
Thread: A couple of problems

  1. #1
    Junior Member
    Join Date
    Jun 2007
    Posts
    16

A couple of problems

Hey, I got a trojan the other day and I've been attempting to remove it myself for a while. I thought I had successfully done so, but now Spyware Doctor (free version) is going crazy telling me it's blocking malicious action from rundll32.exe, and Spybot S&D is going mad telling me that it has blocked registry changes. Any help would be greatly appreciated.

    Here is my Hijackthis log.


    Logfile of HijackThis v1.99.1
    Scan saved at 3:52:03 PM, on 6/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16441)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\csrss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\Program Files\PC Tools Firewall Plus\FWService.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\Program Files\AIM\aim.exe
    C:\windows\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\windows\System32\svchost.exe
    C:\windows\System32\alg.exe
    C:\windows\TEMP\win8D.tmp.exe
    C:\Program Files\Starcraft\StarCraft.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\windows\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Alex\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

  2. #2
    Junior Member
    Join Date
    Jun 2007
    Posts
    16


Ooh, forgot to mention. Every time I run Spybot S&D I keep getting Smitfraud-C.Toolbar888. If someone could help me remove it without the reformatting approach I'd be most appreciative.

  3. #3
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,952


    Hello axel and welcome to the Forums

    Please post the Spybot S&D log to here.

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  4. #4
    Junior Member
    Join Date
    Jun 2007
    Posts
    16


    Thanks for the help.

    "Alex" - 2007-06-04 18:41:04 Service Pack 2 NTFS
    ComboFix 07-06-3 - Running from: "C:\Documents and Settings\Alex\Desktop\"


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\windows\system32\jkkjk.dll
    C:\windows\system32\winrkq32.dll
    C:\WINDOWS\system32\kjkkj.ini


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    -- Purity Folders:
    C:\Program Files\ASEMBL~1
    C:\Program Files\Common Files\ICROSO~1
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\Terms.rtf
    C:\Program Files\winupdates
    C:\windows\smgr.exe
    C:\windows\system32\wapisvit.exe
    C:\windows\wr.txt


    ((((((((((((((((((((((((( Files Created from 2007-05-04 to 2007-06-04 )))))))))))))))))))))))))))))))


    2007-06-04 15:37 33,302 --a------ C:\WINDOWS\system32\jkkijkj.dll
    2007-06-04 12:13 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2007-06-04 12:13 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2007-06-04 12:13 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2007-06-04 12:13 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
    2007-06-04 12:13 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2007-06-04 12:13 <DIR> d-------- C:\Program Files\Spyware Doctor
    2007-06-04 12:13 <DIR> d-------- C:\DOCUME~1\Alex\APPLIC~1\PC Tools
    2007-06-04 12:06 <DIR> d-------- C:\DOCUME~1\Alex\APPLIC~1\PCToolsFirewallPlus
    2007-06-04 12:04 55,904 --a------ C:\WINDOWS\system32\drivers\pctfw.sys
    2007-06-04 12:04 100,448 --a------ C:\WINDOWS\system32\drivers\pctfw1.sys
    2007-06-04 12:04 <DIR> d-------- C:\Program Files\PC Tools Firewall Plus
    2007-06-03 19:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
    2007-06-03 18:53 <DIR> d-------- C:\DOCUME~1\Alex\.housecall6.6
    2007-06-03 18:47 <DIR> d-------- C:\DOCUME~1\Alex\APPLIC~1\Uniblue
    2007-06-03 18:41 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-06-03 18:41 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-06-03 18:41 1,344 --a------ C:\WINDOWS\system32\tmp.reg
    2007-06-03 18:26 <DIR> d-------- C:\VundoFix Backups
    2007-06-03 16:26 60,928 --a------ C:\WINDOWS\system32\nkyiqg.dll
    2007-06-03 16:26 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\claruxeb.exe
    2007-06-03 16:26 28,160 --a------ C:\WINDOWS\system32\winsys64.exe
    2007-06-01 17:56 967 --a------ C:\WINDOWS\ScUnin.pif
    2007-06-01 17:56 68,096 --a------ C:\WINDOWS\ScUnin.exe
    2007-06-01 17:56 51,482 --a------ C:\WINDOWS\scunin.dat
    2007-06-01 17:37 <DIR> d-------- C:\Program Files\Starcraft
    2007-05-30 20:18 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
    2007-05-21 00:35 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
    2007-05-21 00:35 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
    2007-05-21 00:35 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
    2007-05-21 00:35 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
    2007-05-21 00:35 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
    2007-05-21 00:35 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
    2007-05-21 00:35 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
    2007-05-21 00:34 <DIR> d-------- C:\Program Files\Sony
    2007-05-10 03:04 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-05-07 09:56 <DIR> d-------- C:\DOCUME~1\Alex\APPLIC~1\GraphPad Software


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-04 22:45:46 384 ----a-w C:\windows\system32\DVCStateBkp-{00000001-00000000-00000002-00001102-00000004-10031102}.dat
    2007-06-04 22:45:46 384 ----a-w C:\windows\system32\DVCState-{00000001-00000000-00000002-00001102-00000004-10031102}.dat
    2007-06-04 21:16:00 1,984 ----a-w C:\windows\system32\d3d9caps.dat
    2007-06-04 15:56:40 -------- d-----w C:\Program Files\WinISO
    2007-06-04 15:55:40 -------- d-----w C:\Program Files\SmartFTP Client 2.0
    2007-06-04 15:55:25 -------- d-----w C:\Program Files\SmartFTP Client 2.0 Setup Files
    2007-06-04 03:56:25 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-06-04 03:56:19 -------- d-----w C:\Program Files\ASUS
    2007-06-04 03:56:08 -------- d-----w C:\Program Files\Citrix
    2007-06-03 22:57:50 -------- d-----w C:\Program Files\Network Associates
    2007-05-30 04:40:40 -------- d-----w C:\Program Files\Winamp
    2007-04-18 16:12:23 2,854,400 ----a-w C:\windows\system32\msi.dll
    2007-04-17 02:47:36 33,624 ----a-w C:\windows\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\windows\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\windows\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\windows\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\windows\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\windows\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\windows\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\windows\system32\wups2.dll
    2007-04-17 02:44:20 271,224 ----a-w C:\windows\system32\mucltui.dll
    2007-04-17 02:44:18 208,248 ----a-w C:\windows\system32\muweb.dll
    2007-04-08 01:48:39 -------- d-----w C:\DOCUME~1\Alex\APPLIC~1\ICAClient
    2007-03-17 13:43:01 292,864 ----a-w C:\windows\system32\winsrv.dll
    2007-03-08 15:36:28 577,536 ----a-w C:\windows\system32\user32.dll
    2007-03-08 15:36:28 40,960 ----a-w C:\windows\system32\mf3216.dll
    2007-03-08 15:36:28 281,600 ----a-w C:\windows\system32\gdi32.dll
    2007-03-08 13:47:48 1,843,584 ----a-w C:\windows\system32\win32k.sys
    2007-03-07 23:51:00 129,784 ------w C:\windows\system32\pxafs.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {08C134D3-087C-4139-A98C-3A078358DFDE}=C:\windows\system32\jkkijkj.dll [2007-06-04 15:37]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 10:57]
    "00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [2007-04-18 16:36]
    "SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-05-17 12:02]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]
    "ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 03:56]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{08C134D3-087C-4139-A98C-3A078358DFDE}"="C:\windows\system32\jkkijkj.dll" [2007-06-04 15:37]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkijkj]
    jkkijkj.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjk]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]


    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Alex^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\claruxeb.exe]
    C:\Documents and Settings\All Users\Application Data\claruxeb.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Etbs]
    "C:\windows\$NtServicePackUninstall$\regsvr32.exe" -vt ndrv

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jnew]
    "C:\Program Files\a?sembly\?xplorer.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
    "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outlook Mail Services]
    express.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
    "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    "C:\Program Files\Dell\Media Experience\PCMService.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTunerStartupDaemon]
    "C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe" /S

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager]
    smanager.7.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
    smgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TeoSoft AntiSpyware Pro FREE TEST]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ULNLA]
    c:\program files\ULNLA\ULNLA.exe 131

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewpointPhotosDeviceConnect]
    C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.6.0\FotomatDeviceConnect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    C:\Program Files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Symantec AntiVirus"=2 (0x2)
    "SPBBCSvc"=3 (0x3)
    "SNDSrvc"=3 (0x3)
    "SavRoam"=3 (0x3)
    "McTaskManager"=2 (0x2)
    "McShield"=2 (0x2)
    "McAfeeFramework"=2 (0x2)
    "iPodService"=3 (0x3)
    "IDriverT"=3 (0x3)
    "DefWatch"=2 (0x2)
    "ccSetMgr"=2 (0x2)
    "ccPwdSvc"=3 (0x3)
    "ccEvtMgr"=2 (0x2)
    "ATI Smart"=2 (0x2)
    "Ati HotKey Poller"=2 (0x2)
    "ose"=3 (0x3)
    "Adobe LM Service"=3 (0x3)
    "Pml Driver HPZ12"=2 (0x2)
    "iPod Service"=3 (0x3)
    "gusvc"=3 (0x3)

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{941d2ec1-1631-11da-96a7-806d6172696f}]
    AutoRun\command- E:\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc5a1f71-2225-11da-88a0-0011112811d9}]
    AutoRun\command- I:\autorun.exe


    Contents of the 'Scheduled Tasks' folder
    2007-05-30 18:13:00 C:\windows\tasks\AppleSoftwareUpdate.job

    **************************************************************************

    catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-04 18:47:14
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-04 18:50:30 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-06-04 18:50

    --- E O F ---

  5. #5
    Junior Member
    Join Date
    Jun 2007
    Posts
    16


Oh good, the computer is also randomly restarting. This happens mostly whenever I try to download something. Lately it's been either attempting to update B-Net or downloading the iTunes installer.

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,952


    Ok...

One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this article too.

    Download SDFix and save it to your desktop.

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
    • Open the extracted folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer than normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  7. #7
    Junior Member
    Join Date
    Jun 2007
    Posts
    16


Thanks a lot for the help! Just a couple of questions: what kind of changes can I expect? I noticed a lot of my bookmarks were deleted; that's no big deal though. What about saved passwords and such?

    Hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:46:11 PM, on 6/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16441)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\csrss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\Program Files\PC Tools Firewall Plus\FWService.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\windows\System32\svchost.exe
    C:\windows\System32\alg.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\wuauclt.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\AIM\aim.exe
    C:\windows\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\Documents and Settings\Alex\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

    SDFix log:


    SDFix: Version 1.86

    Run by Alex - Wed 06/06/2007 - 17:31:11.01

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\sdfix\SDFix

    Safe Mode:
    Checking Services:






    Restoring Windows Registry Values
    Restoring Windows Default Hosts File
    Restoring Missing SharedAccess Service

    Rebooting...


    Normal Mode:
    Checking Files:

    No Trojan Files Found




    Removing Temp Files...

    ADS Check:

    Checking if ADS is attached to system32 Folder
    C:\windows\system32
    No streams found.

    Checking if ADS is attached to svchost.exe
    C:\windows\system32\svchost.exe
    No streams found.

    Checking if ADS is attached to ntoskrnl.exe
    C:\windows\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    Remaining Files:
    ---------------


    Listing Files with Hidden Attributes:

    C:\WINDOWS\system32\ddccy.dll
    C:\WINDOWS\system32\jkklk.dll
    C:\WINDOWS\system32\ssqpn.dll
    C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp
    C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\19fd80404722a6ad3b8dfeb8c06ee71e\BIT87.tmp

    Listing User Accounts:

    User accounts for \\SCAPEGOAT

    Administrator Alex ASPNET
    Dave Guest HelpAssistant
    SUPPORT_388945a0


    Finished

The cleanup check thing that it asked me to do afterwards:

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-06 17:49:12
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,952


Well, some settings might be restored to the defaults. This is normal. Passwords might get deleted too when we clean the temporary folders & files...

    Create a new folder for HijackThis and move HijackThis.exe into it.

Rename HijackThis.exe to Scanner.exe.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files; click YES.
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis (scanner.exe) log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  9. #9
    Junior Member
    Join Date
    Jun 2007
    Posts
    16


    All done:

    VundoFix:


    VundoFix V6.4.2

    Checking Java version...

    Java version is 1.5.0.4
    Old versions of java are exploitable and should be removed.

    Scan started at 11:28:54 PM 6/7/2007

    Listing files found while scanning....

    C:\windows\system32\ddccy.dll
    C:\windows\system32\dgjlm.ini
    C:\windows\system32\jkkijkj.dll
    C:\windows\system32\jkklk.dll
    C:\windows\system32\mljgd.dll
    C:\windows\system32\ssqpn.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\ddccy.dll
    C:\windows\system32\ddccy.dll Has been deleted!

    Attempting to delete C:\windows\system32\dgjlm.ini
    C:\windows\system32\dgjlm.ini Has been deleted!

    Attempting to delete C:\windows\system32\jkkijkj.dll
    C:\windows\system32\jkkijkj.dll Could not be deleted.

    Attempting to delete C:\windows\system32\jkklk.dll
    C:\windows\system32\jkklk.dll Has been deleted!

    Attempting to delete C:\windows\system32\mljgd.dll
    C:\windows\system32\mljgd.dll Could not be deleted.

    Attempting to delete C:\windows\system32\ssqpn.dll
    C:\windows\system32\ssqpn.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\windows\system32\jkkijkj.dll
    C:\windows\system32\jkkijkj.dll Has been deleted!

    Attempting to delete C:\windows\system32\mljgd.dll
    C:\windows\system32\mljgd.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    New HiJack (scanner.exe)

    Logfile of HijackThis v1.99.1
    Scan saved at 11:40:30 PM, on 6/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16441)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\Program Files\PC Tools Firewall Plus\FWService.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\windows\System32\svchost.exe
    C:\windows\Explorer.EXE
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
    C:\Program Files\AIM\aim.exe
    C:\windows\system32\ctfmon.exe
    C:\windows\system32\wuauclt.exe
    C:\Documents and Settings\Alex\Desktop\Blarg\scanner.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
    O2 - BHO: (no name) - {F04D3FF5-4877-4A24-9B73-E10C41C91FFD} - C:\windows\system32\mljgd.dll (file missing)
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
    O20 - Winlogon Notify: jkkjk - C:\windows\
    O20 - Winlogon Notify: NavLogon - C:\windows\
    O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe

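    As an added triage example (not from this thread, and not part of HijackThis, VundoFix or any other tool mentioned here), the script below reads the O2 (BHO) and O20 (Winlogon Notify) lines of the scanner.exe log above and flags the kind of leftovers a helper looks for after a Vundo cleanup: BHO registrations whose file is gone, and Winlogon Notify entries whose path names no DLL at all. The sample lines are copied from the log above; the random-name heuristic, the all-zero CLSID in the second check, and every function name are the example's own assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass

# Constructed subset of the post-VundoFix HijackThis log above: only the
# O2/O4/O20 lines are needed for this check.
SAMPLE_LOG = [
    "O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll",
    "O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)",
    "O2 - BHO: (no name) - {F04D3FF5-4877-4A24-9B73-E10C41C91FFD} - C:\\windows\\system32\\mljgd.dll (file missing)",
    "O4 - HKLM\\..\\Run: [DAEMON Tools] \"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033",
    "O20 - Winlogon Notify: jkkjk - C:\\windows\\",
    "O20 - Winlogon Notify: NavLogon - C:\\windows\\",
    "O20 - Winlogon Notify: WgaLogon - C:\\windows\\SYSTEM32\\WgaLogon.dll",
]

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Heuristic (an assumption of this example, not a HijackThis rule): a 5-7
# letter all-lowercase module name is the naming pattern of the files the
# VundoFix listing above removed (ddccy, jkklk, mljgd, ssqpn).
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,7}$")


@dataclass
class Finding:
    section: str   # "O2" or "O20"
    name: str      # CLSID for a BHO, subkey name for a Winlogon Notify entry
    path: str      # path column as HijackThis printed it
    reason: str


def _stem(path):
    """File name without directory or extension, e.g. 'mljgd' for ...\\mljgd.dll."""
    return path.rstrip("\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def check_bho(m):
    path = m.group("path")
    if path == "(no file)" or path.endswith("(file missing)"):
        return "orphaned BHO registration: CLSID %s points at a file that no longer exists" % m.group("clsid")
    if RANDOM_NAME_RE.match(_stem(path)):
        return "BHO module name matches the random-name heuristic"
    return None


def check_notify(m):
    name, path = m.group("name"), m.group("path")
    if path.endswith("\\"):  # HijackThis printed a directory only, no DLL to inspect
        return "Winlogon Notify entry names no DLL (directory only); locate the module by hand"
    if RANDOM_NAME_RE.match(name):
        return "Winlogon Notify name matches the random-name heuristic"
    return None


def triage(lines):
    """Return the list of Findings for the O2/O20 lines; other sections are ignored."""
    findings = []
    for line in lines:
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            reason = check_bho(m)
            if reason:
                findings.append(Finding("O2", m.group("clsid"), m.group("path"), reason))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            reason = check_notify(m)
            if reason:
                findings.append(Finding("O20", m.group("name"), m.group("path"), reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name}: {f.reason} [{f.path}]")
```

    On the log above this reports the two BHO entries with no backing file (the CLSIDs still registered after VundoFix deleted mljgd.dll) and the two Winlogon Notify entries that show only C:\windows\ rather than a DLL; SDHelper.dll and WgaLogon.dll pass. A directory-only O20 line is a prompt to look further, not proof of infection, which is why the reason text says to locate the module by hand.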
  10. #10
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,952

    Default

    Ok...

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
