ok,in my attempts to help a friend I have become sucked into the smitfraud maelstrom! HALP! Have done the following:
downloaded/installed//updated/run Spybot 1.4
ditto BFU
ditto AVG antispyware
ditto VUNDO
ditto ATF
ditto adaware
have tried to run an online antivirus but it wont start. Have downloaded the kaspersky trial application but not able to get it to install. nor Norton anivirus.
Am ready to open a vein! Lifesaver anyone? (whimper)

Hi wardawg.

Let's get you on the road to assistance. ;) Please see this topic: "BEFORE you POST" (http://forums.spybot.info/showthread.php?t=288) and try to produce a HJT log using the version requested.

Copy and paste the log into this topic, and a helper will advise you as soon as available.

Logfile of HijackThis v1.99.1
Scan saved at 9:02:50 PM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\Explorer.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: HP5649A2 HP0018715649A2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tmp1F4.tmp.dll (file missing)
O2 - BHO: (no name) - {3095F640-63A5-437E-F041-69E348E0FA9A} - C:\WINDOWS\system32\xkvouco.dll (file missing)
O2 - BHO: (no name) - {3fa526d0-8c4e-4017-88fb-d4d3ad62450a} - C:\WINDOWS\system32\dosclb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll (file missing)
O2 - BHO: (no name) - {914D7314-ECAC-C52C-F3D4-B0DECBB70BC2} - C:\WINDOWS\system32\gkmimshg.dll (file missing)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\tmp1.tmp.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/135p/html/gtdownlr.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O21 - SSODL: dLszhSfZGLWNO - {B8CAC59F-1260-6F35-4E0B-5A6EA5FB65A1} - C:\WINDOWS\system32\edwg.dll (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Hello and sorry for the wait. :sad:

If you are still in need of assistance see this sticky: If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

hi wardawg,

ive never seen some of those entries before. we can give it a try: i would use the computer as little as possible unitl cleaned up, if you have a cable modem disconnect it when not in use.
-----------------------------------
before using hjt disable all running real time protection like AVG guard and tea timer:

Launch AVG Anti-Spyware and in the main window click "Realtime protection" (in green indicating "Active") to change to inactive.

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
---------------------------------------
scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

R3 - Default URLSearchHook is missing

O1 - Hosts: HP5649A2 HP0018715649A2

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tmp1F4.tmp.dll (file missing)

O2 - BHO: (no name) - {3095F640-63A5-437E-F041-69E348E0FA9A} - C:\WINDOWS\system32\xkvouco.dll (file missing)

O2 - BHO: (no name) - {3fa526d0-8c4e-4017-88fb-d4d3ad62450a} - C:\WINDOWS\system32\dosclb.dll

O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - (no file)

O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt

O21 - SSODL: dLszhSfZGLWNO - {B8CAC59F-1260-6F35-4E0B-5A6EA5FB65A1} - C:\WINDOWS\system32\edwg.dll (file missing)
--------------------------
go to start>run and type in: services.msc the service panel opens, under the name column see if you see IESet listed.
-------------------------
do a scan with avg and save the report:
Click on scanner.
-->Run a full system scan
-->ewido(AVG) will scan.
-->While the scan is in progress you will be prompted to clean files, click OK.
Select Perform action on all infections
-->Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
-->Click Save report.
Save the report to your desktop.
-------------------------
next run vundofix once.

please post:
a new hjt report
the avg report

shelf life

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:46:27 PM 5/10/2007

+ Scan result:



Nothing found.


::Report end

HIJACK HIS report:
Logfile of HijackThis v1.99.1
Scan saved at 8:29:21 PM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll (file missing)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\efcayx.dll",realset
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/135p/html/gtdownlr.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


please note...i have only the trial version of AVG so i never saw the "real time" component you mentioned to turn off. Tea timer was already turned off and I booted to safe mode with networking to run these scans. Did not run spybot nor adaware yet. Have plenty of fuzzy animals for sacrificing if it helps!!! (just kidding)

hi,

thanks for the info. well the log looks better. avg found nothing, always a good sign.

scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\efcayx.dll",realset

O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
--------------------------
the guard component of avg becomes disabled after 30 days unless purchased, but still can update/scan with it.
no need for sacrificing anything yet, maybe later-- afew politicians would be better.
---------------------------
do another scan with hjt in normal mode please and post those results.

shelf life

Shelf, let me take a moment to thank you and the others of the Spybot family to help out. Im thinking Im back to square one with this laptop and Ill splain why....the work Ive been doing has been in Safe Mode with networking with me using the admin account. This account never appears as an option when booting normally. The account the owner of the system uses has admin privs but is not the Admin account...it's called "owner". I booted the laptop yesterday after having done all the steps Ive been given. This time, though, I used the owner account. I thought the machine was clean at this point so off to take a test drive...WRECK! The problem this pc originally had was the infamous 60 second countdown. It use to reference the DCOM service but now is referencing the RPC service has shutdown and mchine must restarrt...or whatever. My question is this....all the cleaning, cursing, praying, and crying Ive been doing on the system....is it not cleaning ALL problems with ALL profiles?
Oh, as an fyi...I have had the system restore turned off this entire time...So how could the system get re-infected when all this effort has been made?

<whimper>

Dave:oops:

hi wardawg,

glad to help.
dont worry about system restore, just leave it off for now. the shutdown problem dosnt always mean its caused by malware. it could be hardware related.
but in both cases DCOM/RPC could be caused by the blaster worm, but it looks like your updated/patched with SP2

is the antivirus up to date on the computer?if you can boot into the owner account or any account run the antivirus. also run avg antispyware again

does msg look like whats in attachment?

see this link about blaster worm:

http://www.mvps.org/marksxp/WindowsXP/rpc.php

shelf life

logged in as owner and ran AVG. it found 3 instances of downloader infections and cleaned them as well as Spysheriff. Also found reference to sasser (lsasss.exe) was referenced in registry and msconfig.

hi wardawg,

ok thanks for the info. there is a download removal tool here you can run if you want:
http://www.symantec.com/security_response/writeup.jsp?docid=2004-050116-1831-99

--------------------
you can do a online scan also here:
Panda ActiveScan

http://www.pandasoftware.com/products/activescan.htm

* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
* Enter your Country
* Enter your State/Province
* Enter your e-mail address and click send (use a fake e-mail)
* Select either Home User or Company
* Click the big Scan Now button
* If it wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on My Computer to start the scan
* When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Hey Shelf,
I appreciate all your time and input but the owner of the computer became frustrated......regardless of the hundreds of items detected during the course of your and my work. So, the laptop has been returned to her per her request. Functioning much better than when I began and protected by AVG...for 30 days anyhow, spybot and others. You have my sincere thanks and appreciation for the time you devoted to assisting me and I will be making a contribution to the cause very shortly. Props to you and others in the spybot family!!!
:bigthumb:

Regards,

Dave

hi wardawg,

thanks. glad to try and help.

shelf life