Command Service

FamicomJL
2006-12-30, 02:13
Hello, I'm an absolute clueless newbie when it comes to adware. I have a lot of the adware killing programs, but it looks like Command Service is the only one that can never be deleted. Here's my log. Are any of you able to help me? Thanks to whoever can answer.

Logfile of HijackThis v1.99.1
Scan saved at 8:04:24 PM, on 12/29/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXCCserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\VIA Technologies, Inc\Audio Deck\ADeck.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Common Files\AOL\1133882946\ee\AOLSoftware.exe
C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINNT\system32\lxcccoms.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\dsrss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Trillian\trillian.exe
C:\Documents and Settings\Administrator\Desktop\Qoofix\Qoofix.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIA Technologies, Inc\Audio Deck\ADeck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133882946\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [sys011601329257-] C:\WINNT\sys011601329257-.exe
O4 - HKLM\..\Run: [sys0301329257-16] C:\WINNT\sys0301329257-16.exe
O4 - HKLM\..\Run: [ms079257-160132] C:\WINNT\ms079257-160132.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: K-Meleon Loader.lnk = C:\Program Files\K-Meleon\loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Free WebSite Tools.lnk = C:\Program Files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O20 - Winlogon Notify: Setup - C:\WINNT\system32\gpjol3131.dll
O21 - SSODL: System - {CF5C9E86-EB5D-421A-8DAA-D2B31D0D72B4} - dgflib.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LXCCCustomerConnect - Unknown owner - C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXCCserv.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINNT\system32\lxcccoms.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

Once again, thanks.

Angelfire777
2006-12-30, 08:20
Hi, welcome to Spybot!

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
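An added example, not part of any post in this thread: the helper's verdict rests on a handful of entry types in the HijackThis log above, and the script below encodes those tells as triage heuristics and runs them over lines copied from that log. The heuristics, the small allowlist of path-less Run values (ctfmon.exe, mobsync.exe) and the "normal install location" substrings are this example's own assumptions, not rules from HijackThis or from the helper.

```python
import re

# Bare executable names that a stock Windows 2000/XP Run key may legitimately
# hold without a path (assumed allowlist for this example; extend as needed)
KNOWN_BARE = {"ctfmon.exe", "mobsync.exe"}
# Substrings that mark a loader path as living in a normal install location
SYSTEM_DIRS = ("\\system32\\", "\\program files\\", "\\progra~1\\")

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
DIGITS_RE = re.compile(r"\d{4,}")

# Constructed sample: lines copied from the HijackThis log posted in this thread
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sys011601329257-] C:\WINNT\sys011601329257-.exe
O4 - HKLM\..\Run: [ms079257-160132] C:\WINNT\ms079257-160132.exe
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O20 - Winlogon Notify: Setup - C:\WINNT\system32\gpjol3131.dll
O21 - SSODL: System - {CF5C9E86-EB5D-421A-8DAA-D2B31D0D72B4} - dgflib.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: LXCCCustomerConnect - Unknown owner - C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXCCserv.exe
"""


def first_token(cmd):
    """Return the program path from a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def triage_entry(kind, body):
    """Return the reasons (possibly none) to look harder at one HJT entry."""
    reasons = []
    if kind == "O20":
        reasons.append("Winlogon Notify DLL runs inside winlogon.exe at every logon; HJT lists only non-default handlers")
    elif kind == "O21":
        reasons.append("ShellServiceObjectDelayLoad object is loaded by Explorer at shell start")
        if "(file missing)" in body:
            reasons.append("registration survived but the DLL is gone; orphaned loader")
    elif kind == "O4":
        m = RUN_RE.match(body)
        if m:
            exe = first_token(m.group("cmd"))
            low = exe.lower()
            if "\\" not in exe and low not in KNOWN_BARE:
                reasons.append("bare filename, resolved through the search path rather than a fixed location")
            elif "\\" in exe and not any(d in low for d in SYSTEM_DIRS):
                reasons.append("program lives directly under the Windows directory, not system32 or Program Files")
            if DIGITS_RE.search(exe.rsplit("\\", 1)[-1]):
                reasons.append("long digit run in the filename, typical of generated names")
    elif kind == "O23" and " - Unknown owner - " in body:
        reasons.append("service binary has no company string; verify the vendor manually")
    return reasons


def triage_log(text):
    """Parse a HijackThis log and return [(kind, body, reasons)] for flagged entries."""
    flagged = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        reasons = triage_entry(m.group("kind"), m.group("body"))
        if reasons:
            flagged.append((m.group("kind"), m.group("body"), reasons))
    return flagged


if __name__ == "__main__":
    for kind, body, reasons in triage_log(SAMPLE_LOG):
        print(f"{kind}: {body}")
        for r in reasons:
            print(f"    - {r}")
```

On the sample the script singles out exactly the entries the thread goes on to remove: the three C:\WINNT\sys*/ms* loaders, the path-less dsrss.exe, the Winlogon Notify DLL and the orphaned SSODL registration, while the Symantec, Lexmark and ctfmon entries pass (the Lexmark service is only noted for its missing company string). A tool like this is a reading aid, not a verdict: it cannot distinguish a vendor that forgot to fill in version info from malware, which is why the helper still reads the whole log.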

FamicomJL
2006-12-30, 17:15
Oh, just fantastic. :(

For now, I'd like to know how to clean it of this trojan. Then I have to think about whether or not I'm going to re-format.

Thanks for the prompt answer, and hopefully prompt second answer.

Angelfire777
2006-12-31, 01:51
Hi,

*Since HijackThis creates backups of all it fixes and we want them safe and secured should they be required later, we need to move HijackThis to a permanent folder.

a.) While in your Desktop, right click in the background > Go to New > click Folder > Name the Folder HJT

b.) After creating the folder, find your HijackThis.exe (it looks like a detonator with some dynamite). Then, drag and drop that file to the new folder you created.


*Download combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)

1. Double click combofix.exe & follow the prompts.
2. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


*Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.exe) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run any other options except for Option # 1.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

On your next reply please post a fresh HijackThis log, combofix log and the smitfraudfix log.

FamicomJL
2006-12-31, 07:33
Combofix:

Administrator - Sun 2006-12-31 1:16:00.48 Service Pack 4
ComboFix 06.11.27 - Running from: "C:\Program Files\Mozilla Firefox"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{0795FEBD-8CEB-4A0F-8CCD-C2EBD2E5EB89}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{0795FEBD-8CEB-4A0F-8CCD-C2EBD2E5EB89}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{0795FEBD-8CEB-4A0F-8CCD-C2EBD2E5EB89}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{0795FEBD-8CEB-4A0F-8CCD-C2EBD2E5EB89}\InprocServer32]
@="C:\\WINNT\\system32\\whw32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{DEBD5249-0C77-4D05-A3BC-AC76866A43C9}]
@=""

[HKEY_CLASSES_ROOT\clsid\{DEBD5249-0C77-4D05-A3BC-AC76866A43C9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{DEBD5249-0C77-4D05-A3BC-AC76866A43C9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{DEBD5249-0C77-4D05-A3BC-AC76866A43C9}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{AF9DA20E-7FA9-4B86-AD15-F303A21687EA}]
@=""

[HKEY_CLASSES_ROOT\clsid\{AF9DA20E-7FA9-4B86-AD15-F303A21687EA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{AF9DA20E-7FA9-4B86-AD15-F303A21687EA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{AF9DA20E-7FA9-4B86-AD15-F303A21687EA}\InprocServer32]
@="C:\\WINNT\\system32\\mlencode.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{8DC224F0-9014-4ECA-BA42-89129A7F1BF7}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\clsid\{8DC224F0-9014-4ECA-BA42-89129A7F1BF7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{8DC224F0-9014-4ECA-BA42-89129A7F1BF7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{8DC224F0-9014-4ECA-BA42-89129A7F1BF7}\InprocServer32]
@="C:\\WINNT\\system32\\mkhtmled.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{F462AD18-9B20-40D7-81E0-BF36B8E60C42}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F462AD18-9B20-40D7-81E0-BF36B8E60C42}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{F462AD18-9B20-40D7-81E0-BF36B8E60C42}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F462AD18-9B20-40D7-81E0-BF36B8E60C42}\InprocServer32]
@="C:\\WINNT\\system32\\icaksie.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{E5A27C1C-57B7-4AD9-A9D6-A37B1C237902}]
@=""

[HKEY_CLASSES_ROOT\clsid\{E5A27C1C-57B7-4AD9-A9D6-A37B1C237902}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{E5A27C1C-57B7-4AD9-A9D6-A37B1C237902}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{E5A27C1C-57B7-4AD9-A9D6-A37B1C237902}\InprocServer32]
@="C:\\WINNT\\system32\\djcprop2.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{DA80580B-6233-441E-A81B-26E7D5B3FDDD}]
@=""

[HKEY_CLASSES_ROOT\clsid\{DA80580B-6233-441E-A81B-26E7D5B3FDDD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{DA80580B-6233-441E-A81B-26E7D5B3FDDD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{DA80580B-6233-441E-A81B-26E7D5B3FDDD}\InprocServer32]
@="C:\\WINNT\\system32\\wccdlg.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINNT\system32\dn0m01d1e.dll
C:\WINNT\system32\dnru0199e.dll
C:\WINNT\system32\e402ledo1h0c.dll
C:\WINNT\system32\en42l1ho1.dll
C:\WINNT\system32\en6ql1j51.dll
C:\WINNT\system32\ennsl1571.dll
C:\WINNT\system32\fpn4035qe.dll
C:\WINNT\system32\gp4ul3h91.dll
C:\WINNT\system32\gpjol3131.dll
C:\WINNT\system32\hp4023hmg.dll
C:\WINNT\system32\hr2205foe.dll
C:\WINNT\system32\hr4005hme.dll
C:\WINNT\system32\i860lijm18oa.dll
C:\WINNT\system32\jtjq0715e.dll
C:\WINNT\system32\jtp4077qe.dll
C:\WINNT\system32\kt64l7jq1.dll
C:\WINNT\system32\kt80l7lm1.dll
C:\WINNT\system32\ktlul7391.dll
C:\WINNT\system32\ktn4l75q1.dll
C:\WINNT\system32\l2n4lc5q1f.dll
C:\WINNT\system32\lv0409dqe.dll
C:\WINNT\system32\mepmsp.dll
C:\WINNT\system32\mlencode.dll
C:\WINNT\system32\mvjsl9171.dll
C:\WINNT\system32\mvnml9511.dll
C:\WINNT\system32\mvrql9951.dll
C:\WINNT\system32\p6p60g7se6.dll
C:\WINNT\system32\svrof32.dll
C:\WINNT\system32\wccdlg.dll
C:\WINNT\system32\guard.tmp
C:\WINNT\system32\guard.tmp_tobedeleted


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Deskbar


((((((((((((((((((((((((((((((( Files Created from 2006-11-31 to 2006-12-31 ))))))))))))))))))))))))))))))))))


2006-12-29 22:47 <DIR> d-------- C:\WINNT\system32\drv32dta
2006-12-28 22:06 <DIR> d-a------ C:\WINNT\system32\appmgmt
2006-12-26 00:19 119,442 --a------ C:\Documents and Settings\Administrator\gOhgkog.exe
2006-12-17 21:15 <DIR> d-------- C:\WINNT\MVUNINST
2006-12-17 21:15 <DIR> d-------- C:\Program Files\Memorex exPressit Label Design Studio
2006-12-17 21:15 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2006-12-12 14:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2006-12-12 14:39 <DIR> d-------- C:\Program Files\AIM6
2006-12-05 12:50 <DIR> d-a------ C:\WINNT\websvr
2006-12-05 12:49 34,304 --a------ C:\WINNT\dsrss.exe
2006-12-05 12:49 23,552 --a------ C:\WINNT\ieserver.exe
2006-12-04 18:52 <DIR> d-------- C:\Program Files\Opera
2006-12-04 18:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Opera
2006-12-02 12:20 82,432 --a------ C:\WINNT\system32\drmstor.dll
2006-12-02 12:20 301,712 --a------ C:\WINNT\system32\drmclien.dll
2006-12-02 11:28 <DIR> d-------- C:\Program Files\GetRight
2006-12-02 11:27 <DIR> d-------- C:\Downloads
2006-12-02 11:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GetRightToGo
2006-12-02 11:21 225,280 --a------ C:\WINNT\system32\wmpdxm.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-31 01:15 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-30 19:11 -------- d-------- C:\Program Files\Lx_cats
2006-12-29 22:48 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-29 19:31 -------- d-a------ C:\Program Files\Common Files\Microsoft Shared
2006-12-29 19:31 -------- d-a------ C:\Program Files\Common Files
2006-12-29 19:31 -------- d-------- C:\Program Files\Outlook Express
2006-12-29 19:31 -------- d-------- C:\Program Files\Common Files\System
2006-12-28 22:06 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-12-25 22:50 8192 --a------ C:\WINNT\rundll.exe
2006-12-15 17:27 -------- d-------- C:\Program Files\Common Files\zfoi
2006-12-12 20:37 507 --a------ C:\WINNT\vdwos.dll
2006-12-12 19:04 -------- d-------- C:\Program Files\Press Your Luck (BJ)
2006-12-12 14:41 -------- d-------- C:\Program Files\Common Files\AOL
2006-12-11 14:59 -------- d-------- C:\Program Files\iTunes
2006-12-08 11:33 -------- d-------- C:\Program Files\Trillian
2006-12-02 12:20 -------- d-------- C:\Program Files\Windows Media Player
2006-12-02 12:20 -------- d-------- C:\Program Files\Common Files\Adaptec Shared
2006-11-30 14:54 9216 --a------ C:\WINNT\system32\dgflib.dll
2006-11-07 15:17 -------- d-------- C:\Program Files\GamePack
2006-10-15 19:32 737280 --a------ C:\WINNT\iun6002.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~2\\VPTray.exe"
"VTPreset"="VTPreset.exe"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"LXCCCATS"="rundll32 C:\\WINNT\\system32\\spool\\DRIVERS\\W32X86\\3\\LXCCtime.dll,_RunDLLEntry@16"
"lxccmon.exe"="\"C:\\Program Files\\Lexmark 3300 Series\\lxccmon.exe\""
"FaxCenterServer"="\"C:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AudioDeck"="C:\\Program Files\\VIA Technologies, Inc\\Audio Deck\\ADeck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_05\\bin\\jusched.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1133882946\\ee\\AOLSoftware.exe"
"KEMailKb"="C:\\PROGRA~1\\MICROI~1\\INTERN~1\\KEMailKb.EXE"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.5\\THGuard.exe\""
"sys011601329257-"="C:\\WINNT\\sys011601329257-.exe"
"sys0301329257-16"="C:\\WINNT\\sys0301329257-16.exe"
"ms079257-160132"="C:\\WINNT\\ms079257-160132.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"WinSysModule"="dsrss.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://www.wwe.com/superstars/smackdown/eddieguerrero/photos1/36.jpg"
"SubscribedURL"="http://www.wwe.com/superstars/smackdown/eddieguerrero/photos1/36.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,7e,01,00,00,2c,01,00,00,c8,01,00,00,60,01,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:00000001
"OriginalStateInfo"=hex:18,00,00,00,10,03,00,00,15,01,00,00,c8,01,00,00,60,01,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,7e,01,00,00,2c,01,00,00,c8,01,00,00,60,01,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"svbbc"="C:\\WINNT\\system32\\wipibs.exe reg_run"
"zfoi"="C:\\PROGRA~1\\COMMON~1\\zfoi\\zfoim.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"System"="{CF5C9E86-EB5D-421A-8DAA-D2B31D0D72B4}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\AppleSoftwareUpdate.job
C:\WINNT\tasks\Symantec NetDetect.job

Completion time: Sun 2006-12-31 1:20:10.81
C:\ComboFix.txt ... 06-12-31 01:20
C:\ComboFix2.txt ... 06-12-31 01:13

SmitFraudFix v2.132

Scan done at 1:30:08.64, Sun 12/31/2006
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.wwe.com/superstars/smackdown/eddieguerrero/photos1/36.jpg"
"SubscribedURL"="http://www.wwe.com/superstars/smackdown/eddieguerrero/photos1/36.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
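An added example, not part of any post in this thread: the "Look2Me's Log" section of the ComboFix output above is reg-file syntax, and reading it by hand hides a useful check. Each removed CLSID points at a server DLL in system32 and most are also registered under Implemented Categories\{00021492-0000-0000-C000-000000000046}, which is CATID_DeskBand from the Windows SDK, the category that marks a COM class as an Explorer desk band. The script below parses that section, parses the FILES REMOVED list, and reports which server DLLs ComboFix deleted and which it did not. The sample is a constructed subset of the log on this page; the parsing and the cross-reference are this example's own code, not ComboFix's.

```python
import re

# CATID_DeskBand: component category marking a COM class as an Explorer desk band
# (GUID value as published in the Windows SDK header shlguid.h)
CATID_DESKBAND = "{00021492-0000-0000-C000-000000000046}"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
CLSID_KEY_RE = re.compile(r"^HKEY_CLASSES_ROOT\\clsid\\(?P<clsid>\{[0-9A-Fa-f-]+\})(?P<sub>.*)$", re.I)
CATEGORY_RE = re.compile(r"Implemented Categories\\(\{[^}]+\})", re.I)

# Constructed sample, trimmed from the ComboFix log posted above: three of the
# Look2Me CLSID registrations plus part of the FILES REMOVED list
SAMPLE_COMBOFIX = r"""
REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{0795FEBD-8CEB-4A0F-8CCD-C2EBD2E5EB89}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{0795FEBD-8CEB-4A0F-8CCD-C2EBD2E5EB89}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{0795FEBD-8CEB-4A0F-8CCD-C2EBD2E5EB89}\InprocServer32]
@="C:\\WINNT\\system32\\whw32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{DEBD5249-0C77-4D05-A3BC-AC76866A43C9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{DEBD5249-0C77-4D05-A3BC-AC76866A43C9}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{AF9DA20E-7FA9-4B86-AD15-F303A21687EA}\InprocServer32]
@="C:\\WINNT\\system32\\mlencode.dll"
"ThreadingModel"="Apartment"

FILES REMOVED:

C:\WINNT\system32\gpjol3131.dll
C:\WINNT\system32\mlencode.dll
C:\WINNT\system32\wccdlg.dll
C:\WINNT\system32\guard.tmp
C:\WINNT\system32\guard.tmp_tobedeleted


Granting sedebugprivilege to Administrators ... successful
"""


def parse_reg_dump(text):
    """Map each CLSID in reg-file style text to its InprocServer32 path and categories."""
    clsids = {}
    current = None  # (clsid, lowercase subkey) while inside a CLSID section
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            cm = CLSID_KEY_RE.match(km.group("key"))
            if cm:
                clsid = cm.group("clsid").upper()
                entry = clsids.setdefault(clsid, {"server": None, "categories": set()})
                sub = cm.group("sub")
                cat = CATEGORY_RE.search(sub)
                if cat:
                    entry["categories"].add(cat.group(1).upper())
                current = (clsid, sub.lower())
            else:
                current = None
            continue
        if current and current[1] == "\\inprocserver32" and line.startswith("@="):
            # reg-file syntax doubles backslashes inside quoted string values
            path = line[2:].strip().strip('"').replace("\\\\", "\\")
            clsids[current[0]]["server"] = path
    return clsids


def removed_files(text):
    """Return lowercase basenames listed under the 'FILES REMOVED:' heading."""
    names = set()
    in_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.upper().startswith("FILES REMOVED"):
            in_list = True
            continue
        if not in_list:
            continue
        if not line:
            if names:
                break      # first blank line after the list closes it
            continue       # blank line between heading and list
        if ":\\" not in line:
            break
        names.add(line.rsplit("\\", 1)[-1].lower())
    return names


def cross_reference(combofix_text):
    """For each removed CLSID: server DLL, desk-band flag, and whether that file was deleted too."""
    removed = removed_files(combofix_text)
    report = {}
    for clsid, info in parse_reg_dump(combofix_text).items():
        server = info["server"]
        base = server.rsplit("\\", 1)[-1].lower() if server else None
        report[clsid] = {
            "server": server,
            "deskband": CATID_DESKBAND in info["categories"],
            "file_removed": base is not None and base in removed,
        }
    return report


def unaccounted_servers(combofix_text):
    """Server DLLs whose registration was removed but which are absent from FILES REMOVED."""
    return sorted(r["server"] for r in cross_reference(combofix_text).values()
                  if r["server"] and not r["file_removed"])


if __name__ == "__main__":
    for clsid, r in cross_reference(SAMPLE_COMBOFIX).items():
        print(clsid, r)
    print("check on disk:", unaccounted_servers(SAMPLE_COMBOFIX))
```

On the sample, whw32.dll comes back as unaccounted for: its COM registration was deleted but the file is not in the removal list, so it is either already gone or still on disk and worth checking by hand. Applied to the full log above, the same check separates the DLLs ComboFix deleted (mlencode.dll, wccdlg.dll, guard.tmp) from the ones it only unregistered (whw32.dll, mkhtmled.dll, icaksie.dll, djcprop2.dll), which is the list a follow-up scan should confirm.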

FamicomJL
2006-12-31, 07:34
And finally, the Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 1:31:29 AM, on 12/31/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXCCserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\VIA Technologies, Inc\Audio Deck\ADeck.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Common Files\AOL\1133882946\ee\AOLSoftware.exe
C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\lxcccoms.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\dsrss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIA Technologies, Inc\Audio Deck\ADeck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133882946\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [sys011601329257-] C:\WINNT\sys011601329257-.exe
O4 - HKLM\..\Run: [sys0301329257-16] C:\WINNT\sys0301329257-16.exe
O4 - HKLM\..\Run: [ms079257-160132] C:\WINNT\ms079257-160132.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: K-Meleon Loader.lnk = C:\Program Files\K-Meleon\loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Free WebSite Tools.lnk = C:\Program Files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O21 - SSODL: System - {CF5C9E86-EB5D-421A-8DAA-D2B31D0D72B4} - dgflib.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LXCCCustomerConnect - Unknown owner - C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXCCserv.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINNT\system32\lxcccoms.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
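
A triage pass over O4 (autostart) lines of the kind shown in the log above, as an added example that is not part of the thread or of HijackThis itself. It parses the Run-key and Startup-folder entries in the HijackThis 1.99.1 line format and flags the ones a helper would look at first: a bare filename with no directory (such as dsrss.exe, which Windows resolves through the search path at logon), a binary sitting directly in the Windows directory rather than in a subfolder, and a name containing a long run of digits. The sample lines, the flag rules and the small allowlist of bare names (ctfmon.exe, mobsync.exe) are my own assumptions; a flag means "check this entry", not "this is malware".

```python
"""Triage the O4 (autostart) lines of a HijackThis log with defender heuristics.

Added example (not part of the thread): the regexes follow the HijackThis 1.99.1
line format visible in the posted log; the flag rules are heuristics of my own.
"""
import re
from typing import Dict, List, Optional

# Constructed sample in the same shape as the O4 lines of the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [sys011601329257-] C:\WINNT\sys011601329257-.exe
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
"""

# Run-key entries:      O4 - HKLM\..\Run: [name] command line
RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# Startup-folder entries: O4 - Global Startup: foo.lnk = C:\path\foo.exe
STARTUP_RE = re.compile(r'^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$')
# Image path inside a command line: optional quotes, optional trailing arguments
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|com|scr))"?(?:[\s,].*)?$', re.IGNORECASE)

# Names Windows 2000/XP itself registers without a directory (constructed allowlist).
KNOWN_BARE = {"ctfmon.exe", "mobsync.exe"}
WINDIRS = {r"c:\winnt", r"c:\windows"}


def image_path(cmd: str) -> Optional[str]:
    """Extract the executable/DLL path from an O4 command line."""
    cmd = cmd.strip()
    if cmd.lower().startswith(("rundll32 ", "rundll32.exe ")):
        cmd = cmd.split(" ", 1)[1]          # the interesting image is the DLL, not rundll32
    m = IMAGE_RE.match(cmd)
    return m.group("path") if m else None


def flags_for(name: str, path: Optional[str]) -> List[str]:
    """Heuristic reasons to look closer at an entry (empty list = nothing odd)."""
    if path is None:
        return ["unparsed command line"]
    flags: List[str] = []
    low = path.lower()
    if "\\" not in low:
        if low not in KNOWN_BARE:
            flags.append("bare filename, resolved through the search path at logon")
    elif low.rsplit("\\", 1)[0] in WINDIRS:
        flags.append("binary dropped directly in the Windows directory")
    base = low.rsplit("\\", 1)[-1]
    if re.search(r"\d{6,}", base) or re.search(r"\d{6,}", name):
        flags.append("machine-generated looking name (long digit run)")
    return flags


def parse_o4(line: str) -> Optional[Dict[str, object]]:
    """Parse one O4 line; returns None for any other line."""
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    path = image_path(m.group("cmd"))
    return {"hive": m.group("hive"), "name": m.group("name"), "path": path,
            "flags": flags_for(m.group("name"), path)}


def triage(log_text: str) -> List[Dict[str, object]]:
    """All O4 entries of a log, each with its list of flags."""
    return [e for e in (parse_o4(l) for l in log_text.splitlines()) if e is not None]


def flagged_names(log_text: str) -> List[str]:
    """Run-key / shortcut names whose entries carry at least one flag."""
    return [e["name"] for e in triage(log_text) if e["flags"]]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        mark = "CHECK" if e["flags"] else "  ok "
        print(f'{mark} [{e["name"]}] {e["path"]}  {"; ".join(e["flags"])}')
```

Run against the constructed sample, the two entries that come out flagged are the digit-named file in C:\WINNT and the path-less dsrss.exe; every Program Files and system32 entry passes. The rules are deliberately narrow so that a flag is a prompt to verify the file (publisher, location, whether it exists), not a verdict.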

Angelfire777
2006-12-31, 08:45
Hi,

You didn't follow my instructions on how to move HijackThis to a permanent folder. Please do it so it'll be easier for us if ever we make any mistakes.

*Since HijackThis creates backups of all it fixes and we want them safe and secured should they be required later, we need to move HijackThis to a permanent folder.

a.) While in your Desktop, right click in the background > Go to New > click Folder > Name the Folder HJT

b.) After creating the folder, find your HijackThis.exe (it looks like a detonator with some dynamites). Then, drag and drop that file to the new folder you created.

*Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Do not use it yet!

*Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune

DO NOT USE IT YET!!

__________________________________________

*Viewpoint, Viewpoint Manager and Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. Viewpoint Manager is considered foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything "bad". In 2006 this may change; read Viewpoint to Plunge Into Adware (http://www.clickz.com/showPage.html?page=3561546). I recommend that you remove it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:
Viewpoint
Viewpoint Manager
Viewpoint Media Player
If AOL is present, to prevent it from being recreated every time you run the AOL software: Open AOL
Go to Help on the toolbar
Select About AOL
Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.

Reboot.

*You need to disable Trojan Hunter temporarily; it can stop our fix. Please re-enable it after your system is clean.
Before we start, please go to TrojanHunter Guard in the lower right corner of your screen. It is a light blue icon with a magnifying glass that can be difficult to see, but the handle is red. Right click it and select "Settings." Uncheck "Load at Startup" and "Enabled". Make sure that the program, TrojanHunter itself, is also closed/not running.

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O4 - HKLM\..\Run: [sys011601329257-] C:\WINNT\sys011601329257-.exe
O4 - HKLM\..\Run: [sys0301329257-16] C:\WINNT\sys0301329257-16.exe
O4 - HKLM\..\Run: [ms079257-160132] C:\WINNT\ms079257-160132.exe
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O21 - SSODL: System - {CF5C9E86-EB5D-421A-8DAA-D2B31D0D72B4} - dgflib.dll (file missing)

Fix the following entry if you uninstalled viewpoint

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

Close your browsers and all open windows except for HijackThis, then click "Fix checked".

Close HijackThis.

*Backup Your Registry with ERUNT
Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
For version with the Installer:
Use the setup program to install ERUNT on your computer
For the zipped version:
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type fix.reg in the File name and save it to your desktop.


REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"svbbc"=-
"zfoi"=-




Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Close notepad. Make sure that all windows are closed.

Find the fix.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer Yes.

_________________________________________

*You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap the F8 key just before Windows starts to load > This will bring up a Menu > Use your keyboard to scroll to Safe Mode > Hit Enter.

*Configure your machine to view hidden files:

Windows 2000
Open My Computer..
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading select Show hidden files and folders.
Uncheck the Hide Protected Operating System Files Option.
Click Yes to confirm.
Click OK.

*Using Windows Explorer, find and delete these files:

C:\Documents and Settings\Administrator\gOhgkog.exe
C:\WINNT\dsrss.exe
C:\WINNT\ieserver.exe
C:\WINNT\rundll.exe
C:\WINNT\system32\dgflib.dll
C:\WINNT\iun6002.exe
C:\WINNT\sys011601329257-.exe
C:\WINNT\sys0301329257-16.exe
C:\WINNT\ms079257-160132.exe
C:\WINNT\system32\wipibs.exe

*Click Start > Search > Click "All Files and Folders".
Under "Advanced Options", make sure the following are checked:
Search System Folders.
Search Hidden Files And Folders.
Search Subfolders.
Then into the search box, copy and paste the following (one at a time):

ctfmon.exe << IMPORTANT: There is a legitimate ctfmon.exe found inside this folder: C:\WINNT\System32. Delete only a ctfmon.exe found anywhere other than that folder, if there are any.

*Delete the following folders:

C:\WINNT\system32\drv32dta
C:\WINNT\system32\appmgmt
C:\Program Files\Common Files\zfoi

Delete the following folder if you uninstalled viewpoint:

C:\program files\viewpoint

Empty your recycle bin.
_______________________________________

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

*Please run AVG AntiSpyware, and run a full scan as follows:

IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning; it may interfere with the scanning process.

Launch AVG AntiSpyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG AntiSpyware will now begin the scanning process; be patient, this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted; then select "Apply all actions".
Next select the "Reports" icon at the top.
Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
Close AVG AntiSpyware.
Reboot to normal mode.
________________________________________

I would like you to scan a few files for me.

Please go HERE (http://virusscan.jotti.org/). Click browse then, navigate to this file:

C:\WINNT\vdwos.dll

Then click submit.

Please post the results to your next reply.

If Jotti is too busy, you can go HERE (www.virustotal.com) and do the same as above.

On your next reply, please include a fresh HijackThis log, the AVG Anti-Spyware log and the results of the Jotti scan. Also, tell me if you found any other ctfmon.exe besides the legitimate one, and please give a description of how your machine is running.
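
A pre-merge check for the fix.reg file described in the post above, as an added example that is neither the poster's nor part of any tool named in the thread. It normalises Notepad's CRLF line endings, enforces the two formatting rules the post gives (REGEDIT4 on the very first line, one blank line at the end), and lists exactly which values the file will delete (the "name"=- form) or set, so the person merging it can see that it touches only the intended Run key. The sample input is the fix.reg text from the post; the broken variant and the `safe_to_merge` helper with its Run-key suffix check are my own additions.

```python
"""Check a REGEDIT4 .reg fix file before merging it.

Added example (not from the thread): enforces the two formatting rules stated
in the post (REGEDIT4 on line 1, one blank line at the end) and reports which
values the file deletes ("name"=-) or sets.
"""
import re
from typing import Dict, List, Tuple

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')            # [HKEY_...\path]
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')  # "name"=data  ("-" = delete)

# Sample input: the fix.reg text from the post above.
GOOD_REG = (
    "REGEDIT4\n"
    "\n"
    "[HKEY_USERS\\.default\\software\\microsoft\\windows\\currentversion\\run]\n"
    '"svbbc"=-\n'
    '"zfoi"=-\n'
    "\n"
)
# Constructed broken variant: a blank line before the header and none at the end.
BAD_REG = "\n" + GOOD_REG.rstrip("\n")


def parse_reg(text: str) -> Dict[str, list]:
    """Return {'errors': [...], 'deletes': [(key, name)], 'sets': [(key, name, data)]}."""
    text = text.replace("\r\n", "\n")        # Notepad writes CRLF; normalise first
    lines = text.split("\n")
    errors: List[str] = []
    deletes: List[Tuple[str, str]] = []
    sets: List[Tuple[str, str, str]] = []

    try:
        header = lines.index("REGEDIT4")
    except ValueError:
        return {"errors": ["missing REGEDIT4 header"], "deletes": deletes, "sets": sets}
    if header != 0:
        errors.append(f"REGEDIT4 must be on line 1, found on line {header + 1}")
    if not text.endswith("\n\n"):
        errors.append("file must end with one blank line")

    current = None                           # key section we are currently inside
    for n, line in enumerate(lines[header + 1:], start=header + 2):
        if not line.strip():
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m:
            errors.append(f"line {n}: unrecognised line {line!r}")
        elif current is None:
            errors.append(f"line {n}: value outside any [key] section")
        elif m.group("data") == "-":
            deletes.append((current, m.group("name")))
        else:
            sets.append((current, m.group("name"), m.group("data")))
    return {"errors": errors, "deletes": deletes, "sets": sets}


def safe_to_merge(text: str, allowed_key_suffix: str = r"\currentversion\run") -> bool:
    """True only if the file parses cleanly and every key it touches is a Run key."""
    r = parse_reg(text)
    keys = [k for k, _ in r["deletes"]] + [k for k, _, _ in r["sets"]]
    return not r["errors"] and all(k.lower().endswith(allowed_key_suffix) for k in keys)


if __name__ == "__main__":
    for label, text in (("good", GOOD_REG), ("bad", BAD_REG)):
        r = parse_reg(text)
        print(label, "errors:", r["errors"], "deletes:", [n for _, n in r["deletes"]])
```

On the posted file the parser reports no errors and two deletions (svbbc and zfoi) under the .default user's Run key; the constructed variant with a leading blank line and no trailing one fails both format rules, which is exactly the pair of mistakes the post warns about.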

tashi
2007-01-08, 19:04
FamicomJL, still with us?

tashi
2007-01-11, 06:39
This topic is closed due to lack of a response.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original topic starter.