I seem to have a problem similar to many others. Symptoms include -
- fake Windows Security Center screen pops up often
- red background 'trojan found' download screen pops up often
- random pop ups in taskbar warning about malware, slow PC, etc
- Disabled Task Manager
- System seems to 'refresh' every minute or so
- Ad aware, Spybot and Spyware doctor repeatedly find & clean malware, but it returns
- Symantec unable to detect any problem (after I did the SDFix as suggested in other posts)
- Browsers are often not taking me to the expected site. There are some anti-malware sites which seem to be blocked, or I am unable to open pages which mention this problem
- Before running SDFix, I could not even open Notepad because of 'Data Execution Prevention'

I've already run Symantec Antivirus, Ad aware, Spybot, Spyware Doctor and SDFix and the problem is not yet fixed (maybe some small symptoms are gone after running SDFix).

I've listed below the logs for SDFix and HijackThis. Can someone help plz!!

=====
SDFix
=====

SDFix: Version 1.183
Run by Administrator on Sun 05/18/2008 at 09:42 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\Program Files\ISM\Uninstall.exe - Deleted
C:\Program Files\QdrPack\dictys.gz - Deleted
C:\Program Files\QdrPack\QdrPack16.exe - Deleted
C:\Program Files\QdrPack\trgtys.gz - Deleted
C:\Program Files\QdrModule\dicy.gz - Deleted
C:\Program Files\QdrModule\kwdy.gz - Deleted
C:\Program Files\QdrModule\pckr.dat - Deleted
C:\Program Files\QdrModule\QdrModule16.exe - Deleted
C:\WINDOWS\x.exe - Deleted
C:\WINDOWS\y.exe - Deleted
C:\WINDOWS\mrofinu72.exe - Deleted
C:\WINDOWS\system32\000060.exe - Deleted
C:\WINDOWS\system32\000090.exe - Deleted
C:\WINDOWS\explore.exe - Deleted
C:\WINDOWS\explorer32.exe - Deleted
C:\WINDOWS\hosts - Deleted
C:\WINDOWS\iexplorer.exe - Deleted
C:\WINDOWS\internet.exe - Deleted
C:\WINDOWS\loader.exe - Deleted
C:\WINDOWS\svchost32.exe - Deleted
C:\WINDOWS\system\del.exe - Deleted
C:\WINDOWS\system\delnew.exe - Deleted
C:\WINDOWS\system\run.exe - Deleted
C:\WINDOWS\system32\ctfmona.exe - Deleted
C:\WINDOWS\system32\drivers\hosts - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\scvhost.exe - Deleted


Could Not Remove C:\WINDOWS\default.htm

Folder C:\Program Files\ISM - Removed
Folder C:\Program Files\QdrPack - Removed
Folder C:\Program Files\QdrModule - Removed
Folder C:\Temp\tmpvc14 - Removed
Folder C:\WINDOWS\system32\dFrnx06 - Removed


Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 22:03:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6b89ac5f]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001a6b89ac5f]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData]
"affid"="7"
"subid"="run04"
"control"=hex:1a,00,15,13,07,11,18,1f,14,0a,49,09,4b,1a,09,50,11,e5,f5
"prov"="10010"
"googleadserver"="pagead2.googlesyndication.com"
"flagged"=dword:00000001

scanning hidden files ...

C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\dllcache\clb.dll 10752 bytes executable
C:\WINDOWS\system32\dllcache\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\dllcache\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\wbem\Performance\WmiApRpl_new.h
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbdll.dll 31560 bytes executable
C:\WINDOWS\system32\clbinit.dll 1695 bytes
C:\WINDOWS\explore.exe 9472 bytes
C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll 501248 bytes executable
C:\WINDOWS\loader.exe 17152 bytes
C:\WINDOWS\x.exe 25344 bytes
C:\WINDOWS\y.exe 24576 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 18


Remaining Services :


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Microsoft Office Communicator\\communicator.exe"="C:\\Program Files\\Microsoft Office Communicator\\communicator.exe:*:Enabled:Communicator"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"="C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe:*:Enabled:VNC Viewer Free Edition for Win32"
"C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"="C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe:*:Enabled:VNC Server Free Edition for Win32"
"C:\\Program Files\\TurboNote\\tbnote.exe"="C:\\Program Files\\TurboNote\\tbnote.exe:*:Disabled:TurboNote+ v5.4"
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

C:\WINDOWS\x.exe Found
C:\WINDOWS\y.exe Found
C:\WINDOWS\default.htm Found
C:\WINDOWS\explore.exe Found
C:\WINDOWS\explorer32.exe Found
C:\WINDOWS\iexplorer.exe Found
C:\WINDOWS\internet.exe Found
C:\WINDOWS\loader.exe Found
C:\WINDOWS\svchost32.exe Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 11 Jul 1995 1,024 A..H. --- "C:\WINDOWS\system32\msfxmod.dll"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\00f932366044af6c9aa413d367f80bfa\BITB.tmp"
Wed 5 Dec 2007 806,792 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\011291fb1e304665ed7f77a777f64bac\BIT1F.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0b4a0aa515e3526be8be845f8fb14d68\BIT31.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0da824503ca1c3e90b886dc1a7eedb62\BIT1E.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\210e9658ba504a4e676fdc8293c28756\BIT35.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2234e01389c67a5d72ffaae7ea7937ec\BIT1D.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26b3a91c3830dc36c0d2ac9e21d4a70a\BIT3C.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\27162e91fae06dff58ec979c0ad1508d\BIT3D.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2be8e661c9ad564be1005715aa5505ed\BIT34.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\300221ce00fef71aabf969a51f4725aa\BIT42.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3120d46f31a1a28ab5d17e1807e09502\BIT24.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3335d6d51c92347e2c58e8243920e8f0\BIT38.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3364e85ddf9b36baf1e4fb1e036cd6fe\BIT37.tmp"
Wed 5 Dec 2007 152,048 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3ebdd704a145dc82e5483ea404a98de4\BIT33.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4d42ba506286ccfd27233b3f815ef0c5\BIT49.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\525f70e65f50e7f7850ba3ead7b7a533\BITD.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\599ad93299e815bb1996559f1946b465\BIT39.tmp"
Wed 5 Dec 2007 584,944 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5a57d91f205dacba3a146472b2f4f3dd\BIT45.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6ce5ee9c63cd859953b8027afcf332f5\BIT32.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6cf924efca3e964cebbe365fca5d88fe\BIT40.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6ff438948c479223526a765d8c9cd052\BIT44.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\721f1f154762b811ccaa831e48765de8\BIT3B.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8202a87a23ae78e642b952d4facfb1bf\BIT43.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\95dae0a188fd8ac2449b8643e55140b4\BIT23.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ac0f37e8ea8f6e67e6c1034cf194ea69\BIT29.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b033a081ef46294eda627005e68ea296\BITAC.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b0a4f9ee4ec66bd754f402ea3772aa73\BITC.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc3ca06ca40f38d0b342d28e0dd729e5\BIT3F.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c670f7cd52f1c20bd4d19794867e0be5\BIT33.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c6ab7a8424130c6ef4783ac19cbd8bc2\BIT2E.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c81d784e37337f64e60063350e730249\BIT21.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d462653d3ca23af3881dbdf38ce3b162\BIT2D.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d8476e74c66d46e43dd5810b5f30533c\BIT36.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\df283b90e549915deff7f0916f6633be\BIT37.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e0fcc3773c784ec7401de40979ada1c3\BIT3D.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fc374765d0897b8bfa5c268d68761a62\BITAA.tmp"
Wed 5 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\04d908a40d2a56f1839c94a50e50b3ce\download\BITAB.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3d8779e21b73836b9d84010dfedbfa46\download\BIT30.tmp"
Thu 6 Dec 2007 4,190 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\40367b303fc641df920cf979184e6ffb\download\BIT48.tmp"
Wed 5 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6058b59e94ad2eacea6b4ae55e24f05f\download\BIT1B.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\68b3c84985c6fb6c7d03e52c9d4f464f\download\BIT2D.tmp"
Wed 5 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\932bb2043baa98f3459c11ca75e519a9\download\BIT20.tmp"
Thu 6 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b380a5c29d388b0ba6b51d43ad9ba2a0\download\BIT36.tmp"
Wed 5 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ba0dcc1bd89bbf45f0b2cf546a9684fd\download\BIT3F.tmp"
Wed 5 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f86ec1451c6e2cbb1c4fe73253a36e29\download\BIT14.tmp"

Finished!


================
Log of Hijack This
================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:56 PM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\xwusuhzh.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\TurboNote\tbnote.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\byXPIxur.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.aajtak.com/wfplayer/tdserver.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1196978668281
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HCLT.CORP.HCL.IN
O17 - HKLM\Software\..\Telephony: DomainName = HCLT.CORP.HCL.IN
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECD3983B-2557-43E5-B3B8-1B423E068071}: NameServer = 192.168.10.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HCLT.CORP.HCL.IN
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = HCLT.CORP.HCL.IN
O20 - Winlogon Notify: byXPIxur - C:\WINDOWS\SYSTEM32\byXPIxur.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Virtual PDF Printer (Service1) - Unknown owner - C:\Program Files\Virtual PDF Printer\VirtualPrinting.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
--
End of file - 10144 bytes
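
As an added example (not part of this thread or of HijackThis itself), here is a small Python triage of the entry types that turned out to be the infection above: the F2 UserInit chain carrying xwusuhzh.exe, the unnamed O2 BHO and O20 Winlogon Notify entry that both point at byXPIxur.dll, and the orphaned "(no file)" BHOs. The Winlogon Notify baseline is an assumption taken from a default XP SP2 install, and the sample lines are a constructed subset copied from the logs in this thread.

```python
"""Triage HijackThis entries for the persistence patterns seen in this thread."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Winlogon\Notify subkeys present on a default Windows XP SP2 install.
# Assumption for this example: extend it to match your own baseline image.
XP_NOTIFY_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Constructed sample: a subset of lines copied from the two HijackThis logs
# posted in this thread, plus a benign Adobe BHO and an O4 entry for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\byXPIxur.dll
O2 - BHO: {18213ef4-e4fe-8c28-4004-162b45c0e189} - {981e0c54-b261-4004-82c8-ef4e4fe31281} - C:\WINDOWS\system32\vywpvewr.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: byXPIxur - C:\WINDOWS\SYSTEM32\byXPIxur.dll
"""

# Every HijackThis entry line is "<section> - <body>", e.g. "O2 - BHO: ...".
HJT_LINE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")


@dataclass
class Finding:
    severity: str   # "high" or "low"
    section: str    # HijackThis section tag, e.g. "F2", "O20"
    reason: str
    line: str       # the offending log line, verbatim


def parse_hjt(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, body, raw_line) for each HijackThis entry line."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = HJT_LINE.match(raw)
        if m:
            yield m.group(1), m.group(2), raw


def _check_userinit(body: str, raw: str) -> Optional[Finding]:
    # The stock XP value is exactly "C:\WINDOWS\system32\userinit.exe,".
    # Every other path in the comma-separated chain runs at each logon.
    value = body.partition("UserInit=")[2]
    extras = [p for p in value.split(",")
              if p and not p.lower().endswith("\\userinit.exe")]
    if extras:
        return Finding("high", "F2",
                       "extra executable in UserInit chain: " + ", ".join(extras), raw)
    return None


def _check_bho(body: str, raw: str) -> Optional[Finding]:
    # Body layout: "BHO: <name> - {CLSID} - <dll path or (no file)>"
    parts = [p.strip() for p in body[len("BHO:"):].split(" - ")]
    if len(parts) < 3:
        return None
    name, path = parts[0], parts[-1]
    if path == "(no file)":
        return Finding("low", "O2", "orphaned BHO registration (no file)", raw)
    # A BHO with no name (or a GUID as its name) whose DLL lives in
    # system32 matches the Vundo-style entries in the thread.
    if (name == "(no name)" or name.startswith("{")) and "\\system32\\" in path.lower():
        return Finding("high", "O2", "unnamed BHO loading from system32", raw)
    return None


def _check_winlogon_notify(body: str, raw: str) -> Optional[Finding]:
    # Body layout: "Winlogon Notify: <subkey> - <dll path>"
    subkey = body[len("Winlogon Notify:"):].split(" - ")[0].strip()
    if subkey.lower() not in XP_NOTIFY_BASELINE:
        return Finding("high", "O20",
                       f"non-baseline Winlogon Notify package '{subkey}'", raw)
    return None


def triage(text: str) -> List[Finding]:
    """Return the suspicious entries in a HijackThis log, in log order."""
    findings: List[Finding] = []
    for section, body, raw in parse_hjt(text):
        finding = None
        if section == "F2" and "UserInit=" in body:
            finding = _check_userinit(body, raw)
        elif section == "O2" and body.startswith("BHO:"):
            finding = _check_bho(body, raw)
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            finding = _check_winlogon_notify(body, raw)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section}: {f.reason}\n        {f.line}")
```

Run against the sample it reports five entries (four high, one low) and leaves the named Adobe BHO and the Symantec O4 entry alone; pointing it at a saved hijackthis.log instead of SAMPLE_LOG gives the same first-pass triage for a fresh log.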

Can you also do the following:

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post new HJT log.

Hi,

I apologize for the delayed response. The trojans were preventing me from downloading these files. Also, my browser was getting redirected to other sites...anyway, finally I managed to run these tools, and voila...everything seems to be running fine!

I ran MAM twice. The first time I ran it, I found and cleaned quite a few trojans. Then I ran my Symantec antivirus, Dr.Web Cureit and also Spybot. After that I ran MAM again and the problem 'seems' to be cured.

Here are the logs after the second run. Please advise if I need to do anything more. Thanks a lot!!


======
MAM log
======

Malwarebytes' Anti-Malware 1.12
Database version: 775
Scan type: Quick Scan
Objects scanned: 37060
Time elapsed: 5 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\byXPIxur.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c7bbc1fa-e415-4926-9a47-9ab58d0b3bc8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c7bbc1fa-e415-4926-9a47-9ab58d0b3bc8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxpixur (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{c7bbc1fa-e415-4926-9a47-9ab58d0b3bc8} (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\byXPIxur.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\clbdll.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

=============
HiJack This log
=============

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:46 PM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TurboNote\tbnote.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: {18213ef4-e4fe-8c28-4004-162b45c0e189} - {981e0c54-b261-4004-82c8-ef4e4fe31281} - C:\WINDOWS\system32\vywpvewr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Virtual PDF Printer] C:\Program Files\Virtual PDF Printer\VirtualPDFPrinter.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.aajtak.com/wfplayer/tdserver.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1196978668281
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HCLT.CORP.HCL.IN
O17 - HKLM\Software\..\Telephony: DomainName = HCLT.CORP.HCL.IN
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECD3983B-2557-43E5-B3B8-1B423E068071}: NameServer = 192.168.10.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HCLT.CORP.HCL.IN
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = HCLT.CORP.HCL.IN
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Virtual PDF Printer (Service1) - Unknown owner - C:\Program Files\Virtual PDF Printer\VirtualPrinting.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
--
End of file - 7975 bytes


Can you please do the following.

===============

Scan with HijackThis and then place a check next to all the following, if present:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: {18213ef4-e4fe-8c28-4004-162b45c0e189} - {981e0c54-b261-4004-82c8-ef4e4fe31281} - C:\WINDOWS\system32\vywpvewr.dll

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\WINDOWS\system32\vywpvewr.dll

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode and hit Enter.

-

Reboot.

===============

After rebooting, rescan with HijackThis and post back a new log. Please let me know how your PC is now.
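The three entries the reply above asks to fix belong to classes that can be pre-screened mechanically before a human reads the log: a start page reset to about:blank, a toolbar or BHO registered with no backing file, and a BHO whose display name is a bare CLSID rather than a vendor name. The script below is an added example for this thread, not HijackThis code and not something either poster wrote; the sample lines are constructed in the same layout as the log posted above, and the rules are triage heuristics (a hit means "look at this", not "malicious").

```python
"""Triage helper for HijackThis-style logs.

Added example for this thread, not HijackThis code: it parses log lines in the
'Onn - Kind: name - {CLSID} - path' layout and flags the entry classes the reply
above asks to fix. The rules are heuristics for 'look at this', not verdicts.
"""
import re

# Constructed sample in the same format as the log posted above (a subset of
# its lines, plus the three entries the helper singled out).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: {18213ef4-e4fe-8c28-4004-162b45c0e189} - {981e0c54-b261-4004-82c8-ef4e4fe31281} - C:\WINDOWS\system32\vywpvewr.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I
)


def parse_entry(line):
    """Split one log line into code, name, CLSID and path (None where absent)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    entry = {"code": code, "raw": line.strip(), "name": None, "clsid": None, "path": None}
    if code in ("O2", "O3", "O9"):
        # e.g. "BHO: <name> - {CLSID} - <path>"; a path may itself contain " - "
        _, _, rest = body.partition(": ")
        parts = rest.split(" - ")
        if len(parts) >= 3:
            entry["name"] = parts[0]
            entry["clsid"] = parts[1]
            entry["path"] = " - ".join(parts[2:])
    elif code.startswith("R"):
        # e.g. "HKCU\...\Main,Start Page = about:blank"
        key, _, value = body.partition(" = ")
        entry["name"] = key
        entry["path"] = value
    return entry


def triage(entry):
    """Return the list of reasons an entry deserves a second look (empty if none)."""
    reasons = []
    name, path, code = entry["name"], entry["path"], entry["code"]
    if code == "R0" and name and "Start Page" in name and path == "about:blank":
        reasons.append("start page reset to about:blank")
    if path == "(no file)":
        reasons.append("registered component with no backing file")
    if code in ("O2", "O3") and name and (GUID_RE.match(name) or name == "(no name)"):
        reasons.append("browser add-on with no human-readable name")
    return reasons


def flag_suspicious(log_text):
    """Parse every line and return [(raw_line, reasons)] for the flagged ones, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            flagged.append((entry["raw"], reasons))
    return flagged


if __name__ == "__main__":
    for raw, reasons in flag_suspicious(SAMPLE_LOG):
        print(raw)
        for r in reasons:
            print("    ->", r)
```

Run as-is it prints the three flagged sample lines with their reasons; on a real log, pass the file contents to `flag_suspicious` instead of `SAMPLE_LOG`. Entries with a proper vendor name and an existing file (the PCTools BHO, the Google toolbar, the Symantec Run entry) are left alone, which is the point of keeping the rules narrow: the output is a short list for a human to check, not a removal list.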
