
[Closed] SecurityOnPage et al


  • This topic is locked
3 replies to this topic

#1 RickCo (New Member, 1 post)

Posted 05 November 2007 - 02:18 PM

I have been getting the little Yellow Yield sign (with a "!" on it) on the systray and have tried both HiJackThis and ComboFix. Not sure I know enough about either one to resolve the issue, let alone make matters worse.

Here are the logs, if somebody would have the time to take a look-see.

Thanks

ComboFix 07-11-05.1 - Owner 2007-11-05 13:47:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1090 [GMT -6:00]
Running from: C:\Program Files\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\All Users\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Owner\Application Data\WinAntiSpyware 2007
C:\Documents and Settings\Owner\Application Data\WinAntiSpyware 2007\Logs\update.log
C:\Documents and Settings\Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Owner\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Owner\err.log
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
C:\Program Files\ISM2
C:\Program Files\ISM2\cringupd.exe
C:\Program Files\ISM2\ISMPack6.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\Downloaded Program Files\formcache
C:\WINDOWS\Downloaded Program Files\formcache\1.fca
C:\WINDOWS\Downloaded Program Files\formcache\10.fca
C:\WINDOWS\Downloaded Program Files\formcache\2.fca
C:\WINDOWS\Downloaded Program Files\formcache\3.fca
C:\WINDOWS\Downloaded Program Files\formcache\5.fca
C:\WINDOWS\Downloaded Program Files\formcache\6.fca
C:\WINDOWS\Downloaded Program Files\formcache\7.fca
C:\WINDOWS\Downloaded Program Files\formcache\8.fca
C:\WINDOWS\Downloaded Program Files\formcache\9.fca
C:\WINDOWS\Downloaded Program Files\formcache\index.fci
C:\WINDOWS\system32\A1
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\kqorbylc.dllbox
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\win
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FOPN


((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))
.

2007-11-05 13:46 1,532,578 --a------ C:\Program Files\ComboFix.exe
2007-11-05 13:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-05 13:07 <DIR> d-------- C:\Program Files\MSBuild
2007-11-05 13:01 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-11-05 13:01 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-11-05 13:00 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-11-05 13:00 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-11-05 12:59 <DIR> d-------- C:\Program Files\backups
2007-11-05 12:54 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-11-05 12:54 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-11-05 12:54 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-11-05 12:45 <DIR> d-------- C:\Program Files\Registry Medic 4
2007-11-05 12:11 <DIR> d-------- C:\WINDOWS\pss
2007-11-05 10:02 <DIR> d-------- C:\Program Files\CCleaner
2007-11-05 09:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-11-05 09:41 85,568 --a------ C:\WINDOWS\system32\gtvwevpq.dll
2007-11-05 09:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2007-11-05 09:40 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-05 09:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-05 09:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-05 09:17 <DIR> d-------- C:\Program Files\GoogleEarth
2007-11-05 09:17 <DIR> d-a------ C:\Program Files\Ad-Aware
2007-11-05 09:17 51,422,520 --a------ C:\Program Files\iTunesSetup-743-XP.exe
2007-11-05 09:17 21,822,168 --a------ C:\Program Files\AcrobatReader-v8.exe
2007-11-05 09:17 21,407,888 --a------ C:\Program Files\avg75free_467a1008.exe
2007-11-05 09:17 20,256,064 --a------ C:\Program Files\QuickTime-72.exe
2007-11-05 09:17 13,416,432 --a------ C:\Program Files\GoogleEarthWin-40.exe
2007-11-05 09:17 5,037,072 --a------ C:\Program Files\spybot-sd14.exe
2007-11-05 09:17 2,719,216 --a------ C:\Program Files\ccsetup140.exe
2007-11-05 09:17 1,706,289 --a------ C:\Program Files\Registry Medic.exe
2007-11-05 09:17 1,445,888 --a------ C:\Program Files\WinsockFix-XP.exe
2007-11-05 09:17 1,259,960 --a------ C:\Program Files\winzip80.exe
2007-11-05 09:17 1,000,792 --a------ C:\Program Files\Norton_Removal_Tool-9-6-07.exe
2007-11-05 09:17 259,072 --a------ C:\Program Files\cpuspeed.exe
2007-11-05 09:17 218,112 --a------ C:\Program Files\HijackThis.exe
2007-10-31 11:35 340,032 --a------ C:\WINDOWS\system32\kqorbylc.dll
2007-10-31 11:35 340,032 --a------ C:\WINDOWS\system32\kpawrjot.dll
2007-10-29 22:46 589 --a------ C:\WINDOWS\system32\wbuerfgj.dll
2007-10-29 22:43 413,587 --ahs---- C:\WINDOWS\system32\xbeeg.bak2
2007-10-29 17:49 414,280 --ahs---- C:\WINDOWS\system32\xbeeg.ini2
2007-10-29 10:43 6,465 --ahs---- C:\WINDOWS\system32\xbeeg.bak1
2007-10-29 10:37 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-10-29 10:37 <DIR> d-------- C:\Temp\mZOr
2007-10-29 10:37 294,668 --a------ C:\WINDOWS\frexup2.exe
2007-10-29 10:37 13,824 --a------ C:\WINDOWS\plite731.exe
2007-10-29 10:37 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-10-10 06:08 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-05 18:55 8,586 ----a-w C:\Program Files\hijackthis.log
2007-11-05 18:44 30,718 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-11-05 16:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-05 15:38 --------- d-----w C:\Program Files\WinFax
2007-11-05 15:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-05 15:28 --------- d-----w C:\Program Files\SBC Yahoo!
2007-11-05 15:27 --------- d-----w C:\Program Files\Yahoo!
2007-11-05 15:23 --------- d-----w C:\Program Files\Common Files\Scanner
2007-05-01 09:56 130 ----a-w C:\Program Files\HijackThis Logfileauswertung.url
2006-08-31 12:01 5,098,140 ----a-w C:\Program Files\Im My Own G'Pa.wmv
2005-06-09 22:11 73,800 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-31 11:35 340032 --a------ C:\WINDOWS\system32\kqorbylc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\kqorbylc.dll [2007-10-31 11:35 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 17:36]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-09-09 00:18]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-09-09 00:05]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2003-08-19 17:23]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 05:32]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 13:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 11:45]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-05 09:56]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2005-05-31 01:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-10-26 21:21]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"<NO NAME>"=C:\PROGRA~1\INTERN~1\iexplore.exe http://www.symantec....000028.000000D8

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kqorbylc]
kqorbylc.dll 2007-10-31 11:35 340032 C:\WINDOWS\system32\kqorbylc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WildTangent CDA"=RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"EPSON Stylus Photo RX500"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB002" /M "Stylus Photo RX500"

R3 smbusp;Intel® SMBus 2.0 Driver;C:\WINDOWS\system32\DRIVERS\smb.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 12:20:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 13:52:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-05 13:53:10 - machine was rebooted
.
--- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 1:59:45 PM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\kqorbylc.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kqorbylc.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB003" /M "Stylus CX4800"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\RunOnce: [] C:\PROGRA~1\INTERN~1\iexplore.exe http://www.symantec....000028.000000D8
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernet...urferplugin.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1194288137078
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com...did/BoardID.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: kqorbylc - C:\WINDOWS\SYSTEM32\kqorbylc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe



#2 Gary R (MRU Administrator, MRU Teachers, 1,510 posts)

Posted 06 November 2007 - 05:19 AM

Looking over your log, back ASAP.

#3 Gary R (MRU Administrator, MRU Teachers, 1,510 posts)

Posted 06 November 2007 - 05:35 AM

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hi RickCo

I'm Gary R, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default)

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Looks like you've got a Vundo infection that hasn't been totally cleaned up by Combofix.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Right Click inside the listbox (white box) and click add more files
  • Copy & Paste this entry into the top box.

    C:\WINDOWS\system32\kqorbylc.dll

  • Copy & Paste this entry into the 2nd box.

    C:\WINDOWS\system32\clybroqk.*

  • Click Add Files then click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Please do an online scan with Kaspersky Online Scanner

Note: You must be using Internet Explorer as your browser as it will be necessary to install an ActiveX component to your computer.

Important If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK.
  • Now under select a target to scan select My Computer.
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

Summary of the logs I need from you in your next post:
  • Vundofix log
  • Kaspersky log
  • New HJT log


Please post each log separately to prevent them being cut off by the forum post size limiter.
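As an added example (not part of this thread, and not how VundoFix or HijackThis work internally), the following Python script applies the triage reasoning behind Gary R's diagnosis to the O2/O3/O20 lines of the HijackThis log in post #1: one DLL with a random-looking eight-letter name registered as a BHO, as an IE toolbar and as a Winlogon Notify handler all at once, plus the companion file whose name is the same letters reversed (kqorbylc -> clybroqk.*), which is exactly the second entry in the VundoFix instructions above. The sample log lines are a constructed subset copied from the posted log; the eight-lowercase-letter rule and the two-load-points threshold are this example's own heuristic assumptions, not a published Vundo signature.

```python
"""Triage HijackThis O2/O3/O20 load points for Vundo-style DLL indicators.

Added example for this thread; not VundoFix, HijackThis or ComboFix code.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the O2/O3/O20 lines from the HJT log in post #1.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\kqorbylc.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kqorbylc.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: kqorbylc - C:\WINDOWS\SYSTEM32\kqorbylc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# O2 (BHO), O3 (IE toolbar) and O20 (Winlogon Notify) each load a DLL into
# Internet Explorer or winlogon; one DLL sitting in several of them is the
# pattern kqorbylc.dll shows in this thread.
LOAD_POINT_RE = re.compile(r"^(?P<section>O2|O3|O20) - (?P<rest>.+)$")
# Heuristic assumption: Vundo-style names are eight random lowercase letters.
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")


def parse_load_points(log_text):
    """Return [(section, path)] for every O2/O3/O20 line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = LOAD_POINT_RE.match(line.strip())
        if not m:
            continue
        # On these lines the file path is always the last " - " separated field.
        path = m.group("rest").rsplit(" - ", 1)[-1].strip()
        entries.append((m.group("section"), path))
    return entries


def dll_stem(path):
    """'C:\\WINDOWS\\SYSTEM32\\kqorbylc.dll' -> 'kqorbylc' (case preserved)."""
    filename = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return filename.rsplit(".", 1)[0]


def reversed_companion_pattern(stem):
    """Companion file pattern: the primary DLL's name reversed, any extension.
    This is what post #3 asks VundoFix to remove (kqorbylc -> clybroqk.*)."""
    return stem[::-1] + ".*"


def triage(log_text):
    """Flag DLLs whose stem is eight lowercase letters (in every spelling seen)
    and that are registered in two or more distinct load points.
    Returns {stem: {"sections": [...], "companion": pattern}}."""
    sections_by_stem = defaultdict(set)
    spellings_by_stem = defaultdict(set)
    for section, path in parse_load_points(log_text):
        stem = dll_stem(path)
        sections_by_stem[stem.lower()].add(section)
        spellings_by_stem[stem.lower()].add(stem)

    findings = {}
    for stem, sections in sections_by_stem.items():
        random_looking = all(RANDOM_STEM_RE.match(s) for s in spellings_by_stem[stem])
        if random_looking and len(sections) >= 2:
            findings[stem] = {
                "sections": sorted(sections, key=lambda s: int(s[1:])),
                "companion": reversed_companion_pattern(stem),
            }
    return findings


if __name__ == "__main__":
    for stem, info in triage(SAMPLE_HJT_LOG).items():
        print(f"{stem}.dll registered in {', '.join(info['sections'])}; "
              f"also check for companion {info['companion']}")
```

Run as-is it flags only kqorbylc.dll (O2, O3 and O20) and prints the clybroqk.* companion pattern; igfxsrvc.dll and WgaLogon.dll are left alone because each sits in a single load point, and WgaLogon also fails the all-lowercase rule. Feed it a complete HJT log and it returns the candidate list a helper would then confirm by hand, which is all a heuristic like this should be used for.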

#4 Gary R (MRU Administrator, MRU Teachers, 1,510 posts)

Posted 14 November 2007 - 02:12 AM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log
