Possible Malware and Adware problem need solution

Question

Hi...i am having a INSPIRONE1505 laptop. It was working absolutely fine without any problem but now from last 4-5 days all of a sudden its loading very slow at the startup takes much time to boot up and show runDLL error message "Error Loading C:\WINDOWS\system32\rtahihuk.dll The specified module could not be found." Also when i starts using internet explorer for browsing many add starts popping up and suddenly the system freezes out.

I am using Zonealarm security suite for overall protection but the problem still not getting solved also tried to scan with AVG adware scanner, These two adware scanner finds some adware trojans, deletes it but the problem is still there...

Again at the same time my battery also shows only 1 hour when 100% charged and discharges immediately within 50 minutes. request u to send me some solutions.

Hereby i am sending the hijack this log for your review.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:50 PM, on 06/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5296.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [SystemRestoreStatus] rundll32.exe "C:\WINDOWS\system32\rtahihuk.dll",sitypnow
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DVDXGhost] C:\Program Files\DVD Ghost\DVDGhost.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.loksatta.com/daily/dynamic/wfplayer/tdserver.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{00F50F14-1715-484B-87A8-EEFF4D47AE8B}: NameServer = 202.88.130.15,202.88.130.67,202.88.130.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{00F50F14-1715-484B-87A8-EEFF4D47AE8B}: NameServer = 202.88.130.15,202.88.130.67,202.88.130.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{00F50F14-1715-484B-87A8-EEFF4D47AE8B}: NameServer = 202.88.130.15,202.88.130.67,202.88.130.5
O17 - HKLM\System\CS3\Services\Tcpip\..\{00F50F14-1715-484B-87A8-EEFF4D47AE8B}: NameServer = 202.88.130.15,202.88.130.67,202.88.130.5
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

--
End of file - 7907 bytes

Message Edited by pravesh125 on 09-06-2007 09:16 AM

bamajim · Answer

pravesh125

1. Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe

http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

CastleCops Instructor

MRU Graduate

"The world is what you make of it"

pravesh125 · Answer

Hi, thanks a lot for quick response on this.......
i run fixit on my system and rebooted as instructed by you.....but i think still its not fixed yet...cause it has again taken more time to reboot and i got the same runDLL error message "Error Loading C:\WINDOWS\system32\rtahihuk.dll The specified module could not be found."

Please find the a fresh HijackThis log and a fixwareout report as given below.....

HijackThis LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:50 PM, on 07/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [SystemRestoreStatus] rundll32.exe "C:\WINDOWS\system32\rtahihuk.dll",sitypnow
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [DVDXGhost] C:\Program Files\DVD Ghost\DVDGhost.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.loksatta.com/daily/dynamic/wfplayer/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{00F50F14-1715-484B-87A8-EEFF4D47AE8B}: NameServer = 202.88.130.15,202.88.130.67,202.88.130.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{00F50F14-1715-484B-87A8-EEFF4D47AE8B}: NameServer = 202.88.130.15,202.88.130.67,202.88.130.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{00F50F14-1715-484B-87A8-EEFF4D47AE8B}: NameServer = 202.88.130.15,202.88.130.67,202.88.130.5
O17 - HKLM\System\CS3\Services\Tcpip\..\{00F50F14-1715-484B-87A8-EEFF4D47AE8B}: NameServer = 202.88.130.15,202.88.130.67,202.88.130.5
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

--
End of file - 8134 bytes

and the Fixwareout report

Username "user" - 07/09/2007 22:37:31 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.

System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"SigmatelSysTrayApp"="stsystra.exe"
"vmware-tray"="C:\\Program Files\\VMware\\VMware Workstation\\vmware-tray.exe"
"VMware hqtray"="\"C:\\Program Files\\VMware\\VMware Workstation\\hqtray.exe\""
"SystemRestoreStatus"="rundll32.exe \"C:\\WINDOWS\\system32\\rtahihuk.dll\",sitypnow"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDXGhost"="C:\\Program Files\\DVD Ghost\\DVDGhost.EXE"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\AdobeUpdateManager.exe\" AcPro7_0_9 -reboot 1"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

bamajim · Answer

pravesh125

Yes we still ahve a little work to do before we are finished.

1. Rerun Hijackthis (scan only) and place checks beside the following entries

O4 - HKLM\..\Run: [SystemRestoreStatus] rundll32.exe "C:\WINDOWS\system32\rtahihuk.dll",sitypnow
O17 - HKLM\System\CCS\Services\Tcpip\..\{00F50F14-1715-484B-87A8-EEFF4D47AE8B}: NameServer = 202.88.130.15,202.88.130.67,202.88.130.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{00F50F14-1715-484B-87A8-EEFF4D47AE8B}: NameServer = 202.88.130.15,202.88.130.67,202.88.130.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{00F50F14-1715-484B-87A8-EEFF4D47AE8B}: NameServer = 202.88.130.15,202.88.130.67,202.88.130.5
O17 - HKLM\System\CS3\Services\Tcpip\..\{00F50F14-1715-484B-87A8-EEFF4D47AE8B}: NameServer = 202.88.130.15,202.88.130.67,202.88.130.5

Close all other open windows except Hijackhtis and Select " Fix checked"

Close Hijackthis

2. Now lets check some settings on your system.

(2000/XP) Only

In the windows control panel.
If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.
Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties.
Click the Networking tab.
Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems

Next Go start run type cmd and hit OK
type
ipconfig /flushdns (that space between g and / is needed)
then hit enter, type exit hit enter

3. Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log

CastleCops Instructor

MRU Graduate

"The world is what you make of it"

pravesh125 · Answer

Hi,

I ve done the changes as per your instructions....now i am not getting the run DLL error but i am still not able to get rid of advt. poppping up every now and then...and again internet explorer suddenly gives some error messages and the whole system freezes up...sometimes i need to hardboot the system or sometime i need to close it directly without saving the work from task manager. Kindly suggest some solution..

Please find the latest HijackThis log....

=====================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:42 PM, on 09/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [DVDXGhost] C:\Program Files\DVD Ghost\DVDGhost.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

--
End of file - 7054 bytes

bamajim · Answer

pravesh125

We are getting there.

1. Please download Combofix and save to your desktop:

Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

CastleCops Instructor

MRU Graduate

"The world is what you make of it"

pravesh125 · Answer

Hi Please find the attached ComboFix log as below.   ComboFix 07-09-10.6 - 'user' 2007-09-10 18:06:33.1 - NTFSx86 Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.418 [GMT 1:00]  * Created a new restore point . (((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\DOCUME~1\user\APPLIC~1\macromedia\Flash Player\#SharedObjects\3A9J4X7U\iforex.com C:\DOCUME~1\user\APPLIC~1\macromedia\Flash Player\#SharedObjects\3A9J4X7U\iforex.com\Emerp\Events\flash_object.swf\user_data.sol C:\DOCUME~1\user\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com C:\DOCUME~1\user\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol C:\WINDOWS\cookies.ini C:\WINDOWS\system32\bqfrcbxf.dll C:\WINDOWS\system32\brvowwef.dll C:\WINDOWS\system32\fmquvktp.dll C:\WINDOWS\system32\giadgjiw.dll C:\WINDOWS\system32\gpxmsydx.dll C:\WINDOWS\system32\kjgwddsq.dll C:\WINDOWS\system32\kkvlrljp.dll C:\WINDOWS\system32\pjlrlvkk.ini C:\WINDOWS\system32\xdysmxpg.ini C:\WINDOWS\system32\ycdhxpla.dll (((((((((((((((((((((((((   Files Created from 2007-08-10 to 2007-09-10  ))))))))))))))))))))))))))))))) . 2007-09-10 18:04 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-09 11:39 230,432 --a------ C:\PA7311.DAT 2007-09-09 11:34 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll 2007-09-09 11:34 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll 2007-09-09 11:34 53,248 --a------ C:\WINDOWS\system32\PAStiSvc.exe 2007-09-09 11:18   d-------- C:\WINDOWS\Pixart 2007-09-09 11:18   d-------- C:\Program Files\PC VGA Camera 2007-09-09 11:18   d-------- C:\Program Files\Common Files\PCCamera 2007-09-06 23:18   d-------- C:\Program Files\MegauploadToolbar 2007-09-06 23:18   d-------- C:\DOCUME~1\user\APPLIC~1\MegauploadToolbar 2007-09-06 15:08   d-------- C:\Program Files\Trend Micro 2007-09-06 14:44 0 --a------ C:\WINDOWS
sreg.dat 2007-09-05 23:34 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-09-05 17:27   d-------- C:\Program Files\Lavasoft 2007-09-05 17:27   d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft 2007-09-04 21:04 512 --a------ C:\ScanSectorLog.dat 2007-09-04 16:25 5,365,280 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-09-04 16:25 148,512 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2007-09-04 16:24   d-------- C:\DOCUME~1\user\APPLIC~1\MailFrontier 2007-09-04 16:17 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll 2007-09-04 14:20 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat 2007-09-04 14:15   d-------- C:\WINDOWS\Internet Logs 2007-09-04 09:16 1,581,027 ---hs---- C:\WINDOWS\system32qtss.bak2 2007-09-03 20:27 6,456 --ahs---- C:\WINDOWS\system32qtss.bak1 2007-09-03 20:27 297,568 --------- C:\WINDOWS\system32\sstqr.dll 2007-09-03 20:19 50,992 -ra------ C:\WINDOWS\system32\vmnetbridge.dll 2007-09-03 20:19 437,040 --a------ C:\WINDOWS\system32\vnetlib.dll 2007-09-03 20:19 28,592 -ra------ C:\WINDOWS\system32\drivers\vmnetbridge.sys 2007-09-03 20:19 25,264 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys 2007-09-03 20:19 17,712 -ra------ C:\WINDOWS\system32\drivers\vmnet.sys 2007-09-03 20:19 16,816 -ra------ C:\WINDOWS\system32\drivers\vmnetadapter.sys 2007-09-03 20:19 150,320 --a------ C:\WINDOWS\system32\vmnat.exe 2007-09-03 20:19 13,104 -ra------ C:\WINDOWS\system32\vnetinst.dll 2007-09-03 20:19 121,648 --a------ C:\WINDOWS\system32\vmnetdhcp.exe 2007-09-03 20:18 21,040 --a------ C:\WINDOWS\system32\drivers\VMkbd.sys 2007-09-03 20:16   d-------- C:\Program Files\Common Files\VMware 2007-08-30 14:42   d-------- C:\PST 2007-08-29 18:25   d-------- C:\Program Files\FileOpen 2007-08-29 18:24   d-------- C:\DOCUME~1\user\APPLIC~1\FileOpen 2007-08-29 18:24   d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FileOpen 2007-08-28 05:26   d-------- C:\Program Files\Dell Support Center 2007-08-28 05:26   d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SupportSoft 2007-08-21 16:20 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys 2007-08-21 16:20 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys 2007-08-21 16:20 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys 2007-08-21 16:20 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys 2007-08-21 16:20 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll 2007-08-21 16:20 21,504 --a------ C:\WINDOWS\system32\hidserv.dll . ((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-09-10 18:17 --------- d-------- C:\DOCUME~1\user\APPLIC~1\VMware 2007-09-10 18:12 --------- d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\VMware 2007-09-10 18:12 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\VMware 2007-09-10 18:11 79148 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx 2007-09-10 18:11 15968 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx 2007-09-09 11:19 --------- d--h----- C:\Program Files\InstallShield Installation Information 2007-09-04 21:38 --------- d-------- C:\Program Files\CyberLink 2007-09-04 21:36 --------- d-------- C:\Program Files\iPod 2007-09-04 21:15 --------- d-------- C:\Program Files\QuickTime 2007-09-04 20:59 --------- d-------- C:\Program Files\Network Associates 2007-09-04 20:59 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Network Associates 2007-09-04 16:27 --------- d-------- C:\Program Files\Windows Media Connect 2 2007-09-03 20:16 --------- d-------- C:\Program Files\VMware 2007-08-30 19:53 --------- d-------- C:\Program Files\Google 2007-08-30 14:20 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Yahoo! 2007-08-30 14:20 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! 2007-08-30 14:19 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google 2007-08-29 18:22 --------- d-------- C:\DOCUME~1\user\APPLIC~1\AdobeUM 2007-08-25 06:43 --------- d-------- C:\Program Files\Yahoo! 2007-07-31 03:19 92504 --a------ C:\WINDOWS\system32\cdm.dll 2007-07-31 03:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll 2007-07-31 03:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-07-31 03:19 43352 --a------ C:\WINDOWS\system32\wups2.dll 2007-07-31 03:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll 2007-07-31 03:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll 2007-07-31 03:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-07-31 03:18 33624 --a------ C:\WINDOWS\system32\wups.dll 2007-07-25 07:16 --------- d-------- C:\Program Files\CONEXANT 2007-07-24 18:43 --------- d-------- C:\DOCUME~1\user\APPLIC~1\dvdcss 2007-07-23 06:40 --------- d-------- C:\Program Files\Metasploit 2007-07-23 06:18 --------- d-------- C:\Program Files\ACD 2007-07-15 10:23 --------- d-------- C:\Program Files\Crystal Decisions 2007-07-15 10:23 --------- d-------- C:\Program Files\Common Files\Crystal Decisions 2007-07-13 06:25 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Help 2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll 2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll 2007-06-13 11:23 1033216 --a------ C:\WINDOWS\explorer.exe 2002-09-09 13:02 221184 --a------ C:\Program Files\Common Files\keycode.dll . (((((((((((((((((((((((((((((((((((((   Reg Loading Points   )))))))))))))))))))))))))))))))))))))))))))))))))) .   *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25E23417-CE89-43B2-B04C-1E4CF7F8DCEF}] 2007-09-03 20:27 297568 --------- C:\WINDOWS\system32\sstqr.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Broadcom Wireless Manager UI'='C:\WINDOWS\system32\WLTRAY.exe' [2005-12-19 18:08] 'SynTPEnh'='C:\Program Files\Synaptics\SynTP\SynTPEnh.exe' [2006-03-08 21:48] 'NeroFilterCheck'='C:\WINDOWS\system32\NeroCheck.exe' [2001-07-09 20:50] 'Acrobat Assistant 7.0'='C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe' [2006-01-13 04:52] 'SunJavaUpdateSched'='C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe' [2007-07-12 12:00] 'SigmatelSysTrayApp'='stsystra.exe' [2006-03-25 01:30 C:\WINDOWS\stsystra.exe] 'vmware-tray'='C:\Program Files\VMware\VMware Workstation\vmware-tray.exe' [2007-05-01 22:52] 'VMware hqtray'='C:\Program Files\VMware\VMware Workstation\hqtray.exe' [2007-05-01 22:52] 'ZoneAlarm Client'='C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe' [2007-03-09 01:02] '!AVG Anti-Spyware'='C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe' [2007-06-11 10:25] 'TkBellExe'='C:\Program Files\Common Files\Real\Update_OBealsched.exe' [2007-02-10 23:16] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'DVDXGhost'='C:\Program Files\DVD Ghost\DVDGhost.EXE' [] 'Yahoo! Pager'='C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe' [2007-08-21 00:30] 'updateMgr'='C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe' [2006-03-31 00:45] 'ctfmon.exe'='C:\WINDOWS\system32\ctfmon.exe' [2004-08-04 11:00] [HKEY_USERS\.default\software\microsoft\windows\currentversionunonce] 'RunNarrator'=Narrator.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] 'DisableRegistryTools'=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\qomjhih] qomjhih.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\sstqr] C:\WINDOWS\system32\sstqr.dll 2007-09-03 20:27 297568 C:\WINDOWS\system32\sstqr.dll R2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver;\??\C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys R3 vmkbd;VMware kbd;\??\C:\WINDOWS\system32\drivers\VMkbd.sys S3 PAC7311;VGA SoC PC-Camera;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS S3 ufad-ws60;VMware Agent Service;'C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe' -d 'C:\Program Files\VMware\VMware Workstation\' -s ufad-p2v.xml . ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-10 18:14:09 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-10 18:21:15 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-09-10 18:21 .  --- E O F ---

bamajim · Answer

pravesh125 1. Open NotePad (not wordpad). Copy and paste the following into Notepad File::C:\WINDOWS\system32qtss.bak2C:\WINDOWS\system32qtss.bak1C:\WINDOWS\system32\sstqr.dllRegistry::[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\qomjhih][-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\sstqr] Save the File as CFScript(exactly as shown no spaces) ->> Save it to your Desktop Using the Image as a reference, drag CFScript into ComboFix.exe You will be prompted to run Combofix again, Do so Following the same rules as indicated in my first post Then post the contents of the C:\ComboFix.txt log in your reply CastleCops Instructor MRU Graduate 'The world is what you make of it'

pravesh125 · Answer

Done the same....please find the log   ========================================================================== ComboFix 07-09-10.6 - 'user' 2007-09-10 23:03:21.2 - NTFSx86 Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.492 [GMT 1:00] Command switches used ::  C:\Documents and Settings\user\Desktop\CFScript.txt  * Created a new restore point FILE:: C:\WINDOWS\system32qtss.bak2 C:\WINDOWS\system32qtss.bak1 C:\WINDOWS\system32\sstqr.dll . (((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\cookies.ini C:\WINDOWS\system32\argwejlk.ini C:\WINDOWS\system32\eocireaq.dll C:\WINDOWS\system32\eysfwuvi.ini C:\WINDOWS\system32\ivuwfsye.dll C:\WINDOWS\system32\kljewgra.dll C:\WINDOWS\system32qtss.bak1 C:\WINDOWS\system32qtss.bak2 C:\WINDOWS\system32\sstqr.dll C:\WINDOWS\system32\vodfqksq.dll (((((((((((((((((((((((((   Files Created from 2007-08-10 to 2007-09-10  ))))))))))))))))))))))))))))))) . 2007-09-10 18:04 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-09 11:39 230,432 --a------ C:\PA7311.DAT 2007-09-09 11:34 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll 2007-09-09 11:34 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll 2007-09-09 11:34 53,248 --a------ C:\WINDOWS\system32\PAStiSvc.exe 2007-09-09 11:18   d-------- C:\WINDOWS\Pixart 2007-09-09 11:18   d-------- C:\Program Files\PC VGA Camera 2007-09-09 11:18   d-------- C:\Program Files\Common Files\PCCamera 2007-09-06 23:18   d-------- C:\Program Files\MegauploadToolbar 2007-09-06 23:18   d-------- C:\DOCUME~1\user\APPLIC~1\MegauploadToolbar 2007-09-06 15:08   d-------- C:\Program Files\Trend Micro 2007-09-06 14:44 0 --a------ C:\WINDOWS
sreg.dat 2007-09-05 23:34 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-09-05 17:27   d-------- C:\Program Files\Lavasoft 2007-09-05 17:27   d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft 2007-09-04 21:04 512 --a------ C:\ScanSectorLog.dat 2007-09-04 16:25 5,542,688 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-09-04 16:25 154,400 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2007-09-04 16:24   d-------- C:\DOCUME~1\user\APPLIC~1\MailFrontier 2007-09-04 16:17 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll 2007-09-04 14:20 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat 2007-09-04 14:15   d-------- C:\WINDOWS\Internet Logs 2007-09-03 20:19 50,992 -ra------ C:\WINDOWS\system32\vmnetbridge.dll 2007-09-03 20:19 437,040 --a------ C:\WINDOWS\system32\vnetlib.dll 2007-09-03 20:19 28,592 -ra------ C:\WINDOWS\system32\drivers\vmnetbridge.sys 2007-09-03 20:19 25,264 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys 2007-09-03 20:19 17,712 -ra------ C:\WINDOWS\system32\drivers\vmnet.sys 2007-09-03 20:19 16,816 -ra------ C:\WINDOWS\system32\drivers\vmnetadapter.sys 2007-09-03 20:19 150,320 --a------ C:\WINDOWS\system32\vmnat.exe 2007-09-03 20:19 13,104 -ra------ C:\WINDOWS\system32\vnetinst.dll 2007-09-03 20:19 121,648 --a------ C:\WINDOWS\system32\vmnetdhcp.exe 2007-09-03 20:18 21,040 --a------ C:\WINDOWS\system32\drivers\VMkbd.sys 2007-09-03 20:16   d-------- C:\Program Files\Common Files\VMware 2007-08-30 14:42   d-------- C:\PST 2007-08-29 18:25   d-------- C:\Program Files\FileOpen 2007-08-29 18:24   d-------- C:\DOCUME~1\user\APPLIC~1\FileOpen 2007-08-29 18:24   d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FileOpen 2007-08-28 05:26   d-------- C:\Program Files\Dell Support Center 2007-08-28 05:26   d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SupportSoft 2007-08-21 16:20 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys 2007-08-21 16:20 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys 2007-08-21 16:20 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys 2007-08-21 16:20 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys 2007-08-21 16:20 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll 2007-08-21 16:20 21,504 --a------ C:\WINDOWS\system32\hidserv.dll . ((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-09-10 23:12 --------- d-------- C:\DOCUME~1\user\APPLIC~1\VMware 2007-09-10 23:11 --------- d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\VMware 2007-09-10 23:11 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\VMware 2007-09-10 23:10 81548 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx 2007-09-10 23:10 16568 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx 2007-09-09 11:19 --------- d--h----- C:\Program Files\InstallShield Installation Information 2007-09-04 21:38 --------- d-------- C:\Program Files\CyberLink 2007-09-04 21:36 --------- d-------- C:\Program Files\iPod 2007-09-04 21:15 --------- d-------- C:\Program Files\QuickTime 2007-09-04 20:59 --------- d-------- C:\Program Files\Network Associates 2007-09-04 20:59 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Network Associates 2007-09-04 16:27 --------- d-------- C:\Program Files\Windows Media Connect 2 2007-09-03 20:16 --------- d-------- C:\Program Files\VMware 2007-08-30 19:53 --------- d-------- C:\Program Files\Google 2007-08-30 14:20 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Yahoo! 2007-08-30 14:20 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! 2007-08-30 14:19 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google 2007-08-29 18:22 --------- d-------- C:\DOCUME~1\user\APPLIC~1\AdobeUM 2007-08-25 06:43 --------- d-------- C:\Program Files\Yahoo! 2007-07-31 03:19 92504 --a------ C:\WINDOWS\system32\cdm.dll 2007-07-31 03:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll 2007-07-31 03:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-07-31 03:19 43352 --a------ C:\WINDOWS\system32\wups2.dll 2007-07-31 03:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll 2007-07-31 03:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll 2007-07-31 03:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-07-31 03:18 33624 --a------ C:\WINDOWS\system32\wups.dll 2007-07-25 07:16 --------- d-------- C:\Program Files\CONEXANT 2007-07-24 18:43 --------- d-------- C:\DOCUME~1\user\APPLIC~1\dvdcss 2007-07-23 06:40 --------- d-------- C:\Program Files\Metasploit 2007-07-23 06:18 --------- d-------- C:\Program Files\ACD 2007-07-15 10:23 --------- d-------- C:\Program Files\Crystal Decisions 2007-07-15 10:23 --------- d-------- C:\Program Files\Common Files\Crystal Decisions 2007-07-13 06:25 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Help 2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll 2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll 2007-06-13 11:23 1033216 --a------ C:\WINDOWS\explorer.exe 2002-09-09 13:02 221184 --a------ C:\Program Files\Common Files\keycode.dll . (((((((((((((((((((((((((((((   snapshot_2007-09-10_181952.00   ))))))))))))))))))))))))))))))))))))))))) . ----a-w            61,952 2006-10-17 10:58:20  C:\WINDOWS\system32\icardie.dll ----a-w            26,112 2006-06-29 07:05:44  C:\WINDOWS\system32\idndl.dll ----a-w           180,736 2006-11-07 20:03:36  C:\WINDOWS\system32\ieui.dll ----a-w            12,288 2006-10-17 10:58:32  C:\WINDOWS\system32\msfeedssync.exe ----a-w            24,576 2006-06-28 16:59:26  C:\WINDOWS\system32
lsdl.dll ----a-w            23,552 2006-06-29 07:05:44  C:\WINDOWS\system32
ormaliz.dll ----a-w            42,448 2007-09-10 21:49:42  C:\WINDOWS\system32\perfc009.dat ----a-w           317,760 2007-09-10 21:49:42  C:\WINDOWS\system32\perfh009.dat ----a-w           486,400 2007-09-10 22:11:19  C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat ----atw            16,384 2007-09-10 20:56:12  C:\WINDOWS\Temp\Perflib_Perfdata_1a0.dat . ------w            61,952 2006-10-17 10:58:20  C:\WINDOWS\system32\icardie.dll ------w            26,112 2006-06-29 07:05:44  C:\WINDOWS\system32\idndl.dll ------w           180,736 2006-11-07 20:03:36  C:\WINDOWS\system32\ieui.dll ------w            12,288 2006-10-17 10:58:32  C:\WINDOWS\system32\msfeedssync.exe ------w            24,576 2006-06-28 16:59:26  C:\WINDOWS\system32
lsdl.dll ------w            23,552 2006-06-29 07:05:44  C:\WINDOWS\system32
ormaliz.dll ----a-w            42,448 2007-09-10 17:17:58  C:\WINDOWS\system32\perfc009.dat ----a-w           317,760 2007-09-10 17:17:58  C:\WINDOWS\system32\perfh009.dat ----a-w           483,712 2007-09-10 17:13:14  C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat . (((((((((((((((((((((((((((((((((((((   Reg Loading Points   )))))))))))))))))))))))))))))))))))))))))))))))))) .   *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Broadcom Wireless Manager UI'='C:\WINDOWS\system32\WLTRAY.exe' [2005-12-19 18:08] 'SynTPEnh'='C:\Program Files\Synaptics\SynTP\SynTPEnh.exe' [2006-03-08 21:48] 'NeroFilterCheck'='C:\WINDOWS\system32\NeroCheck.exe' [2001-07-09 20:50] 'Acrobat Assistant 7.0'='C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe' [2006-01-13 04:52] 'SunJavaUpdateSched'='C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe' [2007-07-12 12:00] 'SigmatelSysTrayApp'='stsystra.exe' [2006-03-25 01:30 C:\WINDOWS\stsystra.exe] 'vmware-tray'='C:\Program Files\VMware\VMware Workstation\vmware-tray.exe' [2007-05-01 22:52] 'VMware hqtray'='C:\Program Files\VMware\VMware Workstation\hqtray.exe' [2007-05-01 22:52] 'ZoneAlarm Client'='C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe' [2007-03-09 01:02] '!AVG Anti-Spyware'='C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe' [2007-06-11 10:25] 'TkBellExe'='C:\Program Files\Common Files\Real\Update_OBealsched.exe' [2007-02-10 23:16] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'DVDXGhost'='C:\Program Files\DVD Ghost\DVDGhost.EXE' [] 'Yahoo! Pager'='C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe' [2007-08-21 00:30] 'updateMgr'='C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe' [2006-03-31 00:45] 'ctfmon.exe'='C:\WINDOWS\system32\ctfmon.exe' [2004-08-04 11:00] [HKEY_USERS\.default\software\microsoft\windows\currentversionunonce] 'RunNarrator'=Narrator.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] 'DisableRegistryTools'=0 (0x0) R2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver;\??\C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys R3 vmkbd;VMware kbd;\??\C:\WINDOWS\system32\drivers\VMkbd.sys S3 PAC7311;VGA SoC PC-Camera;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS S3 ufad-ws60;VMware Agent Service;'C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe' -d 'C:\Program Files\VMware\VMware Workstation\' -s ufad-p2v.xml . ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-10 23:12:19 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-10 23:15:30 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-09-10 23:15 C:\ComboFix2.txt ... 2007-09-10 18:21 .  --- E O F ---

bamajim · Answer

pravesh125 Excellent. Could I see a fresh Hijackthis log please. CastleCops Instructor MRU Graduate 'The world is what you make of it'

pravesh125 · Answer

hi, Please find the attached Fresh HiJackThis Log......I am not getting the add popups now and i thinks system speed also got improved.....

Just let me know your expert comments....:smileyhappy:

also if it is solved then please let me know little bit about the problem and how u analysed it......just for the sake of curiosity.....request you to please write me at pravesh125@rediffmail.com

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:24 AM, on 11/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [DVDXGhost] C:\Program Files\DVD Ghost\DVDGhost.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

--
End of file - 7432 bytes

bamajim · Answer

pravesh125

Excellent.

Here's a tool you may find useful

1. Download CCleaner from here to clean temp files from your computer.

Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced." deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.

2. You may now remove/delete/uninstall the tools we used to clean your PC

Now that your log is clean

There are some final notes:
Disable and Enable System Restore

Lets create a clean System Restore point
the instructions are here

Visit Microsoft's Windows Update Site Frequently for critical updates

Backup your Important Documents and Files on a regular basis

To a disc or a USB key, not your Hardrive

You may want to read this article" So how did I get infected in the first place" by Tony Klein

surf safe

CastleCops Instructor

MRU Graduate

"The world is what you make of it"

pravesh125 · Answer

thanks a lot for all your help.....   I have used the CCleaner for removing temp. file and also created new clean restore point also.....the reference materials you have mentioned is of great help for a person like me who is alien to system adminstration and working on OS side.....   thanks a lot again.....   CHEER!!!!!!!!

pravesh125 · Answer

Hi,

Just troubling you again....actually the system is still taking very much time to boot and intenet explorer still gives some of the errors and hangs up....i am giving u a Hijackthis log as below.....

also i am having AVG antispyware 7.5 free version and Zone alarm security suite paid version uploaded on my system.....so is it necesssary to keep only one tool running on the system or i can keep both the things....Please let me know ur views.....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:47:23 PM, on 13/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DVDXGhost] C:\Program Files\DVD Ghost\DVDGhost.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

--
End of file - 7429 bytes

bamajim · Answer

pravesh125

AVG Antispyware (free version) do you plan on upgrading? I'm not sure I understand your question.

Now if you plan on using ZoneAlarm Security suite it may conflict with McAfee and create the problem you are describing, especially if your version of McAfee has a firewall. You should only have one firewall.

To some up:

Only 1 AntiVirus program

Only 1 Firewall beside the windows firewall

AVG Anti-Spyware program is a nice addition

CastleCops Instructor

MRU Graduate

"The world is what you make of it"

Virus & Spyware

Possible Malware and Adware problem need solution

Was this post helpful?