I have a problem very similar to the one posted by agcsc on Nov 1 - my computer started out being infected with what McAfee called "adclicker-fk" - it causes popup windows with various topics, some inappropriate. They aren't necessarily ads - but they are nuisances. I cleaned my computer and for about a week it seemed ok - but then the problems returned with a vengeance.
Two shortcuts appeared on my desktop labeled: "ONLINE SECURITY GUIDE" and "LIFE SAFETY CENTER." I have deleted them a couple of times but they continue to return. Both show their target as "htepo.com."
I get numerous balloon warnings saying my computer is infected with various trojans, worms or viruses and I often get a text box to go along with the balloon warnings.
I have run VundoFix a number of times; there is one dll, byxyyaa.dll, that cannot be cleaned. When I ran VundoFix - the balloons went away, but the next morning, they were back - I ran VundoFix - it found one additional dll that it cleaned and the same byxyyaa.dll that could not be cleaned. This again got rid of the balloons, but I expect them to be back tomorrow morning.
I am including HijackThis logs and VundoFix logs:
Thanks for any help you can offer.
VundoFix V6.5.11
Checking Java version...
Scan started at 09:57:15 2007-11-13
Listing files found while scanning....
C:\windows\system32\byxyyaa.dll
C:\WINDOWS\system32\dalpbcfg.dll
C:\WINDOWS\system32\kxuuvxas.dll
Beginning removal...
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\dalpbcfg.dll
C:\WINDOWS\system32\dalpbcfg.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\kxuuvxas.dll
C:\WINDOWS\system32\kxuuvxas.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\kxuuvxas.dll
C:\WINDOWS\system32\kxuuvxas.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.11
Checking Java version...
Scan started at 17:57:31 2007-11-13
Listing files found while scanning....
C:\windows\system32\byxyyaa.dll
VundoFix V6.5.11
Checking Java version...
Scan started at 18:10:58 2007-11-13
Listing files found while scanning....
C:\windows\system32\byxyyaa.dll
Beginning removal...
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.5.11
Checking Java version...
Scan started at 10:12:36 2007-11-14
Listing files found while scanning....
C:\windows\system32\byxyyaa.dll
C:\WINDOWS\system32\cjowaxgi.dll
Beginning removal...
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\cjowaxgi.dll
C:\WINDOWS\system32\cjowaxgi.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\cjowaxgi.dll
C:\WINDOWS\system32\cjowaxgi.dll Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01, on 2007-11-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
D:\OracleGM\bin\dbsnmp.exe
D:\OracleGM\bin\vppdc.exe
D:\OracleGM\BIN\TNSLSNR.exe
d:\oraclegm\bin\ORACLE.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SigmaTel\C-MAJO~1\CONTRO~1\stacsrv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\indlabfs24\Desktop\My Files\My files\hijackthis\fluffybunny.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\byxyyaa.dll
O2 - BHO: (no name) - {F96307A5-3FD9-4CE4-AB8C-25E07B083B73} - C:\WINDOWS\system32\mljjk.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StacSysTray] C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [a42df633] rundll32.exe "C:\WINDOWS\system32\rvrsqwdf.dll",b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: http://*.in.gov
O15 - Trusted Zone: http://*.in.gov (HKLM)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = isp.state.in.us
O17 - HKLM\Software\..\Telephony: DomainName = isp.state.in.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = isp.state.in.us
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\system32\schdsrvc.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\bbsikewc.exe (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OracleIFAAgent - Oracle Corporation - D:\OracleGM\bin\dbsnmp.exe
O23 - Service: OracleIFAClientCache - Unknown owner - D:\OracleGM\BIN\ONRSD.EXE
O23 - Service: OracleIFACMAdmin - Unknown owner - D:\OracleGM\BIN\CMADMIN.EXE
O23 - Service: OracleIFACMan - Unknown owner - D:\OracleGM\BIN\CMGW.EXE
O23 - Service: OracleIFADataGatherer - Oracle Corporation - D:\OracleGM\bin\vppdc.exe
O23 - Service: OracleIFATNSListener - Unknown owner - D:\OracleGM\BIN\TNSLSNR.exe
O23 - Service: OracleServiceIFA - Oracle Corporation - d:\oraclegm\bin\ORACLE.EXE
O23 - Service: Sigmatel PassThru (PassThru) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\passthru.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 7815 bytes