View Full Version : need help with smit and spyware bot



Stick56
2007-05-09, 22:57
Hello all. I am in need of some help. I have run Spybot 4 times and I still have the smit tool888 and a new one called spyware bot. I have tried to read the forums on how to get this off but I am not understanding it. Is there anyone that can help me step by step on how to remove this? I am also getting a lot of pop-ups. Is this the problem? I am running Windows 2000.

Thanks in advance for any help I can get.

tashi
2007-05-10, 04:52
Hello.

Please see the procedure for this forum: "BEFORE you POST" Mandatory Steps Before Requesting Assistance (http://forums.spybot.info/showthread.php?t=288)

Copy the information requested into this topic, and a helper will advise you when available.

Cheers.

Stick56
2007-05-11, 00:43
OK, thank you for pointing me in the correct direction.

I ran the anti-virus; I am hoping this is what you needed from there.


Virus scan finished. 80 viruses found.
Scan Results: 107545 files scanned. 80 viruses were detected.

File Infection Status Path
cmpg_22-inst[10] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\
cmpg_22-inst[11] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\
cmpg_22-inst[12] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\
cmpg_22-inst[13] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\
cmpg_22-inst[14] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\
cmpg_22-inst[15] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\
cmpg_22-inst[16] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\
cmpg_22-inst[1] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\
cmpg_22-inst[2] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\
cmpg_22-inst[3] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\
cmpg_22-inst[4] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\
cmpg_22-inst[5] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\
cmpg_22-inst[6] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\
cmpg_22-inst[7] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\
cmpg_22-inst[8] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\
cmpg_22-inst[9] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\
cmpg_22-inst[10] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[11] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[12] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[13] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[14] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[15] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[16] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[17] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[18] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[19] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[1] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[20] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[21] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[22] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[23] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[2] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[3] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[4] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[5] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[6] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[7] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[8] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[9] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPMNOH6R\
cmpg_22-inst[10] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\
cmpg_22-inst[11] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\
cmpg_22-inst[12] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\
cmpg_22-inst[13] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\
cmpg_22-inst[14] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\
cmpg_22-inst[15] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\
cmpg_22-inst[16] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\
cmpg_22-inst[17] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\
cmpg_22-inst[1] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\
cmpg_22-inst[2] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\
cmpg_22-inst[3] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\
cmpg_22-inst[4] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\
cmpg_22-inst[5] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\
cmpg_22-inst[6] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\
cmpg_22-inst[7] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\
cmpg_22-inst[8] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\
cmpg_22-inst[9] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\
cmpg_22-inst[10] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[11] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[12] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[13] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[14] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[15] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[16] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[17] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[18] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[19] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[1] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[20] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[21] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[22] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[2] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[3] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[4] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[5] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[6] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[7] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[8] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
cmpg_22-inst[9] Win32/Rlsloup infected, no cure C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP2JG5UN\
dxcmdsbq.dll Win32/Vundo!generic infected C:\WINNT\system32\
jkkkj.dll Win32/Vundo!generic infected C:\WINNT\system32\


OK, then I went into safe mode and ran Spybot. It would not remove the smit one.

Stick56
2007-05-11, 00:44
Here is the HJT report also, I believe.

Logfile of HijackThis v1.99.1
Scan saved at 5:21:09 PM, on 5/10/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsrw.exe
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\PROGRA~1\CHARTE~1\ANTI-S~1\fsaw.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjkthis\HijackThis.exe

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\system32\lejyemhu.dll",realset
O4 - HKCU\..\Run: [A00F6CBCE.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F6CBCE.exe
O4 - HKCU\..\Run: [A00F6D058.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F6D058.exe
O4 - HKCU\..\Run: [A00F6D062.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F6D062.exe
O4 - HKCU\..\Run: [A00F6DD36.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F6DD36.exe
O4 - HKCU\..\Run: [A00F7D558.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F7D558.exe
O4 - HKCU\..\Run: [A00F812EA.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F812EA.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Charter High-Speed Security Suite.lnk = C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\blockpopups.htm
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.sparkpea.net/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7DFD98C-1D4B-4372-A353-364F589D1CF8}: NameServer = 209.225.8.42,209.225.8.43
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\User\ie_updater.exe (file missing)
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe



Am I moving in the right direction?

I am also getting very bad pop-ups and some buffer errors and a C++ error. Is this all connected to this dang thing?

Stick56
2007-05-11, 02:43
Also, I am now getting a new error when I surf. I can only be online for about 10 minutes and then I get the following error.

Buffer overrun detected
c:\\ wintt/explorer.EXE

Stick56
2007-05-12, 03:41
Is there anything else I need to do right now???? Still having trouble with the wintt error.

pskelley
2007-05-18, 14:52
Welcome to Safer Networking, if you still need help and are not receiving it elsewhere, it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please read and follow all instructions and post all required logs or reports, anything less will slow your process.
Use "Post Reply" to post the information in the instructions and stay in the same topic.

You would benefit greatly by taking the time to read and follow the directions. When you keep adding to your post, as is explained in the directions, your chance of being helped lessens. Helpers are volunteers and work many forums; no one is waiting for you to post. When we stop in we look for 0 in the post count, knowing that member has not been helped.

You have some problems, including this backdoor trojan:
ieupdater21 (Microsoft IEUpdater21) X ie_updater.exe Added by a variant of the Troj/Bckdr-QGB TROJAN! Note: This worm\trojan is located in %userprofile%\
http://www.sophos.com/security/analyses/trojbckdrqgb.html
I would read all about that worm were I you, and while I am not certain what this one is after, you need to view this information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

You also have a marker that indicates you probably have a Vundo infection which is hard to remove. I need to start by collecting some information and I strongly suggest you keep this computer offline until it is clean to deny the hackers access. (except when troubleshooting)

1) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

2) C:\hjkthis\HijackThis.exe <<< return here and rename HJT.exe, call it Stick56.exe or whatever you wish.

3) When you post information about error message, I need those messages posted "word for word".

4) C:\DOCUMENTS & SETTINGS~1\User\LOCALS~1\Temp\ <<< navigate to that TEMP folder and delete the contents (not the folder)

Restart the computer and post any information I requested, the uninstall list and a new HJT log.

Thanks

Stick56
2007-05-18, 23:32
OK, tried to save the list to my desktop. However, whenever I did that it just went away, so I am typing you the list.

1.
Adobe Flash Player 9 ActiveX
Adobe Reader 8
HijackThis 1.99.1
McAfee Security Center
McAfee VirusScan
Microsoft Internet Explorer 6 SP1
Outerinfo
Spybot - Search and Destroy 1.4
Symantec Ghost Console Client
Windows 2000 Hotfix - KB842773
Windows Installer 3.1 (KB893803)

2.
Did it.

3.

Have not received an error message. Will make a note of it for later.

4. Tried this but there is no Local under User. I am using Windows 2000 if that makes any difference. I did clear out temp internet files.


And here is my new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 4:29:55 PM, on 5/18/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\WINNT\system32\wuauclt.exe
C:\hjkthis\stick56.exe.exe

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B1CD727-3D75-458C-8767-F2E2D1A4BF49} - C:\WINNT\system32\nnlki.dll
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINNT\system32\qomjihi.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINNT\system32\mtgwfdfo.dll
O2 - BHO: (no name) - {AF4FEBBB-FD93-4980-AAE1-E04AA5C5521A} - C:\WINNT\system32\jkkkj.dll (file missing)
O2 - BHO: (no name) - {B55A0288-57BE-4B5C-B5C6-97E59F28ACFf} - C:\WINNT\system32\ojswxjud.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [A00F6CBCE.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F6CBCE.exe
O4 - HKCU\..\Run: [A00F6D058.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F6D058.exe
O4 - HKCU\..\Run: [A00F6D062.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F6D062.exe
O4 - HKCU\..\Run: [A00F6DD36.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F6DD36.exe
O4 - HKCU\..\Run: [A00F7D558.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F7D558.exe
O4 - HKCU\..\Run: [A00F812EA.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F812EA.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178936218907
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.sparkpea.net/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7DFD98C-1D4B-4372-A353-364F589D1CF8}: NameServer = 209.225.8.42,209.225.8.43
O20 - Winlogon Notify: nnlki - C:\WINNT\system32\nnlki.dll
O20 - Winlogon Notify: qomjihi - C:\WINNT\SYSTEM32\qomjihi.dll
O20 - Winlogon Notify: urqrqnl - urqrqnl.dll (file missing)
O20 - Winlogon Notify: wvwxv - C:\WINNT\system32\wvwxv.dll (file missing)
O20 - Winlogon Notify: __c007F4F8 - C:\WINNT\system32\__c007F4F8.dat (file missing)
O20 - Winlogon Notify: __c008143D - C:\WINNT\system32\__c008143D.dat (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe

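The log above carries the load points a helper on this forum reads first: nameless BHOs loaded from system32, Winlogon Notify packages with random names, Run entries launched from a Temp folder, a broken Winsock LSP chain, and a service with an unknown owner. The script below is an added example (not a tool from this thread, nor from Spybot or HijackThis) that triages a HijackThis-style log for exactly those markers. Its sample input is constructed from lines of the logs posted in this thread plus two benign entries, and its `KNOWN_NOTIFY` allow-list of standard Winlogon Notify packages is a short illustrative assumption rather than an exhaustive list.

```python
"""Triage helper for HijackThis-style logs: flags the load points a forum
helper looks at first. Example code added for this thread, not from it."""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis logs posted in
# this thread, plus two benign entries (Adobe BHO, NGClient) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B1CD727-3D75-458C-8767-F2E2D1A4BF49} - C:\WINNT\system32\nnlki.dll
O2 - BHO: (no name) - {AF4FEBBB-FD93-4980-AAE1-E04AA5C5521A} - C:\WINNT\system32\jkkkj.dll (file missing)
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\system32\lejyemhu.dll",realset
O4 - HKCU\..\Run: [A00F6CBCE.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F6CBCE.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O20 - Winlogon Notify: nnlki - C:\WINNT\system32\nnlki.dll
O20 - Winlogon Notify: __c007F4F8 - C:\WINNT\system32\__c007F4F8.dat (file missing)
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\User\ie_updater.exe (file missing)
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
"""

# Winlogon Notify packages that ship with Windows 2000/XP. Assumption: a short
# allow-list for illustration only; anything not listed is put up for review.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O20"
    reason: str    # why a helper would look at this line
    line: str      # the raw log line


def triage(log_text: str) -> list[Finding]:
    """Return the log lines that match a Vundo-style or otherwise suspicious marker."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+|R\d|F\d) - (.*)$", line)
        if not m:
            continue                      # header, process list or blank line
        section, body = m.group(1), m.group(2)
        low = body.lower()
        missing = "(file missing)" in low

        if section == "O2" and "(no name)" in low and "\\system32\\" in low:
            findings.append(Finding(section, "nameless BHO loaded from system32 (Vundo-style marker)", line))
        elif section == "O4" and ("\\temp\\" in low or "locals~1" in low):
            findings.append(Finding(section, "Run entry launches a file from a Temp folder", line))
        elif section == "O4" and "rundll32.exe" in low and "\\system32\\" in low:
            findings.append(Finding(section, "Run entry loads a system32 DLL via rundll32; verify the DLL", line))
        elif section == "O10" and "broken" in low:
            findings.append(Finding(section, "Winsock LSP chain is broken; needs an LSP repair, not plain deletion", line))
        elif section == "O20":
            # body looks like "Winlogon Notify: <name> - <path>"
            name = body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                findings.append(Finding(section, "Winlogon Notify package not on the allow-list (Vundo-style marker)", line))
        elif section == "O23" and ("unknown owner" in low or missing):
            findings.append(Finding(section, "service with unknown owner or missing binary", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HijackThis section, for a quick overview."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(hits))
```

Two design choices are worth noting. Spybot's own SDHelper.dll also appears as a "(no name)" BHO, so the O2 rule only fires for DLLs under system32, where a legitimate nameless BHO is rare; and an O20 entry marked "(file missing)" is flagged as well, because it is leftover registry garbage that Winlogon will keep trying to load even though the DLL is gone. The O10 finding is deliberately separate: deleting a broken LSP entry by hand can leave the machine without network access, which is why helpers use an LSP repair tool for it.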
pskelley
2007-05-19, 00:18
Thanks for returning your information and the feedback. Are you sure that is the complete uninstall list? If you run it after you have renamed HJT and rebooted, it may run better; the Vundo infection might be blocking it.

One way or another, this one: Outerinfo is nasty adware related to PurityScan; uninstall it. Here is an uninstaller if that does not work:
UNINSTALLER
http://www.outerinfo.com/OiUninstaller.exe
TUTORIAL
http://www.outerinfo.com/howto.html

One of the main reasons I ask for the uninstall list is so I can see the Java version before running VundoFix.

Make sure hidden files and folders are enabled for your Operating System.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
I do not work on 2M often and those files may be hidden?

In number four (4) it really makes no difference what Operating System you are running, here is the pathway to the Temp folder:

C:\DOCUMENTS & SETTINGS~1\
User\
LOCALSETTINGS~1\
Temp\
_A00F6CBCE.exe <<< unless you know what those files are, we are going to have to remove them. You have it in your log multiple times. Navigate to that TEMP folder and delete the contents.
Google returns nothing so I assume the files are malware, you can scan them here if you wish:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html


Please read and follow the directions carefully, this is a tough infection to remove.

Thanks to Atribune and any others who helped with this fix.

Please understand these hackers can call their junk anything they wish. VundoFix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"



Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThislog
in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

Thanks
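
As an added illustration of what the helper is checking for in the VundoFix output (this is an added example, not code from this thread, from VundoFix or from Atribune), here is a small Python script that parses a log in the line format VundoFix writes and reports which listed files never reached "Has been deleted!" across the runs. The sample log is constructed with placeholder file names; the only format assumptions are the line shapes visible in the logs posted later in this thread, and the blank lines of the real format are omitted from the sample because the parser ignores them anyway.

```python
import re

# Constructed sample in the line format VundoFix writes (placeholder file names,
# not the real names from this thread). Two runs: the second is the re-run after
# a reboot that the helper describes. Blank lines of the real format are omitted.
SAMPLE_LOG = """\
VundoFix V6.3.21
Checking Java version...
Sun Java not detected
Scan started at 7:52:37 PM 5/11/2007
Listing files found while scanning....
C:\\WINNT\\system32\\aaaa1111.dll
C:\\WINNT\\system32\\bbbb2222.dll
C:\\WINNT\\system32\\cccc3333.dll
Beginning removal...
Attempting to delete C:\\WINNT\\system32\\aaaa1111.dll
C:\\WINNT\\system32\\aaaa1111.dll Has been deleted!
Attempting to delete C:\\WINNT\\system32\\bbbb2222.dll
C:\\WINNT\\system32\\bbbb2222.dll Could not be deleted.
Performing Repairs to the registry.
Done!

VundoFix V6.3.21
Checking Java version...
Sun Java not detected
Scan started at 8:05:16 PM 5/11/2007
Listing files found while scanning....
C:\\WINNT\\system32\\bbbb2222.dll
C:\\WINNT\\system32\\cccc3333.dll
Beginning removal...
Attempting to delete C:\\WINNT\\system32\\bbbb2222.dll
C:\\WINNT\\system32\\bbbb2222.dll Has been deleted!
Performing Repairs to the registry.
Done!
"""

RUN_HEADER = re.compile(r"^VundoFix V(\S+)$")
PATH_LINE = re.compile(r"^[A-Za-z]:\\.+$")
DELETED = re.compile(r"^(?P<path>[A-Za-z]:\\.+) Has been deleted!$")
FAILED = re.compile(r"^(?P<path>[A-Za-z]:\\.+) Could not be deleted\.$")


def parse_vundofix_log(text):
    """Split the log into runs; each run records what was found and what happened to it."""
    runs = []
    run = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = RUN_HEADER.match(line)
        if header:
            run = {"version": header.group(1), "started": None,
                   "found": [], "deleted": set(), "failed": set()}
            runs.append(run)
            section = None
            continue
        if run is None or not line:
            continue
        if line.startswith("Scan started at "):
            run["started"] = line[len("Scan started at "):]
        elif line.startswith("Listing files found"):
            section = "found"
        elif line.startswith("Beginning removal"):
            section = "removal"  # may repeat inside one run after a reboot
        elif section == "found" and PATH_LINE.match(line):
            run["found"].append(line)
        elif section == "removal":
            m = DELETED.match(line)
            if m:
                run["deleted"].add(m.group("path"))
                continue
            m = FAILED.match(line)
            if m:
                run["failed"].add(m.group("path"))
    return runs


def outstanding(run):
    """Files the run listed but did not report as 'Has been deleted!'."""
    return [p for p in run["found"] if p not in run["deleted"]]


def unresolved_across_runs(runs):
    """Files listed in every run and deleted in none: keep re-running for these, or upload them."""
    if not runs:
        return []
    candidates = set(runs[0]["found"])
    for run in runs[1:]:
        candidates &= set(run["found"])
    deleted_somewhere = set().union(*(run["deleted"] for run in runs))
    return sorted(candidates - deleted_somewhere)


def summarize(text):
    runs = parse_vundofix_log(text)
    if not runs:
        return {"runs": 0, "outstanding": [], "failed_in_last_run": [], "unresolved": []}
    last = runs[-1]
    return {
        "runs": len(runs),
        "version": last["version"],
        "outstanding": outstanding(last),
        "failed_in_last_run": sorted(last["failed"]),
        "unresolved": unresolved_across_runs(runs),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['runs']} run(s), VundoFix V{report['version']}")
    for path in report["unresolved"]:
        print("listed in every run, never deleted:", path)
```

The "unresolved" list is the practical signal: a file that shows up under "Listing files found" on every run but is never reported deleted is exactly the case the helper says to upload, so the tool author can add it to the fix.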

Stick56
2007-05-19, 03:49
1. I have deleted Outerinfo

2. I was able to find all hidden files

3. Here is the uninstall list; I was finally able to get it to the desktop

Adobe Flash Player 9 ActiveX
Adobe Reader 8
HijackThis 1.99.1
McAfee SecurityCenter
McAfee VirusScan
Microsoft Internet Explorer 6 SP1
Spybot - Search & Destroy 1.4
Symantec Ghost Console Client
Windows 2000 Hotfix - KB842773
Windows Installer 3.1 (KB893803)

4. Here are the Vundo logs


VundoFix V6.3.21

Checking Java version...

Sun Java not detected
Scan started at 7:52:37 PM 5/11/2007

Listing files found while scanning....

C:\WINNT\system32\afkockww.dll
C:\WINNT\system32\eyiogoxl.dll
C:\WINNT\system32\ixvivlgr.dll
C:\WINNT\system32\jkkkj.bak1
C:\WINNT\system32\jkkkj.bak2
C:\WINNT\system32\jkkkj.dll
C:\WINNT\system32\jkkkj.ini
C:\WINNT\system32\jkkkj.ini2
C:\WINNT\system32\jkkkj.tmp
C:\WINNT\system32\rglvivxi.ini
C:\WINNT\system32\urqrqnl.dll
C:\WINNT\system32\wefgejeu.dll
C:\WINNT\system32\wvwxv.dll
C:\WINNT\system32\wwkcokfa.ini

Beginning removal...

Attempting to delete C:\WINNT\system32\afkockww.dll
C:\WINNT\system32\afkockww.dll Has been deleted!

Attempting to delete C:\WINNT\system32\eyiogoxl.dll
C:\WINNT\system32\eyiogoxl.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ixvivlgr.dll
C:\WINNT\system32\ixvivlgr.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\jkkkj.bak1
C:\WINNT\system32\jkkkj.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\jkkkj.bak2
C:\WINNT\system32\jkkkj.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\jkkkj.dll
C:\WINNT\system32\jkkkj.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\jkkkj.ini
C:\WINNT\system32\jkkkj.ini Has been deleted!

Attempting to delete C:\WINNT\system32\jkkkj.ini2
C:\WINNT\system32\jkkkj.ini2 Has been deleted!

Attempting to delete C:\WINNT\system32\jkkkj.tmp
C:\WINNT\system32\jkkkj.tmp Has been deleted!

Attempting to delete C:\WINNT\system32\rglvivxi.ini
C:\WINNT\system32\rglvivxi.ini Has been deleted!

Attempting to delete C:\WINNT\system32\wefgejeu.dll
C:\WINNT\system32\wefgejeu.dll Has been deleted!

Attempting to delete C:\WINNT\system32\wwkcokfa.ini
C:\WINNT\system32\wwkcokfa.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Sun Java not detected
Scan started at 8:05:16 PM 5/11/2007

Listing files found while scanning....

C:\WINNT\system32\jkkkj.dll
C:\WINNT\system32\jkkkj.ini
C:\WINNT\system32\jkkkj.ini2
C:\WINNT\system32\wvwxv.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\jkkkj.dll
C:\WINNT\system32\jkkkj.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\jkkkj.ini
C:\WINNT\system32\jkkkj.ini Has been deleted!

Attempting to delete C:\WINNT\system32\jkkkj.ini2
C:\WINNT\system32\jkkkj.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\jkkkj.dll
C:\WINNT\system32\jkkkj.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\jkkkj.ini
C:\WINNT\system32\jkkkj.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Sun Java not detected
Scan started at 8:15:40 PM 5/11/2007

Listing files found while scanning....

C:\WINNT\system32\jkkkj.dll
C:\WINNT\system32\jkkkj.ini
C:\WINNT\system32\wvwxv.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\jkkkj.dll
C:\WINNT\system32\jkkkj.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\jkkkj.ini
C:\WINNT\system32\jkkkj.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.23

Checking Java version...

Sun Java not detected
Scan started at 6:41:44 PM 5/18/2007

Listing files found while scanning....

C:\WINNT\system32\fibrdgus.dll
C:\WINNT\system32\iklnn.bak1
C:\WINNT\system32\iklnn.bak2
C:\WINNT\system32\iklnn.ini
C:\WINNT\system32\nnlki.dll
C:\WINNT\system32\qofjywev.ini
C:\WINNT\system32\sugdrbif.ini
C:\WINNT\system32\vewyjfoq.dll
C:\WINNT\system32\wvwxv.dll
C:\WINNT\system32\xoabmtjb.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\fibrdgus.dll
C:\WINNT\system32\fibrdgus.dll Has been deleted!

Attempting to delete C:\WINNT\system32\iklnn.bak1
C:\WINNT\system32\iklnn.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\iklnn.bak2
C:\WINNT\system32\iklnn.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\iklnn.ini
C:\WINNT\system32\iklnn.ini Has been deleted!

Attempting to delete C:\WINNT\system32\nnlki.dll
C:\WINNT\system32\nnlki.dll Has been deleted!

Attempting to delete C:\WINNT\system32\qofjywev.ini
C:\WINNT\system32\qofjywev.ini Has been deleted!

Attempting to delete C:\WINNT\system32\sugdrbif.ini
C:\WINNT\system32\sugdrbif.ini Has been deleted!

Attempting to delete C:\WINNT\system32\vewyjfoq.dll
C:\WINNT\system32\vewyjfoq.dll Has been deleted!

Attempting to delete C:\WINNT\system32\xoabmtjb.dll
C:\WINNT\system32\xoabmtjb.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.23

Checking Java version...

Sun Java not detected
Scan started at 7:06:14 PM 5/18/2007

Listing files found while scanning....

C:\WINNT\system32\bbefe.ini
C:\WINNT\system32\efebb.dll
C:\WINNT\system32\wvwxv.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\bbefe.ini
C:\WINNT\system32\bbefe.ini Has been deleted!

Attempting to delete C:\WINNT\system32\efebb.dll
C:\WINNT\system32\efebb.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\efebb.dll
C:\WINNT\system32\efebb.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.23

Checking Java version...

Sun Java not detected
Scan started at 7:32:08 PM 5/18/2007

Listing files found while scanning....

C:\WINNT\system32\vxwvw.ini
C:\WINNT\system32\wvwxv.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\vxwvw.ini
C:\WINNT\system32\vxwvw.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.23

Checking Java version...

Sun Java not detected
Scan started at 7:50:21 PM 5/18/2007

Listing files found while scanning....

C:\WINNT\system32\wvwxv.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.3.23

Checking Java version...

Sun Java not detected
Scan started at 8:02:04 PM 5/18/2007

Listing files found while scanning....

C:\WINNT\system32\dgjlm.ini
C:\WINNT\system32\mljgd.dll
C:\WINNT\system32\wvwxv.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\dgjlm.ini
C:\WINNT\system32\dgjlm.ini Has been deleted!

Attempting to delete C:\WINNT\system32\mljgd.dll
C:\WINNT\system32\mljgd.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\mljgd.dll
C:\WINNT\system32\mljgd.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.23

Checking Java version...

Sun Java not detected
Scan started at 8:17:52 PM 5/18/2007

Listing files found while scanning....

C:\WINNT\system32\wvwxv.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.3.23

Checking Java version...

Sun Java not detected
Scan started at 8:31:46 PM 5/18/2007

Listing files found while scanning....

C:\WINNT\system32\wvwxv.dll


5. Here is the new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 8:45:32 PM, on 5/18/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjkthis\stick56.exe.exe

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B1CD727-3D75-458C-8767-F2E2D1A4BF49} - C:\WINNT\system32\nnlki.dll (file missing)
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINNT\system32\qomjihi.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINNT\system32\mtgwfdfo.dll
O2 - BHO: (no name) - {7C95BF6C-5E33-419B-BA80-B7E7D816C34E} - C:\WINNT\system32\efebb.dll (file missing)
O2 - BHO: (no name) - {AF4FEBBB-FD93-4980-AAE1-E04AA5C5521A} - C:\WINNT\system32\jkkkj.dll (file missing)
O2 - BHO: (no name) - {B55A0288-57BE-4B5C-B5C6-97E59F28ACFf} - C:\WINNT\system32\ojswxjud.dll
O2 - BHO: (no name) - {CC6F9AAD-1CBF-4C1C-B316-B6B101E7DDCB} - C:\WINNT\system32\mljgd.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [A00F6CBCE.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F6CBCE.exe
O4 - HKCU\..\Run: [A00F6D058.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F6D058.exe
O4 - HKCU\..\Run: [A00F6D062.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F6D062.exe
O4 - HKCU\..\Run: [A00F6DD36.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F6DD36.exe
O4 - HKCU\..\Run: [A00F7D558.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F7D558.exe
O4 - HKCU\..\Run: [A00F812EA.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F812EA.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178936218907
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.sparkpea.net/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7DFD98C-1D4B-4372-A353-364F589D1CF8}: NameServer = 209.225.8.42,209.225.8.43
O20 - Winlogon Notify: qomjihi - C:\WINNT\SYSTEM32\qomjihi.dll
O20 - Winlogon Notify: urqrqnl - urqrqnl.dll (file missing)
O20 - Winlogon Notify: wvwxv - C:\WINNT\system32\wvwxv.dll (file missing)
O20 - Winlogon Notify: __c007F4F8 - C:\WINNT\system32\__c007F4F8.dat (file missing)
O20 - Winlogon Notify: __c008143D - C:\WINNT\system32\__c008143D.dat (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe

Thank you all for your help it is MUCH appreciated

pskelley
2007-05-19, 11:58
Sorry, but you left a Vundo line in the log; here it is:
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINNT\system32\qomjihi.dll
O20 - Winlogon Notify: qomjihi - C:\WINNT\SYSTEM32\qomjihi.dll

You need to watch the HJT log; the O20 lines are your clues in the last HJT log you posted. There are five lines and all but one have had the file deleted (we can remove those with HJT whenever we wish), but the line with the file I posted above is still active and still Vundo.

1) Since you could not remove that file yesterday, it should have been uploaded according to the Vundo instructions:

If there is a file VundoFix doesn't find we need it submitted. Please submit the files to upload malware http://www.uploadmalware.com
Had you done that, Atribune would have added it to the fix so it would remove it when you run it now. If you did not do that, try Vundofix a few times and watch to see if it finds and deletes that file; IF it does not, upload it this time! The instructions are simple.

2) If Vundofix does not remove that file (or any others it locates; the junk does morph), then follow these directions carefully.

* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once the scan is complete, Right Click inside the listbox (white box) and click add more files
* Copy & paste the 2 entries below into the top 2 boxes

C:\WINDOWS\system32\qomjihi.dll
C:\WINDOWS\system32\ihijmoq.*

* Click Add Files and Click Close Window
* Click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Let me know how this goes.

On a second note, we still have this junk in the log:
O4 - HKCU\..\Run: [A00F6CBCE.exe] C:\DOCUME~1\User\LOCALS~1\Temp\_A00F6CBCE.exe
Sorry if I am repeating myself, but unless you know what this is, it has to go. Use Search Companion:
Make sure all files and folders are enabled or Search Companion may not find the files either.
Start > Search > All Files and Folders > In the Search box type or copy and paste the file: _A00F6CBCE.exe
Exactly as it appears and Search. Do not be impatient, it may take a while. There are other files:
_A00F6D058.exe
_A00F6D062.exe
_A00F6DD36.exe
_A00F7D558.exe
_A00F812EA.exe
Once you find out where one is, the others will be there. I can't say what these are; they may even be good, which is why I gave you scanners to check them. I can say they are in a TEMP folder, so they can be deleted, and I can say if they are bad, your computer will not be clean until you locate and delete them.

Thanks
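
The two clues the helper reads off the HJT log in this reply (an O20 Winlogon Notify entry whose DLL is still on disk, paired with an O2 BHO pointing at the same DLL, and O4 Run entries launching from a Temp folder) can be turned into a repeatable triage check. The Python below is an added example, not code from the thread or from HijackThis; it parses lines in the shape the posted log uses and sorts them into "still active" versus "file missing, leftover only". The sample lines are constructed with placeholder GUIDs and file names, not real indicators.

```python
import re

# Constructed HijackThis-style lines modelled on the shape of the log in this
# thread. GUIDs and the random-looking file names are placeholders, not real IoCs.
SAMPLE_HJT = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\\WINNT\\system32\\aaaa1111.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\\WINNT\\system32\\bbbb2222.dll (file missing)
O4 - HKLM\\..\\Run: [VirusScan Online] C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe
O4 - HKCU\\..\\Run: [A00000001.exe] C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\_A00000001.exe
O4 - HKCU\\..\\Run: [A00000002.exe] C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\_A00000002.exe
O20 - Winlogon Notify: aaaa1111 - C:\\WINNT\\SYSTEM32\\aaaa1111.dll
O20 - Winlogon Notify: cccc3333 - cccc3333.dll (file missing)
O20 - Winlogon Notify: dddd4444 - C:\\WINNT\\system32\\dddd4444.dll (file missing)
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\\PROGRA~1\\mcafee.com\\vso\\mcshield.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
MISSING = "(file missing)"


def _extract_path(section, body):
    """Pull the file path out of an entry body: O4 puts it after the [name] bracket,
    the other sections put it after the last ' - ' separator."""
    if section == "O4":
        _, sep, tail = body.partition("] ")
        path = tail if sep else body
    else:
        path = body.rsplit(" - ", 1)[-1]
    path = path.strip()
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)].strip()
    return path, missing


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_hjt(text):
    """Turn HJT lines into dicts with section, raw body, extracted path and a missing flag."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        path, missing = _extract_path(section, body)
        entries.append({"section": section, "body": body,
                        "path": path, "file_missing": missing})
    return entries


def active_winlogon_notify(entries):
    """O20 entries whose DLL is still on disk: loaded at every logon, still live."""
    return [e for e in entries if e["section"] == "O20" and not e["file_missing"]]


def stale_winlogon_notify(entries):
    """O20 entries whose DLL is gone: registry leftovers to tidy up, nothing running."""
    return [e for e in entries if e["section"] == "O20" and e["file_missing"]]


def run_keys_from_temp(entries):
    """O4 Run entries that launch something out of a Temp folder."""
    return [e for e in entries
            if e["section"] == "O4" and "\\temp\\" in e["path"].lower()]


def bhos_paired_with_active_notify(entries):
    """O2 BHOs whose DLL also appears as an active O20 handler (the pairing flagged above)."""
    live = {_basename(e["path"]) for e in active_winlogon_notify(entries)}
    return [e for e in entries if e["section"] == "O2"
            and not e["file_missing"] and _basename(e["path"]) in live]


def triage(text):
    entries = parse_hjt(text)
    return {
        "active_winlogon_notify": [e["path"] for e in active_winlogon_notify(entries)],
        "stale_winlogon_notify": [e["path"] for e in stale_winlogon_notify(entries)],
        "run_from_temp": [e["path"] for e in run_keys_from_temp(entries)],
        "bho_paired_with_notify": [e["path"] for e in bhos_paired_with_active_notify(entries)],
    }


if __name__ == "__main__":
    for key, paths in triage(SAMPLE_HJT).items():
        print(key)
        for p in paths:
            print("   ", p)
```

The "(file missing)" split is the whole point: an O20 handler with no DLL behind it is just a dangling registry value, while one whose DLL is present is loaded into winlogon at each logon, which is why the helper treats the single active line as the one that still matters. The Temp-folder check is deliberately path-based only; as the helper says, such files are not necessarily bad, so the output is a list to scan and review, not a verdict.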

tashi
2007-05-24, 08:55
Still with us Stick56?

tashi
2007-05-30, 22:39
Due to lack of a response, this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.