View Full Version : yayxx.dll
Hello all, I have been doing a lot of work trying to get rid of this virus with no luck, if ne1 can help me I would really appreciate it. I've followed all the instructions required before posting and here are my logs one of which is from Panda and the other HJT.
TIA.
Incident Status Location
Adware:adware/securityerror Not disinfected c:\windows\system32\ot.ico
Adware:adware/spywarequake Not disinfected c:\windows\system32\1024\ldA512.tmp
Adware:adware/ist.istbar Not disinfected Windows Registry
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\CBXVTTQ.DLL
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\CBXVTTQ.DLL( 1)
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\cbxvttq.dll( 2)
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\CBXVTTQ.DLL( 4)
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\CBXVTTQ.DLL( 5)
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\32msztux.default\cookies.txt[.zedo.com/]
Virus:Trj/Mitglieder.BO Not disinfected C:\Documents and Settings\Me\Application Data\Thunderbird\Profiles\default\z7g2h418.slt\Mail\pop.abs.adelphia.net\Inbox[543.rar][dddd.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Me\Desktop\backups\backup-20070225-173830-567.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Me\Desktop\backups\backup-20070225-185847-352.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Me\Desktop\backups\backup-20070225-190226-840.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Me\Desktop\backups\backup-20070301-220054-861.dll
Potentially unwanted tool:Application/Pskill.K Not disinfected C:\Documents and Settings\Me\Desktop\bin\pskill.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Me\Desktop\VundoFix\VundoFix\process.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\acxpefnm.dll
Potentially unwanted tool:Application/Processor Not disinfected D:\Downloads\Scanned\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected D:\Downloads\VundoFix.exe[process.exe]
Potentially unwanted tool:Application/Pskill.K Not disinfected D:\DVDTools\bin\pskill.exe
Potentially unwanted tool:Application/Pskill.K Not disinfected D:\DVDTools\pgcedit.exe[Tcl/work/PGCEDIT/bin/pskill.exe]
__________________________
Logfile of HijackThis v1.99.1
Scan saved at 1:54:56 PM, on 3/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Documents and Settings\Me\Desktop\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43149305-FB38-4A1A-AE45-C6B6AF05EC0A} - C:\WINDOWS\system32\yayxx.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - D:\Program Files\FlashCapture\fcbho.dll
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [WinPatrol PLUS] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: cbxvttq - cbxvttq.dll (file missing)
O20 - Winlogon Notify: yayxx - C:\WINDOWS\system32\yayxx.dll (file missing)
O20 - Winlogon Notify: yayyy - C:\WINDOWS\system32\yayyy.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
pskelley
2007-03-04, 14:56
Welcome to the forum, I can see you may have done considerable damage to these infections, which look to be at the very least Virtumonde and probably Smitfraud because I see this junk: spywarequake.
We need to find out what is left, TeaTimer and WinPatrol will try to block changes we must make, so I want you to turn them off anytime you are running fixes, here are the instructions to do that:
TeaTimer: http://russelltexas.com/malware/teatimer.htm
WinPatrol: Right-click the running icon of Winpatrol in the system tray and choose exit. It will automatically restart at next boot.
Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm
Now I want you to remove all tools you downloaded for your work, I may need them again or I may not, if I do I want them downloaded fresh and from where I say to download from. Make sure you delete:
C:\!KillBox\ <<< and everything in it.
C:\Documents and Settings\Me\Desktop\backups\ <<< whatever that is, delete it.
smitRem.exe <<< delete all that is on the computer. Once everything you downloaded and what I just mentioned is done, then move to instructions.
Instructions: Make sure TeaTimer and WinPatrol are disabled, they will block us!
1) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfaudfix from this link and follow only these directions:
Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
2) Understand that Vundofix may not know all of the junk (if it finds any) but it will learn. You need to run it until it indicates that all of the junk it finds "Has been deleted"
Thanks to Atribune and any others who helped with this fix.
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com
Restart the computer, post the C:\Report.txt from Smitfruadfix, the vundofix.txt and a new HJT log. Use Post Reply, stay in this same topic and add any comments you think will help.
I suggest you keep the computer offline as much as possible until we have it clean, there will be more to do.
Thanks
Ok I've done all that you had requested and here are the logs:
_________________
SmitFraudFix v2.147
Scan done at 9:50:19.74, Sun 03/04/2007
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Me
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Me\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Me\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{89aef01d-d237-49c7-84dc-4e1904c1fd31}"="AutoDisc Ware"
[HKEY_CLASSES_ROOT\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\System32\sbnudh.dll"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\System32\sbnudh.dll"
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
_____________________________
VundoFix V6.3.12
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 9:53:39 AM 3/4/2007
Listing files found while scanning....
C:\WINDOWS\system32\acxpefnm.dll
C:\WINDOWS\system32\awtsp.dll
C:\WINDOWS\system32\baadd.ini
C:\WINDOWS\system32\ddaab.dll
C:\WINDOWS\system32\mnfepxca.ini
C:\WINDOWS\system32\pstwa.ini
C:\WINDOWS\system32\yayxx.dll
C:\WINDOWS\system32\yayyy.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\acxpefnm.dll
C:\WINDOWS\system32\acxpefnm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\awtsp.dll
C:\WINDOWS\system32\awtsp.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\baadd.ini
C:\WINDOWS\system32\baadd.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ddaab.dll
C:\WINDOWS\system32\ddaab.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\mnfepxca.ini
C:\WINDOWS\system32\mnfepxca.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\pstwa.ini
C:\WINDOWS\system32\pstwa.ini Has been deleted!
Performing Repairs to the registry.
Done!
___________________________
Logfile of HijackThis v1.99.1
Scan saved at 10:23:35 AM, on 3/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43149305-FB38-4A1A-AE45-C6B6AF05EC0A} - C:\WINDOWS\system32\yayxx.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - D:\Program Files\FlashCapture\fcbho.dll
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [WinPatrol PLUS] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: cbxvttq - cbxvttq.dll (file missing)
O20 - Winlogon Notify: yayxx - C:\WINDOWS\system32\yayxx.dll (file missing)
O20 - Winlogon Notify: yayyy - C:\WINDOWS\system32\yayyy.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
pskelley
2007-03-04, 18:08
Thanks, you did indeed have additional Smitfraud infection, I will post the cleanup information in just a moment. You are also running out of date Java programs, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
chances are Vundo infected you using exploits in the old programs. Download the newest version and uninstall all old version in Add Remove programs.
With TeaTimer and WinPatrol turned off, follow these directions carefully.
1) http://siri.geekstogo.com/SmitfraudFix.php <<< tutorial if needed
Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infect files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {43149305-FB38-4A1A-AE45-C6B6AF05EC0A} - C:\WINDOWS\system32\yayxx.dll (file missing)
O20 - Winlogon Notify: cbxvttq - cbxvttq.dll (file missing)
O20 - Winlogon Notify: yayxx - C:\WINDOWS\system32\yayxx.dll (file missing)
O20 - Winlogon Notify: yayyy - C:\WINDOWS\system32\yayyy.dll (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post the C:\report.txt from Smitfraudfix, a new HJT log and your comments. How is the computer running now?
Thanks
Ok, I haven't checked it out as far as speed or anything, I will let you know . . .
Here are the new logs:
______________________
SmitFraudFix v2.147
Scan done at 13:21:39.60, Sun 03/04/2007
Run from C:\Documents and Settings\Me\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
______________________________
Logfile of HijackThis v1.99.1
Scan saved at 1:34:59 PM, on 3/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\gearsec.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Me\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - D:\Program Files\FlashCapture\fcbho.dll
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinPatrol PLUS] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
___________________________________
I had forgotten to save the HJT log so I ran it again and saved it and to my surprise, I believe it is CLEAN:bigthumb:
Tell me what you think?
There sure is or was a lot to do to get rid of this.
So, if that is it, I still have to re-install Java, and re-set the tea timer.
pskelley
2007-03-04, 19:48
Yep, I would say you are good to go:bigthumb: Just a little more to do. Clean the System Restore files:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
If you need some help speeding the computer up, look here:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
Thanks so much for the help. . . I was really getting upset with this one.
:2thumb:
pskelley
2007-03-05, 12:36
As the problem appears to be resolved this topic has been closed.
If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.
Thanks