Smitfraud on Windows XP



thetodd
2007-05-11, 23:39
I am also having problems with Smitfraud. I can't seem to get rid of Smitfraud-c., Smitfraud-c.Toolbar888, and Smitfraud-c.CoreService. I have read the "things to do before you post" thread, and I have followed all of the steps. I have Spybot, Ad-Aware, AVG, and McAfee installed on my computer. I did both the eTrust and TrendMicro online antivirus scans. The eTrust scan did not find anything. The TrendMicro scan found several things, which were cleaned and not found again on a second scan. I couldn't find a create/save log option, so I can't say what those things were. I've also tried SmitFraud Fix and Rogue Remover to no avail. My HijackThis log is below. Thanks in advance for your help!

Logfile of HijackThis v1.99.1
Scan saved at 5:15:42 PM, on 5/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\1168615367\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\WINDOWS\system32\advlopqa.exe
C:\WINDOWS\system32\dcpavss.exe
C:\WINDOWS\system32\sdmvproc.exe
C:\WINDOWS\system32\itsdde.exe
C:\WINDOWS\system32\xmlccvtm.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [askdmme] xmlccvtm.exe
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [lmsser] C:\WINDOWS\system32\advlopqa.exe
O4 - HKLM\..\Run: [dlcipscl] C:\WINDOWS\system32\dcpavss.exe
O4 - HKLM\..\Run: [ncsysproc] C:\WINDOWS\system32\sdmvproc.exe
O4 - HKLM\..\Run: [sdmcde] C:\WINDOWS\system32\advlopqa.exe
O4 - HKLM\..\Run: [sysctlio] C:\WINDOWS\system32\convpsiv.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\vtqvmqqi.dll",realset
O4 - HKLM\..\Run: [windsllm] C:\WINDOWS\system32\advlopqa.exe
O4 - HKLM\..\Run: [ascdps] C:\WINDOWS\system32\itsdde.exe
O4 - HKCU\..\Run: [askdmme] xmlccvtm.exe
O4 - HKCU\..\Run: [lmsser] C:\WINDOWS\system32\advlopqa.exe
O4 - HKCU\..\Run: [dlcipscl] C:\WINDOWS\system32\dcpavss.exe
O4 - HKCU\..\Run: [ncsysproc] C:\WINDOWS\system32\sdmvproc.exe
O4 - HKCU\..\Run: [sdmcde] C:\WINDOWS\system32\advlopqa.exe
O4 - HKCU\..\Run: [sysctlio] C:\WINDOWS\system32\convpsiv.exe
O4 - HKCU\..\Run: [windsllm] C:\WINDOWS\system32\advlopqa.exe
O4 - HKCU\..\Run: [ascdps] C:\WINDOWS\system32\itsdde.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.lsac.org
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/download/tgctlsr.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178645289375
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/Http/OIFActiveX/ofmctl.cab
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1168615367\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe

Angelfire777
2007-05-12, 00:33
Hi, welcome to Safer Networking forums!

You have a swarm of random malware on your machine...

It is possible that some of the entries are hiding from us, so please rename HijackThis.exe to something like angelfire777.exe

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Open HijackThis > Click "Misc Tools Section"
Click "Open Uninstall Manager".
Click "Save List".
Save it to your Desktop.
Copy the contents of the file to your next reply.
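The "swarm" the helper describes is visible in the O4 lines of the log above: one file in system32 registered under several random Run value names, the same entries duplicated in HKLM and HKCU, and bare filenames with no path. The following triage script is an added example, not code from this thread or from HijackThis, VundoFix or SDFix; it parses HijackThis v1.99.1 output and groups those indicators per target file. The sample log is constructed from lines copied from the first log posted above.

```python
"""Triage HijackThis O4 (Run key) and O20 (Winlogon Notify) entries for the
'many value names, one file' persistence pattern seen in this thread."""
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99.1 format; entries copied from the log above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\advlopqa.exe
C:\WINDOWS\system32\xmlccvtm.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [askdmme] xmlccvtm.exe
O4 - HKLM\..\Run: [lmsser] C:\WINDOWS\system32\advlopqa.exe
O4 - HKLM\..\Run: [sdmcde] C:\WINDOWS\system32\advlopqa.exe
O4 - HKLM\..\Run: [windsllm] C:\WINDOWS\system32\advlopqa.exe
O4 - HKLM\..\Run: [sysctlio] C:\WINDOWS\system32\convpsiv.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\vtqvmqqi.dll",realset
O4 - HKCU\..\Run: [askdmme] xmlccvtm.exe
O4 - HKCU\..\Run: [lmsser] C:\WINDOWS\system32\advlopqa.exe
O4 - HKCU\..\Run: [sysctlio] C:\WINDOWS\system32\convpsiv.exe
O20 - Winlogon Notify: jkkijgg - jkkijgg.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# O4 lines look like:  O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O20 lines look like: O20 - Winlogon Notify: name - path [ (file missing)]
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')


def basename(path):
    """Last path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def run_target(cmd):
    """Pick the file a Run value actually loads, honouring double quotes.
    For rundll32.exe the loaded DLL is the real payload, so return that."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]
    if not tokens:
        return ""
    target = tokens[0]
    if basename(target).lower() == "rundll32.exe" and len(tokens) > 1:
        target = tokens[1]
    return target


def parse_log(text):
    """Return (running process basenames, O4 tuples, O20 tuples)."""
    running, o4, o20 = set(), [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # blank line ends the process list
                in_procs = False
                continue
            running.add(basename(line).lower())
            continue
        m = O4_RE.match(line)
        if m:
            o4.append((m["hive"], m["name"], run_target(m["cmd"])))
            continue
        m = O20_RE.match(line)
        if m:
            o20.append((m["name"], m["path"]))
    return running, o4, o20


def triage(text):
    """Group Run entries by target file and record the indicators worth a second look.
    Each flagged target maps to its value names, the reasons, and whether it is running."""
    running, o4, o20 = parse_log(text)
    by_target = defaultdict(lambda: {"names": set(), "hives": set()})
    for hive, name, target in o4:
        key = target.lower()
        by_target[key]["names"].add(name)
        by_target[key]["hives"].add(hive)

    findings = {}
    for key, info in by_target.items():
        reasons = []
        if len(info["names"]) > 1:
            reasons.append("%d Run value names load the same file" % len(info["names"]))
        if len(info["hives"]) > 1:
            reasons.append("registered in both HKLM and HKCU")
        if "\\" not in key:
            reasons.append("bare filename, resolved through the search path")
        if reasons:
            findings[key] = {"names": sorted(info["names"]),
                             "reasons": reasons,
                             "running": basename(key) in running}
    # Winlogon Notify entries whose DLL is gone are leftover persistence to clean up.
    dangling = [name for name, path in o20 if path.endswith("(file missing)")]
    return {"run": findings, "dangling_winlogon_notify": dangling}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for target, info in sorted(result["run"].items()):
        print(target, info["names"], "; ".join(info["reasons"]), "running" if info["running"] else "")
    print("dangling Winlogon Notify:", result["dangling_winlogon_notify"])
```

Entries with a single value name and a full path (the rundll32-hosted DLL above, for instance) are not flagged by these rules and still need a manual look, which is why the helper asks for the full log rather than a filtered one.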

thetodd
2007-05-13, 18:57
Thanks for the quick response! I'm sorry I didn't respond sooner. Here are the contents of the VundoFix text file.

VundoFix V6.3.21

Checking Java version...

Sun Java not detected
Scan started at 12:23:32 PM 5/13/2007

Listing files found while scanning....

C:\WINDOWS\system32\ghkmp.bak2
C:\WINDOWS\system32\ghkmp.ini
C:\WINDOWS\system32\lxoakllv.dll
C:\WINDOWS\system32\pmkhg.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ghkmp.bak2
C:\WINDOWS\system32\ghkmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghkmp.ini
C:\WINDOWS\system32\ghkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkhg.dll
C:\WINDOWS\system32\pmkhg.dll Has been deleted!

Performing Repairs to the registry.
Done!

Here are the contents of the HijackThis log file.

Logfile of HijackThis v1.99.1
Scan saved at 12:47:17 PM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\xmlccvtm.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\WINDOWS\system32\advlopqa.exe
C:\WINDOWS\system32\dcpavss.exe
C:\WINDOWS\system32\sdmvproc.exe
C:\WINDOWS\system32\itsdde.exe
C:\WINDOWS\system32\dlmmsers.exe
C:\Program Files\Common Files\AOL\1168615367\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\777fireangel.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: (no name) - {1D93A945-34F0-3455-F641-1CE33796FAE9} - C:\WINDOWS\system32\rztkrczd.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll (file missing)
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {729A0D42-ED6E-4E96-D9A2-286285450485} - C:\Program Files\Digital Line Detect\lavuj.dll (file missing)
O2 - BHO: (no name) - {C941AE49-334C-4DF9-B9DC-74263F84FE91} - C:\WINDOWS\system32\wspwrlcf.dll (file missing)
O2 - BHO: (no name) - {D60F19DC-EEFE-41A5-92E8-A0E292EF70CC} - C:\WINDOWS\system32\pmkhg.dll (file missing)
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\qeqepurr.dll
O2 - BHO: 0 - {EB0E8266-5FCA-4918-61B0-33DD6619B7CF} - C:\Program Files\Digital Line Detect\lavuj.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [askdmme] xmlccvtm.exe
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [lmsser] C:\WINDOWS\system32\advlopqa.exe
O4 - HKLM\..\Run: [dlcipscl] C:\WINDOWS\system32\dcpavss.exe
O4 - HKLM\..\Run: [ncsysproc] C:\WINDOWS\system32\sdmvproc.exe
O4 - HKLM\..\Run: [sdmcde] C:\WINDOWS\system32\advlopqa.exe
O4 - HKLM\..\Run: [sysctlio] C:\WINDOWS\system32\convpsiv.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\vtqvmqqi.dll",realset
O4 - HKLM\..\Run: [windsllm] C:\WINDOWS\system32\advlopqa.exe
O4 - HKLM\..\Run: [ascdps] C:\WINDOWS\system32\itsdde.exe
O4 - HKLM\..\Run: [vmsslodd] C:\WINDOWS\system32\advlopqa.exe
O4 - HKLM\..\Run: [drmconns] C:\WINDOWS\system32\dlmmsers.exe
O4 - HKCU\..\Run: [askdmme] xmlccvtm.exe
O4 - HKCU\..\Run: [lmsser] C:\WINDOWS\system32\advlopqa.exe
O4 - HKCU\..\Run: [dlcipscl] C:\WINDOWS\system32\dcpavss.exe
O4 - HKCU\..\Run: [ncsysproc] C:\WINDOWS\system32\sdmvproc.exe
O4 - HKCU\..\Run: [sdmcde] C:\WINDOWS\system32\advlopqa.exe
O4 - HKCU\..\Run: [sysctlio] C:\WINDOWS\system32\convpsiv.exe
O4 - HKCU\..\Run: [windsllm] C:\WINDOWS\system32\advlopqa.exe
O4 - HKCU\..\Run: [ascdps] C:\WINDOWS\system32\itsdde.exe
O4 - HKCU\..\Run: [vmsslodd] C:\WINDOWS\system32\advlopqa.exe
O4 - HKCU\..\Run: [drmconns] C:\WINDOWS\system32\dlmmsers.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.lsac.org
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/download/tgctlsr.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178645289375
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/Http/OIFActiveX/ofmctl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkijgg - jkkijgg.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrge32 - winrge32.dll (file missing)
O20 - Winlogon Notify: winsys32 - C:\WINDOWS\system32\winsys32.dll
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1168615367\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe

And the HijackThis Uninstall Manager list:

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
AOL Uninstaller (Choose which Products to Remove)
AVG Anti-Spyware 7.5
BellSouth FastAccess DSL Help Center
BellSouth Parental Controls
BellSouth Toolbar 1.0
CA Pest Patrol Realtime Protection
CCleaner (remove only)
Conexant HSF V92 56K Data Fax PCI Modem
Dell ResourceCD
DellConnect
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Intel(R) Extreme Graphics Driver Software
ItsDeductible Express
Learn2 Player (Uninstall Only)
Lexmark X6100 Series
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
MSXML 4.0 SP2 (KB927978)
Professor Teaches Access 2002
QuickTime
Roxio EasyWrite Reader
Safety and Security Center Uninstaller
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Spybot - Search & Destroy 1.4
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
TurboTax Premier 2004
TurboTax Premier 2005
TurboTax Premier Investments 2006
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Viewpoint Media Player
Watchtower Library 2004 - English Edition
WexTech AnswerWorks
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WordPerfect Office 2002
WordPerfect Office 2002

I really appreciate your help! Thanks!

Angelfire777
2007-05-14, 13:34
Hi,


Thanks for the quick response! I'm sorry I didn't respond sooner. Here are the contents of the VundoFix text file.

That's fine.

Let's run this first.

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, the Advanced Options Menu should appear.
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
Press any key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

thetodd
2007-05-14, 15:29
Hi Angelfire! Here are the contents of the SDFix Report.

SDFix: Version 1.84

Run by Owner - Mon 05/14/2007 - 9:04:12.60

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
core

ImagePath:
system32\drivers\core.sys

core - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\-13267~1 - Deleted
C:\WINDOWS\wpcjmd.log - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:America Online 9.0a"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0b\\waol.exe"="C:\\Program Files\\America Online 9.0b\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1136310461\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1136310461\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1136326898\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1136326898\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Disabled:Windows Media Player"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Disabled:QuickTime Player"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\TurboTax\\Premier 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Premier 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Premier 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Premier 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\WINDOWS\\system32\\atlxpzqv.exe"="C:\\WINDOWS\\system32\\atlxpzqv.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\sysldsla.exe"="C:\\WINDOWS\\system32\\sysldsla.exe:*:Enabled:Server"
"C:\\WINDOWS\\TEMP\\win74.tmp.exe"="C:\\WINDOWS\\TEMP\\win74.tmp.exe:*:Enabled:win74.tmp"
"C:\\WINDOWS\\TEMP\\win14D.tmp.exe"="C:\\WINDOWS\\TEMP\\win14D.tmp.exe:*:Enabled:win14D.tmp"
"C:\\WINDOWS\\TEMP\\win65.tmp.exe"="C:\\WINDOWS\\TEMP\\win65.tmp.exe:*:Enabled:win65.tmp"
"C:\\WINDOWS\\system32\\capsjhec.exe"="C:\\WINDOWS\\system32\\capsjhec.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\advlopqa.exe"="C:\\WINDOWS\\system32\\advlopqa.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\convpsiv.exe"="C:\\WINDOWS\\system32\\convpsiv.exe:*:Enabled:Server"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\WINDOWS\\system32\\clifodvo.exe"="C:\\WINDOWS\\system32\\clifodvo.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\advlqhjp.exe"="C:\\WINDOWS\\system32\\advlqhjp.exe:*:Enabled:Server"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\system32\\umcmtwap.exe"="C:\\WINDOWS\\system32\\umcmtwap.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\libpaqzi.exe"="C:\\WINDOWS\\system32\\libpaqzi.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\capvwuem.exe"="C:\\WINDOWS\\system32\\capvwuem.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\conjvree.exe"="C:\\WINDOWS\\system32\\conjvree.exe:*:Enabled:Server"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:America Online 9.0a"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\atlxpzqv.exe"="C:\\WINDOWS\\system32\\atlxpzqv.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\sysldsla.exe"="C:\\WINDOWS\\system32\\sysldsla.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\capsjhec.exe"="C:\\WINDOWS\\system32\\capsjhec.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\advlopqa.exe"="C:\\WINDOWS\\system32\\advlopqa.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\convpsiv.exe"="C:\\WINDOWS\\system32\\convpsiv.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\clifodvo.exe"="C:\\WINDOWS\\system32\\clifodvo.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\advlqhjp.exe"="C:\\WINDOWS\\system32\\advlqhjp.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\umcmtwap.exe"="C:\\WINDOWS\\system32\\umcmtwap.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\libpaqzi.exe"="C:\\WINDOWS\\system32\\libpaqzi.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\capvwuem.exe"="C:\\WINDOWS\\system32\\capvwuem.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\conjvree.exe"="C:\\WINDOWS\\system32\\conjvree.exe:*:Enabled:Server"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\advlopqa.exe
C:\WINDOWS\system32\capsjhec.exe
C:\WINDOWS\system32\dcpavss.exe
C:\WINDOWS\system32\dlmmsers.exe
C:\WINDOWS\system32\itsdde.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\WINDOWS\system32\sdmvproc.exe
C:\WINDOWS\system32\sysldsla.exe
C:\WINDOWS\system32\xmlccvtm.exe

Finished

And here is a new HijackThis log file.

Logfile of HijackThis v1.99.1
Scan saved at 9:21:33 AM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AOL\1168615367\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\xmlccvtm.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\WINDOWS\system32\advlopqa.exe
C:\WINDOWS\system32\dcpavss.exe
C:\WINDOWS\system32\sdmvproc.exe
C:\WINDOWS\system32\itsdde.exe
C:\WINDOWS\system32\dlmmsers.exe
C:\HijackThis\777fireangel.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: (no name) - {1D93A945-34F0-3455-F641-1CE33796FAE9} - C:\WINDOWS\system32\rztkrczd.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll (file missing)
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {729A0D42-ED6E-4E96-D9A2-286285450485} - C:\Program Files\Digital Line Detect\lavuj.dll (file missing)
O2 - BHO: (no name) - {C941AE49-334C-4DF9-B9DC-74263F84FE91} - C:\WINDOWS\system32\wspwrlcf.dll (file missing)
O2 - BHO: (no name) - {D60F19DC-EEFE-41A5-92E8-A0E292EF70CC} - C:\WINDOWS\system32\pmkhg.dll (file missing)
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\qeqepurr.dll
O2 - BHO: 0 - {EB0E8266-5FCA-4918-61B0-33DD6619B7CF} - C:\Program Files\Digital Line Detect\lavuj.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [askdmme] xmlccvtm.exe
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [lmsser] C:\WINDOWS\system32\advlopqa.exe
O4 - HKLM\..\Run: [dlcipscl] C:\WINDOWS\system32\dcpavss.exe
O4 - HKLM\..\Run: [ncsysproc] C:\WINDOWS\system32\sdmvproc.exe
O4 - HKLM\..\Run: [sdmcde] C:\WINDOWS\system32\advlopqa.exe
O4 - HKLM\..\Run: [sysctlio] C:\WINDOWS\system32\convpsiv.exe
O4 - HKLM\..\Run: [windsllm] C:\WINDOWS\system32\advlopqa.exe
O4 - HKLM\..\Run: [ascdps] C:\WINDOWS\system32\itsdde.exe
O4 - HKLM\..\Run: [vmsslodd] C:\WINDOWS\system32\advlopqa.exe
O4 - HKLM\..\Run: [drmconns] C:\WINDOWS\system32\dlmmsers.exe
O4 - HKCU\..\Run: [askdmme] xmlccvtm.exe
O4 - HKCU\..\Run: [lmsser] C:\WINDOWS\system32\advlopqa.exe
O4 - HKCU\..\Run: [dlcipscl] C:\WINDOWS\system32\dcpavss.exe
O4 - HKCU\..\Run: [ncsysproc] C:\WINDOWS\system32\sdmvproc.exe
O4 - HKCU\..\Run: [sdmcde] C:\WINDOWS\system32\advlopqa.exe
O4 - HKCU\..\Run: [sysctlio] C:\WINDOWS\system32\convpsiv.exe
O4 - HKCU\..\Run: [windsllm] C:\WINDOWS\system32\advlopqa.exe
O4 - HKCU\..\Run: [ascdps] C:\WINDOWS\system32\itsdde.exe
O4 - HKCU\..\Run: [vmsslodd] C:\WINDOWS\system32\advlopqa.exe
O4 - HKCU\..\Run: [drmconns] C:\WINDOWS\system32\dlmmsers.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.lsac.org
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/download/tgctlsr.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178645289375
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/Http/OIFActiveX/ofmctl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkijgg - jkkijgg.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrge32 - winrge32.dll (file missing)
O20 - Winlogon Notify: winsys32 - C:\WINDOWS\system32\winsys32.dll
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1168615367\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe

Thanks!

Angelfire777
2007-05-16, 12:44
Hi,

*Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen, under Your Computer's security:
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG Antispyware.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Do not use it yet!
___________________

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O2 - BHO: (no name) - {1D93A945-34F0-3455-F641-1CE33796FAE9} - C:\WINDOWS\system32\rztkrczd.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll (file missing)
O2 - BHO: 0 - {729A0D42-ED6E-4E96-D9A2-286285450485} - C:\Program Files\Digital Line Detect\lavuj.dll (file missing)
O2 - BHO: (no name) - {C941AE49-334C-4DF9-B9DC-74263F84FE91} - C:\WINDOWS\system32\wspwrlcf.dll (file missing)
O2 - BHO: (no name) - {D60F19DC-EEFE-41A5-92E8-A0E292EF70CC} - C:\WINDOWS\system32\pmkhg.dll (file missing)
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\qeqepurr.dll
O2 - BHO: 0 - {EB0E8266-5FCA-4918-61B0-33DD6619B7CF} - C:\Program Files\Digital Line Detect\lavuj.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [askdmme] xmlccvtm.exe
O4 - HKLM\..\Run: [lmsser] C:\WINDOWS\system32\advlopqa.exe
O4 - HKLM\..\Run: [dlcipscl] C:\WINDOWS\system32\dcpavss.exe
O4 - HKLM\..\Run: [ncsysproc] C:\WINDOWS\system32\sdmvproc.exe
O4 - HKLM\..\Run: [sdmcde] C:\WINDOWS\system32\advlopqa.exe
O4 - HKLM\..\Run: [sysctlio] C:\WINDOWS\system32\convpsiv.exe
O4 - HKLM\..\Run: [windsllm] C:\WINDOWS\system32\advlopqa.exe
O4 - HKLM\..\Run: [ascdps] C:\WINDOWS\system32\itsdde.exe
O4 - HKLM\..\Run: [vmsslodd] C:\WINDOWS\system32\advlopqa.exe
O4 - HKLM\..\Run: [drmconns] C:\WINDOWS\system32\dlmmsers.exe
O4 - HKCU\..\Run: [askdmme] xmlccvtm.exe
O4 - HKCU\..\Run: [lmsser] C:\WINDOWS\system32\advlopqa.exe
O4 - HKCU\..\Run: [dlcipscl] C:\WINDOWS\system32\dcpavss.exe
O4 - HKCU\..\Run: [ncsysproc] C:\WINDOWS\system32\sdmvproc.exe
O4 - HKCU\..\Run: [sdmcde] C:\WINDOWS\system32\advlopqa.exe
O4 - HKCU\..\Run: [sysctlio] C:\WINDOWS\system32\convpsiv.exe
O4 - HKCU\..\Run: [windsllm] C:\WINDOWS\system32\advlopqa.exe
O4 - HKCU\..\Run: [ascdps] C:\WINDOWS\system32\itsdde.exe
O4 - HKCU\..\Run: [vmsslodd] C:\WINDOWS\system32\advlopqa.exe
O4 - HKCU\..\Run: [drmconns] C:\WINDOWS\system32\dlmmsers.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Did you add the following lines to your trusted zone? If not, please fix them.

O15 - Trusted Zone: *.lsac.org
O15 - Trusted Zone: http://*.turbotax.com

O20 - Winlogon Notify: jkkijgg - jkkijgg.dll (file missing)
O20 - Winlogon Notify: winrge32 - winrge32.dll (file missing)
O20 - Winlogon Notify: winsys32 - C:\WINDOWS\system32\winsys32.dll

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.


*You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode:

Click Start > Turn Off Computer > Restart > Tap the F8 key just before Windows starts to load > This will bring up a menu > Use your keyboard to scroll to Safe Mode > Hit Enter.


*Configure your machine to view hidden files:

Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading select Show hidden files and folders.
Uncheck the Hide Protected Operating System Files Option.
Click Yes to confirm.
Click OK.


*Using Windows Explorer, find and delete these files:

C:\WINDOWS\system32\qeqepurr.dll
C:\WINDOWS\system32\xmlccvtm.exe
C:\WINDOWS\system32\advlopqa.exe
C:\WINDOWS\system32\dcpavss.exe
C:\WINDOWS\system32\sdmvproc.exe
C:\WINDOWS\system32\itsdde.exe
C:\WINDOWS\system32\dlmmsers.exe
C:\WINDOWS\system32\convpsiv.exe
C:\WINDOWS\system32\winsys32.dll
C:\WINDOWS\system32\capsjhec.exe
C:\WINDOWS\system32\sysldsla.exe

Delete the following folder:

C:\Program Files\Ofb11

Empty your recycle bin.
____________________

*Open notepad.
Copy and paste the text inside the Code Box below into Notepad.
Choose File > Save As and under "Save as type", choose "All Files".
Type fix.reg in the File name and save it to your desktop.


REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\atlxpzqv.exe"=-
"C:\\WINDOWS\\system32\\sysldsla.exe"=-
"C:\\WINDOWS\\TEMP\\win74.tmp.exe"=-
"C:\\WINDOWS\\TEMP\\win14D.tmp.exe"=-
"C:\\WINDOWS\\TEMP\\win65.tmp.exe"=-
"C:\\WINDOWS\\system32\\capsjhec.exe"=-
"C:\\WINDOWS\\system32\\advlopqa.exe"=-
"C:\\WINDOWS\\system32\\convpsiv.exe"=-
"C:\\WINDOWS\\system32\\clifodvo.exe"=-
"C:\\WINDOWS\\system32\\advlqhjp.exe"=-
"C:\\WINDOWS\\system32\\umcmtwap.exe"=-
"C:\\WINDOWS\\system32\\libpaqzi.exe"=-
"C:\\WINDOWS\\system32\\capvwuem.exe"=-
"C:\\WINDOWS\\system32\\conjvree.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\atlxpzqv.exe"=-
"C:\\WINDOWS\\system32\\sysldsla.exe"=-
"C:\\WINDOWS\\system32\\capsjhec.exe"=-
"C:\\WINDOWS\\system32\\advlopqa.exe"=-
"C:\\WINDOWS\\system32\\convpsiv.exe"=-
"C:\\WINDOWS\\system32\\clifodvo.exe"=-
"C:\\WINDOWS\\system32\\advlqhjp.exe"=-
"C:\\WINDOWS\\system32\\umcmtwap.exe"=-
"C:\\WINDOWS\\system32\\libpaqzi.exe"=-
"C:\\WINDOWS\\system32\\capvwuem.exe"=-
"C:\\WINDOWS\\system32\\conjvree.exe"=-
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Close notepad. Make sure that all windows are closed.

Find the fix.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer Yes.
____________________

*Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
Deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.


*Please run AVG AntiSpyware, and run a full scan as follows:

IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning; it may interfere with the scanning process.

Launch AVG AntiSpyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG AntiSpyware will now begin the scanning process; be patient, this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file; this is important).
Close AVG AntiSpyware.
Reboot to normal mode.


Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under Select a target to scan: select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


On your next reply, please include a fresh HijackThis log, AVG Antispyware log, Kaspersky scan log and a description of how your machine is running.
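
The HijackThis entries and the fix.reg above are the kind of thing a helper ends up triaging by hand; the script below is an added example, not code from this thread, from HijackThis or from OTMoveIt. It parses O2/O4/O20 lines (the sample lines are copied from the 5/14 log), reports the structural signs an analyst acts on, and builds a REGEDIT4 file in the same form as the fix.reg above; the names `parse_hjt`, `triage`, `build_firewall_fix_reg` and `Entry` are this example's own.

```python
"""Triage a HijackThis log for the persistence pattern handled in this thread.

Added example, not code from the thread, HijackThis or OTMoveIt: it parses the
O2/O4/O20 lines, reports the signs an analyst acts on (missing files, one binary
under several Run names, HKLM/HKCU mirroring, unqualified filenames) and writes
the same kind of REGEDIT4 file as the helper's fix.reg."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the thread's 5/14 log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D93A945-34F0-3455-F641-1CE33796FAE9} - C:\WINDOWS\system32\rztkrczd.dll (file missing)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [askdmme] xmlccvtm.exe
O4 - HKLM\..\Run: [lmsser] C:\WINDOWS\system32\advlopqa.exe
O4 - HKLM\..\Run: [sdmcde] C:\WINDOWS\system32\advlopqa.exe
O4 - HKCU\..\Run: [askdmme] xmlccvtm.exe
O4 - HKCU\..\Run: [lmsser] C:\WINDOWS\system32\advlopqa.exe
O20 - Winlogon Notify: jkkijgg - jkkijgg.dll (file missing)
O20 - Winlogon Notify: winsys32 - C:\WINDOWS\system32\winsys32.dll
"""

MISSING = " (file missing)"
_PATTERNS = (
    ("O2", re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")),
    ("O4", re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")),
)
# A quoted path, or everything up to the first module extension (drops args like /minimized).
_BINARY = re.compile(r'^"([^"]*)"|^(.*?\.(?:exe|dll|com|scr|bat|cmd))(?=\s|$)', re.I)

@dataclass
class Entry:
    section: str
    hive: str          # HKLM/HKCU for O4, empty otherwise
    name: str          # BHO name, Run value name or Notify subkey
    path: str
    file_missing: bool

def _binary(target: str) -> str:
    m = _BINARY.match(target)
    return (m.group(1) if m.group(1) is not None else m.group(2)) if m else target.strip()

def parse_hjt(text: str) -> list:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for section, rx in _PATTERNS:
            m = rx.match(line)
            if not m:
                continue
            target = m.group("target")
            missing = target.endswith(MISSING)
            if missing:
                target = target[: -len(MISSING)]
            hive = m.groupdict().get("hive") or ""
            entries.append(Entry(section, hive, m.group("name"), _binary(target), missing))
            break
    return entries

def triage(entries) -> list:
    """Return (section, subject, note) findings; nothing here touches the system."""
    findings = []
    by_binary = defaultdict(set)   # lower-cased path -> {(hive, value name)}
    by_name = defaultdict(set)     # Run value name -> {hives it appears under}
    for e in entries:
        if e.file_missing:
            findings.append((e.section, e.name, "target file missing: stale entry to remove"))
        if e.section == "O4":
            by_binary[e.path.lower()].add((e.hive, e.name))
            by_name[e.name].add(e.hive)
            if not re.match(r"[A-Za-z]:\\|%|\\\\", e.path):
                findings.append(("O4", e.name, "unqualified filename: resolved via the search path"))
    for path, regs in by_binary.items():
        if len(regs) > 1:   # one binary under several names outlives a single "Fix checked"
            where = ", ".join(sorted(f"{h}:{n}" for h, n in regs))
            findings.append(("O4", path, f"same binary registered {len(regs)}x: {where}"))
    for name, hives in by_name.items():
        if len(hives) > 1:
            findings.append(("O4", name, "mirrored in HKLM and HKCU"))
    return findings

FIREWALL_LISTS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List",
)

def build_firewall_fix_reg(paths) -> str:
    """REGEDIT4 text deleting the given firewall exception values ('=-' means delete)."""
    lines = ["REGEDIT4", ""]                      # no blank line may precede REGEDIT4
    for key in FIREWALL_LISTS:
        lines.append(f"[{key}]")
        for p in paths:
            lines.append('"%s"=-' % p.replace("\\", "\\\\"))   # .reg files double backslashes
        lines.append("")
    return "\n".join(lines) + "\n"                # exactly one blank line at the end
```

Run `triage(parse_hjt(SAMPLE_LOG))` to see why the helper lists every value name separately: advlopqa.exe sits under three Run values across both hives, so fixing one entry leaves the others to relaunch it.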

thetodd
2007-05-16, 20:51
Hello Angelfire777,

I followed your instructions, but I ran into a few problems. I reinstalled AVG, but doing so ended the trial period. So I don't have access to the Resident Shield and I cannot turn on automatic updates. Since you wanted me to disable them anyway, I went ahead and proceeded following the instructions. I don't know if my not being able to use the shield will present a problem, but I figured I'd let you know just in case.

When fixing items in HijackThis, some items were no longer present. They are listed below in bold.

O4 - HKLM\..\Run: [askdmme] xmlccvtm.exe
O4 - HKLM\..\Run: [sysctlio] C:\WINDOWS\system32\convpsiv.exe
O4 - HKLM\..\Run: [askdmme] xmlccvtm.exe
O4 - HKCU\..\Run: [sysctlio] C:\WINDOWS\system32\convpsiv.exe

However, the items listed below in bold were present.

O4 - HKLM\..\Run: [crmssrlt] regrgzwo.exe
O4 - HKLM\..\Run: [wdmlpc] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKLM\..\Run: [zwlibs] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKLM\..\Run: [ldvbs] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKLM\..\Run: [ssmcopx] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKLM\..\Run: [crmssrlt] regrgzwo.exe
O4 - HKLM\..\Run: [wdmlpc] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKLM\..\Run: [zwlibs] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKLM\..\Run: [ldvbs] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKLM\..\Run: [ssmcopx] C:\WINDOWS\system32\winbvuiy.exe

Also, when deleting files using Windows Explorer in safe mode, the following items were not found.

C:\WINDOWS\system32\xmlccvtm.exe
C:\WINDOWS\system32\convpsiv.exe
C:\WINDOWS\system32\sysldsla.exe

And this item could not be deleted because it was still in use.

C:\WINDOWS\system32\winsys32.dll

I was able to follow all other instructions without any problems. I have noticed some improvement with my computer. I have not received any WinAntivirusPro2007, campus dirt, smart search, etc. pop-ups as of yet. Also, the lights on my DSL modem are not blinking as much as they were before, although they are still blinking when I am not connected to the internet. So there has definitely been some improvement, but I still think there may be some remaining items that we missed.

Here is a fresh HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 2:23:59 PM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\1168615367\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\WINDOWS\system32\winbvuiy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\AOL\1168615367\ee\aolsoftware.exe
C:\Program Files\Common Files\AOL\1168615367\ee\aolsoftware.exe
c:\program files\common files\aol\1168615367\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1168615367\ee\anotify.exe
C:\WINDOWS\system32\svchost.exe
C:\HijackThis\777fireangel.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [crmssrlt] regrgzwo.exe
O4 - HKLM\..\Run: [wdmlpc] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKLM\..\Run: [zwlibs] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKLM\..\Run: [ldvbs] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKLM\..\Run: [ssmcopx] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [crmssrlt] regrgzwo.exe
O4 - HKCU\..\Run: [wdmlpc] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKCU\..\Run: [zwlibs] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKCU\..\Run: [ldvbs] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKCU\..\Run: [ssmcopx] C:\WINDOWS\system32\winbvuiy.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.lsac.org
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/download/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178645289375
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/Http/OIFActiveX/ofmctl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys32 - C:\WINDOWS\system32\winsys32.dll
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1168615367\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe

Here is the AVG Antispyware log.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:04:01 PM 5/16/2007

+ Scan result:



C:\WINDOWS\efwfergvfsdgjh.exe -> Proxy.Slaper.p : Cleaned with backup (quarantined).
C:\WINDOWS\gregrehgtrh.exe -> Proxy.Slaper.u : Cleaned with backup (quarantined).


::Report end

And here is the Kaspersky scan log.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, May 16, 2007 2:21:44 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 16/05/2007
Kaspersky Anti-Virus database records: 321691
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 55008
Number of viruses found: 5
Number of infected objects: 9 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:33:08

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\BFTS\BFTSDatabase.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\LiveUpdate\2007-05-16_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.CARTER\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner.CARTER\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner.CARTER\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner.CARTER\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner.CARTER\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Owner.CARTER\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Owner.CARTER\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner.CARTER\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner.CARTER\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.CARTER\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.CARTER\Local Settings\History\History.IE5\MSHist012007051620070517\index.dat Object is locked skipped
C:\Documents and Settings\Owner.CARTER\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.CARTER\My Documents\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner.CARTER\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner.CARTER\ntuser.dat.LOG Object is locked skipped
C:\HijackThis\backups\backup-20070516-084306-981.dll Infected: Trojan.Win32.BHO.o skipped
C:\Program Files\CA\PPRT\logs\2007-05-16.csv Object is locked skipped
C:\VundoFix Backups\pmkhg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\enjdahyv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\vtqvmqqi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winsys32.dll Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

I appreciate all of your help thus far!

Angelfire777
2007-05-17, 14:46
Hi,


I followed your instructions, but I ran into a few problems. I reinstalled AVG, but doing so ended the trial period. So I don't have access to the Resident Shield and I cannot turn on automatic updates. Since you wanted me to disable them anyway, I went ahead and proceeded following the instructions. I don't know if my not being able to use the shield will present a problem, but I figured I'd let you know just in case.

That's ok, you did alright..


I was able to follow all other instructions without any problems. I have noticed some improvement with my computer. I have not received any WinAntivirusPro2007, campus dirt, smart search, etc. pop-ups as of yet. Also, the lights on my dsl modem are not blinking as much as they were before, although they are still blinking when I am not connected to the internet. So there has definitely been some improvement, but I still think there may be some remaining items that we missed.

That's good news! Something regenerated some of the infection so we need to clean them again but they are less now..

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O4 - HKLM\..\Run: [crmssrlt] regrgzwo.exe
O4 - HKLM\..\Run: [wdmlpc] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKLM\..\Run: [zwlibs] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKLM\..\Run: [ldvbs] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKLM\..\Run: [ssmcopx] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKCU\..\Run: [crmssrlt] regrgzwo.exe
O4 - HKCU\..\Run: [wdmlpc] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKCU\..\Run: [zwlibs] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKCU\..\Run: [ldvbs] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKCU\..\Run: [ssmcopx] C:\WINDOWS\system32\winbvuiy.exe
O20 - Winlogon Notify: winsys32 - C:\WINDOWS\system32\winsys32.dll


Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.


*Please download the OTMoveIt by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe).

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\winbvuiy.exe
C:\WINDOWS\system32\winsys32.dll
C:\WINDOWS\system32\regrgzwo.exe
C:\WINDOWS\system32\enjdahyv.dll
C:\WINDOWS\system32\vtqvmqqi.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Post back with a fresh HijackThis log and a description of how your machine is running.
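
The fix list above shows the persistence pattern a helper is looking for when reading a HijackThis log: one image (winbvuiy.exe) registered under several different Run value names, every value mirrored in both HKLM and HKCU so that fixing one hive is not enough, an autorun (regrgzwo.exe) given with no directory at all, and a Winlogon Notify DLL (winsys32.dll, which the earlier scan reported as locked because winlogon.exe had it loaded). The script below is an added example, not part of this thread or of HijackThis, that parses the O4 and O20 lines into those categories so the same triage can be repeated on any log. The AVG7_CC entry in the sample input is a constructed benign line with an assumed path, included only so the script has something it should not flag.

```python
"""Triage the O4 (autorun) and O20 (Winlogon Notify) lines of a HijackThis log.

Added example, not part of the original thread or of HijackThis itself.
It flags the patterns the helper's fix list illustrates: one image launched
under several Run value names, the same value mirrored in HKLM and HKCU,
autorun commands with no directory, and any Winlogon Notify DLL.
"""
import re
from collections import defaultdict

# Constructed sample input: the O4/O20 entries quoted in the post above, plus
# one ordinary-looking entry (assumed AVG tray launcher path) as a benign case.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [crmssrlt] regrgzwo.exe
O4 - HKLM\..\Run: [wdmlpc] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKLM\..\Run: [zwlibs] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKLM\..\Run: [ldvbs] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKLM\..\Run: [ssmcopx] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKCU\..\Run: [crmssrlt] regrgzwo.exe
O4 - HKCU\..\Run: [wdmlpc] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKCU\..\Run: [zwlibs] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKCU\..\Run: [ldvbs] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKCU\..\Run: [ssmcopx] C:\WINDOWS\system32\winbvuiy.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: winsys32 - C:\WINDOWS\system32\winsys32.dll
"""

# "O4 - HKLM\..\Run: [name] command"  and  "O20 - Winlogon Notify: name - dll"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+?)\s*$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+?)\s*$")


def image_of(command):
    """Return the executable part of an autorun command, dropping arguments."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)', command, re.IGNORECASE)
    if m:
        return m.group(1) or m.group(2)
    return command


def parse_hjt(text):
    """Parse O4 and O20 lines into dicts; every other line type is ignored."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            entries.append({"type": "O4", "hive": hive, "key": key, "name": name,
                            "command": cmd, "image": image_of(cmd).lower()})
            continue
        m = O20_RE.match(line)
        if m:
            entries.append({"type": "O20", "name": m.group(1),
                            "image": m.group(2).lower()})
    return entries


def triage(entries):
    """Return findings keyed by category, each a sorted, de-duplicated list."""
    by_image = defaultdict(set)   # image path -> set of Run value names using it
    by_name = defaultdict(set)    # Run value name -> set of hives it appears in
    findings = {"multi_name": [], "mirrored": [], "no_path": [], "winlogon_notify": []}
    for e in entries:
        if e["type"] == "O4":
            by_image[e["image"]].add(e["name"])
            by_name[e["name"]].add(e["hive"])
            if "\\" not in e["image"]:
                # Bare filename: resolved through the search path, so its real
                # location is unknown from the log alone.
                findings["no_path"].append(e["image"])
        else:
            # Winlogon Notify DLLs load into winlogon.exe (SYSTEM) and survive
            # ordinary deletion while loaded; always list them for review.
            findings["winlogon_notify"].append(e["image"])
    for image, names in by_image.items():
        if len(names) > 1:            # same file started under several names
            findings["multi_name"].append(image)
    for name, hives in by_name.items():
        if len(hives) > 1:            # same value planted in HKLM and HKCU
            findings["mirrored"].append(name)
    return {k: sorted(set(v)) for k, v in findings.items()}


if __name__ == "__main__":
    for category, items in triage(parse_hjt(SAMPLE_LOG)).items():
        print(category)
        for item in items:
            print("   ", item)
```

On the sample input the benign AVG entry is not reported in any category, while winbvuiy.exe is flagged as one image under four names, all five value names as mirrored across hives, regrgzwo.exe as a pathless autorun, and winsys32.dll as a Winlogon Notify DLL. The categories are prompts for a reviewer, not verdicts: a legitimate product can also mirror a value in both hives, which is why the helper cross-checks each flagged file against the online scan results before adding it to a fix list.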

thetodd
2007-05-20, 17:59
For some reason, after I ran OTMoveIT and I restarted my computer, it kept rebooting before Windows had finished starting up. I just went ahead and reinstalled Windows. Thanks anyway. Everything was improving up until that point. I appreciate your assistance.

Angelfire777
2007-05-24, 11:36
Sorry for the late reply..I've been quite busy these days..Sorry that it'll have to end up like this..


Here are some free programs I recommend that could help you improve your pc's security.

Firewall Application
» ZoneAlarm (http://www.zonelabs.com)
» Kerio (http://www.321download.com/LastFreeware/page7.html#Kerio%20Personal%20Firewall)

Adaware
~You can download it from here (http://www.lavasoft.de)
~There is a tutorial on how to use Adaware properly here (http://forums.spywareinfo.com/index.php?showtopic=11150)

Spybot Search and Destroy
~You can download it from here (http://security.kolla.de/index.php?lang=en&page=download) . Just choose a mirror and off you go.
~There is also a tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

Install Spyware Guard
~You can download it from here (http://www.javacoolsoftware.com/spywareguard.html)
~You can read the tutorial on how to use Spyware Guard here (http://www.bleepingcomputer.com/tutorials/tutorial50.html)

Install WinPatrol
~You can download it from here (http://www.winpatrol.com/download.html)
~You can get some information about how WinPatrol works here (http://www.winpatrol.com/features.html)

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Pls. check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)

Happy Safe Surfing