Solve : Trojan?? – InterviewSolution

InterviewSolution

1.	Solve : Trojan??
Answer» Hello I have McAfee total protection (supposedly!) & spybot installed on my sons laptop. I noticed that he was getting alot of pop ups even with pop up blockers ENABLED, specifically a poker one & also a spyware detected (winantispy.com) type which McAfee site advisor detects as red. Also, the settings in the internet options keep on automatically changing themselves to accept all cookies. And now, staring today, I can't open most applications like Spybot (nothing happens when I double click). On startup, McAfee detects & removes a Trojan found in C:\Documents and settings\My Name\Local Settings\Temp\snfjvkte.exe. (I don't seem to be able to locate the folder named Local Settings either) McAfee describes it as generic.dx Trojan (if this helps?). If I restart the computer, I am quickly able to start spybot but during the scan it terminates itself. Please can someone advise?The Local Settings folder is hidden by default, you have to go to Tools > Folder Options > View and select Show hidden files and folders. Obviously whatever malware that is running in the background is killing Spybot, you can manually download the newest detection updates (spybot_includes.exe) and apply them manually since you can't do it from within the application itself. Also update McAfee and then boot into safe mode (Hit F8 during startup). Do a full McAfee scan and Spybot scan while in safe mode and remove anything nasty they find. I also recommend that you download HiJackThis, do a scan and then post the log file here. That way myself or someone else can check to make SURE you're clean. Good luck, JPH HijackThis: http://www.spywareinfo.com/~merijn/programs.php Spybot Detection Updates: http://www.safer-networking.org/en/download/Wow, that's some brilliant advice! I'll get back to you... thanks!Ok, so I updated then tried booting in safe mode, but now I have another problem... In safe mode I can see my desktop for around 5 seconds, then it dissapears into blackness & I get the 'windows is running in safe mode' box asking me to select yes/no (no being a restore) I select yes to go into safe mode which returns me to my desktop, but the thing keeps popping back up, interrupting whatever I try to do! it happened about 10 times & in the end I just left it, the box closed itself & now all I have is a BLACK screen with safe mode in the 4 corners & the Microsoft jargan at the top... This isn't normal is it?I managed to perform a spybot scan in safe mode which found 33 items, but everytime I tried to open McAfee the safe mode pop up interrupted it. I rebooted after the spybot findings but nothing has changed. I got 2 Trojan removal messages from McAfee & also my cookies security level was set to accept everything again. I set my privacy to default & a few minutes later got the McAfee pop up saying that a change in the registry has been detected - obviously the little censored that's trying to change my cookie settings again. I also cannot run spybot - but I did do a Hijackthis scan:Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\ehome\ehtray.exe C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\McAfee\MSK\MskAgent.exe C:\Program Files\SiteAdvisor\6172\SiteAdv.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\JoyTech\JoytechNeoSTrayIcon.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\program files\common files\mcafee\mna\mcnasvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe C:\PROGRA~1\McAfee\MSC\mcpromgr.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\PROGRA~1\McAfee\MPS\mps.exe C:\Program Files\McAfee\MSK\MskSrver.exe C:\Program Files\SiteAdvisor\6172\SAService.exe C:\WINDOWS\system32\mqsvc.exe C:\Program Files\McAfee\MPS\mpsevh.exe C:\WINDOWS\system32\mqtgsvc.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\eHome\ehmsas.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\Program Files\Google\Google Updater\GoogleUpdater.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Documents and Settings\Louis\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66006 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66006 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66006 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=presario&pf=laptop O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [JOYTECH USB Neo S Controller] C:\Program Files\JoyTech\JoytechNeoSTrayIcon.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\hmlpwcpj.dll",sitypnow O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=presario&pf=laptop O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, INC. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe Run another HJT scan and put a check next to the following entry: O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\hmlpwcpj.dll",sitypnow Click the "Fix checked" button Now click on Config > Misc Tools > Delete a file on reboot and browse to the following file: C:\WINDOWS\system32\hmlpwcpj.dll Reboot and see if the problem persists. * note - system restore might actually be RESTORING malware and that might be what McAfee keeps detecting. You should turn off system restore until you're clean. Please post another HJT log file but this time before you do rename HijackThis.exe to something else, some malware will hide itself from the HijackThis.exe process. - JPHThanks for all your help so far JPH, I really appreciate this... Ok, I did what you said, only when I selected Delete a file on reboot HJT just closed. It only allowed me access that tool after renaming HJT but then I couldn't locate the file hmlpwcpj.dll (in fact, there were no files shown in the system folder) so I entered the path manually instead. I rebooted & same thing... privacy settings changed & 2 Trojan alerts, but I can now open Spybot (which is functioning abnormally). The 2 Trojan McAfee detections: C:\Documents and Settings\Louis\Temporary Internet Files\Content.IE5\B6F5ZZ6W\valera[1] C:\Documents and Settings\Louis\Local Settings\Temp\aguspaju.exe The HJT scan log:Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\program files\common files\mcafee\mna\mcnasvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe C:\PROGRA~1\McAfee\MSC\mcpromgr.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\PROGRA~1\McAfee\MPS\mps.exe C:\Program Files\McAfee\MSK\MskSrver.exe C:\Program Files\SiteAdvisor\6172\SAService.exe C:\WINDOWS\system32\mqsvc.exe C:\Program Files\McAfee\MPS\mpsevh.exe c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe C:\WINDOWS\system32\mqtgsvc.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\ehome\ehtray.exe C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\WINDOWS\eHome\ehmsas.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\McAfee\MSK\MskAgent.exe C:\Program Files\SiteAdvisor\6172\SiteAdv.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\JoyTech\JoytechNeoSTrayIcon.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\Google Updater\GoogleUpdater.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe c:\program files\mcafee\msc\mcshell.exe C:\PROGRA~1\McAfee\MSC\McLgView.exe C:\Documents and Settings\All Users\Start Menu\Programs\Security\bacon.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66006 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66006 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66006 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=presario&pf=laptop O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll O2 - BHO: (no name) - {1A4CD7C1-E016-4ABD-AE93-0664921557A1} - C:\WINDOWS\system32\ddabc.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Security\Spybot\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\flmlrjob.dll O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - C:\WINDOWS\system32\yaywtqr.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [JOYTECH USB Neo S Controller] C:\Program Files\JoyTech\JoytechNeoSTrayIcon.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\rpjqyixy.dll",sitypnow O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=presario&pf=laptop O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab O20 - Winlogon Notify: ddabc - C:\WINDOWS\system32\ddabc.dll O20 - Winlogon Notify: yaywtqr - C:\WINDOWS\SYSTEM32\yaywtqr.dll O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exeDownload VundoFix from here: http://vundofix.atribune.org Do a scan with it and remove any Vundo infections it finds. Then grab the C:\VundoFix.txt file and post it here. - JPH## part 1 ## VundoFix V6.5.9 Checking Java version... Java version is 1.5.0.6 Old versions of java are exploitable and should be removed. Java version is 1.5.0.10 Scan started at 04:28:56 07/10/2007 Listing files found while scanning.... C:\windows\system32\cbadd.bak1 C:\WINDOWS\system32\cbadd.bak2 C:\WINDOWS\system32\cbadd.ini C:\WINDOWS\system32\cbadd.ini2 C:\WINDOWS\system32\cbadd.tmp C:\windows\system32\ceqylnuv.dll C:\WINDOWS\system32\ddabc.dll C:\WINDOWS\system32\flmlrjob.dll C:\windows\system32\knarwknb.dll C:\WINDOWS\system32\mduqlynv.dll C:\WINDOWS\system32\rpjqyixy.dll C:\windows\system32\xnamrhux.ini C:\windows\system32\xuhrmanx.dll C:\WINDOWS\system32\yaywtqr.dll Beginning removal... Attempting to delete C:\windows\system32\cbadd.bak1 C:\windows\system32\cbadd.bak1 Has been deleted! Attempting to delete C:\WINDOWS\system32\cbadd.bak2 C:\WINDOWS\system32\cbadd.bak2 Has been deleted! Attempting to delete C:\WINDOWS\system32\cbadd.ini C:\WINDOWS\system32\cbadd.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\cbadd.ini2 C:\WINDOWS\system32\cbadd.ini2 Has been deleted! Attempting to delete C:\WINDOWS\system32\cbadd.tmp C:\WINDOWS\system32\cbadd.tmp Has been deleted! Attempting to delete C:\windows\system32\ceqylnuv.dll C:\windows\system32\ceqylnuv.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\ddabc.dll C:\WINDOWS\system32\ddabc.dll Could not be deleted Attempting to delete C:\WINDOWS\system32\flmlrjob.dll C:\WINDOWS\system32\flmlrjob.dll Could not be deleted. Attempting to delete C:\windows\system32\knarwknb.dll C:\windows\system32\knarwknb.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\mduqlynv.dll C:\WINDOWS\system32\mduqlynv.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\rpjqyixy.dll C:\WINDOWS\system32\rpjqyixy.dll Could not be deleted. Attempting to delete C:\windows\system32\xnamrhux.ini C:\windows\system32\xnamrhux.ini Has been deleted! Attempting to delete C:\windows\system32\xuhrmanx.dll C:\windows\system32\xuhrmanx.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\yaywtqr.dll C:\WINDOWS\system32\yaywtqr.dll Could not be deleted. Performing Repairs to the registry. Done! Beginning removal... Attempting to delete C:\WINDOWS\system32\cbadd.ini2 C:\WINDOWS\system32\cbadd.ini2 Has been deleted! Attempting to delete C:\WINDOWS\system32\ddabc.dll C:\WINDOWS\system32\ddabc.dll Could not be deleted. Attempting to delete C:\WINDOWS\system32\flmlrjob.dll C:\WINDOWS\system32\flmlrjob.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\rpjqyixy.dll C:\WINDOWS\system32\rpjqyixy.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\yaywtqr.dll C:\WINDOWS\system32\yaywtqr.dll Could not be deleted. Performing Repairs to the registry. Done!## part 2 ## Listing files found while scanning.... C:\windows\system32\cbadd.ini C:\WINDOWS\system32\ddabc.dll C:\WINDOWS\system32\yaywtqr.dll Beginning removal... Attempting to delete C:\windows\system32\cbadd.ini C:\windows\system32\cbadd.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\ddabc.dll C:\WINDOWS\system32\ddabc.dll Could not be deleted. Attempting to delete C:\WINDOWS\system32\yaywtqr.dll C:\WINDOWS\system32\yaywtqr.dll Could not be deleted. Performing Repairs to the registry. Done! Beginning removal... Attempting to delete C:\windows\system32\cbadd.ini C:\windows\system32\cbadd.ini Could not be deleted. Attempting to delete C:\WINDOWS\system32\ddabc.dll C:\WINDOWS\system32\ddabc.dll Could not be deleted. Attempting to delete C:\WINDOWS\system32\yaywtqr.dll C:\WINDOWS\system32\yaywtqr.dll Could not be deleted. Performing Repairs to the registry. Done! Beginning removal... VundoFix V6.5.9 Checking Java version... Java version is 1.5.0.6 Old versions of java are exploitable and should be removed. Java version is 1.5.0.10 Scan started at 04:47:57 07/10/2007 Listing files found while scanning.... C:\windows\system32\cbadd.ini C:\WINDOWS\system32\cbadd.ini2 C:\WINDOWS\system32\cbadd.tmp C:\WINDOWS\system32\ddabc.dll C:\WINDOWS\system32\yaywtqr.dll Beginning removal... Attempting to delete C:\windows\system32\cbadd.ini C:\windows\system32\cbadd.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\cbadd.ini2 C:\WINDOWS\system32\cbadd.ini2 Has been deleted! Attempting to delete C:\WINDOWS\system32\cbadd.tmp C:\WINDOWS\system32\cbadd.tmp Has been deleted! Attempting to delete C:\WINDOWS\system32\ddabc.dll C:\WINDOWS\system32\ddabc.dll Could not be deleted. Attempting to delete C:\WINDOWS\system32\yaywtqr.dll C:\WINDOWS\system32\yaywtqr.dll Could not be deleted. Performing Repairs to the registry. Done! Beginning removal... Attempting to delete C:\windows\system32\cbadd.ini C:\windows\system32\cbadd.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\cbadd.ini2 C:\WINDOWS\system32\cbadd.ini2 Has been deleted! Attempting to delete C:\WINDOWS\system32\ddabc.dll C:\WINDOWS\system32\ddabc.dll Could not be deleted. Attempting to delete C:\WINDOWS\system32\yaywtqr.dll C:\WINDOWS\system32\yaywtqr.dll Could not be deleted. Performing Repairs to the registry. Done! VundoFix V6.5.9 Checking Java version... Java version is 1.5.0.6 Old versions of java are exploitable and should be removed. Java version is 1.5.0.10 Scan started at 04:54:23 07/10/2007 Listing files found while scanning.... C:\windows\system32\cbadd.ini C:\WINDOWS\system32\ddabc.dll C:\WINDOWS\system32\yaywtqr.dll Beginning removal... Attempting to delete C:\windows\system32\cbadd.ini C:\windows\system32\cbadd.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\ddabc.dll C:\WINDOWS\system32\ddabc.dll Could not be deleted. Attempting to delete C:\WINDOWS\system32\yaywtqr.dll C:\WINDOWS\system32\yaywtqr.dll Could not be deleted. Performing Repairs to the registry. Done! Beginning removal... Attempting to delete C:\windows\system32\cbadd.ini C:\windows\system32\cbadd.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\ddabc.dll C:\WINDOWS\system32\ddabc.dll Could not be deleted. Attempting to delete C:\WINDOWS\system32\yaywtqr.dll C:\WINDOWS\system32\yaywtqr.dll Could not be deleted. Performing Repairs to the registry. Done!Great, progress.... Try and see if you can boot into safe mode now and delete the last two files... C:\WINDOWS\system32\ddabc.dll C:\WINDOWS\system32\yaywtqr.dll Before you do though run HJT again and make sure the following entries are gone, if not select them and "Fix Checked" O2 - BHO: (no name) - {1A4CD7C1-E016-4ABD-AE93-0664921557A1} - C:\WINDOWS\system32\ddabc.dll O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\flmlrjob.dll O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - C:\WINDOWS\system32\yaywtqr.dll O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\rpjqyixy.dll",sitypnow O20 - Winlogon Notify: ddabc - C:\WINDOWS\system32\ddabc.dll O20 - Winlogon Notify: yaywtqr - C:\WINDOWS\SYSTEM32\yaywtqr.dll - JPH

Discussion

No Comment Found

Related InterviewSolutions