
virtumonde + htepo.com



#1 indymhr (New Member, 1 post)

Posted 14 November 2007 - 10:03 AM

Hi
I have a problem very similar to the one posted by agcsc on Nov 1. My computer started out being infected with what McAfee called "adclicker-fk". It causes popup windows with various topics, some inappropriate. They aren't necessarily ads, but they are nuisances. I cleaned my computer and for about a week it seemed OK, but then the problems returned with a vengeance.

Two shortcuts appeared on my desktop labeled "ONLINE SECURITY GUIDE" and "LIFE SAFETY CENTER". I have deleted them a couple of times but they continue to return. Both show their target as "htepo.com".

I get numerous balloon warnings saying my computer is infected with various trojans, worms or viruses and I often get a text box to go along with the balloon warnings.

I have run VundoFix a number of times; there is one DLL, byxyyaa.dll, that cannot be cleaned. When I ran VundoFix the balloons went away, but the next morning they were back. I ran VundoFix again; it found one additional DLL that it cleaned and the same byxyyaa.dll that could not be cleaned. This again got rid of the balloons, but I expect them to be back tomorrow morning.

I am including HijackThis logs and VundoFix logs:

Thanks for any help you can offer


VundoFix V6.5.11

Checking Java version...

Scan started at 09:57:15 2007-11-13

Listing files found while scanning....

C:\windows\system32\byxyyaa.dll
C:\WINDOWS\system32\dalpbcfg.dll
C:\WINDOWS\system32\kxuuvxas.dll

Beginning removal...

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\dalpbcfg.dll
C:\WINDOWS\system32\dalpbcfg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kxuuvxas.dll
C:\WINDOWS\system32\kxuuvxas.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\kxuuvxas.dll
C:\WINDOWS\system32\kxuuvxas.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Scan started at 17:57:31 2007-11-13

Listing files found while scanning....

C:\windows\system32\byxyyaa.dll

VundoFix V6.5.11

Checking Java version...

Scan started at 18:10:58 2007-11-13

Listing files found while scanning....

C:\windows\system32\byxyyaa.dll

Beginning removal...

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Scan started at 10:12:36 2007-11-14

Listing files found while scanning....

C:\windows\system32\byxyyaa.dll
C:\WINDOWS\system32\cjowaxgi.dll

Beginning removal...

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\cjowaxgi.dll
C:\WINDOWS\system32\cjowaxgi.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\byxyyaa.dll
C:\windows\system32\byxyyaa.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\cjowaxgi.dll
C:\WINDOWS\system32\cjowaxgi.dll Has been deleted!

Performing Repairs to the registry.
Done!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01, on 2007-11-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
D:\OracleGM\bin\dbsnmp.exe
D:\OracleGM\bin\vppdc.exe
D:\OracleGM\BIN\TNSLSNR.exe
d:\oraclegm\bin\ORACLE.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SigmaTel\C-MAJO~1\CONTRO~1\stacsrv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\indlabfs24\Desktop\My Files\My files\hijackthis\fluffybunny.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\byxyyaa.dll
O2 - BHO: (no name) - {F96307A5-3FD9-4CE4-AB8C-25E07B083B73} - C:\WINDOWS\system32\mljjk.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StacSysTray] C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [a42df633] rundll32.exe "C:\WINDOWS\system32\rvrsqwdf.dll",b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: http://*.in.gov
O15 - Trusted Zone: http://*.in.gov (HKLM)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = isp.state.in.us
O17 - HKLM\Software\..\Telephony: DomainName = isp.state.in.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = isp.state.in.us
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\system32\schdsrvc.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\bbsikewc.exe (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OracleIFAAgent - Oracle Corporation - D:\OracleGM\bin\dbsnmp.exe
O23 - Service: OracleIFAClientCache - Unknown owner - D:\OracleGM\BIN\ONRSD.EXE
O23 - Service: OracleIFACMAdmin - Unknown owner - D:\OracleGM\BIN\CMADMIN.EXE
O23 - Service: OracleIFACMan - Unknown owner - D:\OracleGM\BIN\CMGW.EXE
O23 - Service: OracleIFADataGatherer - Oracle Corporation - D:\OracleGM\bin\vppdc.exe
O23 - Service: OracleIFATNSListener - Unknown owner - D:\OracleGM\BIN\TNSLSNR.exe
O23 - Service: OracleServiceIFA - Oracle Corporation - d:\oraclegm\bin\ORACLE.EXE
O23 - Service: Sigmatel PassThru (PassThru) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\passthru.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7815 bytes
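The two logs above can be read against each other: the only file VundoFix repeatedly reports as "Could not be deleted" (byxyyaa.dll) is also registered as an unnamed Browser Helper Object in the HijackThis O2 section, and a BHO is loaded into every Explorer and Internet Explorer process, so the file is in use whenever the desktop is up. The script below is an added example, not part of indymhr's post, of HijackThis or of VundoFix. The triage heuristics (an unnamed BHO loading from system32, a Run value with a hex-looking name that starts rundll32 on a system32 DLL, a service with "Unknown owner" whose system32 binary is missing) are this editor's choices, and the sample lines are copied from the posted logs.

```python
"""Triage the HijackThis and VundoFix output posted above.

Added example, not part of the original post, of HijackThis or of VundoFix.
Flags three patterns the posted log shows and then cross-references the
flagged BHO DLLs against the VundoFix "Could not be deleted" lines.
"""
import re
from dataclasses import dataclass

# Sample input: a subset of the HijackThis lines from the post above.
HJT_SAMPLE = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\byxyyaa.dll",
    r"O2 - BHO: (no name) - {F96307A5-3FD9-4CE4-AB8C-25E07B083B73} - C:\WINDOWS\system32\mljjk.dll",
    r"O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    r'O4 - HKLM\..\Run: [a42df633] rundll32.exe "C:\WINDOWS\system32\rvrsqwdf.dll",b',
    r"O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe",
    r"O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\bbsikewc.exe (file missing)",
    r"O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)",
]

# Sample input: lines copied from the VundoFix output in the post above.
VUNDOFIX_SAMPLE = [
    r"C:\windows\system32\byxyyaa.dll Could not be deleted.",
    r"C:\WINDOWS\system32\dalpbcfg.dll Has been deleted!",
    r"C:\WINDOWS\system32\kxuuvxas.dll Could not be deleted.",
]

# A bare .dll/.exe directly under %SystemRoot%\system32 (Vundo drops its
# randomly named components there); matched case-insensitively.
SYSTEM32_BINARY = re.compile(r"^[a-z]:\\windows\\system32\\[a-z0-9_]+\.(dll|exe)$", re.IGNORECASE)
HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{6,}$")
RUN_VALUE = re.compile(r"\\Run:\s+\[([^\]]+)\]\s+(.*)$")
RUNDLL32_TARGET = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section, e.g. "O2"
    path: str     # file the entry points at
    reason: str   # why it was flagged


def triage_hijackthis(lines):
    """Return a Finding for each line matching one of the three heuristics."""
    findings = []
    for line in (raw.strip() for raw in lines):
        if line.startswith("O2 - BHO: "):
            # O2 - BHO: <display name> - {CLSID} - <path>
            name, _, rest = line[len("O2 - BHO: "):].partition(" - {")
            clsid, _, path = rest.partition("} - ")
            if name == "(no name)" and SYSTEM32_BINARY.match(path):
                findings.append(Finding("O2", path, f"unnamed BHO {{{clsid}}} loads a DLL from system32"))
        elif line.startswith("O4 - "):
            m = RUN_VALUE.search(line)
            target = RUNDLL32_TARGET.search(m.group(2)) if m else None
            if m and target and HEX_VALUE_NAME.match(m.group(1)) and SYSTEM32_BINARY.match(target.group(1)):
                findings.append(Finding("O4", target.group(1), f"rundll32 autostart under hex-named value [{m.group(1)}]"))
        elif line.startswith("O23 - Service: ") and line.endswith(" (file missing)"):
            # O23 - Service: <name> - <owner> - <path> (file missing)
            _, owner, rest = line.rsplit(" - ", 2)
            path = rest[: -len(" (file missing)")]
            # A missing Program Files binary (the iPod service) is a benign leftover;
            # an unknown-owner service pointing into system32 is not.
            if owner == "Unknown owner" and SYSTEM32_BINARY.match(path):
                findings.append(Finding("O23", path, "unknown-owner service whose system32 binary is missing"))
    return findings


def vundofix_undeletable(lines):
    """Paths VundoFix reported it could not delete, lower-cased for comparison."""
    matches = (re.match(r"^(.*) Could not be deleted\.$", raw.strip()) for raw in lines)
    return {m.group(1).lower() for m in matches if m}


def locked_bho_dlls(findings, undeletable):
    """Flagged BHO DLLs that VundoFix could not remove: in use by Explorer/IE."""
    return sorted(f.path for f in findings if f.section == "O2" and f.path.lower() in undeletable)


if __name__ == "__main__":
    found = triage_hijackthis(HJT_SAMPLE)
    for f in found:
        print(f"{f.section}: {f.path}  <- {f.reason}")
    for path in locked_bho_dlls(found, vundofix_undeletable(VUNDOFIX_SAMPLE)):
        print(f"{path} is a registered BHO; on-disk deletion fails while Explorer/IE run")
```

Run against the sample it flags byxyyaa.dll, mljjk.dll, rvrsqwdf.dll and the missing bbsikewc.exe service, and singles out byxyyaa.dll as the BHO VundoFix could not unlink. The heuristics are deliberately narrow (no dictionary of "random-looking" names), so a legitimate but oddly named entry is left for a human to judge rather than auto-flagged.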



#2 jpshortstuff (Teacher Emeritus, Authentic Member, 5,710 posts)

Posted 22 November 2007 - 01:37 PM

Hi, and Welcome to WhatTheTech :)

My name is jpshortstuff. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

As I am still training here, my posts to you will be checked by an Expert member. This will ensure that all advice and instructions I give you are accurate and safe. This may mean that my replies may take a little longer.


Sorry about the delay in responding :(

If you still need help:

Show all hidden files:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Please do not delete anything unless instructed to.

Scan again with HijackThis, and "copy/paste" a new log file into this thread.

Then I will analyze your log and sort out a fix for you :)

Also please describe how your computer behaves at the moment.


jpshortstuff

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

Need help remembering those important computer maintenance tasks? Let SCars do it for you.

#3 jpshortstuff (Teacher Emeritus, Authentic Member, 5,710 posts)

Posted 25 November 2007 - 03:07 PM

Resolved at BleepingComputer.com. Please don't post for malware help when you are already receiving help elsewhere.
