please help with removal



ghosterman3
2007-10-14, 05:31
I have been trying all day to fix my computer. I lent it to someone who used IE instead of Firefox; now Firefox doesn't work and it's full of adware, and Spy Sweeper won't get rid of it, and I have tried using methods from other posts with no luck... please help, here is my HJT log... if you need more info please let me know!!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:18 PM, on 10/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\myafgodk.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvtun.dll,startup
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win8B.tmp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\rjxkxofh.dll",sitypnow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Documents and Settings\user\Desktop\bitcomet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Documents and Settings\user\Desktop\bitcomet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Documents and Settings\user\Desktop\bitcomet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163229568937
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5604 bytes

ghosterman3
2007-10-14, 05:39
Oh, and when I try to unrar SmitfraudFix.zip it says WinRAR has encountered a problem, just like Firefox, and also Spybot S&D won't install, it just gives a loud "dong" noise...

pskelley
2007-10-19, 12:56
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

The Waiting Room
http://forums.spybot.info/forumdisplay.php?f=37

I apologize for the wait; it seems you missed the link above. If you have not resolved your problems, place System Configuration Utility (MSConfig) in normal mode so I can see everything and post a new HJT log.
You may wait on the Kaspersky scan until I see if we need it.

If you have resolved your issues, I would appreciate a post letting me know so I can close your topic.

Thanks

ghosterman3
2007-10-20, 06:36
Well, I fixed Firefox, BUT... nothing else is fixed. I never really use normal mode because of a lot of stuff being on there for some reason. Anyway, I did it and here is the log!! Thanks! Also it seems some extra stuff is on my computer from my friend, and when I try to delete it from Add/Remove it just does nothing....




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:49 PM, on 10/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\nero\InCD\InCDsrv.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\efxljcpm.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\WINDOWS\TEMP\win8B.tmp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
D:\PeerGuardian2\pg2.exe
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] "D:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [p2p networking] p2pnetworking.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ioloDelayModule] "C:\Program Files\iolo\System Mechanic Professional 6\delay.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvtun.dll,startup
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win8B.tmp.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\vebfhqvy.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Vidalia] "d:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [PeerGuardian] D:\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctpmon] ctpmon.exe
O4 - HKCU\..\Run: [Aowl] "C:\WINDOWS\RACLE~1\rundll.exe" -vt yazb
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Documents and Settings\user\Desktop\bitcomet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Documents and Settings\user\Desktop\bitcomet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Documents and Settings\user\Desktop\bitcomet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163229568937
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\efxljcpm.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\nero\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10935 bytes

pskelley
2007-10-20, 15:24
Thanks for returning your information and the feedback. I turn off all programs in MSConfig that I only use once in a while myself, but if you had malware turned off, I would not know it is there. You may return to Selective Start to save resources now if you wish, but you have worse problems!
http://netsquirrel.com/msconfig/msconfig_xp.html

You are badly infected, I see just about one of everything. This is going to take a while and you need to keep this computer offline except when troubleshooting until I tell you it is clean. If you can work with that, then start like this.

1) C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe <<< return here and rename HijackThis.exe; call it ghosterman3.exe or whatever. The next HJT log will show the Vundo infection, I believe.

2) I see evidence of Smitfraud; this procedure will tell us if it is present:
http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

3) Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log, include the C:\rapport.txt from Smitfraudfix with those.

This is a start

Thanks
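As an added example (not code from this thread, nor from HijackThis, SmitfraudFix or SDFix), here is a small Python triage script that applies the kind of rules the helper is using when reading the HJT logs above: an autorun launched from TEMP, rundll32 loading a random-looking DLL from system32, a nameless BHO backed by a real file, a Winlogon Notify hook whose DLL is missing, and a service with an empty vendor field. The rules, the random-name heuristic and the sample lines are my own assumptions, shaped after the entries in this thread; nothing here is published by those tools.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example, not part of the forum thread or of HijackThis, SmitfraudFix or
SDFix. The scoring rules are assumptions modelled on the entries the helper
singled out in the thread; they are a reading aid, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: a few entries shaped like the ones in the thread,
# mixed with benign ones so the rules have something to let through.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {66D07D37-E684-C173-F13C-EC2B5D9FDEB9} - C:\WINDOWS\system32\qsmlmj.dll
O2 - BHO: (no name) - {6AC1622E-2061-4910-87AA-92591C3B2E35} - (no file)
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win8B.tmp.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\rjxkxofh.dll",sitypnow
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: awtrrsq - awtrrsq.dll (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\efxljcpm.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O4 - <body>", "R1 - <body>" and so on; process listings and headers are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
DLL_RE = re.compile(r"([A-Za-z0-9_~-]+)\.dll", re.IGNORECASE)
# "Service: <name> - <vendor> - <path>"; the vendor field may be empty.
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?) -\s*(?P<vendor>.*?)\s*- (?P<path>[A-Za-z]:\\.+)$"
)


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str]


def looks_random(basename: str) -> bool:
    """Assumed heuristic for machine-generated names: all lowercase letters,
    six or more of them, containing a run of four or more consonants."""
    return (basename.isalpha() and basename.islower() and len(basename) >= 6
            and re.search(r"[^aeiou]{4}", basename) is not None)


def rule_temp_autorun(section: str, body: str) -> Optional[str]:
    if section == "O4" and re.search(r"\\temp\\", body, re.IGNORECASE):
        return "autorun launched from a TEMP directory"
    return None


def rule_rundll32_random(section: str, body: str) -> Optional[str]:
    if section == "O4" and "rundll32" in body.lower():
        m = DLL_RE.search(body)
        if m and looks_random(m.group(1)):
            return f"rundll32 loads random-looking DLL {m.group(1)}.dll"
    return None


def rule_nameless_bho(section: str, body: str) -> Optional[str]:
    if section == "O2" and body.startswith("BHO: (no name)") and "(no file)" not in body:
        m = DLL_RE.search(body)
        return f"nameless BHO backed by a file on disk ({m.group(1) if m else '?'}.dll)"
    return None


def rule_winlogon_missing(section: str, body: str) -> Optional[str]:
    if section == "O20" and "(file missing)" in body:
        return "Winlogon Notify hook whose DLL is missing (orphaned registry entry)"
    return None


def rule_service_no_vendor(section: str, body: str) -> Optional[str]:
    if section == "O23":
        m = SERVICE_RE.match(body)
        if m and m.group("vendor") == "":
            return f"service {m.group('name')} has an empty vendor field"
    return None


RULES = [rule_temp_autorun, rule_rundll32_random, rule_nameless_bho,
         rule_winlogon_missing, rule_service_no_vendor]


def triage(log_text: str) -> List[Finding]:
    """Return every HJT entry that trips at least one rule, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons = [r for r in (rule(section, body) for rule in RULES) if r]
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for reason in f.reasons:
            print(f"    -> {reason}")
```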

ghosterman3
2007-10-20, 22:22
OK, I did everything! Here are the notes! Thanks!

Should I do a normal start again for the HJT??




hjt.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:22 PM, on 10/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\user\Desktop\hijackthis\ghosterman3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {66D07D37-E684-C173-F13C-EC2B5D9FDEB9} - C:\WINDOWS\system32\qsmlmj.dll
O2 - BHO: (no name) - {6AC1622E-2061-4910-87AA-92591C3B2E35} - (no file)
O2 - BHO: (no name) - {71DCBC2F-45EB-A238-60D0-05366A24032B} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\xvpwodcs.dll
O2 - BHO: (no name) - {8ADA557C-630E-4EC8-9475-5BE16866FEC6} - C:\WINDOWS\system32\mllmj.dll
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - (no file)
O2 - BHO: (no name) - {C91D0A87-3744-445B-8A0E-29942831DC9C} - C:\WINDOWS\system32\ljjjghi.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\essnlwui.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Documents and Settings\user\Desktop\bitcomet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Documents and Settings\user\Desktop\bitcomet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Documents and Settings\user\Desktop\bitcomet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163229568937
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: awtrrsq - awtrrsq.dll (file missing)
O20 - Winlogon Notify: ljjjghi - C:\WINDOWS\SYSTEM32\ljjjghi.dll
O20 - Winlogon Notify: nnnllij - nnnllij.dll (file missing)
O20 - Winlogon Notify: wintuh32 - wintuh32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7155 bytes



rapport.txt


SmitFraudFix v2.240

Scan done at 11:41:29.96, Sat 10/20/2007
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\mgrs.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ot.ico FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user\FAVORI~1

C:\DOCUME~1\user\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VM Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 68.87.69.146
DNS Server Search Order: 68.87.85.98

HKLM\SYSTEM\CCS\Services\Tcpip\..\{FA987430-88F7-4C87-A3AF-3C79AEC768B0}: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FA987430-88F7-4C87-A3AF-3C79AEC768B0}: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FA987430-88F7-4C87-A3AF-3C79AEC768B0}: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS3\Services\Tcpip\..\{FA987430-88F7-4C87-A3AF-3C79AEC768B0}: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.69.146 68.87.85.98


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End




report.txt



SDFix: Version 1.110

Run by user on Sat 10/20/2007 at 11:53 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\336019~1 - Deleted
C:\Documents and Settings\user\Local Settings\Temp\winCE6.tmp.exe - Deleted
C:\WINDOWS\Temp\win1A.tmp.exe - Deleted
C:\WINDOWS\Temp\win4B.tmp.exe - Deleted
C:\WINDOWS\Temp\win50.tmp.exe - Deleted
C:\WINDOWS\Temp\win88.tmp.exe - Deleted
C:\WINDOWS\Temp\win8B.tmp.exe - Deleted
C:\WINDOWS\Temp\win8D.tmp.exe - Deleted
C:\WINDOWS\Temp\win1A.tmp.exe - Deleted
C:\WINDOWS\Temp\win4B.tmp.exe - Deleted
C:\WINDOWS\Temp\win50.tmp.exe - Deleted
C:\WINDOWS\Temp\win88.tmp.exe - Deleted
C:\WINDOWS\Temp\win8B.tmp.exe - Deleted
C:\WINDOWS\Temp\win8D.tmp.exe - Deleted
C:\t.rar - Deleted
C:\WINDOWS\mgrs.exe - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted
C:\WINDOWS\wr.txt - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\~os114.tmp\\ossproxy.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\~os114.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Program Files\\iolo\\System Mechanic Professional 7\\Personal Firewall\\ioloFW.exe"="C:\\Program Files\\iolo\\System Mechanic Professional 7\\Personal Firewall\\ioloFW.exe:*:Enabled:iolo Firewallr"
"C:\\Program Files\\iolo\\System Mechanic Professional 7\\AntiVirus\\ioloAV.exe"="C:\\Program Files\\iolo\\System Mechanic Professional 7\\AntiVirus\\ioloAV.exe:*:Enabled:iolo AntiVirusr"
"C:\\Program Files\\iolo\\System Mechanic Professional 7\\AntiVirus\\iAVEmailScanner.exe"="C:\\Program Files\\iolo\\System Mechanic Professional 7\\AntiVirus\\iAVEmailScanner.exe:*:Enabled:iolo AntiVirusr Email Protection"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\~os5E.tmp\\ossproxy.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\~os5E.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\~os13C.tmp\\ossproxy.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\~os13C.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"D:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="D:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"D:\\Program Files\\Microsoft Office\\Office12\\groove.exe"="D:\\Program Files\\Microsoft Office\\Office12\\groove.exe:*:Enabled:Microsoft Office Groove"
"D:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="D:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\~os118.tmp\\ossproxy.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\~os118.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"D:\\battlefield2\\BF2.exe"="D:\\battlefield2\\BF2.exe:*:Disabled:Battlefield 2"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Disabled:BitTorrent"
"C:\\Documents and Settings\\user\\Desktop\\JEOPARDY!\\JEOPARDY!.exe"="C:\\Documents and Settings\\user\\Desktop\\JEOPARDY!\\JEOPARDY!.exe:*:Disabled:JEOPARDY!"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Disabled:Kazaa"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Disabled:SmartFTP Client 2.0"
"C:\\Program Files\\GameHouse\\TextTwist\\TextTwist.exe"="C:\\Program Files\\GameHouse\\TextTwist\\TextTwist.exe:*:Disabled:Super TextTwist"
"C:\\Program Files\\Sony Pictures Games\\Wheel of Fortune\\Wheel of Fortune.exe"="C:\\Program Files\\Sony Pictures Games\\Wheel of Fortune\\Wheel of Fortune.exe:*:Disabled:Wheel of Fortune"
"C:\\Program Files\\Zone.com Deluxe Games\\Wheel of Fortune Deluxe\\Wheel of Fortune Deluxe.exe"="C:\\Program Files\\Zone.com Deluxe Games\\Wheel of Fortune Deluxe\\Wheel of Fortune Deluxe.exe:*:Disabled:Wheel of Fortune Deluxe"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Disabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"D:\\Program Files\\LimeWire\\LimeWire.exe"="D:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Disabled:LimeWire swarmed installer"
"D:\\Program Files\\Lineage II\\system\\gameguard.des"="D:\\Program Files\\Lineage II\\system\\gameguard.des:*:Disabled:gameguard.des"
"D:\\Program Files\\Lineage II\\system\\GameGuard\\GameMon.des"="D:\\Program Files\\Lineage II\\system\\GameGuard\\GameMon.des:*:Disabled:GameMon.des"
"D:\\Program Files\\Lineage II\\system\\l2.exe"="D:\\Program Files\\Lineage II\\system\\l2.exe:*:Disabled:l2.exe"
"D:\\Program Files\\Lineage II\\LineageII.exe"="D:\\Program Files\\Lineage II\\LineageII.exe:*:Disabled:Play Lineage II"
"C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\winCDC.tmp.exe"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\winCDC.tmp.exe:*:Enabled:winCDC.tmp"
"C:\\WINDOWS\\system32\\frhfpmqf.exe"="C:\\WINDOWS\\system32\\frh"
"C:\\WINDOWS\\TEMP\\win10.tmp.exe"="C:\\WINDOWS\\TEMP\\win10.tmp.exe:*:Enabled:win10.tmp"
"C:\\WINDOWS\\system32\\jllaposa.exe"="C:\\WINDOWS\\system32\\jll"
"C:\\WINDOWS\\TEMP\\win40.tmp.exe"="C:\\WINDOWS\\TEMP\\win40.tmp.exe:*:Enabled:win40.tmp"
"C:\\WINDOWS\\system32\\myafgodk.exe"="C:\\WINDOWS\\system32\\mya"
"C:\\WINDOWS\\TEMP\\win7D.tmp.exe"="C:\\WINDOWS\\TEMP\\win7D.tmp.exe:*:Enabled:win7D.tmp"
"C:\\WINDOWS\\system32\\efxljcpm.exe"="C:\\WINDOWS\\system32\\efx"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 6 Sep 2007 80 ..SHR --- "C:\WINDOWS\system32\2B3B8C8FD8.dll"
Sun 7 Oct 2007 1,514,251 ..SH. --- "C:\WINDOWS\system32\jmllm.tmp"
Wed 17 Oct 2007 652,903 ..SH. --- "C:\WINDOWS\system32\jmllm.bak1"
Sat 20 Oct 2007 639,683 ..SH. --- "C:\WINDOWS\system32\jmllm.bak2"
Thu 9 Nov 2006 696,990 ..SH. --- "C:\WINDOWS\system32\rrutv.bak1"
Wed 13 Jun 2007 1,836,079 ..SH. --- "C:\WINDOWS\system32\sttss.bak1"
Thu 14 Jun 2007 1,836,881 ..SH. --- "C:\WINDOWS\system32\sttss.bak2"
Fri 19 Oct 2007 294 ..SH. --- "C:\WINDOWS\system32\yvqhfbev.tmp"

Finished!

pskelley
2007-10-20, 22:42
Please look at the top of Notepad, under Format and uncheck "Word Wrap". Please leave it unchecked until we are finished.

For your information, always restart the computer when you run a tool so the changes can go into effect before making and posting a HJT log. So you know, SDfix did a good job and removed a lot of junk. Smitfraudfix found bad stuff, so now we will have it remove what it found. I can now see the Vundo infection and we will start removing it. You were very infected, be patient, follow the instructions and we will get this done with time.

http://siri.geekstogo.com/SmitfraudFix.php <<< Tutorial if needed

1) Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infected files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

2) Thanks to Atribune and any others who helped with this fix.

Please understand these hackers can call their junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

Post the C:\rapport.txt from Smitfraudfix, the C:\vundofix.txt and a new HiJackThis log

Thanks

ghosterman3
2007-10-21, 00:02
OK, here are my logs for you, thanks.


hjt.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:55:53 PM, on 10/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\hijackthis\ghosterman3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {66D07D37-E684-C173-F13C-EC2B5D9FDEB9} - C:\WINDOWS\system32\qsmlmj.dll
O2 - BHO: (no name) - {6AC1622E-2061-4910-87AA-92591C3B2E35} - (no file)
O2 - BHO: (no name) - {71DCBC2F-45EB-A238-60D0-05366A24032B} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\dithmkad.dll
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - (no file)
O2 - BHO: (no name) - {C91D0A87-3744-445B-8A0E-29942831DC9C} - C:\WINDOWS\system32\ljjjghi.dll
O2 - BHO: (no name) - {FACEC681-D0B4-429D-816C-D0FC19FA6A37} - C:\WINDOWS\system32\mllmj.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Documents and Settings\user\Desktop\bitcomet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Documents and Settings\user\Desktop\bitcomet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Documents and Settings\user\Desktop\bitcomet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163229568937
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: awtrrsq - awtrrsq.dll (file missing)
O20 - Winlogon Notify: ljjjghi - C:\WINDOWS\SYSTEM32\ljjjghi.dll
O20 - Winlogon Notify: nnnllij - nnnllij.dll (file missing)
O20 - Winlogon Notify: wintuh32 - wintuh32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6386 bytes


rapport.txt



SmitFraudFix v2.240

Scan done at 13:37:11.90, Sat 10/20/2007
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ot.ico Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\user\FAVORI~1\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{FA987430-88F7-4C87-A3AF-3C79AEC768B0}: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FA987430-88F7-4C87-A3AF-3C79AEC768B0}: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FA987430-88F7-4C87-A3AF-3C79AEC768B0}: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS3\Services\Tcpip\..\{FA987430-88F7-4C87-A3AF-3C79AEC768B0}: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.69.146 68.87.85.98


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



vundofix.txt


VundoFix V6.5.10

Checking Java version...

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 1:41:44 PM 10/20/2007

Listing files found while scanning....

C:\WINDOWS\system32\goxfudgt.dll
C:\windows\system32\oxcbhrhs.dll
C:\windows\system32\phefbtes.dll
C:\windows\system32\setbfehp.ini
C:\windows\system32\shrhbcxo.ini
C:\WINDOWS\system32\tgdufxog.ini
C:\WINDOWS\system32\xvpwodcs.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\goxfudgt.dll
C:\WINDOWS\system32\goxfudgt.dll Has been deleted!

Attempting to delete C:\windows\system32\oxcbhrhs.dll
C:\windows\system32\oxcbhrhs.dll Has been deleted!

Attempting to delete C:\windows\system32\phefbtes.dll
C:\windows\system32\phefbtes.dll Has been deleted!

Attempting to delete C:\windows\system32\setbfehp.ini
C:\windows\system32\setbfehp.ini Has been deleted!

Attempting to delete C:\windows\system32\shrhbcxo.ini
C:\windows\system32\shrhbcxo.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\tgdufxog.ini
C:\WINDOWS\system32\tgdufxog.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\xvpwodcs.dll
C:\WINDOWS\system32\xvpwodcs.dll Has been deleted!

Performing Repairs to the registry.
Done!

pskelley
2007-10-21, 00:19
I am sorry but you have not killed all of the vundo files. Here are the ones I still see:

C:\WINDOWS\system32\qsmlmj.dll
C:\WINDOWS\system32\dithmkad.dll
C:\WINDOWS\system32\ljjjghi.dll
C:\WINDOWS\system32\mllmj.dll

Sometimes you have to run Vundofix several times before it identifies and deletes all of the infected files. I posted them so you can see them in the log. If you run it a couple of times and it does not delete those files, then do this.

Open Vundofix by double-clicking on it, then point your mouse to the white box above the buttons and right click, then click on Add More Files. When the next window opens, copy and paste the files into the boxes and click on Add File(s), then click on Close Window. Then click Remove Vundo.

You may have to do it twice since you will only have three boxes you can add at a time. When you are successful, all vundo files will appear like this:

Example only:
C:\WINDOWS\system32\mllmj.dll(file missing)

Once this is achieved, post a HJT log and tell me how the computer is performing now.

Thanks

ghosterman3
2007-10-21, 01:51
C:\WINDOWS\system32\ljjjghi.dll showed up twice, after that it said no infections were found, but the log doesn't show "file missing". Did I do something wrong?



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:14 PM, on 10/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\user\Desktop\hijackthis\ghosterman3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {523B9F5A-E2C6-4A16-A837-83293DC0A903} - C:\WINDOWS\system32\mllmm.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {66D07D37-E684-C173-F13C-EC2B5D9FDEB9} - C:\WINDOWS\system32\qsmlmj.dll (file missing)
O2 - BHO: (no name) - {6AC1622E-2061-4910-87AA-92591C3B2E35} - (no file)
O2 - BHO: (no name) - {71DCBC2F-45EB-A238-60D0-05366A24032B} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {947A7EDF-7F24-4BC6-AC85-4C82C7725A25} - C:\WINDOWS\system32\mllmj.dll (file missing)
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - (no file)
O2 - BHO: (no name) - {C91D0A87-3744-445B-8A0E-29942831DC9C} - C:\WINDOWS\system32\ljjjghi.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Documents and Settings\user\Desktop\bitcomet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Documents and Settings\user\Desktop\bitcomet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Documents and Settings\user\Desktop\bitcomet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163229568937
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: awtrrsq - awtrrsq.dll (file missing)
O20 - Winlogon Notify: nnnllij - nnnllij.dll (file missing)
O20 - Winlogon Notify: wintuh32 - wintuh32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6348 bytes

pskelley
2007-10-21, 02:28
I am sorry this is so tough, Vundo can be a real problem to remove because the junk morphs as you can see. If it was the same each time we would have no problems but the hackers keep changing how it infects you. I'll be the first to admit I am not sure what will work. Let's use HJT once to see what is left at that point.

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {523B9F5A-E2C6-4A16-A837-83293DC0A903} - C:\WINDOWS\system32\mllmm.dll
O2 - BHO: (no name) - {66D07D37-E684-C173-F13C-EC2B5D9FDEB9} - C:\WINDOWS\system32\qsmlmj.dll (file missing)
O2 - BHO: (no name) - {6AC1622E-2061-4910-87AA-92591C3B2E35} - (no file)
O2 - BHO: (no name) - {71DCBC2F-45EB-A238-60D0-05366A24032B} - (no file)
O2 - BHO: (no name) - {947A7EDF-7F24-4BC6-AC85-4C82C7725A25} - C:\WINDOWS\system32\mllmj.dll (file missing)
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - (no file)
O2 - BHO: (no name) - {C91D0A87-3744-445B-8A0E-29942831DC9C} - C:\WINDOWS\system32\ljjjghi.dll
O20 - Winlogon Notify: awtrrsq - awtrrsq.dll (file missing)
O20 - Winlogon Notify: nnnllij - nnnllij.dll (file missing)
O20 - Winlogon Notify: wintuh32 - wintuh32.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

You should recognize these Vundo files by now. Just as soon as you make a new HJT log, look to see if any of those are there and use this method right away:

Open Vundofix by double-clicking on it, then point your mouse to the white box above the buttons and right click, then click on Add More Files. When the next window opens, copy and paste the files into the boxes and click on Add File(s), then click on Close Window. Then click Remove Vundo.

Thanks
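As an added illustration (not part of the thread, of HijackThis or of VundoFix), the following Python script turns the selection criteria pskelley applies above to the HJT log into detection logic: it parses O2 (BHO) and O20 (Winlogon Notify) lines and flags unnamed BHOs, BHO CLSIDs with no file behind them, Notify packages whose DLL is already missing, and a DLL registered both as an unnamed BHO and as a Notify package. The sample lines are copied from the HJT logs posted earlier in this thread; legitimate entries (Adobe, Spybot, NVIDIA) are included to show they are not flagged.

```python
import re
from dataclasses import dataclass

# HijackThis line formats for Browser Helper Objects (O2) and Winlogon Notify packages (O20).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
MISSING = "(file missing)"

# Sample HJT lines taken from the logs posted in this thread (hjt.log of 10/20/2007).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {66D07D37-E684-C173-F13C-EC2B5D9FDEB9} - C:\WINDOWS\system32\qsmlmj.dll
O2 - BHO: (no name) - {6AC1622E-2061-4910-87AA-92591C3B2E35} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C91D0A87-3744-445B-8A0E-29942831DC9C} - C:\WINDOWS\system32\ljjjghi.dll
O2 - BHO: (no name) - {947A7EDF-7F24-4BC6-AC85-4C82C7725A25} - C:\WINDOWS\system32\mllmj.dll (file missing)
O20 - Winlogon Notify: awtrrsq - awtrrsq.dll (file missing)
O20 - Winlogon Notify: ljjjghi - C:\WINDOWS\SYSTEM32\ljjjghi.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # "O2" or "O20"
    target: str    # DLL path, CLSID or Notify key as it appears in the log
    reason: str


def dll_basename(path: str) -> str:
    """Lower-cased file name of a DLL path, with any '(file missing)' suffix stripped."""
    return path.replace(MISSING, "").strip().rsplit("\\", 1)[-1].lower()


def scan_hjt_log(text: str) -> list:
    """Return the O2/O20 entries a helper would check for removal, with the reason for each."""
    findings = []
    unnamed_bho_dlls = set()   # DLLs still on disk that are loaded by an unnamed BHO
    notify_entries = []        # (key, path) of Notify packages whose DLL is still present
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            name, clsid, path = m.group("name", "clsid", "path")
            if path == "(no file)":
                findings.append(Finding("O2", "{%s}" % clsid, "BHO CLSID registered with no file behind it"))
            elif name == "(no name)":
                if MISSING in path:
                    findings.append(Finding("O2", path, "unnamed BHO whose DLL is already gone (orphaned registration)"))
                else:
                    unnamed_bho_dlls.add(dll_basename(path))
                    findings.append(Finding("O2", path, "unnamed BHO with its DLL still present"))
            continue
        m = O20_RE.match(line)
        if m:
            key, path = m.group("key", "path")
            if MISSING in path:
                findings.append(Finding("O20", key, "Winlogon Notify package whose DLL is missing"))
            else:
                notify_entries.append((key, path))
    # Cross-reference: one DLL registered both as an unnamed BHO and as a Notify package
    # is the pattern seen with ljjjghi.dll in this thread.
    for key, path in notify_entries:
        if dll_basename(path) in unnamed_bho_dlls:
            findings.append(Finding("O20", key, "Notify DLL is also registered as an unnamed BHO"))
    return findings


if __name__ == "__main__":
    for f in scan_hjt_log(SAMPLE_LOG):
        print(f"{f.section:<4} {f.target:<60} {f.reason}")
```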

ghosterman3
2007-10-21, 02:53
I found only one! And I ran it in VundoFix, but now the HJT log shows (file missing).
Is that good or bad?




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:41 PM, on 10/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\user\Desktop\hijackthis\ghosterman3.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {523B9F5A-E2C6-4A16-A837-83293DC0A903} - C:\WINDOWS\system32\mllmm.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Documents and Settings\user\Desktop\bitcomet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Documents and Settings\user\Desktop\bitcomet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Documents and Settings\user\Desktop\bitcomet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163229568937
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5640 bytes

pskelley
2007-10-21, 03:01
That is very good, use HJT to remove this dead item:
O2 - BHO: (no name) - {523B9F5A-E2C6-4A16-A837-83293DC0A903} - C:\WINDOWS\system32\mllmm.dll (file missing)

See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_09\ <<< update your Java and then uninstall any old Java programs in Add/Remove Programs.

Tell me how the computer is running. I think we should run one good scan to check for hidden junk, but want some feedback from you first.

Thanks

ghosterman3
2007-10-21, 03:13
:crowned:

Everything is running again! Thank you so much!! No more "" has encountered a problem" when I run .exe files!

:eek:

pskelley
2007-10-21, 03:18
Sounds good, let's run one good scan and then I'll post closing information. I will be down for the night, so I will not see this until tomorrow if you post it tonight.

First you need to remove Smitfraudfix, SDFix, and Vundofix (make sure to delete the Vundofix backups file). You can keep ATF-Cleaner if you wish, it is a nice small program. When all of the programs we used are removed, then do this.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

ghosterman3
2007-10-21, 06:04
1 of 2

Dang... I thought I was good...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, October 20, 2007 8:00:43 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/10/2007
Kaspersky Anti-Virus database records: 414737
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 86077
Number of viruses found: 20
Number of infected objects: 110
Number of suspicious objects: 0
Duration of the scan process: 02:18:17

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/ctqbgngx.exe Infected: Trojan-Downloader.Win32.Agent.bud skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/wintuh32.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip/mgrs.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vhbec6i.default\cert8.db Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vhbec6i.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vhbec6i.default\history.dat Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vhbec6i.default\key3.db Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vhbec6i.default\parent.lock Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vhbec6i.default\search.sqlite Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vhbec6i.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\3vhbec6i.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\3vhbec6i.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\3vhbec6i.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\3vhbec6i.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\MSHist012007102020071021\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\NTUser.dat Object is locked skipped
C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{098A58E8-8C18-44C8-B80F-4C0A94E371C5}\{E82C857C-732F-408B-97F4-6D9827BAAE44}.dll/{E82C857C-732F-408B-97F4-6D9827BAAE44}.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{098A58E8-8C18-44C8-B80F-4C0A94E371C5}\{E82C857C-732F-408B-97F4-6D9827BAAE44}.dll ZIP: infected - 1 skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{647769ED-A106-442E-B738-0792A8004F32}\{60FEAE97-F5AC-4033-AF6A-9E131C1B48F2}/{60FEAE97-F5AC-4033-AF6A-9E131C1B48F2} Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{647769ED-A106-442E-B738-0792A8004F32}\{60FEAE97-F5AC-4033-AF6A-9E131C1B48F2} ZIP: infected - 1 skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{835D3B99-522B-4CC5-A7BB-F34EA936C231}\{14EFB82B-4047-4BA9-9F2B-A180391ED8BE}.exe/{14EFB82B-4047-4BA9-9F2B-A180391ED8BE}.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{835D3B99-522B-4CC5-A7BB-F34EA936C231}\{14EFB82B-4047-4BA9-9F2B-A180391ED8BE}.exe ZIP: infected - 1 skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{835D3B99-522B-4CC5-A7BB-F34EA936C231}\{67A4E9E3-965E-4ACE-B80A-85F26F668F04}.exe/{67A4E9E3-965E-4ACE-B80A-85F26F668F04}.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{835D3B99-522B-4CC5-A7BB-F34EA936C231}\{67A4E9E3-965E-4ACE-B80A-85F26F668F04}.exe ZIP: infected - 1 skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{835D3B99-522B-4CC5-A7BB-F34EA936C231}\{78CD87D9-2868-4E8A-BF9F-1AB92FE8793B}.tmp/{78CD87D9-2868-4E8A-BF9F-1AB92FE8793B}.tmp Infected: Trojan.Win32.Agent.qt skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{835D3B99-522B-4CC5-A7BB-F34EA936C231}\{78CD87D9-2868-4E8A-BF9F-1AB92FE8793B}.tmp ZIP: infected - 1 skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{835D3B99-522B-4CC5-A7BB-F34EA936C231}\{961F023F-F9D1-48E7-A4A8-61B258BDF0B6}.exe/{961F023F-F9D1-48E7-A4A8-61B258BDF0B6}.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{835D3B99-522B-4CC5-A7BB-F34EA936C231}\{961F023F-F9D1-48E7-A4A8-61B258BDF0B6}.exe ZIP: infected - 1 skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{835D3B99-522B-4CC5-A7BB-F34EA936C231}\{CEE7D694-6633-495F-A29E-EC8F55B71151}.exe/{CEE7D694-6633-495F-A29E-EC8F55B71151}.exe Infected: Trojan-Downloader.Win32.Agent.brf skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{835D3B99-522B-4CC5-A7BB-F34EA936C231}\{CEE7D694-6633-495F-A29E-EC8F55B71151}.exe ZIP: infected - 1 skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{835D3B99-522B-4CC5-A7BB-F34EA936C231}\{CFF27A7A-F978-438F-AD36-96A01C07793E}.exe/{CFF27A7A-F978-438F-AD36-96A01C07793E}.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{835D3B99-522B-4CC5-A7BB-F34EA936C231}\{CFF27A7A-F978-438F-AD36-96A01C07793E}.exe ZIP: infected - 1 skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{835D3B99-522B-4CC5-A7BB-F34EA936C231}\{EC2FD06F-D16B-4C0A-B404-ABFC74CF10FC}.exe/{EC2FD06F-D16B-4C0A-B404-ABFC74CF10FC}.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{835D3B99-522B-4CC5-A7BB-F34EA936C231}\{EC2FD06F-D16B-4C0A-B404-ABFC74CF10FC}.exe ZIP: infected - 1 skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{D1069676-5C1C-492B-AFEE-F9842C9791DC}\{3C8376AD-88DA-4196-89C7-BA8BDE67EAB2}.exe/{3C8376AD-88DA-4196-89C7-BA8BDE67EAB2}.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{D1069676-5C1C-492B-AFEE-F9842C9791DC}\{3C8376AD-88DA-4196-89C7-BA8BDE67EAB2}.exe ZIP: infected - 1 skipped
C:\SDFix\backups\backups.zip/backups/mgrs.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\SDFix\backups\backups.zip/backups/win1A.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\SDFix\backups\backups.zip/backups/win4B.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\SDFix\backups\backups.zip/backups/win50.tmp.exe Infected: Trojan-Downloader.Win32.VB.bng skipped
C:\SDFix\backups\backups.zip/backups/win88.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\SDFix\backups\backups.zip/backups/win8B.tmp.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\SDFix\backups\backups.zip/backups/win8D.tmp.exe Infected: Trojan-Downloader.Win32.VB.bng skipped
C:\SDFix\backups\backups.zip/backups/winCE6.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\SDFix\backups\backups.zip ZIP: infected - 8 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP21\A0001905.dll Infected: Trojan-Downloader.Win32.Agent.dlu skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP24\A0001967.exe Infected: not-virus:Hoax.Win32.Renos.kj skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP25\A0001990.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP25\A0002005.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP25\A0002006.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP25\A0002012.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP25\A0002018.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP25\A0002042.exe/{3C8376AD-88DA-4196-89C7-BA8BDE67EAB2}.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP25\A0002042.exe ZIP: infected - 1 skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP25\A0002064.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP25\A0002091.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP25\A0002092.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP25\A0002175.exe Infected: not-virus:Hoax.Win32.Renos.kj skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP25\A0002194.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP25\A0002195.exe Infected: Trojan-Downloader.Win32.Agent.ejh skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP25\A0002196.exe Infected: Trojan-Downloader.Win32.PurityScan.ej skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP25\A0002201.exe Infected: Sniffer.Win32.WpePro.a skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP25\A0002202.dll Infected: Sniffer.Win32.WpePro.a skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP25\A0002203.exe Infected: Sniffer.Win32.WpePro.a skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP25\A0002204.dll Infected: Sniffer.Win32.WpePro.a skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP25\A0002211.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP26\A0002706.exe Infected: Trojan-Downloader.Win32.Alphabet.aa skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP26\A0002776.exe Infected: Trojan-Downloader.Win32.Agent.bud skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP26\A0002778.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP26\A0002781.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003118.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003122.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003124.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003125.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003126.exe Infected: Trojan-Downloader.Win32.VB.bng skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003127.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003128.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003129.exe Infected: Trojan-Downloader.Win32.VB.bng skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003130.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003243.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Agent.ejh skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003243.exe/data.rar/crack.exe Infected: Trojan-Downloader.Win32.Agent.dlu skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003243.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.vj skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003243.exe/data.rar/install.exe Infected: Backdoor.Win32.IRCBot.ajo skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003243.exe/data.rar Infected: Backdoor.Win32.IRCBot.ajo skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003243.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003245.exe Infected: Backdoor.Win32.IRCBot.ajo skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003246.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Agent.ejh skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003246.exe/data.rar/crack.exe Infected: Trojan-Downloader.Win32.Agent.dlu skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003246.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.vj skipped

ghosterman3
2007-10-21, 06:05
2 of 2

C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003246.exe/data.rar/install.exe Infected: Backdoor.Win32.IRCBot.ajo skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003246.exe/data.rar Infected: Backdoor.Win32.IRCBot.ajo skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003246.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP38\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\bfwoyglr.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cescduvu.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\diguwscy.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\dlbpvicv.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drvcih.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\WINDOWS\system32\drvtun.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\WINDOWS\system32\drvxoj.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\WINDOWS\system32\efxljcpm.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\enrncggx.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\fjgrsttd.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\frhfpmqf.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\iiinvpxm.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\jllaposa.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\jthpjkfm.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\kiawdaux.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\loimnsqr.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\myafgodk.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\nigvxsne.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\nisgefdq.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\qmctpqlt.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\qphycysw.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\rojcwxco.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\sfhgbqrg.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\vwthegkp.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xqafcwqd.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\yrbxbpst.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP26\A0002726.dll Infected: Trojan-PSW.Win32.LdPinch.bjx skipped
D:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP26\A0002729.dll Infected: Trojan-PSW.Win32.LdPinch.bjx skipped
D:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP38\change.log Object is locked skipped

Scan process completed.

pskelley
2007-10-21, 15:23
Follow the instructions carefully:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< delete the contents of that file in RED

C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{835D3B99-522B-4CC5-A7BB-F34EA936C231}\{EC2FD06F-D16B-4C0A-B404-ABFC74CF10FC}.exe/{EC2FD06F-D16B-4C0A-B404-ABFC74CF10FC}.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped
You have infected files in System Mechanic, never seen this before. Can you uninstall the complete program, and install it clean?

C:\SDFix\backups\ <<< delete all SDFix, files and folders

Be careful when you do this, perhaps print them and cross them off when you delete them. Go into that C:\WINDOWS\system32\ and delete all of these files in red.

C:\WINDOWS\system32\drvcih.dll
C:\WINDOWS\system32\drvtun.dll
C:\WINDOWS\system32\drvxoj.dll
C:\WINDOWS\system32\efxljcpm.exe
C:\WINDOWS\system32\enrncggx.exe
C:\WINDOWS\system32\fjgrsttd.exe
C:\WINDOWS\system32\frhfpmqf.exe
C:\WINDOWS\system32\iiinvpxm.exe
C:\WINDOWS\system32\jllaposa.exe
C:\WINDOWS\system32\jthpjkfm.exe
C:\WINDOWS\system32\kiawdaux.exe
C:\WINDOWS\system32\loimnsqr.exe
C:\WINDOWS\system32\myafgodk.exe
C:\WINDOWS\system32\nigvxsne.exe
C:\WINDOWS\system32\nisgefdq.exe
C:\WINDOWS\system32\qmctpqlt.exe
C:\WINDOWS\system32\qphycysw.exe
C:\WINDOWS\system32\rojcwxco.exe
C:\WINDOWS\system32\sfhgbqrg.exe
C:\WINDOWS\system32\vwthegkp.exe
C:\WINDOWS\system32\xqafcwqd.exe
C:\WINDOWS\system32\yrbxbpst.exe

When all of the above instructions have been followed, then clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Run a new Kaspersky scan and post it.

Thanks
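
pskelley's reply above sorts the Kaspersky findings by where they sit: the Spybot recovery folder, SDFix backups and System Mechanic's undo folder (quarantined copies), files that are still live in C:\WINDOWS\system32\, and System Restore points. The Python script below, added here as an illustration and not part of the thread or of any tool mentioned in it, parses report lines in the format shown above and does that grouping automatically. The location rules and the handful of sample lines (copied from the report posted above) are the example's own; the class names such as tool_quarantine and live_system32 are labels chosen for this example. "Object is locked" entries (registry hives, event logs, index.dat) are counted separately because they are held open by Windows, not detections.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the Kaspersky Online Scanner
# report posted in this thread (the full report lists 110 infected objects).
SAMPLE_REPORT = [
    r"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/wintuh32.dll Infected: Trojan.Win32.Dialer.qn skipped",
    r"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip ZIP: infected - 1 skipped",
    r"C:\WINDOWS\system32\config\SAM Object is locked skipped",
    r"C:\SDFix\backups\backups.zip/backups/mgrs.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped",
    r"C:\SDFix\backups\backups.zip ZIP: infected - 8 skipped",
    r"C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003243.exe/data.rar/install.exe Infected: Backdoor.Win32.IRCBot.ajo skipped",
    r"C:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP35\A0003243.exe RarSFX: infected - 5 skipped",
    r"C:\WINDOWS\system32\drvcih.dll Infected: Trojan.Win32.Dialer.qn skipped",
    r"C:\WINDOWS\system32\myafgodk.exe Infected: Trojan.Win32.Agent.bck skipped",
    r"C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{098A58E8-8C18-44C8-B80F-4C0A94E371C5}\{E82C857C-732F-408B-97F4-6D9827BAAE44}.dll/{E82C857C-732F-408B-97F4-6D9827BAAE44}.dll Infected: Trojan.Win32.Dialer.qn skipped",
    r"D:\System Volume Information\_restore{5130E11D-1AB5-459C-AC4A-1D0A8F97BC15}\RP26\A0002726.dll Infected: Trojan-PSW.Win32.LdPinch.bjx skipped",
]

# One report line is "<path> <status> skipped". The path may contain spaces and
# an archive-member suffix ("archive.zip/member.exe"), so it is matched lazily
# up to one of the three status forms that occur in the report.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)"
    r"|(?P<container>ZIP|RarSFX): infected - (?P<count>\d+)"
    r"|(?P<locked>Object is locked))"
    r" skipped$"
)

# Location classes; first matching rule wins (the rules are this example's own).
LOCATION_RULES = [
    ("system_restore", re.compile(r"\\System Volume Information\\_restore", re.I)),
    ("tool_quarantine", re.compile(
        r"\\Spybot - Search & Destroy\\Recovery\\"
        r"|\\SDFix\\backups\\"
        r"|\\System Mechanic Professional 6\\Undo\\", re.I)),
    ("live_system32", re.compile(r"^C:\\WINDOWS\\system32\\", re.I)),
]


def classify_location(path):
    """Map a reported path to one of the location classes above, else 'other'."""
    for label, rx in LOCATION_RULES:
        if rx.search(path):
            return label
    return "other"


def parse_report(lines):
    """Turn report lines into findings; headers, blanks and statistics are skipped."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m.group("locked"):
            kind = "locked"        # held open by the OS, not a detection
        elif m.group("container"):
            kind = "container"     # archive summary; its members are listed separately
        else:
            kind = "infected"
        findings.append({
            "path": m.group("path"),
            "kind": kind,
            "name": m.group("name"),
            "location": classify_location(m.group("path")),
        })
    return findings


def triage(findings):
    """Count detections per location and name, and list live files to act on first."""
    infected = [f for f in findings if f["kind"] == "infected"]
    return {
        "per_location": Counter(f["location"] for f in infected),
        "detections": Counter(f["name"] for f in infected),
        "live_files": sorted(f["path"] for f in infected
                             if f["location"] == "live_system32"),
        "locked_objects": sum(1 for f in findings if f["kind"] == "locked"),
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for location, n in summary["per_location"].most_common():
        print(f"{location:16} {n}")
    print("live files to deal with first:", *summary["live_files"], sep="\n  ")
```

Archive summary lines ("ZIP: infected - 8") are kept apart from member lines so the same object is not counted twice, and only the live_system32 class is an immediate action item: quarantine folders and restore points are dealt with by removing the tool folders and flushing System Restore, which is exactly the order of steps in the reply above.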

ghosterman3
2007-10-22, 08:46
OK, I did Spybot S&D, the SDFix, and all the system32 stuff, but when I tried to remove System Mechanic it said unins000.bat does not exist and it won't remove.

pskelley
2007-10-22, 15:35
Did you purchase System Mechanic? I know nothing about the product other than Kaspersky is showing it is infected.
http://www.iolo.com/customercare/technicalsupport.aspx

Check with Technical Support, look on the box the product came in and you may find a toll free phone number. You may have to uninstall the product and reinstall it. Tech Support will have to tell you that.

This is what kaspersky says it is infected with: Trojan-Downloader.Win32.Alphabet.c
http://www.emsisoft.com/en/malware/?Trojan-Downloader.Win32.Alphabet.c

I am sorry this junk is harder to remove than it is to get on your computer.

Thanks

ghosterman3
2007-10-23, 04:40
Yeah, I have been looking for the box, but I also work 12 hour shifts and have a newborn son, so sometimes it's hard to find a little free time.. sorry! I will post as soon as I find it and remove it, then I will finish and post everything!!

tashi
2007-11-06, 01:27
How is it going, ghosterman3? :)

pskelley
2007-11-06, 15:29
This topic is closed due to lack of a response.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks