ComboFix-quarantined-files.txt 2008-07-02 16:32:41

ComboFix2.txt 2008-07-01 15:26:31

 

Pre-Run: 31,527,227,392 bytes free

Post-Run: 31,521,370,112 bytes free

 

86

 

 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 

Malwarebytes' Anti-Malware 1.19

Database version: 914

Windows 5.1.2600 Service Pack 2

 

13:03:26 2008-07-02

mbam-log-7-2-2008 (13-03-26).txt

 

Scan type: Quick Scan

Objects scanned: 52307

Time elapsed: 2 minute(s), 38 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a95b2816-1d7e-4561-a202-68c0de02353a} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2abaac42-84df-4c00-89da-bc7eb2b0e70b} (Trojan.Vundo) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

 

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:04, on 2008-07-02

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

C:\WINDOWS\SYSTEM32\DWRCS.EXE

C:\Oracle\product\10.1.0\Client_1\bin\omtsreco.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Desktop\HiJackThis.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {8290F7B1-B996-49D7-A73C-C84EC0BED558} - (no file)

O2 - BHO: (no name) - {833AD0E3-51C9-40E1-A21F-2D033D0B7E4B} - (no file)

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll

O2 - BHO: (no name) - {B552B8A4-76AC-4e8c-A469-C1585B111116} - (no file)

O2 - BHO: (no name) - {BA6C03C0-0FEA-46A5-8FFF-F102D871E5B8} - (no file)

O2 - BHO: (no name) - {FC3DDA79-D1D4-47e4-A38E-27C8C1FEAB5E} - (no file)

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon

O4 - Global Startup: DriveMap.bat

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {460324E8-CFB4-4357-85EF-CE3EBFE23A62} (Crystal ActiveX Report Viewer Control 11.0) - http://time.xxxxxxxxxxx.com/Stromberg/eSup...tiveXViewer.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132958503750

O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://reports.xxxxxxxxxxx.net/viewer/acti...tivexviewer.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.xxxxxxxxxxx.net

O17 - HKLM\Software\..\Telephony: DomainName = corporate.xxxxxxxxx.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.xxxxxxxxxxxx.net

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corporate.xxxxxxxxxxx.net

O20 - Winlogon Notify: raalxdjx - C:\WINDOWS\

O20 - Winlogon Notify: urqrpno - C:\WINDOWS\

O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\Oracle\product\10.1.0\Client_1\bin\omtsreco.exe

 

--

End of file - 3744 bytes

Edited by mmcd926


Welcome back

 

There are no more pop ups. The computer seems to be running fine

:tup:

Tell me what you're using for Antivirus and Firewall.

As I see it, the logs show none?

 

I can give you a list of free choices.

 

 

 

Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.

 

O2 - BHO: (no name) - {8290F7B1-B996-49D7-A73C-C84EC0BED558} - (no file)

O2 - BHO: (no name) - {833AD0E3-51C9-40E1-A21F-2D033D0B7E4B} - (no file)

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O2 - BHO: (no name) - {B552B8A4-76AC-4e8c-A469-C1585B111116} - (no file)

O2 - BHO: (no name) - {BA6C03C0-0FEA-46A5-8FFF-F102D871E5B8} - (no file)

O2 - BHO: (no name) - {FC3DDA79-D1D4-47e4-A38E-27C8C1FEAB5E} - (no file)

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O20 - Winlogon Notify: raalxdjx - C:\WINDOWS\

O20 - Winlogon Notify: urqrpno - C:\WINDOWS\

 

 

 

Go to My Computer->Tools->Folder Options->View tab:

- Under the Hidden files and folders heading:
- Select Show hidden files and folders.
- Uncheck the Hide protected operating system files (recommended) option.
- Also, make sure there is no checkmark beside Hide file extensions for known file types.
- Click OK. (Remember to hide files and folders once done.)

 

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold, if found:

 

C:\WINDOWS\system32\rnmiaabp.exe <=file

C:\WINDOWS\system32\rnm <=folder

 

If these files/folders are found and resist deletion, drop into safe mode and try again.

 

 

 

 

NEXT**

I'd like for you to run this next online scan to check for remnants or anything that might be hidden.

The below scan can take up to an hour or longer, please be patient.

 

*Note

It is recommended to disable onboard antivirus and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

 

Please do a scan with Kaspersky Online Scanner

 

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

 

- Click on the Accept button and install any components it needs.
- The program will install and then begin downloading the latest definition files.
- After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
- This will start the program and scan your system.
- The scan will take a while, so be patient and let it run.
- Once the scan is complete, click on View scan report.

To obtain the report:

Click on: Save Report As

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar

In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

 

Animated tutorial

http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

 

(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

Or use Firefox with IE-Tab plugin

https://addons.mozilla.org/en-US/firefox/addon/1419

 

 

In your next reply post:

Kaspersky log

New HJT log taken after the above scans have run

 

Please give me an update on how the computer is at the moment.
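A small triage script for the two leftover patterns the helper picked out of the HJT log above: O2 BHO and O3 toolbar entries whose CLSID points at "(no file)", and O20 Winlogon Notify entries that name only a directory. This is an added example, not code from the thread or from HijackThis; the sample lines are retyped from the log posted above and are only a subset of it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the entries from the 2008-07-02 HJT log
# in the thread, retyped here. It is not the complete log.
SAMPLE_HJT_LINES = [
    "O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll",
    "O2 - BHO: (no name) - {8290F7B1-B996-49D7-A73C-C84EC0BED558} - (no file)",
    "O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)",
    "O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)",
    "O4 - HKLM\\..\\Run: [AeXAgentLogon] C:\\Program Files\\Altiris\\Altiris Agent\\AeXAgentActivate.exe /logon",
    "O20 - Winlogon Notify: raalxdjx - C:\\WINDOWS\\",
    "O20 - Winlogon Notify: urqrpno - C:\\WINDOWS\\",
    "O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\\Program Files\\Altiris\\Altiris Agent\\AeXNSAgent.exe",
]

# Every HJT entry starts with a section code (R0, F2, O2, O20, ...) and " - ".
HJT_ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")


@dataclass
class HjtEntry:
    section: str        # "O2", "O3", "O20", ...
    fields: List[str]   # the " - " separated parts after the section code

    @property
    def target(self) -> str:
        """Last field: the file/path the entry points at, or "(no file)"."""
        return self.fields[-1]


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one log line; headers, process paths and blanks return None."""
    m = HJT_ENTRY.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    return HjtEntry(section, [f.strip() for f in body.split(" - ")])


def is_orphaned(entry: HjtEntry) -> bool:
    """The two leftover patterns the helper marked for 'Fix checked':
    O2/O3 CLSIDs whose DLL is already gone ("(no file)"), and O20 Winlogon
    Notify entries that name only a directory instead of a DLL."""
    if entry.section in ("O2", "O3"):
        return entry.target.lower() == "(no file)"
    if entry.section == "O20":
        return entry.target.endswith("\\")
    return False


def entries_to_fix(lines: List[str]) -> List[str]:
    """Return the log lines flagged by is_orphaned, in log order."""
    flagged = []
    for line in lines:
        entry = parse_hjt_line(line)
        if entry is not None and is_orphaned(entry):
            flagged.append(line.strip())
    return flagged


if __name__ == "__main__":
    for line in entries_to_fix(SAMPLE_HJT_LINES):
        print(line)
```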


Tell me what you're using for Antivirus and Firewall.

As I see it, the logs show none?

 

I usually use Spybot with the SD Helper and Teatimer turned on. If you have any better suggestions, I would appreciate it.

 

 

The computer seems to be running fine. No pop ups.

 

 

Here are the logs you requested:

 

 

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Thursday, July 3, 2008

Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Thursday, July 03, 2008 17:13:27

Records in database: 910775

--------------------------------------------------------------------------------

 

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

 

Scan area - My Computer:

A:\

C:\

D:\

 

Scan statistics:

Files scanned: 28980

Threat name: 26

Infected objects: 47

Suspicious objects: 0

Duration of the scan: 01:11:17

 

 

File name / Threat name / Threats count

C:\Documents and Settings\Desktop\backups\backup-20080701-110028-573-source.html Infected: Trojan-Clicker.HTML.IFrame.dn 1

C:\Documents and Settings\Desktop\backups\backup-20080702-120510-227.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k 1

C:\Documents and Settings\Desktop\vnc-4_1_2-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Program Files\WindowsUpdate\vikixep.dll Infected: Trojan.Win32.BHO.ab 1

C:\Program Files\WindowsUpdate\vikixep12.dll Infected: Trojan.Win32.BHO.ab 1

C:\Program Files\WindowsUpdate\vikixep193.dll Infected: Trojan.Win32.BHO.ab 1

C:\Program Files\WindowsUpdate\vikixep546.dll Infected: Trojan.Win32.BHO.ab 1

C:\Program Files\WindowsUpdate\vikixep639.dll Infected: Trojan.Win32.BHO.ab 1

C:\QooBox\Quarantine\C\Documents and Settings\Application Data\SCURIT~1\winword.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.ez 1

C:\QooBox\Quarantine\C\Program Files\110921.exe.vir Infected: Trojan-Downloader.Win32.BHO.lm 1

C:\QooBox\Quarantine\C\Program Files\110968.exe.vir Infected: Trojan-Downloader.Win32.BHO.lm 1

C:\QooBox\Quarantine\C\Program Files\111046.exe.vir Infected: Trojan-Downloader.Win32.BHO.lm 1

C:\QooBox\Quarantine\C\Program Files\98609.exe.vir Infected: Trojan-Downloader.Win32.BHO.lm 1

C:\QooBox\Quarantine\C\Program Files\Common Files\ryxyf4444.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a 1

C:\QooBox\Quarantine\C\Program Files\Common Files\ryxyf83122.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a 1

C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fg 1

C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gp 1

C:\QooBox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir Infected: not-a-virus:Monitor.Win32.NetMon.a 1

C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad 1

C:\QooBox\Quarantine\C\Program Files\spoolsv.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen 1

C:\QooBox\Quarantine\C\Program Files\Temporary\wininstall.exe.vir Infected: Trojan.Win32.Agent.crf 1

C:\QooBox\Quarantine\C\Program Files\WinAble\winable.exe.vir Infected: Trojan-Downloader.Win32.Adload.ni 1

C:\QooBox\Quarantine\C\WINDOWS\17PHolmes572.exe.vir Infected: Trojan-Downloader.Win32.Agent.fjx 1

C:\QooBox\Quarantine\C\WINDOWS\avp.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen 1

C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir Infected: Trojan-Downloader.Win32.Agent.erf 1

C:\QooBox\Quarantine\C\WINDOWS\mgrs.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen 1

C:\QooBox\Quarantine\C\WINDOWS\Q29ubmV4dGlvbnM\asappsrv.dll.vir Infected: not-a-virus:AdWare.Win32.CommAd.a 1

C:\QooBox\Quarantine\C\WINDOWS\Q29ubmV4dGlvbnM\command.exe.vir Infected: not-a-virus:AdWare.Win32.CommAd.a 1

C:\QooBox\Quarantine\C\WINDOWS\system32\c1\baslook11.exe.vir Infected: Trojan-Downloader.Win32.Small.buy 1

C:\QooBox\Quarantine\C\WINDOWS\system32\hggdeby.dll.vir Infected: Trojan.Win32.Obfuscated.lf 1

C:\QooBox\Quarantine\C\WINDOWS\system32\j2\ppjup83122.exe.vir Infected: not-a-virus:AdWare.Win32.TTC.a 1

C:\QooBox\Quarantine\C\WINDOWS\system32\khfedaw.dll.vir Infected: Trojan.Win32.Obfuscated.lf 1

C:\QooBox\Quarantine\C\WINDOWS\system32\lelalpcr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps 1

C:\QooBox\Quarantine\C\WINDOWS\system32\lruxhnnv.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.k 1

C:\QooBox\Quarantine\C\WINDOWS\system32\m8\nsts2dll1.exe.vir Infected: Trojan.Win32.Pakes.bvs 1

C:\QooBox\Quarantine\C\WINDOWS\system32\rozmchild.dll.vir Infected: Trojan-Spy.Win32.Banker.heh 1

C:\QooBox\Quarantine\C\WINDOWS\system32\rqrpqnn.dll.vir Infected: Trojan.Win32.Obfuscated.lf 1

C:\QooBox\Quarantine\C\WINDOWS\system32\rxkkhgab.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id 1

C:\QooBox\Quarantine\C\WINDOWS\system32\urqrpno.dll.vir Infected: Trojan.Win32.Obfuscated.lf 1

C:\QooBox\Quarantine\C\WINDOWS\system32\wrvre.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.if 1

C:\QooBox\Quarantine\C\WINDOWS\tk58.exe.vir Infected: Trojan.Win32.BHO.ab 1

C:\QooBox\Quarantine\C\WINDOWS\TTC-4444.exe.vir Infected: not-a-virus:AdWare.Win32.TTC.a 1

C:\QooBox\Quarantine\catchme2008-07-01_112124.73.zip Infected: Trojan.Win32.Monder.gen 1

C:\QooBox\Quarantine\catchme2008-07-02_122902.20.zip Infected: not-a-virus:AdWare.Win32.SecToolBar.k 1

C:\RECYCLER\S-1-5-21-521411087-1323183334-1539857752-5223\Dc1.exe Infected: Trojan.Win32.Obfuscated.kp 1

C:\WINDOWS\system32\fmrgnumv.exe Infected: Trojan.Win32.Obfuscated.kp 1

C:\WINDOWS\system32\wwfewukb.dll Infected: Trojan.Win32.Monder.gen 1

 

The selected area was scanned.

 

 

 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:16, on 2008-07-03

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

C:\WINDOWS\SYSTEM32\DWRCS.EXE

C:\Oracle\product\10.1.0\Client_1\bin\omtsreco.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SYSTEM32\DWRCST.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Documents and Settings\Desktop\HiJackThis.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll

O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

O4 - Global Startup: DriveMap.bat

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {460324E8-CFB4-4357-85EF-CE3EBFE23A62} (Crystal ActiveX Report Viewer Control 11.0) - http://time.xxxxxxxxx.com/Stromberg/eSuper...tiveXViewer.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132958503750

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871

O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://reports.xxxxxxxxxx.net/viewer/activ...tivexviewer.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.xxxxxxxxxxx.net

O17 - HKLM\Software\..\Telephony: DomainName = corporate.xxxxxxx.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.xxxxxxxxxxxx.net

O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\Oracle\product\10.1.0\Client_1\bin\omtsreco.exe

 

--

End of file - 3588 bytes


Welcome back

I usually use Spybot with the SD Helper and Teatimer turned on. If you have any better suggestions, I would appreciate it.

SpyBot is not an antivirus program, it will search and scan for Spyware. It cannot protect you from infection again.

 

You need to download, install, and update an Antivirus program.

 

Avira

Here is a tutorial on its setup and use:

http://www.techsupportforum.com/content/Se...rticles/64.html

 

Avast!

How to Install, Configure, and Use Avast Antivirus

Never install more than one antivirus scanner or firewall on your system.

The computer seems to be running fine. No pop ups.

:tup:

 

 

Kaspersky flags RealVNC (WinVNC.4) as Riskware; these can be useful tools or could be used maliciously, and that's why Kaspersky flags them.

If you did not install or use this program please uninstall/remove.

 

 

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.

Next: Please disable all onboard security programs (all running with background protection), as they may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

 

Click on this link Here to see a list of programs that should be disabled.

The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

 

Please open Notepad (*Do not use WordPad or any other text editor than Notepad, or the script will fail.*) (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:

Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

KillAll::

 

File::

C:\Documents and Settings\Desktop\backups\backup-20080701-110028-573-source.html

C:\Documents and Settings\Desktop\backups\backup-20080702-120510-227.dll

C:\Program Files\WindowsUpdate\vikixep.dll

C:\Program Files\WindowsUpdate\vikixep12.dll

C:\Program Files\WindowsUpdate\vikixep193.dll

C:\Program Files\WindowsUpdate\vikixep546.dll

C:\Program Files\WindowsUpdate\vikixep639.dll

C:\RECYCLER\S-1-5-21-521411087-1323183334-1539857752-5223\Dc1.exe

C:\WINDOWS\system32\fmrgnumv.exe

C:\WINDOWS\system32\wwfewukb.dll

Posted Image

 

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

 

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

 

In your next reply post:

ComboFix.txt

New HJT log

 

Also please let me know what issues remain.
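As an added example (not the helper's tool and not part of ComboFix or Kaspersky), this script reproduces the triage behind the CFScript above: it parses the Kaspersky report's per-object lines, skips objects ComboFix already holds in C:\QooBox\Quarantine, sets aside dual-use riskware such as the VNC viewer for a human decision, and renders the rest as the File:: section. The sample report lines are a retyped subset of the report posted above.

```python
import re
from typing import List, NamedTuple, Tuple


class Detection(NamedTuple):
    path: str
    threat: str
    count: int


# One report line per object: "<path> Infected: <threat name> <count>".
REPORT_LINE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")

# Objects under ComboFix's quarantine are already neutralised (.vir) copies.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"
# Kaspersky classes for dual-use tools the helper asked the user about
# instead of deleting outright (the VNC viewer in the thread).
DUAL_USE_CLASSES = ("not-a-virus:remoteadmin.", "not-a-virus:monitor.")

# Constructed sample: a retyped subset of the thread's Kaspersky report.
SAMPLE_REPORT = [
    "File name / Threat name / Threats count",
    "C:\\Documents and Settings\\Desktop\\backups\\backup-20080701-110028-573-source.html Infected: Trojan-Clicker.HTML.IFrame.dn 1",
    "C:\\Documents and Settings\\Desktop\\backups\\backup-20080702-120510-227.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k 1",
    "C:\\Documents and Settings\\Desktop\\vnc-4_1_2-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1",
    "C:\\Program Files\\WindowsUpdate\\vikixep.dll Infected: Trojan.Win32.BHO.ab 1",
    "C:\\Program Files\\WindowsUpdate\\vikixep12.dll Infected: Trojan.Win32.BHO.ab 1",
    "C:\\QooBox\\Quarantine\\C\\WINDOWS\\avp.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen 1",
    "C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\urqrpno.dll.vir Infected: Trojan.Win32.Obfuscated.lf 1",
    "C:\\RECYCLER\\S-1-5-21-521411087-1323183334-1539857752-5223\\Dc1.exe Infected: Trojan.Win32.Obfuscated.kp 1",
    "C:\\WINDOWS\\system32\\fmrgnumv.exe Infected: Trojan.Win32.Obfuscated.kp 1",
    "C:\\WINDOWS\\system32\\wwfewukb.dll Infected: Trojan.Win32.Monder.gen 1",
    "The selected area was scanned.",
]


def parse_report(lines: List[str]) -> List[Detection]:
    """Keep only the per-object lines; headers and footers do not match."""
    dets = []
    for line in lines:
        m = REPORT_LINE.match(line.strip())
        if m:
            dets.append(Detection(m["path"], m["threat"], int(m["count"])))
    return dets


def triage(lines: List[str]) -> Tuple[List[str], List[str], List[str]]:
    """Split detections into (delete, review, already_quarantined) paths."""
    delete, review, quarantined = [], [], []
    for d in parse_report(lines):
        if d.path.lower().startswith(QUARANTINE_PREFIX):
            quarantined.append(d.path)       # ComboFix already has it
        elif d.threat.lower().startswith(DUAL_USE_CLASSES):
            review.append(d.path)            # ask the user, as in the thread
        else:
            delete.append(d.path)            # live malware/adware on disk
    return delete, review, quarantined


def build_cfscript(delete: List[str]) -> str:
    """Render the CFScript the helper posted: KillAll:: then a File:: list."""
    return "KillAll::\n\nFile::\n" + "\n".join(delete) + "\n"


if __name__ == "__main__":
    to_delete, to_review, _ = triage(SAMPLE_REPORT)
    print(build_cfscript(to_delete))
    print("Review with the user:", *to_review, sep="\n  ")
```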

 

 

 

 

Glad we could help. :)

 

Since this issue appears resolved ... this Topic is closed.

Edited by Juliet
