
View Full Version : First timer- smitfraud and other problems



jdmaxima89
2007-03-26, 22:54
Ok, so on my work computer for the past week, I've been having issues with Smitfraud-C. and the related toolbar. Other than misc. popups for ringtones on the computer, it wasn't a big deal, just annoying seeing it in spybot, deleting it, then it being there next time I ran it. I read the stickies and downloaded the smitfraud removal thing, and it SEEMS to have taken care of that. I also downloaded Ad Aware- ran it, then deleted the quarantined items. :oops: Now whenever I boot up my computer, first thing that happens is this error
"RUNDLL: Error loading c:\WINDOWS\xxxvwu.dll The specified module could not be found."

I was also having an issue with another error popping up saying
"qbupdate.exe: unable to locate component. This application has failed to start because MFC71.dll was not found. Re-installing the application may fix this problem"
My friend sent me a copy of that file for QuickBooks, and now that error went away.

I'm also getting consistent Spybot problems for
Avenue A, Inc.
MediaPlex
Zlob.IERedir
I have spybot fix them, reboot, and they are back again... What are all my problems? I will give you the reports for Spybot and HJT in the next post (I'm on my laptop right now, have to switch to the work computer)

jdmaxima89
2007-03-26, 23:00
Logfile of HijackThis v1.99.1
Scan saved at 3:55:31 PM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Intuit\Entitlement Client v2\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://parts.tecumsehpower.com/
O2 - BHO: Shell Event Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINDOWS\system32\cscentfy.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {388315d1-92bc-4108-aa98-53aefd73e6a4} - C:\WINDOWS\system32\appind.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp26.tmp.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IE Redir] C:\WINDOWS\ieredir.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\xxxvwu.dll",setvm
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {13D448F2-4D80-40BD-B1D7-25A9B7CB1474} (PMSImage Control) - http://parts.tecumsehpower.com/install/PMSImage.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3B3CC57A-6F3D-4596-A8D6-19E4A216AD0C} (pcval Control) - https://dsi2.datascape2.com:8443/AgentProfile/dspcval.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166560941910
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172092756046
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://cdn.downloadcontrol.com/files/installers/cab/Install-Errorprotector-Free.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\system32\QBPOSProtocol.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: appind - C:\WINDOWS\SYSTEM32\appind.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Entitlement Service v2 - Intuit, Inc. - C:\Program Files\Common Files\Intuit\Entitlement Client v2\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QBPOS Database Extended Manager (QBPOSDBExtServices) - Intuit Inc. - C:\Program Files\Intuit\QuickBooks Point of Sale 5.0\DatabaseServer\QBPOSDBServiceEx.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

jdmaxima89
2007-03-26, 23:00
Do you need the spybot report? It is uber long.

jdmaxima89
2007-03-27, 14:21
Morning bump- on my way to work, hoping to get this fixed today!!! Thank you!

jdmaxima89
2007-03-27, 17:32
I noticed some other people are being told to download AVG Anti-spyware... and since I'm not getting any responses I figured I'd try it too... but I'm not sure if it's stuck in the update or not. It's said "Downloading updates, receive data..." for about 15 minutes and there is no sign of anything going on. Whatever information you guys have would be greatly appreciated, and I can be very responsive on any reports you need, because this is a work computer and I need it fixed ASAP!!!! Thanks;)

tashi
2007-03-27, 17:42
Hello.

Please do read our sticky topics which, (among other things) ask members not to bump their posts as it could delay assistance.

"BEFORE you POST" Mandatory Steps Before Requesting Assistance (http://forums.spybot.info/showthread.php?t=288)

If you have waited FOUR days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

When you say it is a work computer, is there an IT person?

Regards.

jdmaxima89
2007-03-27, 18:41
I apologize for the bump this morning... I guess I didn't see that when I read the stickies... I'm just trying to get this figured out. Also about it being a work computer... this is a branch store from our main one, and only one computer and one employee (myself) using this computer, making me the IT person lol.
And here is the fresh HJT and Pandascan.

Logfile of HijackThis v1.99.1
Scan saved at 11:34:00 AM, on 3/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Intuit\Entitlement Client v2\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://parts.tecumsehpower.com/
O2 - BHO: Shell Event Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINDOWS\system32\cscentfy.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {388315d1-92bc-4108-aa98-53aefd73e6a4} - C:\WINDOWS\system32\appind.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp26.tmp.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\xxxvwu.dll",setvm
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {13D448F2-4D80-40BD-B1D7-25A9B7CB1474} (PMSImage Control) - http://parts.tecumsehpower.com/install/PMSImage.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3B3CC57A-6F3D-4596-A8D6-19E4A216AD0C} (pcval Control) - https://dsi2.datascape2.com:8443/AgentProfile/dspcval.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166560941910
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172092756046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://cdn.downloadcontrol.com/files/installers/cab/Install-Errorprotector-Free.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\system32\QBPOSProtocol.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: appind - C:\WINDOWS\SYSTEM32\appind.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Entitlement Service v2 - Intuit, Inc. - C:\Program Files\Common Files\Intuit\Entitlement Client v2\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QBPOS Database Extended Manager (QBPOSDBExtServices) - Intuit Inc. - C:\Program Files\Intuit\QuickBooks Point of Sale 5.0\DatabaseServer\QBPOSDBServiceEx.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



PANDASCAN===============================================


Incident Status Location

Virus:Trj/KillAV.FG Disinfected Operating system
Virus:trj/abwiz.a Disinfected Operating system
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\UERT_0001_D19M2109NetInstaller.exe
Virus:trj/briz.f Disinfected Operating system
Virus:W32/NuWar.AL.worm Disinfected C:\Documents and Settings\QBPOSDBSrvUser\Local Settings\Temporary Internet Files\Content.IE5\4HE7GDMN\sc[1].exe
Virus:Trj/Alanchum.TW Disinfected C:\Documents and Settings\QBPOSDBSrvUser\Local Settings\Temporary Internet Files\Content.IE5\812VSLEZ\via[1].exe
Virus:Trj/Alanchum.TW Disinfected C:\Documents and Settings\QBPOSDBSrvUser\Local Settings\Temporary Internet Files\Content.IE5\812VSLEZ\via[2].exe
Virus:W32/NuWar.AL.worm Disinfected C:\Documents and Settings\QBPOSDBSrvUser\Local Settings\Temporary Internet Files\Content.IE5\8XENKHIB\sm[1].exe
Virus:W32/NuWar.AL.worm Disinfected C:\Documents and Settings\QBPOSDBSrvUser\Local Settings\Temporary Internet Files\Content.IE5\WDYF01MV\dd[1].exe
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\savoyshop\Application Data\Mozilla\Firefox\Profiles\dbcssqdv.default\cookies.txt[.com.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\savoyshop\Cookies\savoyshop@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\savoyshop\Cookies\savoyshop@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\savoyshop\Cookies\savoyshop@hitbox[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\savoyshop\Cookies\savoyshop@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\savoyshop\Cookies\savoyshop@questionmarket[2].txt
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\savoyshop\Local Settings\Temp\Temporary Internet Files\Content.IE5\WLN3Q5KR\ffa_dn_20070322[1]
Virus:Trj/KillAV.FG Disinfected C:\Program Files\Common Files\Symantec Shared\ccApp.exe1174934001
Virus:Trj/KillAV.FG Disinfected C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
Virus:Trj/KillAV.FG Disinfected C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
Virus:Trj/KillAV.FG Disinfected C:\WINDOWS\system32\adirss.exe
Virus:W32/NuWar.AL.worm Disinfected C:\WINDOWS\system32\bak\adirss.exe
Virus:W32/NuWar.AL.worm Disinfected C:\WINDOWS\system32\bak\lnwin.exe
Virus:Trj/KillAV.FG Disinfected C:\WINDOWS\system32\bak\lsasss.exe
Virus:Trj/Conhook.BH Disinfected C:\WINDOWS\system32\ddayvvv.dll
Virus:Trj/Qhost.EV Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20070226-125618.backup
Virus:Trj/KillAV.FG Disinfected C:\WINDOWS\system32\lnwin.exe
Virus:Trj/Alanchum.TW Disinfected C:\WINDOWS\system32\ma.exe.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

jdmaxima89
2007-03-28, 23:29
Just an update- I've gone nowhere on this computer that I shouldn't have, and somehow the smitfraud toolbar is back :( let me know what you guys need from me.

Mr_JAk3
2007-03-29, 19:36
Hello jdmaxima89 and welcome to the Forums :)

Sorry for the wait...

You're quite nicely infected....


Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

=======


Please download the following program and save it to your desktop:

http://noahdfear.geekstogo.com/FindAWF.exe

Once downloaded, double-click on the file to run it. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.

jdmaxima89
2007-03-29, 19:55
Now I've got a big problem (I'm posting from my personal laptop now)
I ran vundofix... and it rebooted... but now it will go all the way up to windows is starting up, then I can click the username, it loads the personal settings, then clicks off... every time. Reboots on its own, and the cycle continues... so now what!!! :alien:

Mr_JAk3
2007-03-29, 20:00
Are you able to restart the computer in safe mode?

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Let me know and post a fresh HijackThis log from the Safe Mode if possible :bigthumb:

jdmaxima89
2007-03-29, 20:57
It will start up in safe mode, and I ran a new HJT log, but for some reason the internet isn't working now "on that computer"..... and I don't have any blank cd's, or a flash drive here at the store. :( Unless you can think of anything else... that'll have to wait till tomorrow

jdmaxima89
2007-03-29, 21:30
haha... Safe Mode with Networking works online

New HJT

Logfile of HijackThis v1.99.1
Scan saved at 1:53:58 PM, on 3/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://parts.tecumsehpower.com/
O2 - BHO: Shell Event Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINDOWS\system32\cscentfy.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {388315d1-92bc-4108-aa98-53aefd73e6a4} - C:\WINDOWS\system32\appind.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp36.tmp.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\ssqrol.dll",setvm
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {13D448F2-4D80-40BD-B1D7-25A9B7CB1474} (PMSImage Control) - http://parts.tecumsehpower.com/install/PMSImage.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3B3CC57A-6F3D-4596-A8D6-19E4A216AD0C} (pcval Control) - https://dsi2.datascape2.com:8443/AgentProfile/dspcval.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166560941910
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172092756046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://cdn.downloadcontrol.com/files/installers/cab/Install-Errorprotector-Free.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\system32\QBPOSProtocol.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Entitlement Service v2 - Intuit, Inc. - C:\Program Files\Common Files\Intuit\Entitlement Client v2\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\savoyshop\ie_updater.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QBPOS Database Extended Manager (QBPOSDBExtServices) - Intuit Inc. - C:\Program Files\Intuit\QuickBooks Point of Sale 5.0\DatabaseServer\QBPOSDBServiceEx.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

jdmaxima89
2007-03-29, 21:39
Ok... it still randomly shuts off in safe mode... but here is the rest of what you wanted.


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

01/30/2007 01:26 PM 50,688 ieredir.exe
1 File(s) 50,688 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

03/15/2007 02:21 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

12/20/2006 01:48 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

03/26/2007 11:52 AM 58,542 adirka.exe
1 File(s) 58,542 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

02/08/2005 11:05 PM 339,968 atiptaxx.exe
1 File(s) 339,968 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

04/13/2006 02:20 PM 59,040 ccApp.exe
1 File(s) 59,040 bytes

Directory of C:\PROGRA~1\COMPAQ\SETREF~1\BAK

11/20/2003 01:01 PM 525,824 SetRefresh.exe
1 File(s) 525,824 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

05/12/2005 12:12 AM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

50688 Jan 30 2007 "C:\WINDOWS\bak\ieredir.exe"
282624 Mar 15 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
100056 Dec 20 2006 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
58542 Mar 26 2007 "C:\WINDOWS\system32\bak\adirka.exe"
339968 Feb 8 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
59040 Apr 13 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
525824 Nov 20 2003 "C:\Program Files\Compaq\SetRefresh\bak\SetRefresh.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\hpwuSchd2.exe"
49152 May 12 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"


end of report


VundoFix V6.3.18

Checking Java version...

Scan started at 12:45:23 PM 3/29/2007

Listing files found while scanning....

C:\WINDOWS\system32\appind.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\appind.dll
C:\WINDOWS\system32\appind.dll Has been deleted!

Performing Repairs to the registry.
Done!

Mr_JAk3
2007-03-30, 21:40
Hello :)

You have an infection which replaces clean files with bad ones. At first we'll do some cleaning.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Run a scan with Dr.Web CureIt: double-click the drweb-cureit.exe file and allow it to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, see if you can click the icon next to the files found (http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif)
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log
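The FindAWF report jdmaxima89 posted above and Mr_JAk3's note that this infection replaces clean files with bad ones describe the same pattern. As an added example (not part of the thread and not noahdfear's tool), the script below parses that report and separates bak entries whose original is already back in place from those still to be treated as replaced; the matching rule (same file name and size outside a bak folder) is my own assumption, not FindAWF's.

```python
"""Triage a FindAWF report: which replaced autostart files are still suspect?

Added example, not noahdfear's tool.  Pattern seen on this page: the real
autostart executable is moved into a `bak` subfolder and a bad file with the
same name takes its place.  FindAWF lists the bak folders and any files
elsewhere that duplicate the bak contents.  Assumed rule (mine, not the
tool's): a bak entry with no same-name, same-size duplicate outside a bak
folder means whatever sits at the original path is not the backed-up file.
"""
import re
from pathlib import PureWindowsPath

# Excerpt of the report posted in the thread, embedded so this runs offline.
SAMPLE_REPORT = r"""
bak folders found
Directory of C:\WINDOWS\BAK
01/30/2007 01:26 PM 50,688 ieredir.exe
1 File(s) 50,688 bytes
Directory of C:\PROGRA~1\MSNMES~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
03/15/2007 02:21 PM 282,624 qttask.exe
1 File(s) 282,624 bytes
Directory of C:\PROGRA~1\SYMNET~1\BAK
12/20/2006 01:48 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
03/26/2007 11:52 AM 58,542 adirka.exe
1 File(s) 58,542 bytes
Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK
02/08/2005 11:05 PM 339,968 atiptaxx.exe
1 File(s) 339,968 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
04/13/2006 02:20 PM 59,040 ccApp.exe
1 File(s) 59,040 bytes
Directory of C:\PROGRA~1\COMPAQ\SETREF~1\BAK
11/20/2003 01:01 PM 525,824 SetRefresh.exe
1 File(s) 525,824 bytes
Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK
05/12/2005 12:12 AM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes
Duplicate files of bak directory contents
50688 Jan 30 2007 "C:\WINDOWS\bak\ieredir.exe"
282624 Mar 15 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
100056 Dec 20 2006 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
58542 Mar 26 2007 "C:\WINDOWS\system32\bak\adirka.exe"
339968 Feb 8 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
59040 Apr 13 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
525824 Nov 20 2003 "C:\Program Files\Compaq\SetRefresh\bak\SetRefresh.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\hpwuSchd2.exe"
49152 May 12 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"""

_DIR_RE = re.compile(r"^Directory of (.+)$")
_FILE_RE = re.compile(r"^\d\d/\d\d/\d{4}\s+\d\d:\d\d [AP]M\s+([\d,]+)\s+(.+)$")
_DUP_RE = re.compile(r'^(\d+)\s+[A-Z][a-z]{2} \d{1,2} \d{4}\s+"(.+)"$')


def parse_report(text):
    """Return ([(original_path, size)], [(duplicate_path, size)]).

    original_path is where the file lived before it was moved: the bak
    folder's parent joined with the file name.  Summary lines such as
    "1 File(s) 50,688 bytes" do not match the file pattern and are skipped.
    """
    bak_entries, duplicates, current_dir = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _DIR_RE.match(line):
            current_dir = PureWindowsPath(m.group(1))
        elif (m := _FILE_RE.match(line)) and current_dir is not None:
            size = int(m.group(1).replace(",", ""))
            bak_entries.append((current_dir.parent / m.group(2), size))
        elif m := _DUP_RE.match(line):
            duplicates.append((PureWindowsPath(m.group(2)), int(m.group(1))))
    return bak_entries, duplicates


def _inside_bak(path):
    return any(part.lower() == "bak" for part in path.parts)


def triage(text):
    """Split originals into 'restored' (a same-name, same-size copy exists
    outside any bak folder) and 'suspect' (no such copy, so the file at the
    original path should be treated as replaced or missing)."""
    bak_entries, duplicates = parse_report(text)
    result = {"restored": [], "suspect": []}
    for original, size in bak_entries:
        clean_copy = any(
            d.name.lower() == original.name.lower() and d_size == size
            and not _inside_bak(d)
            for d, d_size in duplicates
        )
        result["restored" if clean_copy else "suspect"].append(str(original))
    return result


if __name__ == "__main__":
    for kind, paths in triage(SAMPLE_REPORT).items():
        print(kind, len(paths), paths)
```

On the report above this lists HPWuSchd2.exe as already restored and the other seven originals as suspect, which matches the files Pandascan flagged as KillAV.FG in their original locations.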

tashi
2007-04-05, 09:44
Still with us jdmaxima89? :)

tashi
2007-04-11, 08:57
This topic has been closed to prevent others with similar issues posting in it.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.