Explorer.exe Reloading and crashing

#1
thrum
Nov 2nd, 2007
RE: Hi,

I'm having the same problem. My computer starts up, then my Explorer.exe flickers for a while and then just exits, without warning or messages. I ran HJT.exe and got:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:46:52 PM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL\MySQL Server 6.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Compaq_Owner\Desktop\imabunny.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SystemApp - {163D9676-810E-11DC-8314-0800200C9A66} - C:\Program Files\SystemApp\ie-improver.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {2429C56A-A701-43E5-B355-95BAA8F13158} - C:\WINDOWS\system32\mllmn.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS Security service\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\TELUS\TELUS Security service\FreeBHOR.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\yayxyab.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: yayxyab - C:\WINDOWS\SYSTEM32\yayxyab.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 8488 bytes

I just recently started getting it. It was working before I left for school one morning; I came home and it started. I'm the only one with the PW for my computer. I did download something, but never installed it; in fact I deleted it before it even finished. It was just an addon for World Of Warcraft.
#2
Suspishio
Nov 2nd, 2007
I can see you've tried to get rid of some trojan or other (Winser.exe), as it is listed as "file missing" in the HJT list.
--------------------------------------------------------
O2 - BHO: (no name) - {2429C56A-A701-43E5-B355-95BAA8F13158} - C:\WINDOWS\system32\mllmn.dll
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\yayxyab.dll
O20 - Winlogon Notify: yayxyab - C:\WINDOWS\SYSTEM32\yayxyab.dll
---------------------------------------------------------

At least the above are identifiable baddies. If you know the date and approximate time that it could have happened, then you can hunt for clumps of silly-named files around the same timeline. When you've fixed the timeline more precisely, you can search for any files created at the same time; they are suspect. Look for any EXE files in C:\ and get rid of them manually if necessary.

You should read the other SOLVED posts in this forum and use the method described in the thread, using tools such as ComboFix and others.

Some kind heart might take you through the steps - but if I were you I'd just get on with it in a methodical manner.

Each time you reboot, the trojan will load and likely spawn. Note the time of reboot so that you can spot the file size of spawned trojans so that you can be sure of what you are deleting as you work your way through your system.

Whichever method you choose for ridding yourself of the trojan, it's a long haul.
Suspishio
My advice is at your risk
Qosmio G50-10H; T9400 2.53GHz Core 2 Duo; 4GB RAM; Vista HP (32)
nForce 680i LT; Q6600 Quad Core 2.4GHz; 8GB RAM; XP Pro (64)
Dell XPS M1710; T7200 2GHz Core 2 Duo; 2GB RAM; XP Pro (32)
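The identification Suspishio does by eye in the post above (unnamed BHOs in system32, a Winlogon Notify handler with a random name, services whose binary has gone missing) can be written down as a filter over HijackThis entry types. What follows is an added example, not part of this thread and not HijackThis code; the sample lines are copied from the log in post #1, while the three flagging rules and the small Winlogon Notify allowlist are this example's own assumptions.

```python
"""Triage a HijackThis (HJT) log: flag the entry types a responder would
look at first. Added example; the rules below are assumptions, not HJT's."""
import re
from dataclasses import dataclass

# Winlogon Notify handlers that are expected on an XP box. Assumption: this
# short allowlist is an illustration, not an authoritative list.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui", "atiextevent",
}

# HJT entries start with a section code such as R1, O2, O20, O23.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+)\s+-\s+(?P<body>.+)$")


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O20"
    reason: str    # why the rule fired
    line: str      # the log line exactly as written


def triage_hjt(log_text: str) -> list:
    """Return a Finding for every line that trips one of three rules."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                       # headers, process list, blanks
        sec, body = m.group("sec"), m.group("body")
        lower = body.lower()
        if sec == "O2" and "(no name)" in body and lower.endswith(".dll"):
            # A BHO with no description that still loads a real DLL: a
            # "(no file)" leftover is harmless, a nameless live DLL is not.
            findings.append(Finding(sec, "unnamed BHO backed by a real DLL", line))
        elif sec == "O20" and lower.startswith("winlogon notify:"):
            # Notify packages are loaded into winlogon.exe at every logon,
            # so anything outside the allowlist deserves a look.
            name = body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                findings.append(Finding(sec, "unexpected Winlogon Notify handler", line))
        elif sec == "O23" and "(file missing)" in body and "unknown owner" in lower:
            # Binary gone and no vendor: a half-removed dropper, or an
            # unquoted service path that HJT could not resolve.
            findings.append(Finding(sec, "unknown-owner service with missing binary", line))
    return findings


# Sample lines copied from the HJT log posted earlier in this thread.
SAMPLE_HJT = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SystemApp - {163D9676-810E-11DC-8314-0800200C9A66} - C:\Program Files\SystemApp\ie-improver.dll
O2 - BHO: (no name) - {2429C56A-A701-43E5-B355-95BAA8F13158} - C:\WINDOWS\system32\mllmn.dll
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\yayxyab.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: yayxyab - C:\WINDOWS\SYSTEM32\yayxyab.dll
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"{f.section:<4} {f.reason}: {f.line}")
```

Two caveats show up immediately on this log. The O23 rule also fires on "C:\Program.exe (file missing)", which is usually HJT's way of showing an unquoted service path into C:\Program Files rather than a dropper, so every hit is a lead to review, not a verdict. And the SystemApp BHO (ie-improver.dll), which ComboFix later removes in this thread, has a name and a real file, so a name-based rule walks straight past it; entries with no recognisable vendor behind them need the same manual look.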
#3
gerbil
Nov 2nd, 2007
Hi, Suspishio. thrum tagged onto another thread and I asked him to post anew; I had already made up my reply, so I'm just going to paste it here. Hope you don't mind?
Beauty, thrum ... this saves a lot of confusion, and you don't want me confused, now do you?
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!

=ComboFix: [normal mode is fine] - to run it, double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

Post the contents of C:\vundofix.txt, Combofix.txt plus a new HijackThis log.
Deep, deep in the woods, but walking about.
#4
Suspishio
Nov 2nd, 2007
@ Gerbil

I'm grateful you stepped in/continued.

I feel sorry for people with zero replies and I like to point them to the method I employ (which I wish would be stickied - 2nd Sep 07) and which I'm fully qualified to speak to.

So if none of you Vundo pros reply, I help out by identifying the baddies and giving them a hybrid of my method combined with ComboFix. I think I've got one cured that way out of three; not good enough for my taste.

Anyway, back to you for now and sticky my post!
#5
thrum
Nov 2nd, 2007
Thank you, "Gerbil"!

Combofix.exe has fixed my problem!

The other program didn't seem to work for me. I rebooted and started in safe mode, but nothing...

Here is the log for Combofix.exe:

ComboFix 07-11-01.1 - Compaq_Owner 2007-11-02 17:31:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.257 [GMT -7:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\SystemApp
C:\Program Files\SystemApp\bho.dat
C:\Program Files\SystemApp\er.dat
C:\Program Files\SystemApp\ie-improver.dll
C:\Program Files\SystemApp\uninstall.exe
C:\WINDOWS\msvrc20.dll
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\mllmn.dll
C:\WINDOWS\system32\nmllm.bak1
C:\WINDOWS\system32\nmllm.bak2
C:\WINDOWS\system32\nmllm.ini
C:\WINDOWS\system32\sysdl132.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-02 17:28 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-28 10:43 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\fretsonfire
2007-10-28 10:42 <DIR> d-------- C:\Program Files\Frets on Fire
2007-10-23 19:54 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-10-23 19:54 99,865 --a------ C:\WINDOWS\system32\dllcache\xlog.exe
2007-10-23 19:54 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-10-23 19:54 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-10-23 19:54 19,455 --a------ C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-10-23 19:54 19,328 --a------ C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-10-23 19:54 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-10-23 19:54 16,970 --a------ C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-10-23 19:54 4,608 --a------ C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-10-23 19:44 252,032 --a------ C:\WINDOWS\system32\dllcache\sis300iv.dll
2007-10-23 19:44 161,568 --a------ C:\WINDOWS\system32\dllcache\sgsmusb.sys
2007-10-23 19:44 150,144 --a------ C:\WINDOWS\system32\dllcache\sis6306v.dll
2007-10-23 19:44 101,760 --a------ C:\WINDOWS\system32\dllcache\sis300ip.sys
2007-10-23 19:44 68,608 --a------ C:\WINDOWS\system32\dllcache\sis6306p.sys
2007-10-23 19:44 41,088 --a------ C:\WINDOWS\system32\dllcache\sisagp.sys
2007-10-23 19:44 3,901 --a------ C:\WINDOWS\system32\dllcache\siint5.dll
2007-10-23 19:30 27,136 --a------ C:\WINDOWS\system32\dllcache\irmon.dll
2007-10-23 19:30 26,624 --a------ C:\WINDOWS\system32\dllcache\irstusb.sys
2007-10-23 19:30 23,552 --a------ C:\WINDOWS\system32\dllcache\irmk7.sys
2007-10-23 19:30 18,688 --a------ C:\WINDOWS\system32\dllcache\irsir.sys
2007-10-23 19:30 14,848 --a------ C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-10-23 19:30 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd106.dll
2007-10-23 19:30 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-10-23 19:30 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd101b.dll
2007-10-23 19:30 5,632 --a------ C:\WINDOWS\system32\dllcache\kbd103.dll
2007-10-23 15:06 33,792 --a------ C:\WINDOWS\system32\yayxyab.dll
2007-10-18 21:07 <DIR> d-------- C:\Program Files\World of Warcraft (2.2.3)
2007-10-10 15:07 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-10-08 19:57 <DIR> d-------- C:\Program Files\Mumble
2007-10-03 15:49 <DIR> d-------- C:\wamp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-01 23:38 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\IGN_DLM
2007-10-30 21:53 --------- d-----w C:\Program Files\Common Files\Command Software
2007-10-30 21:52 --------- d-----w C:\Program Files\Common Files\PestPatrol
2007-10-23 01:00 --------- d-----w C:\Program Files\Steam
2007-10-21 07:02 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Hamachi
2007-10-20 07:21 --------- d-----w C:\Program Files\World of Warcraft (2.2.2)
2007-10-19 05:04 --------- d-----w C:\Program Files\SQLyog Community
2007-10-10 22:06 --------- d-----w C:\Program Files\directx
2007-10-08 22:46 --------- d-----w C:\Program Files\Teamspeak2_RC2
2007-10-06 04:29 38 ----a-w C:\Program Files\realmlist.wtf
2007-10-01 13:18 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Turbine
2007-10-01 13:16 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\GetRightToGo
2007-10-01 04:34 --------- d-----w C:\Program Files\EA GAMES
2007-09-24 17:11 --------- d-----w C:\Documents and Settings\Mom\Application Data\Skype
2007-09-19 05:33 --------- d-----w C:\Program Files\Common Files\EasyInfo
2007-09-18 22:53 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Xfire
2007-09-18 05:51 --------- d-s---w C:\Program Files\Xfire
2007-09-10 00:57 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-10 00:57 22,328 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\PnkBstrK.sys
2007-09-08 17:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-09-03 05:06 25,544 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-09-03 04:36 --------- d-----w C:\Program Files\Hamachi
2007-05-25 02:25 1,674 -c--a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2006-12-07 14:48 242 -c--a-w C:\Documents and Settings\Mom\Application Data\wklnhst.dat
2005-07-15 03:50:10 10,240 -csha-w C:\WINDOWS\rnapxs\rnapxs.dat
2005-09-16 20:50:30 22 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]
2007-10-23 15:06 33792 --a------ C:\WINDOWS\system32\yayxyab.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TEPA.exe"="C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" [2007-03-20 17:48]
"TELUS Security service"="C:\Program Files\TELUS\TELUS Security service\Freedom.exe" [2005-05-19 15:56]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

C:\Documents and Settings\Mom\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCpl"=0 (0x0)
"DisableChangePassword"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuPinnedList"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoUserNameInStartMenu"=0 (0x0)
"NoStartMenuSubFolders"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoPrinterTabs"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoPrinters"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoShellSearchButton"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoRecentDocsNetHood"=0 (0x0)
"NoChangeAnimation"=0 (0x0)
"NoChangeKeyboardNavigationIndicators"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"= C:\WINDOWS\system32\yayxyab.dll [2007-10-23 15:06 33792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxyab]
yayxyab.dll 2007-10-23 15:06 33792 C:\WINDOWS\system32\yayxyab.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mllmn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SDhelper"=2 (0x2)
"RichVideo"=2 (0x2)
"iPodService"=3 (0x3)

S2 Win PPPe;Win PPPe;C:\WINDOWS\system32\winser.exe
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80

.
Contents of the 'Scheduled Tasks' folder
"2007-11-02 09:57:02 C:\WINDOWS\Tasks\SmartDefrag.job"
- C:\Program Files\IObit\IObit SmartDefrag\schedule.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 17:55:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-02 17:59:29 - machine was rebooted
.
--- E O F ---


I'm sorry, "Suspishio", but I did not really understand how you were telling me to fix it; I kept reading it over and over but didn't quite understand. Thank you for trying to help me though!
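Suspishio's timeline method from post #2 (find the clump of files created around the same time as a known bad one) can be applied directly to the "Files Created" section of the ComboFix log above. The following is an added example, not from this thread and not ComboFix's own code; the line format is inferred from the log as quoted, the sample lines are copied from it, and the five-minute grouping window is this example's own choice.

```python
"""Group a ComboFix 'Files Created' listing by creation time so that files
dropped together can be inspected together. Added example, not ComboFix code."""
import re
from datetime import datetime, timedelta

# "2007-10-23 15:06 33,792 --a------ C:\WINDOWS\system32\yayxyab.dll"
# "2007-10-28 10:42 <DIR> d-------- C:\Program Files\Frets on Fire"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attr>\S+)\s+(?P<path>.+)$"
)


def parse_created(text: str) -> list:
    """Return (created, size_bytes_or_None, path) for every parseable line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # section banners, dots, blanks
        created = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M")
        size = None if m.group("size") == "<DIR>" else int(m.group("size").replace(",", ""))
        entries.append((created, size, m.group("path")))
    return entries


def cluster_by_time(entries: list, window_minutes: int = 5) -> list:
    """Greedy chaining: an entry joins the open cluster when it was created
    within `window_minutes` of the previous entry in time order."""
    gap = timedelta(minutes=window_minutes)
    clusters, current = [], []
    for e in sorted(entries, key=lambda e: e[0]):
        if current and e[0] - current[-1][0] > gap:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return clusters


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def cluster_of(clusters: list, file_name: str) -> list:
    """The cluster that contains a file of the given name, or [] if absent."""
    for c in clusters:
        if any(basename(e[2]) == file_name.lower() for e in c):
            return c
    return []


# Sample lines copied from the ComboFix log quoted in this thread.
SAMPLE_CREATED = r"""
((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.
2007-11-02 17:28 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-28 10:43 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\fretsonfire
2007-10-28 10:42 <DIR> d-------- C:\Program Files\Frets on Fire
2007-10-23 19:54 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-10-23 19:54 99,865 --a------ C:\WINDOWS\system32\dllcache\xlog.exe
2007-10-23 19:54 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-10-23 19:44 252,032 --a------ C:\WINDOWS\system32\dllcache\sis300iv.dll
2007-10-23 19:44 161,568 --a------ C:\WINDOWS\system32\dllcache\sgsmusb.sys
2007-10-23 15:06 33,792 --a------ C:\WINDOWS\system32\yayxyab.dll
2007-10-18 21:07 <DIR> d-------- C:\Program Files\World of Warcraft (2.2.3)
"""

if __name__ == "__main__":
    for c in cluster_by_time(parse_created(SAMPLE_CREATED)):
        print(f"{c[0][0]:%Y-%m-%d %H:%M}  {len(c)} file(s)")
        for created, size, path in c:
            print(f"    {created:%H:%M}  {size if size is not None else '<DIR>':>9}  {path}")
```

On this log the method gives two different pictures. yayxyab.dll sits alone at 15:06 on 2007-10-23 (the file VundoFix later finds), while the 19:44 and 19:54 bursts are dozens of driver and dllcache files with ordinary Windows names, which is what a driver or servicing install looks like. Cluster size alone is therefore not a verdict; the cluster is the set of files to examine together, and a one-file cluster in system32 with a random name is exactly the "silly-named file" the method is after.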
#6
thrum
Nov 2nd, 2007
Sadly... it's not solved, it's doing the same thing again. It was fine for about an hour, then just... yeah.

I was only on MSN to send an e-mail and talk to a few people then it started up as I closed MSN.
#7
gerbil
Nov 3rd, 2007
I can see a Vundo file remaining in the ComboFix log. I know VundoFix can remove it; perhaps you should download a fresh copy and try again. We cannot just delete it because it would have files waiting to recreate it, and those do not show themselves.
#8
thrum
Nov 3rd, 2007
Alrighty, I got it to run, but it did not fix the problem.


VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 9:58:17 PM 11/2/2007

Listing files found while scanning....

C:\windows\system32\yayxyab.dll

Beginning removal...

Attempting to delete C:\windows\system32\yayxyab.dll
C:\windows\system32\yayxyab.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 10:05:41 PM 11/2/2007

Listing files found while scanning....

C:\windows\system32\yayxyab.dll

Attempting to delete C:\windows\system32\yayxyab.dll
C:\windows\system32\yayxyab.dll Has been deleted!

Performing Repairs to the registry.
Done!
________________________________________

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:12:57 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\MySQL\MySQL Server 6.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Compaq_Owner\Desktop\backups\imabunny.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {376339FC-F23C-430B-8FF6-E3F6BDC0C859} - C:\WINDOWS\system32\geebc.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS Security service\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\TELUS\TELUS Security service\FreeBHOR.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 8228 bytes
gerbil (Nearly a Senior Poster; Join Date: May 2005; Posts: 3,204; Solved Threads: 188)

Re: Explorer.exe Reloading and crashing
#9, Nov 3rd, 2007
Another vundo popped up:
O2 - BHO: (no name) - {376339FC-F23C-430B-8FF6-E3F6BDC0C859} - C:\WINDOWS\system32\geebc.dll
Deep, deep in the woods, but walking about.
gerbil (Nearly a Senior Poster; Join Date: May 2005; Posts: 3,204; Solved Threads: 188)

Re: Explorer.exe Reloading and crashing
#10, Nov 3rd, 2007
thrum, let's clean up your log entries first; start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {376339FC-F23C-430B-8FF6-E3F6BDC0C859} - C:\WINDOWS\system32\geebc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

Good. Now to remove this service:
O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)
==Go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific service, rclick it, select properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now....

Okay. Note that I have modified the Vundofix run instructions. Please delete C:\Vundofix.txt:
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the "Add more files?" line, paste into the new window this pathname:

C:\WINDOWS\system32\geebc.dll

Click the Add Files button, and next the Remove Vundo button.******
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Post the contents of C:\vundofix.txt plus a new HijackThis log.

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.
__________________________________________________________

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E992732-295F-4987-8BE3-16FAC1639198}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"= -
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00
__________________________________________________________

Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start, let it run, if your firewall prompts then allow all; post the log.

So. Post vundofix, combofix and a fresh hijackthis log [normal mode].
Deep, deep in the woods, but walking about.
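A small triage script for log lines in the HijackThis format used throughout this thread, added here as an illustration (it is not something gerbil or anyone in the thread posted): it parses O2 and O23 entries and flags the same traits the replies act on, namely a missing target file, an unknown service owner, a nameless BHO, and a binary sitting at the drive root such as C:\Program.exe. The sample lines are taken from the log above; the flag names and the root-level heuristic are this example's own.

```python
import re
from dataclasses import dataclass, field

# Sample HijackThis lines, copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {376339FC-F23C-430B-8FF6-E3F6BDC0C859} - C:\WINDOWS\system32\geebc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)
"""

# "O23 - Service: <name> - <owner> - <path>"  /  "O2 - BHO: <name> - {CLSID} - <path>"
ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<rest>.+)$")
# An .exe directly under the drive root, e.g. C:\Program.exe (unquoted-path residue).
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)

@dataclass
class Finding:
    section: str
    name: str
    target: str
    flags: list = field(default_factory=list)

def parse_entry(line):
    """Split one O2/O23-style line into (section, name, middle, target), or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("rest").rsplit(" - ", 2)   # rsplit: display names may contain " - "
    if len(parts) != 3:
        return None
    name, middle, target = parts
    return m.group("section"), name, middle, target

def triage(log_text):
    """Return one Finding per parsable entry, with the traits a reviewer would check."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, name, middle, target = parsed
        flags = []
        if target.endswith("(file missing)") or target == "(no file)":
            flags.append("target missing")      # stale entry, or a component already removed
        if section == "O23" and middle == "Unknown owner":
            flags.append("unknown owner")       # service binary carries no vendor information
        if name == "(no name)":
            flags.append("no name")             # anonymous BHO, the pattern seen with Vundo
        if ROOT_EXE_RE.match(target.replace(" (file missing)", "")):
            flags.append("root-level binary")   # e.g. C:\Program.exe from an unquoted path
        findings.append(Finding(section, name, target, flags))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, f.name, f.flags)
```

Entries with no flags (such as the HP service above) are the ones to leave alone; everything flagged is a candidate for the Fix Checked or sc delete steps described in the post, after checking the binary by hand.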
©2003 - 2009 DaniWeb® LLC