Hjt From A Friends Machine



I ran HJT between uninstalling AVG Free and installing the Kaspersky free trial.

Please check it out and let me know what the prognosis is. AVG shows clean, but online scanners at Symantec and Trend Micro show virus/spyware. I have AVG Anti-Spyware installed and have run it. CCleaner ran and cleaned. I also have LogMeIn free installed.

Logfile of HijackThis v1.99.1
Scan saved at 12:53:18 PM, on 1/3/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINNT\Explorer.EXE
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINNT\System32\lxcrcoms.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\__APG\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.apgwireless.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {18310473-AB99-4217-B9FB-082EC3028FCa} - C:\WINNT\System32\ydnrcfdi.dll
O2 - BHO: (no name) - {2272BFB6-662C-4445-B131-E563D2106D65} - C:\WINNT\System32\ydnrcfdi.dll
O2 - BHO: (no name) - {421E9005-BF97-4839-AB5B-9143A18F3D46} - C:\WINNT\system32\qdclmqkn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59689CE1-2B52-449E-9AE2-5144CDC4C3D2} - C:\WINNT\system32\qdclmqkn.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: CIEPl Object - {DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - C:\WINNT\System32\ntload32.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O20 - AppInit_DLLs:
O20 - Winlogon Notify: atvcjkjt - C:\WINNT\SYSTEM32\qdclmqkn.dll
O20 - Winlogon Notify: brheosie - brheosie.dll (file missing)
O20 - Winlogon Notify: cenwsjgd - cenwsjgd.dll (file missing)
O20 - Winlogon Notify: dmelpcyq - dmelpcyq.dll (file missing)
O20 - Winlogon Notify: dpjcqjcv - C:\WINNT\SYSTEM32\dpjcqjcv.dll
O20 - Winlogon Notify: eajcdniv - eajcdniv.dll (file missing)
O20 - Winlogon Notify: eytkiagb - C:\WINNT\SYSTEM32\eytkiagb.dll
O20 - Winlogon Notify: gmgvvexb - gmgvvexb.dll (file missing)
O20 - Winlogon Notify: hdhrbemo - C:\WINNT\SYSTEM32\hdhrbemo.dll
O20 - Winlogon Notify: hekfolfp - C:\WINNT\SYSTEM32\hekfolfp.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ihevtxyq - C:\WINNT\SYSTEM32\ihevtxyq.dll
O20 - Winlogon Notify: LMIinit - C:\WINNT\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: lwrkhshv - lwrkhshv.dll (file missing)
O20 - Winlogon Notify: ntload32 - ntload32.dll (file missing)
O20 - Winlogon Notify: ogxciloj - ogxciloj.dll (file missing)
O20 - Winlogon Notify: pvsavvkq - C:\WINNT\SYSTEM32\pvsavvkq.dll
O20 - Winlogon Notify: qyugoyeg - qyugoyeg.dll (file missing)
O20 - Winlogon Notify: thotmwdy - C:\WINNT\SYSTEM32\thotmwdy.dll
O20 - Winlogon Notify: txlkfgra - txlkfgra.dll (file missing)
O20 - Winlogon Notify: uacijuwp - uacijuwp.dll (file missing)
O20 - Winlogon Notify: ukddeoie - ukddeoie.dll (file missing)
O20 - Winlogon Notify: vspnicfb - C:\WINNT\SYSTEM32\vspnicfb.dll
O20 - Winlogon Notify: vydehyul - C:\WINNT\SYSTEM32\vydehyul.dll
O20 - Winlogon Notify: wddbvaor - C:\WINNT\SYSTEM32\wddbvaor.dll
O20 - Winlogon Notify: wkjlmfhj - wkjlmfhj.dll (file missing)
O20 - Winlogon Notify: yaqqwhkp - C:\WINNT\SYSTEM32\qdclmqkn.dll
O20 - Winlogon Notify: ypyofita - ypyofita.dll (file missing)
O21 - SSODL: IEFilter - {20D4CE14-224C-46DF-ABFF-7B058272BD2B} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: lxcr_device - - C:\WINNT\System32\lxcrcoms.exe
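The pattern the helper below keys on is visible in the O2 and O20 lines: unnamed BHOs loading from System32, and Winlogon Notify entries with eight-letter pseudo-random names, several of them pointing at the same DLL. As an added example (not code from this thread or from HijackThis), the triage script below parses a subset of the log lines above and reproduces that reasoning: it groups flagged entries by the DLL they load, so the analyst sees which files are worth submitting, and separates "(file missing)" entries, which are only stale registry keys. The allowlist of legitimate Notify keys and the eight-lowercase-letter heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Subset of the O2/O20 lines from the log above (constructed sample input).
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {18310473-AB99-4217-B9FB-082EC3028FCa} - C:\WINNT\System32\ydnrcfdi.dll
O2 - BHO: (no name) - {2272BFB6-662C-4445-B131-E563D2106D65} - C:\WINNT\System32\ydnrcfdi.dll
O2 - BHO: (no name) - {421E9005-BF97-4839-AB5B-9143A18F3D46} - C:\WINNT\system32\qdclmqkn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: atvcjkjt - C:\WINNT\SYSTEM32\qdclmqkn.dll
O20 - Winlogon Notify: brheosie - brheosie.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: LMIinit - C:\WINNT\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: pvsavvkq - C:\WINNT\SYSTEM32\pvsavvkq.dll
O20 - Winlogon Notify: yaqqwhkp - C:\WINNT\SYSTEM32\qdclmqkn.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")

# Assumed allowlist: Notify keys that are legitimate on this machine (Intel graphics, LogMeIn).
KNOWN_NOTIFY = {"igfxcui", "lmiinit"}
# Assumed heuristic: eight random lowercase letters, as in the log's suspicious entries.
RANDOM_NAME = re.compile(r"^[a-z]{8}$")


def dll_name(path):
    """Lower-cased file name from a log path, with any '(file missing)' marker dropped."""
    return path.replace("(file missing)", "").strip().split("\\")[-1].lower()


def triage(log_text):
    """Return (suspicious, orphans): suspicious maps dll -> set of entries loading it;
    orphans lists Notify keys whose DLL is already gone (registry cleanup only)."""
    suspicious = defaultdict(set)
    orphans = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            # An unnamed BHO living in System32 is the classic sign seen in this log.
            if m.group("name") == "(no name)" and "\\system32\\" in m.group("path").lower():
                suspicious[dll_name(m.group("path"))].add("O2:" + m.group("clsid"))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            key, path = m.group("key"), m.group("path")
            if "(file missing)" in path:
                orphans.append(key)  # nothing on disk to upload, just a dead key
            elif RANDOM_NAME.match(key) and key.lower() not in KNOWN_NOTIFY:
                suspicious[dll_name(path)].add("O20:" + key)
    return dict(suspicious), orphans
```

Run against the sample, `triage` returns exactly the three DLLs the helper asks to have uploaded (ydnrcfdi.dll, qdclmqkn.dll, pvsavvkq.dll), with qdclmqkn.dll loaded from three separate entries.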


Please go here to upload a suspicious file for analysis.

  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\WINNT\System32\ydnrcfdi.dll
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File

Do the same for...

C:\WINNT\system32\qdclmqkn.dll

C:\WINNT\SYSTEM32\pvsavvkq.dll

C:\WINNT\SYSTEM32\qdclmqkn.dll


Submitted

Edited by mikex

Open HijackThis and go to the Misc Tools Section

Click on Open ADS Spy

Uncheck the 2 boxes in the top left of the window:

  • Quick Scan (Windows base folder only)
  • Ignore Safe System Info Streams

Click Scan--> Once completed--> Click Save Log and save it to the desktop.

Post that log in the next reply please.

Download Combofix to your Root Drive C:\ (It must be on the Root Drive!)

http://download.bleepingcomputer.com/sUBs/combofix.exe

Click Start--> Click Run--> Copy & Paste the bold text below into the open run box and click OK.

%systemdrive%\combofix.exe /v ydnrcfdi qdclmqkn wddbvaor vydehyul vspnicfb thotmwdy pvsavvkq ihevtxyq igfxsrvc hekfolfp hdhrbemo eytkiagb dpjcqjcv qdclmqkn

When the DOS window appears, type in Y and hit Enter.

Allow ComboFix to run and do its thing.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt.
