Post #1, 11-08-2006, 04:06 PM, by SheenaEastonFan (Registered User; Morgan Hill, California; OS: Windows 2000 Professional)
First-time Malware victim - vwwdiag32 - computer runs very slow

Hi,
I am a rookie to malware. Just got infected with something called "vwwdiag32.exe". AARRGH !!!

When I log on, I get a bunch of error boxes that I have to manually closeout.

I also get a box that reads "msupd011350531.exe has generated errors and will be closed by Windows".

Also, my computer is running very slow. At a snail's pace. When I click on windows to move them, it takes 10-15 minutes to move. It's like I am stuck in concrete.

I have run Ad-Aware SE. I think I was successful.
I know I need to run Spybot, but the computer is running so slow. Also, the slow computer is having a difficult time connecting to the Internet.

Sorry for all the details. I read your tutorials, and am trying to give enough info so that you guys can help me. I'm at the "bang head against wall" stage.

I also did a HijackThis run. Attached is the log.

Logfile of HijackThis v1.99.1
Scan saved at 8:36:00 AM, on 11/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\Ati2evxx.exe
D:\Program Files\Yahoo!\Antivirus\ISafe.exe
D:\WINNT\System32\svchost.exe
D:\PROGRA~1\Iomega\System32\AppServices.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\Program Files\Yahoo!\Antivirus\VetMsg.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\explorer.exe
D:\WINNT\system32\Atiptaxx.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
D:\Program Files\BroadJump\Client Foundation\CFD.exe
D:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
D:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
D:\Program Files\Yahoo!\Antivirus\CAVTray.exe
D:\PROGRA~1\YAHOO!\browser\ycommon.exe
D:\Program Files\Yahoo!\Antivirus\CAVRID.exe
D:\PROGRA~1\YAHOO!\YOP\yop.exe
D:\Program Files\QuickTime\qttask.exe
C:\361101032252966165.exe
C:\361101032252978853.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINNT\system32\wuauclt.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\HighJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: Shell=explorer.exe " vmmdiag32.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - D:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "D:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [BJCFD] D:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] D:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CaAvTray] "D:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] D:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [WinMedia] C:\361101032252966165.exe
O4 - HKCU\..\Run: [Winstl] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstb] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstd] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstr] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsty] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstn] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstw] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstu] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstt] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstj] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstf] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsta] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstc] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstv] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstq] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstg] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstp] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsti] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstm] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsth] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winste] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstz] C:\msupd011350531.exe
O4 - HKCU\..\Run: [Winsts] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstk] C:\361101032252978853.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SBC Self Support Tool.lnk = D:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Uninstall.exe
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINNT\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0729a573...p/RdxIE601.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINNT\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - D:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - D:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - D:\Program Files\Yahoo!\Antivirus\VetMsg.exe

I know that malware generates more malware. So, what can I do to prevent this problem from spreading?

Is there any way to speed up the computer?

And what should I do next?

Thanks
Post #2, 11-11-2006, 05:33 PM, by Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Ohio; OS: WinXP and Win98se)
Hello SheenaEastonFan and welcome to TSF,

Our apologies for the delay. We'll need to go after your infections in stages.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

***************************************************

Download haxfix.exe and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with options:

1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix

Close all other open windows since this step requires a reboot
  • Select option 2. Run auto fix by typing 2 and then pressing "Enter"
If an infection is found, you'll get a message to close all other open windows.
  • Close all open windows except the red dos window from haxfix and then press "Enter"
  • The computer will reboot
  • After reboot a logfile will open > (c:\haxfix.txt)
  • Post the contents of that logfile along with a new HijackThis log.
__________________
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006
Post #3, 11-14-2006, 01:45 AM, by SheenaEastonFan
Thanks for jumping in to help me.

Here is the Haxfix text file after I did the auto fix

HAXFIX logfile - by Marckie
--------------
version 4.28
Fri 12/15/2006 0:46:44.99

--- Auto Haxdoorfix ---


searching for files:

no infections found


--- Goldunfix ---


searching for files:
wmdconf32.dll

searching for SSODLkeys:
no SSODLkeys found

searching for notifykeys:
no notifykeys found

searching for services:
no services found


.....rebooting the computer.....


searching for ssodlkeys

not needed


searching for notifykeys

not needed


searching for services

not needed


searching for safeboot services

not needed


searching for files

wmdconf32.dll exists
deleting wmdconf32.dll
wmdconf32.dll has been deleted


checking for other files

No other files found


checking for a3d files

no a3d files found


Finished


Here is the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 12:56:32 AM, on 12/15/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\Ati2evxx.exe
D:\WINNT\System32\svchost.exe
D:\PROGRA~1\Iomega\System32\AppServices.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\Atiptaxx.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
D:\Program Files\BroadJump\Client Foundation\CFD.exe
D:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
D:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
D:\Program Files\Yahoo!\Antivirus\CAVTray.exe
D:\Program Files\Yahoo!\Antivirus\CAVRID.exe
D:\PROGRA~1\YAHOO!\browser\ycommon.exe
D:\PROGRA~1\YAHOO!\YOP\yop.exe
D:\Program Files\QuickTime\qttask.exe
C:\361101032252966165.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\361101032252978853.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\HighJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - D:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "D:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [BJCFD] D:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] D:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CaAvTray] "D:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] D:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [WinMedia] C:\361101032252966165.exe
O4 - HKCU\..\Run: [Winstl] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstb] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstd] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstr] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsty] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstn] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstw] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstu] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstt] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstj] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstf] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsta] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstc] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstv] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstq] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstg] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstp] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsti] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstm] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsth] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winste] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstz] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsts] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstk] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstx] C:\361101032252978853.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Winsto] C:\361101032252978853.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SBC Self Support Tool.lnk = D:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Uninstall.exe
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINNT\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0729a573...p/RdxIE601.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINNT\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - D:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - D:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - D:\Program Files\Yahoo!\Antivirus\VetMsg.exe

What do these log files tell you?
What are the next steps?

Thank you
Post #4, 11-14-2006, 07:31 AM, by Ried
Hi,

Now we go after the rest of it--this may take a few rounds to eradicate it completely.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop** Do not run it yet.

-----------------

Download gmer from http://www.gmer.net & unzip it to desktop. Do not run it yet.

-----------------

Using Internet Explorer, download ResetTeaTimer.bat.

If you are using Firefox, right click the above link and choose ‘Save As’. Save it to your desktop.

Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

-----------------

Download LSPFix.exe

Instructions for using LSPFix
  1. Double click on LSPFix.exe to run it.
  2. Once running, you will be required to tick the disclaimer - "I know what I'm doing".
  3. You'll find a window with 2 panes.
  4. In the left pane which is labeled Keep, select all instances of sniffer.dll
  5. Then click on the arrow pointing to the right, >>.
  6. This will move the entry to the right pane labeled Remove
  7. Click the Finish button to complete the fix.
If you are unsure about removing certain files, please come back and post the filenames here and I will advise you how to proceed.

-----------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

-----------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O4 - HKCU\..\Run: [shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [WinMedia] C:\361101032252966165.exe
O4 - HKCU\..\Run: [Winstl] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstb] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstd] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstr] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsty] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstn] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstw] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstu] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstt] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstj] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstf] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsta] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstc] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstv] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstq] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstg] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstp] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsti] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstm] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsth] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winste] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstz] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsts] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstk] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstx] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsto] C:\361101032252978853.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Uninstall.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0729a573...p/RdxIE601.cab



Click 'Fix Checked' and close HijackThis.

-----------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

-----------------------------------

Using My Computer, navigate to and delete the following Files:

D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\361101032252966165.exe
C:\361101032252978853.exe


-----------------------------------

Clear your Temp and Temporary Internet Files:
  • Go to Start > Run and type cleanmgr in the box. Let it scan your system for files to remove.
  • Make sure Temporary Internet Files and Temporary Files are checked and click OK.

-----------------------------------


Reboot into Normal Mode.

-----------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


-----------------------------------

Launch gmer.exe by double-clicking it. Select the rootkit tab & make sure the 'Show All' button is unticked.

Press scan & when it has finished press copy & paste the log back here

-----------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


-----------------------------------

Run a new scan with HijackThis and save the log.

-----------------------------------

Please include the following in your next reply:

Panda results
ComboFix.txt
New HijackThis log
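The triage the analyst performs between the log in post #1 and the "Fix Checked" list in post #4, as an added example (the editor's own Python; it is not HijackThis, LSPFix, or anything the analyst or poster ran). It reads a trimmed excerpt of the log actually posted in this thread and flags the same classes of entry the analyst selects: the system.ini Shell= line that starts a second program at logon (F2), the unknown Winsock LSP (O10, which the analyst hands to LSPFix rather than HijackThis because deleting an LSP DLL without repairing the catalog chain breaks all networking), Run values that start executables from a drive root or under generated file names, one file registered under many Run value names, and bare executables in the Startup folders. The heuristics, the Finding type and the function names are the editor's assumptions, not HijackThis rules; the vendor entries (AtiPTA, QuickTime, TeaTimer, the CA service) are kept in the excerpt as negatives.

```python
"""Triage a HijackThis 1.99 log the way the analyst in this thread does.

Added example (editor's own code). Heuristics are assumptions chosen to
match the entries marked for 'Fix Checked' in post #4; the excerpt below
is copied from the log in post #1, trimmed, with one O10 repeat kept.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterator, List, Optional, Set, Tuple

HJT_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe " vmmdiag32.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [WinMedia] C:\361101032252966165.exe
O4 - HKCU\..\Run: [Winstl] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstb] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstd] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstz] C:\msupd011350531.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Uninstall.exe
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - D:\Program Files\Yahoo!\Antivirus\ISafe.exe
"""

_ENTRY_RE = re.compile(r'^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$')
_RUN_RE = re.compile(r'^\[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
_EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)   # first .exe, quotes/args dropped
_ROOT_EXE_RE = re.compile(r'^[A-Za-z]:\\[^\\]+\.exe$', re.IGNORECASE)  # C:\something.exe
_AUTOGEN_RE = re.compile(r'^[a-z]{0,6}\d{5,}$', re.IGNORECASE)  # 3611..., msupd0113..., ibm00001


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code (F2, O4, O10, ...)
    line: str      # log line exactly as posted
    reason: str


def parse_hjt(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, body, raw_line) for every HijackThis entry line."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = _ENTRY_RE.match(raw)
        if m:
            yield m.group('sec'), m.group('body'), raw


def _exe_in(command: str) -> Optional[str]:
    m = _EXE_RE.search(command)
    return m.group('path') if m else None


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    seen: Set[str] = set()
    by_target = defaultdict(list)   # lower-cased exe path -> raw Run lines

    def flag(sec: str, raw: str, reason: str) -> None:
        if raw not in seen:          # O10 repeats once per LSP layer; report it once
            seen.add(raw)
            findings.append(Finding(sec, raw, reason))

    for sec, body, raw in parse_hjt(text):
        if sec == 'F2' and 'Shell=' in body:
            # Anything besides explorer.exe in Shell= is started at every logon.
            extra = [t for t in re.split(r'[\s"]+', body.split('Shell=', 1)[1])
                     if t and t.lower() != 'explorer.exe']
            if extra:
                flag(sec, raw, 'system.ini Shell= loads extra program(s): ' + ', '.join(extra))
        elif sec == 'O10' and 'Unknown file in Winsock LSP' in body:
            flag(sec, raw, 'unknown Winsock LSP; remove with LSPFix, not HijackThis, '
                           'so the catalog chain stays intact')
        elif sec == 'O4':
            loc, _, item = body.partition(': ')
            if 'Run' in loc:
                m = _RUN_RE.match(item)
                exe = _exe_in(m.group('cmd')) if m else None
                if not exe:
                    continue
                stem = exe.rsplit('\\', 1)[-1][:-4]
                by_target[exe.lower()].append(raw)
                if _ROOT_EXE_RE.match(exe):
                    flag(sec, raw, 'Run value starts an executable in a drive root')
                elif _AUTOGEN_RE.match(stem):
                    flag(sec, raw, 'Run value starts a file with a generated name: ' + stem)
            elif loc in ('Startup', 'Global Startup') and '.lnk' not in item.lower():
                flag(sec, raw, 'bare executable in a Startup folder (normally only shortcuts)')

    # One file under many value names (Winstl, Winstb, ...) is a tell on its own.
    for exe, raws in by_target.items():
        if len(raws) >= 3:
            for raw in raws:
                flag('O4', raw, f'{exe} registered under {len(raws)} different Run values')
    return findings


def flagged_lines(text: str) -> Set[str]:
    return {f.line for f in triage(text)}


if __name__ == '__main__':
    for f in triage(HJT_LOG):
        print(f'{f.section:4} {f.reason}\n     {f.line}')
```

On a full log, pass the whole file to triage(). The R1 and O16 entries the analyst also lists need context the log alone does not give (ISP-branded search settings, an old RealPlayer download control), so the script does not try to judge them.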
Post #5, 11-14-2006, 11:22 AM, by SheenaEastonFan
My infected laptop cannot connect to the Internet. So, I cannot perform the online scan using Panda ActiveScan.

How can I get around this problem?

Is there another solution?

Thanks for your help.
Post #6, 11-14-2006, 03:53 PM, by Ried
Skip the online scan and please post the following logs:

gmer results
ComboFix.txt
New HijackThis log
Copyright 2001 - 2008, Tech Support Forum