Virtumonde.generic is closing me down



harvey61
2007-11-19, 17:22
I'm having a whole heap of pop-ups appearing, directing me to anti-virus sites. After reading through other posts here and scanning with Spybot, it has recognised Virtumonde and others.
Anyone help in the removal of these REALLY annoying viruses?
I've had to restart in Safe Mode as I have no control of the Desktop.
Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:14:24, on 19/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Documents and Settings\Melanie\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: IE Custom Tools - {70CC76D5-A4EE-4F25-9931-B109A63E298E} - D:\Program Files\Video Add-on\ictmdl.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\ldzdcacs.dll
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] D:\WINDOWS\sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Host Process] D:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [runner1] D:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [Escritorio movistar] "D:\Program Files\Telefónica Móviles\Escritorio movistar\EMMSN.exe" -systray
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Insider] D:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [Hcwm] "D:\WINDOWS\RACLE~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Bic] D:\WINDOWS\?icrosoft.NET\r?gsvr32.exe
O4 - HKCU\..\Run: [WinTouch] D:\Documents and Settings\Melanie\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] D:\Documents and Settings\Melanie\Application Data\Microsoft\Windows\ckwif.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179065018187
O20 - AppInit_DLLs: D:\WINDOWS\system32\__c00C40.dat
O22 - SharedTaskScheduler: doglike - {3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea} - D:\WINDOWS\system32\fftktmk.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - D:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - D:\WINDOWS\system32\o2flash.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 4808 bytes
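
The log above is the raw material the helper works from; as an added example (not code from the thread or from any of the tools it names), here is a small triage script that parses a few constructed lines in HijackThis O-line format, built from the indicator patterns visible in this log, and flags the autorun, AppInit_DLLs, BHO and SharedTaskScheduler entries that deserve a second look. The SharedTaskScheduler allowlist and the "system binary" set are assumptions drawn from a default Windows XP install.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re

# Constructed sample in HijackThis O-line format, using the indicator patterns
# visible in this thread's logs (a few benign entries are included as controls).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {727706B1-7EFF-4F5B-B512-42D4CAE8A6BB} - D:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Host Process] D:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [runner1] D:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [Bic] D:\WINDOWS\?icrosoft.NET\r?gsvr32.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O20 - AppInit_DLLs: D:\WINDOWS\system32\__c00C40.dat
O22 - SharedTaskScheduler: doglike - {3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea} - D:\WINDOWS\system32\fftktmk.dll
"""

# Binaries that should only ever start from the Windows or system32 directory (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "csrss.exe", "explorer.exe"}
# The two SharedTaskScheduler entries present on a default Windows XP install (assumed).
DEFAULT_STS = {"browseui preloader", "component categories cache daemon"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O22_RE = re.compile(r"^O22 - SharedTaskScheduler: (?P<name>.*?) - \{[^}]+\} - (?P<path>.*)$")
HEX_BLOB_RE = re.compile(r"^[0-9A-Fa-f]{32,}$")


def split_command(cmd):
    """Split an O4 command string into (executable path, arguments)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    # Unquoted paths can contain spaces, so cut after the first '.exe' token.
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    return cmd, ""


def in_system_dir(path):
    """True when the file sits directly in \\WINDOWS\\ or \\WINDOWS\\system32\\."""
    folder = path.lower().rsplit("\\", 1)[0] + "\\"
    return folder.endswith("\\windows\\") or folder.endswith("\\windows\\system32\\")


def triage_line(line):
    """Return a list of (severity, reason) findings for one HijackThis line."""
    findings = []
    if line.startswith("O20 - AppInit_DLLs:"):
        value = line.partition(": ")[2]
        note = "AppInit_DLLs injects this file into every process that loads user32.dll"
        if not value.lower().endswith(".dll"):
            note += "; the file does not even carry a .dll extension"
        findings.append(("high", note))
    elif m := O4_RE.match(line):
        exe, args = split_command(m["cmd"])
        base = exe.rsplit("\\", 1)[-1].lower()
        if "?" in exe:
            # HijackThis prints '?' for characters it cannot display, so the
            # folder only resembles a system directory name.
            findings.append(("high", "non-displayable character in autorun path"))
        if base in SYSTEM_BINARIES and not in_system_dir(exe):
            findings.append(("high", f"{base} running from an unexpected directory"))
        if HEX_BLOB_RE.match(args):
            findings.append(("medium", "long hex token passed on the command line"))
    elif m := O2_RE.match(line):
        path = m["path"].lower()
        if m["name"] == "(no name)" and ("(file missing)" in path or "\\system32\\" in path):
            findings.append(("medium", "unnamed BHO in system32 or pointing at a missing file; verify the CLSID"))
    elif m := O22_RE.match(line):
        if m["name"].lower() not in DEFAULT_STS:
            findings.append(("high", "non-default SharedTaskScheduler entry, loaded by Explorer at logon"))
    return findings


def triage_log(text):
    """Map each flagged line to its findings; lines with no findings are omitted."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and (found := triage_line(line)):
            report[line] = found
    return report


if __name__ == "__main__":
    for line, found in triage_log(SAMPLE_LOG).items():
        for severity, reason in found:
            print(f"[{severity}] {line}\n         {reason}")
```

Run against the sample, the six flagged lines are exactly the entries the thread's later VundoFix and SmitfraudFix runs went after, while the AVG, Java and Messenger controls pass clean.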

random/random
2007-11-21, 00:30
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.exe) (by S!Ri)

Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Please download show-vundo.vbs (http://linhadefensiva.uol.com.br/files/vbs/show-vundo.vbs) to your desktop
Double-click show-vundo.vbs to run it.
When completed, it will open a notepad window
Copy and paste the contents of that window as a reply to this topic, along with C:\vundofix.txt, the smitfraudfix log and a new HijackThis log

harvey61
2007-11-21, 12:51
Firstly, thanks for answering my post. The problem seems to be getting worse. I now have erratic control of any windows on the desktop. I can click on them once and they grey out preventing me from interacting. I have eventually managed to get all the info you require:


VundoFix V6.6.2

Checking Java version...

Scan started at 10:25:45 21/11/2007

Listing files found while scanning....

D:\windows\system32\__c00C40.dat
D:\WINDOWS\system32\ldzdcacs.dll
D:\windows\system32\ldzdcacs.dllbox

Beginning removal...

VundoFix V6.6.2

Checking Java version...

Scan started at 10:44:37 21/11/2007

Listing files found while scanning....

D:\windows\system32\__c00C40.dat
D:\WINDOWS\system32\ldzdcacs.dll
D:\windows\system32\ldzdcacs.dllbox

Beginning removal...

Attempting to delete D:\windows\system32\__c00C40.dat
D:\windows\system32\__c00C40.dat Could not be deleted.

Attempting to delete D:\windows\system32\ldzdcacs.dllbox
D:\windows\system32\ldzdcacs.dllbox Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 11:01:47 21/11/2007

Listing files found while scanning....

D:\windows\system32\__c00C40.dat

Beginning removal...

Attempting to delete D:\windows\system32\__c00C40.dat
D:\windows\system32\__c00C40.dat Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 11:12:43 21/11/2007

Listing files found while scanning....

D:\windows\system32\__c00C40.dat

Beginning removal...

Attempting to delete D:\windows\system32\__c00C40.dat
D:\windows\system32\__c00C40.dat Could not be deleted.

Performing Repairs to the registry.
Done!

=======================================

SmitFraudFix v2.253

Scan done at 10:21:06.87, 21/11/2007
Run from G:\Fix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\bmwebcfg.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\o2flash.exe
D:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\sm56hlpr.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Telefónica Móviles\Escritorio movistar\EMMSN.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Insider\Insider.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» D:\


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Melanie


»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Melanie\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

D:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
D:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» D:\DOCUME~1\Melanie\FAVORI~1

D:\DOCUME~1\Melanie\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» D:\Program Files

D:\Program Files\Video Add-on\ FOUND !
D:\Program Files\VirusProtect 3.8\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea}"="doglike"

[HKEY_CLASSES_ROOT\CLSID\{3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea}\InProcServer32]
@="D:\WINDOWS\system32\fftktmk.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea}\InProcServer32]
@="D:\WINDOWS\system32\fftktmk.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="D:\\WINDOWS\\system32\\__c00C40.dat"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

=========================================


=================================================
Relatório | BHOs, Winlogon Notify e AppInit_DLLs
=================================================
AppInit_DLLs
-------------------------------------------------

D:\WINDOWS\system32\__c00C40.dat


-------------------------------------------------
Authentication Packages
-------------------------------------------------

[1] msv1_0
[2] D:\WINDOWS\system32\gebya.dll


-------------------------------------------------
Security Providers
-------------------------------------------------

msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


-------------------------------------------------
Explorer Execute Hooks
-------------------------------------------------

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="shell32.dll"


-------------------------------------------------
Browser Helper Objects
-------------------------------------------------

[HKLM\SOFTWARE\Classes\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\]
Adobe PDF Reader Link Helper | [Indefinido]
D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


[HKLM\SOFTWARE\Classes\CLSID\{23B760D6-C98B-450B-9B32-26C7775CDF83}\]
[Indefinido] | [Indefinido]
D:\Program Files\Video Add-on\isfmdl.dll


[HKLM\SOFTWARE\Classes\CLSID\{4B81F49F-DF9E-4A9F-829F-BD1F9F064F77}\]
[Indefinido] | [Indefinido]
D:\Program Files\MSN\hopeset4444.dll


[HKLM\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\]
[Indefinido] | [Indefinido]
D:\PROGRA~1\SPYBOT~1\SDHelper.dll


[HKLM\SOFTWARE\Classes\CLSID\{727706B1-7EFF-4F5B-B512-42D4CAE8A6BB}\]
[Indefinido] | [Indefinido]
D:\WINDOWS\system32\gebya.dll


[HKLM\SOFTWARE\Classes\CLSID\{74fd23bb-2c30-41be-8160-cb6b435569f7}\]
[Indefinido] | {7f965534-b6bc-0618-eb14-03c2bb32df47}
D:\WINDOWS\system32\ikiandaq.dll


[HKLM\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\]
SSVHelper Class | [Indefinido]
D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


[HKLM\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\]
[Indefinido] | [Indefinido]
[Indefinido]


[HKLM\SOFTWARE\Classes\CLSID\{BD2A5213-D149-4269-8F5B-5FA9C8ABF72E}\]
[Indefinido] | [Indefinido]
D:\Program Files\MSN\hopeset83122.dll


[HKLM\SOFTWARE\Classes\CLSID\{BDDF8867-4189-795B-8B2B-31E607800DC2}\]
[Indefinido] | [Indefinido]
D:\WINDOWS\system32\mxavivbb.dll



-------------------------------------------------
Winlogon Notify
-------------------------------------------------


[Padrão] crypt32chain : crypt32.dll

[Padrão] cryptnet : cryptnet.dll

[Padrão] cscdll : cscdll.dll

[Padrão] igfxcui : igfxdev.dll

[Padrão] ScCertProp : wlnotify.dll

[Padrão] Schedule : wlnotify.dll

[Padrão] sclgntfy : sclgntfy.dll

[Padrão] SensLogn : WlNotify.dll

[Padrão] termsrv : wlnotify.dll

[Nova] WgaLogon : WgaLogon.dll

[Padrão] wlballoon : wlnotify.dll


Esta NÃO É uma lista de arquivos maliciosos!

harvey61
2007-11-21, 12:55
And here is the latest HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:05, on 21/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\bmwebcfg.exe
D:\WINDOWS\system32\o2flash.exe
D:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\sm56hlpr.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Telefónica Móviles\Escritorio movistar\EMMSN.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Insider\Insider.exe
D:\WINDOWS\?icrosoft.NET\r?gsvr32.exe
D:\Program Files\Telefónica Móviles\Escritorio movistar\bmctl.exe
D:\WINDOWS\system32\notepad.exe
D:\Documents and Settings\Melanie\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23B760D6-C98B-450B-9B32-26C7775CDF83} - D:\Program Files\Video Add-on\isfmdl.dll (file missing)
O2 - BHO: (no name) - {4B81F49F-DF9E-4A9F-829F-BD1F9F064F77} - D:\Program Files\MSN\hopeset4444.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {727706B1-7EFF-4F5B-B512-42D4CAE8A6BB} - D:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: {7f965534-b6bc-0618-eb14-03c2bb32df47} - {74fd23bb-2c30-41be-8160-cb6b435569f7} - D:\WINDOWS\system32\ikiandaq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BD2A5213-D149-4269-8F5B-5FA9C8ABF72E} - D:\Program Files\MSN\hopeset83122.dll
O2 - BHO: (no name) - {BDDF8867-4189-795B-8B2B-31E607800DC2} - D:\WINDOWS\system32\mxavivbb.dll
O3 - Toolbar: IE Custom Tools - {70CC76D5-A4EE-4F25-9931-B109A63E298E} - D:\Program Files\Video Add-on\ictmdl.dll (file missing)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] D:\WINDOWS\sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Escritorio movistar] "D:\Program Files\Telefónica Móviles\Escritorio movistar\EMMSN.exe" -systray
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Insider] D:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [Bic] D:\WINDOWS\?icrosoft.NET\r?gsvr32.exe
O4 - HKCU\..\Run: [WinTouch] D:\Documents and Settings\Melanie\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] D:\Documents and Settings\Melanie\Application Data\Microsoft\Windows\ckwif.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179065018187
O20 - AppInit_DLLs: D:\WINDOWS\system32\__c00C40.dat
O22 - SharedTaskScheduler: doglike - {3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea} - D:\WINDOWS\system32\fftktmk.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - D:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - D:\WINDOWS\system32\o2flash.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 6643 bytes

random/random
2007-11-21, 16:47
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

To assist diagnosis I would like a list of installed programs.

Open HijackThis and select Open the Misc Tools section
Click on the Open Uninstall Manager…
Select the Save List button
I suggest that you accept the default name of uninstall_list.txt and save the file to your desktop
Close HijackThis
Double-click show-vundo.vbs to run it.
When completed, it will open a notepad window
Copy and paste the contents of that window as a reply to this topic, along with the smitfraudfix log, the uninstall list and a new HijackThis log

harvey61
2007-11-21, 21:18
=================================================
Relatório | BHOs, Winlogon Notify e AppInit_DLLs
=================================================
AppInit_DLLs
-------------------------------------------------

D:\WINDOWS\system32\__c00C40.dat


-------------------------------------------------
Authentication Packages
-------------------------------------------------

[1] msv1_0
[2] D:\WINDOWS\system32\gebya.dll


-------------------------------------------------
Security Providers
-------------------------------------------------

msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


-------------------------------------------------
Explorer Execute Hooks
-------------------------------------------------

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="shell32.dll"


-------------------------------------------------
Browser Helper Objects
-------------------------------------------------

[HKLM\SOFTWARE\Classes\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\]
Adobe PDF Reader Link Helper | [Indefinido]
D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


[HKLM\SOFTWARE\Classes\CLSID\{23B760D6-C98B-450B-9B32-26C7775CDF83}\]
[Indefinido] | [Indefinido]
D:\Program Files\Video Add-on\isfmdl.dll


[HKLM\SOFTWARE\Classes\CLSID\{4B81F49F-DF9E-4A9F-829F-BD1F9F064F77}\]
[Indefinido] | [Indefinido]
D:\Program Files\MSN\hopeset4444.dll


[HKLM\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\]
[Indefinido] | [Indefinido]
D:\PROGRA~1\SPYBOT~1\SDHelper.dll


[HKLM\SOFTWARE\Classes\CLSID\{727706B1-7EFF-4F5B-B512-42D4CAE8A6BB}\]
[Indefinido] | [Indefinido]
D:\WINDOWS\system32\gebya.dll


[HKLM\SOFTWARE\Classes\CLSID\{74fd23bb-2c30-41be-8160-cb6b435569f7}\]
[Indefinido] | {7f965534-b6bc-0618-eb14-03c2bb32df47}
D:\WINDOWS\system32\ikiandaq.dll


[HKLM\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\]
SSVHelper Class | [Indefinido]
D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


[HKLM\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\]
[Indefinido] | [Indefinido]
[Indefinido]


[HKLM\SOFTWARE\Classes\CLSID\{BD2A5213-D149-4269-8F5B-5FA9C8ABF72E}\]
[Indefinido] | [Indefinido]
D:\Program Files\MSN\hopeset83122.dll


[HKLM\SOFTWARE\Classes\CLSID\{BDDF8867-4189-795B-8B2B-31E607800DC2}\]
[Indefinido] | [Indefinido]
D:\WINDOWS\system32\mxavivbb.dll



-------------------------------------------------
Winlogon Notify
-------------------------------------------------


[Padrão] crypt32chain : crypt32.dll

[Padrão] cryptnet : cryptnet.dll

[Padrão] cscdll : cscdll.dll

[Padrão] igfxcui : igfxdev.dll

[Padrão] ScCertProp : wlnotify.dll

[Padrão] Schedule : wlnotify.dll

[Padrão] sclgntfy : sclgntfy.dll

[Padrão] SensLogn : WlNotify.dll

[Padrão] termsrv : wlnotify.dll

[Nova] WgaLogon : WgaLogon.dll

[Padrão] wlballoon : wlnotify.dll


Esta NÃO É uma lista de arquivos maliciosos!


SmitFraudFix v2.253

Scan done at 19:34:54.37, 21/11/2007
Run from G:\Fix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea}"="doglike"

[HKEY_CLASSES_ROOT\CLSID\{3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea}\InProcServer32]
@="D:\WINDOWS\system32\fftktmk.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea}\InProcServer32]
@="D:\WINDOWS\system32\fftktmk.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

D:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
D:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
D:\DOCUME~1\Melanie\FAVORI~1\Online Security Test.url Deleted
D:\Program Files\Video Add-on\ Deleted
D:\Program Files\VirusProtect 3.8\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea}"="doglike"

[HKEY_CLASSES_ROOT\CLSID\{3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea}\InProcServer32]
@="D:\WINDOWS\system32\fftktmk.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea}\InProcServer32]
@="D:\WINDOWS\system32\fftktmk.dll"



»»»»»»»»»»»»»»»»»»»»»»»» End

AC-3 ACM Decompressor
Adobe Flash Player ActiveX
Adobe Reader 8
Apple Software Update
Audio-Video Enhance
AVG 7.5
CCleaner (remove only)
DivX
Escritorio movistar
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB935448)
Intel(R) Graphics Media Accelerator Driver
Java 2 Runtime Environment, SE v1.4.2_12
Java(TM) 6 Update 3
Motorola SM56 Speakerphone Modem
Mozilla Firefox (2.0.0.3)
Nero 7 Premium
O2Micro Flash Memory Card Windows Driver V3.00
PowerDVD
QuickTime
Real Alternative 1.50
Realtek High Definition Audio Driver
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB943460)
Spybot - Search & Destroy 1.4
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
XviD 1.1 final uninstall

===================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:46:42, on 21/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\bmwebcfg.exe
D:\WINDOWS\system32\o2flash.exe
D:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\sm56hlpr.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Telefónica Móviles\Escritorio movistar\EMMSN.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Insider\Insider.exe
D:\WINDOWS\?icrosoft.NET\r?gsvr32.exe
D:\Program Files\Telefónica Móviles\Escritorio movistar\bmctl.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Melanie\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23B760D6-C98B-450B-9B32-26C7775CDF83} - D:\Program Files\Video Add-on\isfmdl.dll (file missing)
O2 - BHO: (no name) - {4B81F49F-DF9E-4A9F-829F-BD1F9F064F77} - D:\Program Files\MSN\hopeset4444.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {727706B1-7EFF-4F5B-B512-42D4CAE8A6BB} - D:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: {7f965534-b6bc-0618-eb14-03c2bb32df47} - {74fd23bb-2c30-41be-8160-cb6b435569f7} - D:\WINDOWS\system32\ikiandaq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BD2A5213-D149-4269-8F5B-5FA9C8ABF72E} - D:\Program Files\MSN\hopeset83122.dll
O2 - BHO: (no name) - {BDDF8867-4189-795B-8B2B-31E607800DC2} - D:\WINDOWS\system32\mxavivbb.dll
O3 - Toolbar: IE Custom Tools - {70CC76D5-A4EE-4F25-9931-B109A63E298E} - D:\Program Files\Video Add-on\ictmdl.dll (file missing)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] D:\WINDOWS\sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Escritorio movistar] "D:\Program Files\Telefónica Móviles\Escritorio movistar\EMMSN.exe" -systray
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Insider] D:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [Bic] D:\WINDOWS\?icrosoft.NET\r?gsvr32.exe
O4 - HKCU\..\Run: [WinTouch] D:\Documents and Settings\Melanie\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] D:\Documents and Settings\Melanie\Application Data\Microsoft\Windows\ckwif.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179065018187
O20 - AppInit_DLLs: D:\WINDOWS\system32\__c00C40.dat
O22 - SharedTaskScheduler: doglike - {3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea} - D:\WINDOWS\system32\fftktmk.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - D:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - D:\WINDOWS\system32\o2flash.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 6565 bytes

random/random
2007-11-21, 22:26
Go to Start > Control Panel > Add or Remove Programs.

Remove the following program

Java 2 Runtime Environment, SE v1.4.2_12 << this is an outdated and vulnerable version of Java



Run HijackThis
Click on Open the Misc Tools section
Click Delete a file on reboot
Find and select this file:
D:\WINDOWS\SYSTEM32\__c00C40.dat
Click Open
You will be asked if you want to restart your computer, click Yes
Your computer will be restarted


Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

harvey61
2007-11-22, 14:20
These little tweaks and deletions are certainly having the desired effect... just like a slow working medicine. I have no pop-ups, and have control back on my desktop. Thanks. One more pill?!

Please find below the details you requested:


SDFix: Version 1.115

Run by Melanie on 22/11/2007 at 13:03

Microsoft Windows XP [Version 5.1.2600]

Running From: D:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

D:\X.DAT - Deleted
D:\Z.DAT - Deleted
D:\DOCUME~1\MELANIE\APPLIC~1\MICROS~1\WINDOWS\CKWIF.EXE - Deleted
D:\Documents and Settings\Melanie\Application Data\WinTouch\wintouch.cfg - Deleted
D:\Documents and Settings\Melanie\Application Data\WinTouch\WinTouch.exe - Deleted
D:\Documents and Settings\Melanie\x.dat - Deleted
D:\Documents and Settings\Melanie\z.dat - Deleted
D:\Documents and Settings\Melanie\f.exe - Deleted
D:\Program Files\Insider\Insider.exe - Deleted
D:\Program Files\Insider\UnInstall.exe - Deleted
D:\n.bat - Deleted
D:\WINDOWS\b147.exe - Deleted
D:\WINDOWS\Fonts\Crack.exe - Deleted
D:\WINDOWS\system32\pac.txt - Deleted
D:\WINDOWS\TTC-4444.exe - Deleted
D:\WINDOWS\Fonts\*.zip - 1 File(s) 637,938 bytes - Deleted
D:\WINDOWS\Fonts\'\*.zip - 1451 File(s) 925,649,489 bytes - Deleted

x.dat and z.dat data copied to \SDFix\Data.txt


Folder D:\Documents and Settings\Melanie\Application Data\WinTouch - Removed
Folder D:\Program Files\Insider - Removed
Folder D:\Program Files\Temporary - Removed
Folder D:\WINDOWS\Fonts\' - Removed
Folder D:\WINDOWS\system32\f1 - Removed
Folder D:\WINDOWS\system32\rMa18yy - Removed

Removing Temp Files...

ADS Check:

D:\WINDOWS
No streams found.

D:\WINDOWS\system32
No streams found.

D:\WINDOWS\system32\svchost.exe
No streams found.

D:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-22 13:09:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"D:\\Program Files\\MSN Messenger\\livecall.exe"="D:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"D:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="D:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"D:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="D:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"D:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="D:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"D:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="D:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"F:\\LimeWire\\LimeWire.exe"="F:\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"D:\\Documents and Settings\\Melanie\\Desktop\\LimeWire\\LimeWire.exe"="D:\\Documents and Settings\\Melanie\\Desktop\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"D:\\WINDOWS\\system32\\jtlakpvc.exe"="D:\\WINDOWS\\system32\\jtl"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"D:\\Program Files\\MSN Messenger\\livecall.exe"="D:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - D:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 1 Nov 2007 230,400 ..SHR --- "D:\WINDOWS\?icrosoft.NET\r?gsvr32.exe"
Fri 16 Nov 2007 72,704 ..SHR --- "D:\WINDOWS\?racle\javaw.exe"
Sun 28 Oct 2007 0 A..H. --- "D:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT1.tmp"

Finished!

=======================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:15:12, on 22/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\bmwebcfg.exe
D:\WINDOWS\system32\o2flash.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\system32\igfxsrvc.exe
D:\WINDOWS\sm56hlpr.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Telefónica Móviles\Escritorio movistar\EMMSN.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\?icrosoft.NET\r?gsvr32.exe
D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
D:\Program Files\Telefónica Móviles\Escritorio movistar\bmctl.exe
D:\Documents and Settings\Melanie\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23B760D6-C98B-450B-9B32-26C7775CDF83} - D:\Program Files\Video Add-on\isfmdl.dll (file missing)
O2 - BHO: (no name) - {4B81F49F-DF9E-4A9F-829F-BD1F9F064F77} - D:\Program Files\MSN\hopeset4444.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {727706B1-7EFF-4F5B-B512-42D4CAE8A6BB} - D:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: {7f965534-b6bc-0618-eb14-03c2bb32df47} - {74fd23bb-2c30-41be-8160-cb6b435569f7} - D:\WINDOWS\system32\ikiandaq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BD2A5213-D149-4269-8F5B-5FA9C8ABF72E} - D:\Program Files\MSN\hopeset83122.dll
O2 - BHO: (no name) - {BDDF8867-4189-795B-8B2B-31E607800DC2} - D:\WINDOWS\system32\mxavivbb.dll
O3 - Toolbar: IE Custom Tools - {70CC76D5-A4EE-4F25-9931-B109A63E298E} - D:\Program Files\Video Add-on\ictmdl.dll (file missing)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] D:\WINDOWS\sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Escritorio movistar] "D:\Program Files\Telefónica Móviles\Escritorio movistar\EMMSN.exe" -systray
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Bic] D:\WINDOWS\?icrosoft.NET\r?gsvr32.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179065018187
O20 - AppInit_DLLs: D:\WINDOWS\system32\__c00C40.dat
O22 - SharedTaskScheduler: doglike - {3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea} - D:\WINDOWS\system32\fftktmk.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - D:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - D:\WINDOWS\system32\o2flash.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 6323 bytes

random/random
2007-11-22, 17:13
You have signs of a Keylogger on your computer.

You are strongly advised to do the following immediately:

1. Call all of your banks, credit card companies, and financial institutions. Inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information.

You can see some of the passwords the keylogger stole by opening this file in notepad:

D:\SDFix\Data.txt


Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:

Hide extensions for known file types
Hide protected operating system files (Recommended)

You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:

Show hidden files and folders

Click Apply and then click OK


Backup Your Registry with ERUNT
Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
For version with the Installer:
Use the setup program to install ERUNT on your computer
For the zipped version:
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Copy the contents of the following codebox to a notepad window


REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"D:\\WINDOWS\\system32\\jtlakpvc.exe"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Save it to the desktop as fix.reg, making sure save as type is set to all files

Locate Fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

O2 - BHO: (no name) - {23B760D6-C98B-450B-9B32-26C7775CDF83} - D:\Program Files\Video Add-on\isfmdl.dll (file missing)
O2 - BHO: (no name) - {4B81F49F-DF9E-4A9F-829F-BD1F9F064F77} - D:\Program Files\MSN\hopeset4444.dll
O2 - BHO: (no name) - {727706B1-7EFF-4F5B-B512-42D4CAE8A6BB} - D:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: {7f965534-b6bc-0618-eb14-03c2bb32df47} - {74fd23bb-2c30-41be-8160-cb6b435569f7} - D:\WINDOWS\system32\ikiandaq.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BD2A5213-D149-4269-8F5B-5FA9C8ABF72E} - D:\Program Files\MSN\hopeset83122.dll
O2 - BHO: (no name) - {BDDF8867-4189-795B-8B2B-31E607800DC2} - D:\WINDOWS\system32\mxavivbb.dll
O3 - Toolbar: IE Custom Tools - {70CC76D5-A4EE-4F25-9931-B109A63E298E} - D:\Program Files\Video Add-on\ictmdl.dll (file missing)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKCU\..\Run: D:\WINDOWS\?icrosoft.NET\r?gsvr32.exe
O20 - AppInit_DLLs: D:\WINDOWS\system32\__c00C40.dat
O22 - SharedTaskScheduler: doglike - {3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea} - D:\WINDOWS\system32\fftktmk.dll (file missing)

Then close all windows except HijackThis and click Fix Checked

Restart

Use windows explorer to find and delete these files:

D:\Program Files\MSN\hopeset4444.dll
D:\Program Files\MSN\hopeset83122.dll
D:\WINDOWS\system32\mxavivbb.dll
D:\WINDOWS\system32\__c00C40.dat
D:\WINDOWS\system32\fftktmk.dll

And these folders:

D:\WINDOWS\?icrosoft.NET\ << ? could be any character
D:\Program Files\Video Add-on\

As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'


Double-click show-vundo.vbs to run it.
When completed, it will open a notepad window
Copy and paste the contents of that window as a reply to this topic


Then post a new HijackThis log and a description of any remaining problems
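
A note on what the fix.reg above actually does, with an added example that is not code from this thread, from HijackThis or from any tool named here. In REGEDIT4 syntax a value line ending in `=-` deletes that value, and `hex(7):` is a REG_MULTI_SZ whose comma-separated bytes are 8-bit ANSI text in a REGEDIT4 file (the newer "Windows Registry Editor Version 5.00" format stores UTF-16LE instead, which is why the encoding is a parameter below). The bytes `6d,73,76,31,5f,30,00,00` decode to `msv1_0` followed by the double NUL that ends a multi-string, so the second key resets LSA's Authentication Packages to the single package a stock XP install has; any extra DLL named there is loaded into lsass.exe at boot and sees every logon credential. The parser only understands the subset of .reg syntax the fix uses, and the `DEFAULT_AUTH_PACKAGES` list is the XP default as an assumption for this example.

```python
"""Parse a REGEDIT4 fix file and explain what merging it will do.

Added example; not code from the thread or from any tool named in it.
Understands only the .reg subset used in the fix above: REG_SZ values,
value deletion ("name"=-) and hex(7) REG_MULTI_SZ data.
"""
import re

# Constructed input: the fix.reg body posted above, verbatim.
FIX_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"D:\\WINDOWS\\system32\\jtlakpvc.exe"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
'''

# Assumption: LSA on a stock Windows XP box lists exactly this one package.
DEFAULT_AUTH_PACKAGES = ["msv1_0"]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def decode_multi_sz(hex_body: str, encoding: str = "latin-1") -> list[str]:
    """Decode the comma-separated bytes of a hex(7) value into its strings.

    REGEDIT4 stores hex(7) as 8-bit ANSI text; 'Windows Registry Editor
    Version 5.00' files store UTF-16LE, so pass encoding='utf-16-le' there.
    """
    raw = bytes(int(b, 16) for b in hex_body.split(",") if b.strip())
    text = raw.decode(encoding)
    # REG_MULTI_SZ is NUL-separated strings terminated by one extra NUL.
    return [s for s in text.split("\x00") if s]


def parse_reg(text: str) -> list[dict]:
    """Return one action dict per value line: key, value name, and what merging does."""
    # Long hex values are continued over lines with a trailing backslash.
    text = re.sub(r"\\\r?\n\s*", "", text)
    actions = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.upper() == "REGEDIT4":
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"unsupported .reg line: {line!r}")
        name = m.group(1).replace("\\\\", "\\")   # .reg escapes backslashes in names
        rhs = m.group(2)
        if rhs == "-":
            actions.append({"key": key, "name": name, "op": "delete"})
        elif rhs.startswith("hex(7):"):
            actions.append({"key": key, "name": name, "op": "set",
                            "type": "REG_MULTI_SZ",
                            "data": decode_multi_sz(rhs[len("hex(7):"):])})
        elif rhs.startswith('"') and rhs.endswith('"'):
            actions.append({"key": key, "name": name, "op": "set",
                            "type": "REG_SZ",
                            "data": rhs[1:-1].replace("\\\\", "\\")})
        else:
            raise ValueError(f"unsupported value syntax: {rhs!r}")
    return actions


def unexpected_auth_packages(actions: list[dict]) -> list[str]:
    """Packages written to 'Authentication Packages' that are not the XP default."""
    extra = []
    for a in actions:
        if a["op"] == "set" and a["name"].lower() == "authentication packages":
            extra += [p for p in a["data"] if p.lower() not in DEFAULT_AUTH_PACKAGES]
    return extra


if __name__ == "__main__":
    acts = parse_reg(FIX_REG)
    for a in acts:
        print(a)
    print("non-default auth packages after merge:", unexpected_auth_packages(acts))
```

Run it against a .reg you are about to merge and read the action list before double-clicking the file: a `delete` on the firewall's AuthorizedApplications list is what removes the hole jtlakpvc.exe punched for itself, and a `set` on Authentication Packages that decodes to anything beyond `msv1_0` is a sign the fix itself needs a second look.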
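
The lines the reply above picks out for Fix Checked share a handful of patterns, and they can be triaged mechanically. The following is an added example, not code from this thread, from HijackThis or from any tool named here; it encodes those patterns as rules and runs them over lines copied from the 22/11/2007 log earlier in the thread (plus two benign ones, so the rules can be seen not firing). The `KNOWN_GOOD_DLLS` set is a placeholder assumption standing in for a proper known-good database. Note that HijackThis prints `?` for any character it cannot render, which is how a look-alike folder such as `?icrosoft.NET` shows up; the O16 lines are excluded from that rule because their URLs legitimately contain `?`.

```python
"""Triage a HijackThis log for the patterns singled out in the reply above.

Added example; not code from the thread, from HijackThis or from any
tool named here. Rules:
  * O2/O3/O22 whose DLL is '(file missing)' or '(no file)': an orphaned
    registration left behind by malware or by a partial removal;
  * O2 BHO with '(no name)' and a DLL not on the known-good list;
  * a '?' in a path (outside O16 URLs): an unrenderable character, i.e. a
    look-alike name such as ?icrosoft.NET;
  * O4 HKCU Run entries launched from inside the user profile;
  * O20 AppInit_DLLs set at all (empty on a stock XP box), worse if the
    target is not even named .dll;
  * O22 SharedTaskScheduler entries with an unrecognised DLL.
"""
import re

# Assumption: placeholder for a real known-good database.
KNOWN_GOOD_DLLS = {"acroiehelper.dll", "sdhelper.dll", "ssv.dll", "browseui.dll"}

# Constructed sample: lines copied from the 22/11/2007 log above, plus the
# Adobe, Spybot and AVG lines as benign controls.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23B760D6-C98B-450B-9B32-26C7775CDF83} - D:\Program Files\Video Add-on\isfmdl.dll (file missing)
O2 - BHO: (no name) - {4B81F49F-DF9E-4A9F-829F-BD1F9F064F77} - D:\Program Files\MSN\hopeset4444.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BDDF8867-4189-795B-8B2B-31E607800DC2} - D:\WINDOWS\system32\mxavivbb.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Bic] D:\WINDOWS\?icrosoft.NET\r?gsvr32.exe
O4 - HKCU\..\Run: [SfKg6w] D:\Documents and Settings\Melanie\Application Data\Microsoft\Windows\ckwif.exe
O20 - AppInit_DLLs: D:\WINDOWS\system32\__c00C40.dat
O22 - SharedTaskScheduler: doglike - {3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea} - D:\WINDOWS\system32\fftktmk.dll (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def _target_basename(body: str) -> str:
    """Last ' - ' field of an O2/O3/O22 line, minus the status suffix, as a file name."""
    target = body.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
    return target.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[dict]:
    """Return one finding per suspicious line: section, the line, and the reasons."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.groups()
        reasons = []
        if sec in ("O2", "O3", "O22") and ("(file missing)" in body or "(no file)" in body):
            reasons.append("orphaned registration: target file is gone")
        if sec != "O16" and "?" in body:
            reasons.append("unrenderable character in path (look-alike name)")
        if sec == "O2" and "(no name)" in body and _target_basename(body) not in KNOWN_GOOD_DLLS:
            reasons.append("unnamed BHO with unrecognised DLL")
        if sec == "O4" and body.startswith("HKCU") and (
                "Documents and Settings" in body or "Application Data" in body):
            reasons.append("per-user autorun launched from inside the user profile")
        if sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs set: injected into every process that loads user32")
            if not body.lower().endswith(".dll"):
                reasons.append("AppInit_DLLs target is not even named .dll")
        if sec == "O22" and _target_basename(body) not in KNOWN_GOOD_DLLS:
            reasons.append("SharedTaskScheduler entry with unrecognised DLL")
        if reasons:
            findings.append({"section": sec, "line": raw.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], "|", f["line"])
        for r in f["reasons"]:
            print("    -", r)
```

On the sample the nine flagged lines are exactly the ones the reply tells harvey61 to fix, and the Adobe, Spybot and AVG lines pass. The rules are deliberately conservative: a "(no name)" BHO is only suspicious when its DLL is not recognised, which is why a real deployment needs a proper known-good database in place of the placeholder set.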

harvey61
2007-11-22, 21:29
Crikey.... that was worrying.

I ran HijackThis and placed checkmarks at the points you stated, then restarted.
The only file available to delete at that point was D:\WINDOWS\?icrosoft.NET\ ? was an M
The others you specified weren't listed.


=================================================
Report | BHOs, Winlogon Notify and AppInit_DLLs
=================================================
AppInit_DLLs
-------------------------------------------------

[Empty]


-------------------------------------------------
Authentication Packages
-------------------------------------------------

[1] msv1_0


-------------------------------------------------
Security Providers
-------------------------------------------------

msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


-------------------------------------------------
Explorer Execute Hooks
-------------------------------------------------

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="shell32.dll"


-------------------------------------------------
Browser Helper Objects
-------------------------------------------------

[HKLM\SOFTWARE\Classes\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\]
Adobe PDF Reader Link Helper | [Undefined]
D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


[HKLM\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\]
[Undefined] | [Undefined]
D:\PROGRA~1\SPYBOT~1\SDHelper.dll


[HKLM\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\]
SSVHelper Class | [Undefined]
D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll



-------------------------------------------------
Winlogon Notify
-------------------------------------------------


[Default] crypt32chain : crypt32.dll

[Default] cryptnet : cryptnet.dll

[Default] cscdll : cscdll.dll

[Default] igfxcui : igfxdev.dll

[Default] ScCertProp : wlnotify.dll

[Default] Schedule : wlnotify.dll

[Default] sclgntfy : sclgntfy.dll

[Default] SensLogn : WlNotify.dll

[Default] termsrv : wlnotify.dll

[New] WgaLogon : WgaLogon.dll

[Default] wlballoon : wlnotify.dll


This is NOT a list of malicious files!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:14:59, on 22/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\bmwebcfg.exe
D:\WINDOWS\system32\o2flash.exe
D:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\sm56hlpr.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Telefónica Móviles\Escritorio movistar\EMMSN.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Telefónica Móviles\Escritorio movistar\bmctl.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\system32\rundll32.exe
D:\Documents and Settings\Melanie\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] D:\WINDOWS\sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Escritorio movistar] "D:\Program Files\Telefónica Móviles\Escritorio movistar\EMMSN.exe" -systray
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = D:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179065018187
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - D:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - D:\WINDOWS\system32\o2flash.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 5141 bytes


ADDITIONALLY:
I also have another program listed in Start/All Programs that I don't recognise:

OuterInfo. When I tried to Uninstall, it told me the following link was missing:

Yazzle1560OinUninstaller.exe

random/random
2007-11-23, 21:22
Outerinfo is bad
Since the uninstaller is no longer present, you can remove the entry in add/remove programs by doing this:

Open HijackThis
Click on Open the misc tools section
Click on Open uninstall manager
Select OuterInfo
Click Delete this entry

Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems

harvey61
2007-11-24, 15:01
Thanks for your time with this problem.

Listed below is the information you have asked for:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2683 (20071124)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=d1b6ae096477e4429e9e7afebb7f019f
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2007-11-24 12:22:21
# local_time=2007-11-24 01:22:21 (+0100, Romance Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=164378
# found=2
# scan_time=1859
D:\Documents and Settings\Melanie\Desktop\Virus Fixes\backups\backup-20071122-190235-279.dll probably a variant of Win32/Adware.PurityScan application 396955766B2E512BC3545A24BC485DBE
D:\VundoFix Backups\__c00C40.dat.bad Win32/TrojanDownloader.Agent.NSM trojan 318ED8A4DD6253A1429697F7CDE7FD67


========================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:38:36, on 24/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\bmwebcfg.exe
D:\WINDOWS\system32\o2flash.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\sm56hlpr.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Telefónica Móviles\Escritorio movistar\EMMSN.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Telefónica Móviles\Escritorio movistar\bmctl.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Melanie\Desktop\Virus Fixes\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] D:\WINDOWS\sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Escritorio movistar] "D:\Program Files\Telefónica Móviles\Escritorio movistar\EMMSN.exe" -systray
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = D:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179065018187
O17 - HKLM\System\CCS\Services\Tcpip\..\{E07CEE30-420C-4C48-A0D9-0E72845121DD}: NameServer = 194.179.1.100 194.179.1.101
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - D:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - D:\WINDOWS\system32\o2flash.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 5412 bytes

========================================

I have run another Spybot scan and all the original viruses have disappeared.

random/random
2007-11-24, 18:23
Use windows explorer to find and delete these files:

D:\Documents and Settings\Melanie\Desktop\Virus Fixes\backups\backup-20071122-190235-279.dll

You can also delete smitfraudfix.exe, sdfix.exe, fix.reg, vundofix.exe & show-vundo.vbs from your desktop

And these folders:

C:\Vundofix backups\
C:\Sdfix\

As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'

You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints (http://www.malwarecomplaints.info/index.php). You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue. Just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
Turn System Restore off
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart
Turn System Restore on
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Uncheck *Turn off System Restore*.
Click Apply, and then click OK.
Note: only do this once, and not on a regular basis
Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers
I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall (http://www.personalfirewall.comodo.com/) or Zonealarm (http://www.zonelabs.com/store/content/home.jsp)
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here (http://www.bleepingcomputer.com/tutorials/tutorial60.html)
Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch for it, so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will therefore help to prevent malicious software being installed on your PC.
Go here (http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx) to check for & install updates to Microsoft applications
Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
Keep your non-Microsoft applications updated as well
Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector (http://secunia.com/software_inspector) - I suggest that you run it at least once a month
Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.
Install SpywareBlaster & make sure to update it regularly
SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster from here (http://www.javacoolsoftware.com/sbdownload.html)
Install and use Spybot Search & Destroy
Instructions are located here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
Make sure you update, reimmunize & scan regularly
Make use of the HOSTS file included with Spybot Search & Destroy
Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it points from the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
Spybot Search & Destroy has a good HOSTS file built in. To enable the HOSTS file in Spybot Search & Destroy:
Run Spybot Search & Destroy
Click on Mode, and then place a tick next to Advanced mode
Click Yes
In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
Click on Add Spybot-S&D hosts list
Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
Click Start > Run, type services.msc & click OK
In the list, find the service called DNS Client & double click on it. On the dropdown box, change the setting from automatic to manual. Click OK & then close the Services window
For a more detailed explanation of the HOSTS file, click here (http://forum.malwareremoval.com/viewtopic.php?t=22187)
Install a-squared Free & update and scan with it regularly
a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here (http://www.emsisoft.com/en/software/free/)
Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer (http://www.emsisoft.com/en/software/antidialer/) which provides some real time protection against premium rate dialers
Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date
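
The hosts-file mechanism described in the post above, as an added illustration that is not part of the original thread, of Spybot S&D or of Windows itself: a small Python model of the hosts-file stage of name resolution (name looked up in the file before any DNS query, comments stripped, case-insensitive match, first matching line wins). Every hostname and entry in the sample is constructed for the example; the `*.example-bad.test` names stand in for whatever a real blocklist would contain.

```python
"""Minimal model of how a hosts file is consulted before DNS.

Added example: it reconstructs the lookup behaviour the post describes
(human-friendly name -> numeric address, checked before DNS) and shows why a
blocklist entry pointing a malicious hostname at 127.0.0.1 or 0.0.0.0 stops
the browser from ever reaching that site.
"""
import ipaddress

# Constructed sample in the layout Windows uses. The *.example-bad.test names
# are placeholders for this example, not entries from any real blocklist.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost

# blocklist-style entries (constructed)
127.0.0.1  ads.example-bad.test            # sinkhole to loopback
127.0.0.1  www.ads.example-bad.test
0.0.0.0    tracker.example-bad.test        # sinkhole to the unspecified address
127.0.0.1  MixedCase.Example-Bad.TEST
127.0.0.1  dup.example-bad.test            # first match wins ...
10.0.0.5   dup.example-bad.test            # ... so this later line is never used
this line is malformed and must be skipped
"""

# Addresses that blocklists use to make a connection go nowhere.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs in file order.

    Comments start at '#', blank lines are ignored, one address may be
    followed by several names, and hostnames are normalised to lower case
    because the resolver compares them case-insensitively. Lines whose first
    field is not an IP address are skipped, as the resolver skips them.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def resolve(hostname, entries):
    """Hosts-file stage of name resolution: first matching entry wins.

    Returns the address string, or None when the name is not in the file,
    which is the point at which the real resolver goes on to ask DNS.
    """
    needle = hostname.lower().rstrip(".")
    for ip, name in entries:
        if name == needle:
            return ip
    return None


def blocked_names(entries):
    """Hostnames the file sinkholes: everything mapped to a loopback or
    unspecified address, except localhost itself."""
    return sorted({
        name for ip, name in entries
        if ip in SINKHOLE_ADDRESSES and name != "localhost"
    })


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example-bad.test", "MixedCase.Example-Bad.TEST",
                 "dup.example-bad.test", "www.microsoft.com"):
        hit = resolve(host, table)
        print(f"{host:30} -> {hit if hit else 'not in hosts file, query DNS'}")
    print("sinkholed:", ", ".join(blocked_names(table)))
```

Two points the model makes visible: a blocked name never leaves the machine as a DNS query, which is what makes the file useful against known malicious hosts, and the lookup is a linear scan of the whole file. On Windows XP the DNS Client service loads the entire hosts file into its cache, which is why a blocklist of many thousands of lines can slow the system down and why the post suggests setting that service to manual.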

harvey61
2007-11-24, 18:44
Big it up to all those experts who hide behind their forum names..... don't even know where you come from Random/Random?? Thanks for spending the time fixing my virus problem - the laptop is now clean.

random/random
2007-11-24, 19:27
don't even know where you come from Random/Random??

I'm from the UK

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.