
Thread: Fake Security Panel and Random Popups

  1. #11
    Security Expert: Visiting Fellow
    Join Date
    Jul 2007
    Posts
    703

    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, double-click on SmitfraudFix.exe
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
    A text file will appear on screen, with results from the cleaning process; please copy/paste the content of that report into your next reply, along with a new HijackThis log.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non-infected computer will remove your Desktop background.

  2. #12
    Junior Member
    Join Date
    Nov 2007
    Posts
    11

    SmitFraudFix v2.253

    Scan done at 17:47:22.85, Wed 11/21/2007
    Run from C:\Documents and Settings\Matthew\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\se_spoof.dll Deleted
    C:\WINDOWS\shell.exe Deleted
    C:\WINDOWS\system32\printer.exe Deleted
    C:\WINDOWS\system32\spoolvs.exe Deleted
    C:\WINDOWS\system32\drvzej.dll Deleted
    C:\DOCUME~1\Matthew\STARTM~1\Programs\Startup\findfast.exe Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{279EFEA2-AB86-4425-A925-FBE0224869E8}: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{279EFEA2-AB86-4425-A925-FBE0224869E8}: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{279EFEA2-AB86-4425-A925-FBE0224869E8}: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

  3. #13
    Junior Member
    Join Date
    Nov 2007
    Posts
    11

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:59:53 PM, on 11/21/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\mjjuaisv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\Program Files\SecCenter\scprot4.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Matthew\Application Data\F?nts\?ti2evxx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\TEMP\win40.exe
    C:\PROGRA~1\COMMON~1\MCROSO~1.NET\wuauboot.exe
    C:\WINDOWS\mgrs.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go/notebookaccessories
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [ipmzopod] rundll32.exe "C:\Program Files\yfqhqbur\apghebiz.dll",Init
    O4 - HKLM\..\Run: [jsdyvenu] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\jsdyvenu.dll"
    O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [09ed7103] rundll32.exe "C:\WINDOWS\system32\wbrxrigq.dll",b
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvfat.dll,startup
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win40.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Qcfri] "C:\Documents and Settings\Matthew\Application Data\F?nts\?ti2evxx.exe"
    O4 - HKCU\..\Run: [Tbsa] "C:\PROGRA~1\COMMON~1\MCROSO~1.NET\wuauboot.exe" -vt yazb
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1156092615015
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\mjjuaisv.exe
    O23 - Service: Freenet 0.7 darknet (freenet-darknet) - Unknown owner - C:\Program Files\freenet\bin\wrapper-windows-x86-32.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    --
    End of file - 6132 bytes
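Several entries in the log above are named to pass a quick glance: spoolvs.exe next to the real spoolsv.exe, ?ti2evxx.exe (HijackThis prints ? for a character it cannot render) next to Ati2evxx.exe, a Run value called avp that points into TEMP, and eight-letter throwaway names like yfqhqbur. Added example, not code from this thread or from HijackThis: a Python triage of HijackThis lines using a constructed allowlist of system binaries (an assumption, not a complete inventory) and a heuristic for machine-generated names.

```python
import re
from typing import Dict, List

# Constructed allowlist of legitimate names the malware on this page imitates.
# It is an assumption for the example, not a complete Windows inventory.
SYSTEM_BINARIES = (
    'ati2evxx.exe', 'ctfmon.exe', 'explorer.exe', 'lsass.exe', 'services.exe',
    'smss.exe', 'spoolsv.exe', 'svchost.exe', 'winlogon.exe', 'wscntfy.exe',
    'wuauclt.exe',
)
KNOWN_STEMS = {n.rsplit('.', 1)[0] for n in SYSTEM_BINARIES}

# Drive-letter paths ending in .exe/.dll, as they appear in process and O4 lines.
RE_PATH = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll)', re.IGNORECASE)
# "regsvr32 /u <dll>" in a Run entry unregisters a DLL at every logon.
RE_REGSVR_U = re.compile(r'\bregsvr32(?:\.exe)?\s+/u\b', re.IGNORECASE)
RE_EIGHT_LOWER = re.compile(r'[a-z]{8}')

# Sample lines copied from the HijackThis logs in this thread (constructed subset).
SAMPLE_LINES = [
    r'C:\WINDOWS\system32\Ati2evxx.exe',
    r'C:\WINDOWS\system32\spoolsv.exe',
    r'C:\WINDOWS\system32\mjjuaisv.exe',
    r'C:\Documents and Settings\Matthew\Application Data\F?nts\?ti2evxx.exe',
    r'O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe',
    r'O4 - HKLM\..\Run: [ipmzopod] rundll32.exe "C:\Program Files\yfqhqbur\apghebiz.dll",Init',
    r'O4 - HKLM\..\Run: [jsdyvenu] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\jsdyvenu.dll"',
    r'O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win40.exe',
    r'C:\WINDOWS\system32\spoolvs.exe',
]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so spoolvs.exe is one step away from spoolsv.exe."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def looks_random(component: str) -> bool:
    """Heuristic for the all-lowercase eight-letter names this infection generates
    (yfqhqbur, apghebiz, jsdyvenu, ...): a four-consonant run or a rare letter."""
    stem = component.rsplit('.', 1)[0]
    if component != component.lower() or stem in KNOWN_STEMS:
        return False
    if not RE_EIGHT_LOWER.fullmatch(stem):
        return False
    return bool(re.search(r'[b-df-hj-np-tv-z]{4}', stem) or re.search(r'[jqxz]', stem))


def triage_line(line: str) -> List[str]:
    """Return short reason codes for why a HijackThis line deserves a look."""
    reasons: List[str] = []
    if RE_REGSVR_U.search(line):
        reasons.append('regsvr32-unregister')
    for path in RE_PATH.findall(line):
        components = path.split('\\')[1:]
        name = components[-1].lower()
        if '?' in path:
            # HijackThis prints '?' for characters it cannot render: F?nts, ?ti2evxx.exe
            reasons.append('unrenderable-char')
        if '\\temp\\' in path.lower():
            reasons.append('temp-dir')
        if name not in SYSTEM_BINARIES:
            for known in SYSTEM_BINARIES:
                if osa_distance(name, known) == 1:
                    reasons.append(f'near-miss:{known}')
                    break
        for comp in components:
            if looks_random(comp):
                reasons.append('random-name:' + comp.rsplit('.', 1)[0])
    return reasons


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each log line to its reason codes (empty list = nothing flagged)."""
    return {line: triage_line(line) for line in lines}


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_LINES).items():
        print('FLAG' if reasons else 'ok  ', ', '.join(reasons), '|', line)
```

The heuristics are deliberately narrow; an entry with no flags is not cleared, it is simply not one of the patterns this particular infection used.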

  4. #14
    Security Expert: Visiting Fellow
    Join Date
    Jul 2007
    Posts
    703

    • Go to Start > My Computer
    • Go to Tools > Folder Options
    • Click on the View tab
    • Untick the following:
      • Hide extensions for known file types
      • Hide protected operating system files (Recommended)
    • You will get a message warning you about showing protected operating system files, click Yes
    • Make sure this option is selected:
      • Show hidden files and folders
    • Click Apply and then click OK


    Backup Your Registry with ERUNT
    • Please use the following link and scroll down to ERUNT and download it.
      http://aumha.org/freeware/freeware.php
    • For version with the Installer:
      Use the setup program to install ERUNT on your computer
    • For the zipped version:
      Unzip all the files into a folder of your choice.
    Click Erunt.exe to backup your registry to the folder of your choice.

    Note: to restore your registry, go to the folder and start ERDNT.exe

    Copy the contents of the following codebox to a notepad window

    Code:
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\Program Files\\xloader10181.exe"=-
    "C:\\WINDOWS\\system32\\printer.exe"=-
    "C:\\WINDOWS\\system32\\spoolvs.exe"=-
    "C:\\WINDOWS\\shell.exe"=-
    "C:\\Documents and Settings\\Matthew\\Start Menu\\Programs\\Startup\\findfast.exe"=-
    "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"=-
    "%windir%\\system32\\winav.exe"=-
    "C:\\Documents and Settings\\Matthew\\Application Data\\ppldr.exe"=-
    "C:\\Documents and Settings\\Matthew\\Application Data\\trant.exe"=-
    "C:\\WINDOWS\\TEMP\\win3C.exe"=-
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "C:\\Program Files\\xloader10181.exe"=-
    "C:\\WINDOWS\\system32\\printer.exe"=-
    "C:\\WINDOWS\\system32\\spoolvs.exe"=-
    "C:\\WINDOWS\\shell.exe"=-
    "C:\\Documents and Settings\\Matthew\\Start Menu\\Programs\\Startup\\findfast.exe"=-
    "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"=-
    "%windir%\\system32\\winav.exe"=-
    "C:\\Documents and Settings\\Matthew\\Application Data\\mcrupdate.exe"=-
    "C:\\Documents and Settings\\Matthew\\Application Data\\ppldr.exe"=-
    "C:\\Documents and Settings\\Matthew\\Application Data\\trant.exe"=-
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Matthew^Start Menu^Programs^Startup^findfast.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fepkrytk]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fojmvqzo]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gbqzkfsh]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gxutgbyz]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jcncpula]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lsbqxgfg]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tahmnkrq]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wbwhypkd]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xafcbkhm]
    Save it to the desktop as fix.reg, making sure "Save as type" is set to "All Files".

    Locate Fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt.

    Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is turned off.

    sc stop DomainService
    sc delete DomainService
    Save it to your Desktop as cleanup.bat. Save it as:
    File Type: All Files (not as a text document or it won't work).
    Name: cleanup.bat

    Locate cleanup.bat on your Desktop and double-click it. A DOS window will open briefly and then close; this is normal.

    Run HijackThis
    Click on do a system scan only
    Place a checkmark next to these lines (if still present):

    O4 - HKLM\..\Run: [ipmzopod] rundll32.exe "C:\Program Files\yfqhqbur\apghebiz.dll",Init
    O4 - HKLM\..\Run: [jsdyvenu] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\jsdyvenu.dll"
    O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
    O4 - HKLM\..\Run: [09ed7103] rundll32.exe "C:\WINDOWS\system32\wbrxrigq.dll",b
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvfat.dll,startup
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win40.exe
    O4 - HKCU\..\Run: [Qcfri] "C:\Documents and Settings\Matthew\Application Data\F?nts\?ti2evxx.exe"
    O4 - HKCU\..\Run: [Tbsa] "C:\PROGRA~1\COMMON~1\MCROSO~1.NET\wuauboot.exe" -vt yazb
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

    Then close all windows except HijackThis and click Fix Checked

    Restart

    Use Windows Explorer to find and delete these files:

    C:\WINDOWS\system32\mjjuaisv.exe
    C:\WINDOWS\TEMP\win40.exe
    C:\WINDOWS\mgrs.exe
    C:\Documents and Settings\All Users\Application Data\jsdyvenu.dll
    C:\WINDOWS\system32\wbrxrigq.dll
    C:\WINDOWS\system32\drvfat.dll
    C:\Windows\xpupdate.exe

    And these folders:

    C:\Program Files\SecCenter\
    C:\Documents and Settings\Matthew\Application Data\F?nts\ << ? could be any character
    C:\Program Files\COMMON files\MCROSO~1.NET\ << The first six letters will be MCROSO
    C:\Program Files\yfqhqbur\

    As an example:
    To delete C:\WINDOWS\system32\filetogo.bye
    Double click the My Computer icon on your Desktop.
    Double click on Local Disk (C:)
    Double click on the Windows folder,
    Double click on the System32 folder,
    Right click on filetogo.bye and from the menu that appears, click on 'Delete'


    Now run dss.exe again and post the log it produces
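The fix.reg above uses three REGEDIT4 constructions worth reading before merging: "name"=- deletes a value, [-KEY] deletes a whole key, and hex(7): is a REG_MULTI_SZ written byte by byte (the LSA line decodes to the single default package msv1_0). Added example, not from this thread or from any tool it names: a Python dry-run that parses a constructed excerpt of that file and lists what a merge would do, including which executables come off the Windows Firewall authorized-applications lists.

```python
import re
from typing import List, Tuple

Action = Tuple[str, str, object, object]   # (kind, key, value name, data)

# Constructed excerpt in the REGEDIT4 syntax of the fix.reg in this thread (assumed sample).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\spoolvs.exe"=-
"C:\\WINDOWS\\shell.exe"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
'''

# "quoted name"=rest ; the name may contain \\ and \" escapes
RE_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return s.replace('\\\\', '\\').replace('\\"', '"')


def _logical_lines(text: str) -> List[str]:
    """Join hex(...) data that regedit wraps onto continuation lines ending in ',\\'."""
    out, buf = [], ''
    for raw in text.splitlines():
        s = raw.strip()
        if s.endswith(',\\'):
            buf += s[:-1]
            continue
        out.append(buf + s)
        buf = ''
    return out


def _decode_multi_sz(hexlist: str) -> List[str]:
    """REGEDIT4 hex(7) is an ANSI REG_MULTI_SZ: NUL-separated, double-NUL terminated."""
    data = bytes(int(h, 16) for h in hexlist.split(',') if h.strip())
    return [part for part in data.decode('latin-1').split('\x00') if part]


def plan_reg_actions(text: str) -> List[Action]:
    """Dry-run a .reg file: list what merging it would do without touching any registry."""
    lines = _logical_lines(text)
    if not lines or lines[0] != 'REGEDIT4':
        raise ValueError('expected a REGEDIT4 header')
    actions: List[Action] = []
    key = None
    for line in lines[1:]:
        if not line:
            continue
        if line.startswith('[-') and line.endswith(']'):
            actions.append(('delete_key', line[2:-1], None, None))   # [-KEY] removes the key
            key = None
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = RE_VALUE.match(line)
        if m is None or key is None:
            raise ValueError(f'unparsed line: {line!r}')
        name, value = _unescape(m.group(1)), m.group(2)
        if value == '-':
            actions.append(('delete_value', key, name, None))          # "name"=- removes a value
        elif value.startswith('hex(7):'):
            actions.append(('set_multi_sz', key, name, _decode_multi_sz(value[7:])))
        elif len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            actions.append(('set_sz', key, name, _unescape(value[1:-1])))
        else:
            actions.append(('set_other', key, name, value))
    return actions


def firewall_exceptions_removed(actions: List[Action]) -> List[str]:
    """Paths the fix strips from the Windows Firewall 'authorized applications' lists."""
    return [name for kind, key, name, _ in actions
            if kind == 'delete_value' and key.lower().endswith('\\authorizedapplications\\list')]


if __name__ == '__main__':
    planned = plan_reg_actions(SAMPLE_REG)
    for action in planned:
        print(action)
    print('firewall exceptions removed:', firewall_exceptions_removed(planned))
```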

  5. #15
    Junior Member
    Join Date
    Nov 2007
    Posts
    11

    Everything went fine, but I couldn't find the C:\Windows\xpupdate.exe file. However, it was removed with HijackThis in the previous step, so I didn't need to delete it again, right?

    Also, the "C:\Program Files\COMMON files\MCROSO~1.NET\" folder was inside my "C:\Program Files\COMMON files\Microsoft.NET\MCROSO~1.NET\" folder. I don't need to delete the Msft.net folder and the wuauboot.exe it contains, right? They are legitimate?



    Deckard's System Scanner v20071014.68
    Run by Matthew on 2007-11-22 10:53:36
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Percentage of Memory in Use: 79% (more than 75%).
    Total Physical Memory: 383 MiB (512 MiB recommended).


    -- HijackThis (run as Matthew.exe) ---------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:53:47 AM, on 11/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\COMMON~1\MCROSO~1.NET\wuauboot.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Matthew\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Matthew.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go/notebookaccessories
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Vgsliunk\cimcymfw.dll
    O2 - BHO: (no name) - {2F02D978-0FF6-80F7-60BB-0426224AB7B3} - C:\Program Files\wdrpuyag\sywxapur.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    O2 - BHO: {8f04fb6e-25dc-0a89-7cc4-004740fb2cbb} - {bbc2bf04-7400-4cc7-98a0-cd52e6bf40f8} - C:\WINDOWS\system32\btuwpmyo.dll
    O2 - BHO: (no name) - {C705021C-9C43-40A4-A5CF-21A0AB7F4B24} - C:\WINDOWS\system32\mljgf.dll
    O2 - BHO: (no name) - {ED203331-9C33-49D8-8714-D24A366A04EC} - C:\WINDOWS\system32\nnnonnn.dll
    O2 - BHO: (no name) - {EFDBD949-15F4-2E5A-8F58-31E6008F5894} - C:\WINDOWS\system32\erbjfxt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Tbsa] "C:\PROGRA~1\COMMON~1\MCROSO~1.NET\wuauboot.exe" -vt yazb
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1156092615015
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O20 - Winlogon Notify: nnnonnn - C:\WINDOWS\SYSTEM32\nnnonnn.dll
    O20 - Winlogon Notify: wingdm32 - C:\WINDOWS\SYSTEM32\wingdm32.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Freenet 0.7 darknet (freenet-darknet) - Unknown owner - C:\Program Files\freenet\bin\wrapper-windows-x86-32.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    --
    End of file - 6360 bytes

    -- Files created between 2007-10-22 and 2007-11-22 -----------------------------

    2007-11-21 17:56:58 15360 --a------ C:\WINDOWS\system32\drvfatr.dll
    2007-11-21 17:56:58 104448 --a------ C:\WINDOWS\system32\drvfat.dll
    2007-11-21 17:56:47 37376 --a------ C:\WINDOWS\system32\iiffffg.dll
    2007-11-21 12:43:49 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-11-21 12:43:49 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2007-11-21 12:43:49 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2007-11-21 12:43:49 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2007-11-21 12:43:49 51200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-11-21 12:26:13 0 d-------- C:\VundoFix Backups
    2007-11-21 11:56:16 0 d-------- C:\WINDOWS\ERUNT
    2007-11-20 17:04:52 84544 --a------ C:\WINDOWS\system32\btuwpmyo.dll
    2007-11-19 21:13:35 0 d-------- C:\Program Files\Trend Micro
    2007-11-19 21:09:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-19 21:09:15 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-11-19 20:40:25 0 d-------- C:\Program Files\CCleaner
    2007-11-19 20:38:02 447811 --ahs---- C:\WINDOWS\system32\fgjlm.ini2
    2007-11-19 20:37:50 329824 --a------ C:\WINDOWS\system32\mljgf.dll
    2007-11-19 19:40:13 0 d-------- C:\Program Files\Lavasoft
    2007-11-19 19:40:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-11-19 19:33:19 60928 --a------ C:\WINDOWS\system32\erbjfxt.dll
    2007-11-19 19:33:00 0 d-------- C:\Program Files\Common Files\M?crosoft.NET
    2007-11-19 19:32:46 0 d-------- C:\Program Files\Vgsliunk
    2007-11-19 19:32:42 37376 --a------ C:\WINDOWS\system32\rqropnl.dll
    2007-11-19 18:33:44 0 d-------- C:\Program Files\wdrpuyag
    2007-11-19 18:33:42 19968 --a------ C:\WINDOWS\system32\xlibgfl254.dll
    2007-11-19 18:33:42 0 d-------- C:\Documents and Settings\Matthew\Application Data\ultra
    2007-11-19 18:21:57 9728 -----n--- C:\Program Files\xloader10181.exe
    2007-11-19 18:15:22 14900 --a------ C:\Program Files\3269.exe
    2007-11-19 18:09:14 102912 --a------ C:\WINDOWS\system32\drvzet.dll
    2007-11-19 18:08:54 0 d-------- C:\Program Files\MalwareAlarm
    2007-11-19 18:08:52 0 d-------- C:\WINDOWS\system32\fibagbia
    2007-11-19 18:08:48 37376 --a------ C:\WINDOWS\system32\nnnonnn.dll
    2007-11-19 18:08:47 0 d-------- C:\Program Files\Uvxgulrx
    2007-11-19 18:08:45 1147424 --a------ C:\Install
    2007-11-19 18:08:44 0 d-------- C:\Program Files\tahmnkrq
    2007-11-19 18:08:41 20992 --a------ C:\WINDOWS\system32\wingdm32.dll


    -- Find3M Report ---------------------------------------------------------------

    2007-11-22 10:48:22 0 d-------- C:\Program Files\Common Files\M?crosoft.NET
    2007-11-21 17:57:00 0 d-------- C:\Program Files\Common Files
    2007-11-19 22:28:01 0 d-------- C:\Program Files\PeerGuardian2
    2007-11-19 19:37:18 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-19 19:22:57 0 d-------- C:\Documents and Settings\Matthew\Application Data\OpenOffice.org2
    2007-11-18 17:56:56 0 d-------- C:\Documents and Settings\Matthew\Application Data\Azureus
    2007-11-16 20:17:35 0 d-------- C:\Program Files\FlashGet
    2007-11-11 14:18:26 0 d-------- C:\Program Files\Guild Wars
    2007-11-08 15:41:13 0 d-------- C:\Program Files\陽射しの中のリアル
    2007-11-08 15:39:34 0 d-------- C:\Program Files\eMule
    2007-11-08 15:38:52 0 d-------- C:\Program Files\BrainWave Generator
    2007-11-08 15:37:48 0 d-------- C:\Program Files\IDoser v4
    2007-10-20 17:06:47 0 d-------- C:\Documents and Settings\Matthew\Application Data\Vidalia
    2007-10-20 16:57:07 0 d-------- C:\Documents and Settings\Matthew\Application Data\Tor
    2007-10-20 10:00:24 0 d-------- C:\Program Files\mIRC
    2007-10-12 18:00:02 0 d-------- C:\Program Files\OpenOffice.org 2.3
    2007-10-12 17:58:45 0 d-------- C:\Program Files\OpenOffice.org 2.0
    2007-10-12 17:55:48 0 d-------- C:\Program Files\Java


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200D0AAD-71B1-51C9-DDB0-092BA4662A54}]
    11/19/2007 07:32 PM 114688 --a------ C:\Program Files\Vgsliunk\cimcymfw.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F02D978-0FF6-80F7-60BB-0426224AB7B3}]
    11/19/2007 06:37 PM 110592 --a------ C:\Program Files\wdrpuyag\sywxapur.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bbc2bf04-7400-4cc7-98a0-cd52e6bf40f8}]
    11/20/2007 05:04 PM 84544 --a------ C:\WINDOWS\system32\btuwpmyo.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C705021C-9C43-40A4-A5CF-21A0AB7F4B24}]
    11/19/2007 08:37 PM 329824 --a------ C:\WINDOWS\system32\mljgf.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED203331-9C33-49D8-8714-D24A366A04EC}]
    11/19/2007 06:08 PM 37376 --a------ C:\WINDOWS\system32\nnnonnn.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFDBD949-15F4-2E5A-8F58-31E6008F5894}]
    11/01/2007 07:44 AM 60928 --a------ C:\WINDOWS\system32\erbjfxt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [08/01/2005 03:07 PM]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [07/28/2005 05:26 PM]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/27/2005 08:55 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:00 AM]
    "Tbsa"="C:\PROGRA~1\COMMON~1\MCROSO~1.NET\wuauboot.exe" [11/21/2007 05:57 PM]

    C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{ED203331-9C33-49D8-8714-D24A366A04EC}"= C:\WINDOWS\system32\nnnonnn.dll [11/19/2007 06:08 PM 37376]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnonnn]
    nnnonnn.dll 11/19/2007 06:08 PM 37376 C:\WINDOWS\system32\nnnonnn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingdm32]
    wingdm32.dll 11/19/2007 06:08 PM 20992 C:\WINDOWS\system32\wingdm32.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljgf.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
    backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
    backup=C:\WINDOWS\pss\Privoxy.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Matthew^Start Menu^Programs^Startup^Freenet.lnk]
    path=C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\Freenet.lnk
    backup=C:\WINDOWS\pss\Freenet.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Matthew^Start Menu^Programs^Startup^Kremlin Sentry.lnk]
    path=C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\Kremlin Sentry.lnk
    backup=C:\WINDOWS\pss\Kremlin Sentry.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Matthew^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
    path=C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
    backup=C:\WINDOWS\pss\OpenOffice.org 2.3.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
    C:\Program Files\HPQ\Default Settings\cpqset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
    "C:\Program Files\D-Tools\daemon.exe" -lang 1033

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
    C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
    C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
    C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
    C:\Program Files\Norton Internet Security\UrlLstCk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
    "C:\Program Files\Vidalia\vidalia.exe"




    -- End of Deckard's System Scanner: finished at 2007-11-22 10:55:09 ------------

  6. #16
    Security Expert: Visiting Fellow
    Join Date
    Jul 2007
    Posts
    703

    Default

Also the "C:\Program Files\COMMON files\MCROSO~1.NET\" folder was inside my "C:\Program Files\COMMON files\Microsoft.NET\MCROSO~1.NET\" folder. I don't need to delete the Msft.net folder and the wuauboot.exe it contains, right? They are legitimate?

    It's a bad folder. You'll likely find that the I is actually a Cyrillic character that looks like an I.

    • Open a new notepad window
    • Paste the list of files from the quote box below into the notepad window.
      C:\WINDOWS\system32\drvfatr.dll
      C:\WINDOWS\system32\drvfat.dll
      C:\WINDOWS\system32\iiffffg.dll
      C:\WINDOWS\system32\btuwpmyo.dll
      C:\WINDOWS\system32\fgjlm.ini2
      C:\WINDOWS\system32\mljgf.dll
      C:\WINDOWS\system32\erbjfxt.dll
      C:\WINDOWS\system32\rqropnl.dll
      C:\WINDOWS\system32\xlibgfl254.dll
      C:\Program Files\xloader10181.exe
      C:\Program Files\3269.exe
      C:\WINDOWS\system32\drvzet.dll
      C:\WINDOWS\system32\nnnonnn.dll
      C:\WINDOWS\system32\wingdm32.dll
    • Save this as vundofix.vft and Save as type "all files".
    • Double-click VundoFix.exe to run it.
    • Drag vundofix.vft onto the listbox (white box) of VundoFix.
    • Click the "Remove Vundo" button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
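The point made above, that the fake folder differs from the real Microsoft.NET folder only by a Cyrillic look-alike letter (the Find3M report can only render it as "M?crosoft.NET"), is a general masquerading pattern worth checking for on any suspect machine. The script below is an added example written for this thread; it is not code from the forum or from VundoFix or SmitfraudFix. It scans a list of directory paths and flags names that mix Latin letters with Cyrillic or Greek ones, or that collapse to a trusted name once look-alike letters are mapped back to ASCII. The sample paths are constructed from the Find3M entries, and the specific Cyrillic "i" (U+0456) used for the fake folder is an assumption, since the page does not show the actual character.

```python
"""Flag folder names that impersonate a trusted name with look-alike characters.

Added example for this thread, not code from the forum or from the removal
tools it mentions.  The sample paths are constructed; the exact look-alike
letter used by the infection is not on the page, so the Cyrillic 'i'
(U+0456) below is an assumption.
"""
import unicodedata
from pathlib import PureWindowsPath

# Names worth protecting against look-alikes (assumed list; extend as needed).
TRUSTED_NAMES = {"microsoft", "microsoft.net", "common files", "windows", "system32"}

# Cyrillic letters that render like Latin ones in common fonts (subset).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0406": "I", "\u0408": "J", "\u0405": "S",
})

# Scripts whose letters are routinely abused as Latin look-alikes.
LOOKALIKE_SCRIPTS = {"CYRILLIC", "GREEK"}


def letter_scripts(name: str) -> set[str]:
    """Unicode script prefixes (LATIN, CYRILLIC, HIRAGANA, ...) of the letters in name."""
    scripts = set()
    for ch in name:
        if ch.isalpha():
            try:
                # e.g. 'CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I' -> 'CYRILLIC'
                scripts.add(unicodedata.name(ch).split()[0])
            except ValueError:  # unnamed code point
                scripts.add("UNKNOWN")
    return scripts


def skeleton(name: str) -> str:
    """Collapse accents and Cyrillic look-alikes to plain Latin, so that
    'M\u0456crosoft.NET' (Cyrillic i) becomes 'Microsoft.NET'."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return no_marks.translate(CONFUSABLES)


def check_name(name: str) -> list[str]:
    """Reasons a single folder name looks like a homoglyph impersonation.

    A name written entirely in one non-Latin script (a Japanese game folder,
    say) is not flagged: only Latin mixed with a look-alike script, or a name
    that becomes a trusted name once look-alikes are folded, counts."""
    reasons = []
    scripts = letter_scripts(name)
    abused = scripts & LOOKALIKE_SCRIPTS
    if "LATIN" in scripts and abused:
        reasons.append("mixes Latin with " + "/".join(sorted(abused)))
    skel = skeleton(name)
    if skel != name and skel.lower() in TRUSTED_NAMES:
        reasons.append(f"impersonates '{skel}'")
    return reasons


def find_suspicious_dirs(paths):
    """Map each suspicious path to its reasons; clean paths are omitted."""
    findings = {}
    for p in paths:
        reasons = check_name(PureWindowsPath(p).name)
        if reasons:
            findings[p] = reasons
    return findings


# Constructed sample, modelled on the Find3M entries in the log above.
SAMPLE_DIRS = [
    r"C:\Program Files\Common Files\Microsoft.NET",          # genuine, Latin only
    "C:\\Program Files\\Common Files\\M\u0456crosoft.NET",   # Cyrillic i (assumed)
    r"C:\Program Files\Common Files\Wise Installation Wizard",
    r"C:\Program Files\陽射しの中のリアル",                   # single foreign script: fine
]

if __name__ == "__main__":
    for path, reasons in find_suspicious_dirs(SAMPLE_DIRS).items():
        print(path, "->", "; ".join(reasons))
```

On a live system the same check can be fed the output of a directory listing of Program Files, Common Files and system32 (one path per line) instead of SAMPLE_DIRS. The skeleton step is what matters for the case in this thread: the 8.3 short name MCROSO~1.NET in the Run key is the only hint the registry gives, because the long name is visually identical to the real one.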
