View Full Version : Virtumonde, Microsoft.WindowsSecurityCenter.FirewallBypass, and Right Media Issues...
First off. If you can please direct me how to post a log here as I am a newbie :)
I was having issues with Virtumonde coming up on the SpyBoy Search and Destroy scan. Different versions of Virtumonde would come up. I think, and I only think I cured that issue with numerous scanning of Spybot Search and Destroy. Now the newest scan the Virtumonde didnt come up.
What has still been coming up on the scans which I can not get rid of, no matter how hard I try is "Microsoft.WindowsSecurityCenter.FirewallBypass"
When I look under details for the WindowsSecurityCenter issues. This comes up: Hkey_Local_Machines\System\Controlset001\Services\SharedAccess...I can not scroll anymore to see anymore details.
Also: Hkey_Local_Machines\System\Controlset002\Services\SharedAccess
In addition to the above I can not get rid of this in the Spybot Search and Destroy scan: "Right Media"
With all of these issues my comuter is sluggish and my anti virus software is going crazy. It keeps popping up with viruses constantly. I read part of the issue of Virtumonde is that is gives the antivirus softwares false viruses to so the software makes false alerts. So, I think that is the reason my antivirus software is going crazy lol.
PLEASE, OH PLEASE, Help me :)
pskelley
2008-11-08, 15:25
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
Most often the reason Spybot S&D has issues is because it is not up to date and full immunized. I'll post this information for your first.
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
http://www.safer-networking.org/en/faq/index.html
Microsoft.WindowsSecurityCenter.FirewallBypass >>> see this:
http://forums.majorgeeks.com/showthread.php?t=121531
How to post a HJT log:
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.
Make sure you have followed all of the above directions before you post the HJT log.
Thanks
Duplicate post removed, please be sure to hit the button to post only once, sometimes It takes a few moments.
Thanks
I read through all the material and I believe I did everything you wanted.
Here is the log and thank you in advance for your next reply and P.S. In addition to everything else this virus or whatever it is is also undoing my automatic updates for Windows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:05 AM, on 11/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {9e5a0163-4760-49df-8df4-70c55e0ca8ff} - C:\WINDOWS\system32\fedoniko.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s
O4 - HKLM\..\Run: [28a16726] rundll32.exe "C:\WINDOWS\system32\kuzeduhu.dll",b
O4 - HKLM\..\Run: [CPM2b9254ba] Rundll32.exe "c:\windows\system32\peluloge.dll",a
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\keyutova.dll c:\windows\system32\jayajuho.dll c:\windows\system32\peluloge.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\peluloge.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\peluloge.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 8855 bytes
pskelley
2008-11-08, 17:37
Thanks for returning your HJT log. I need to start by collecting some information.
http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.
Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm
Post only the C:\rapport.tx
Thanks
I think I did what you wanted. Is this what you were looking for?:
SmitFraudFix v2.373
Scan done at 12:47:12.54, Sat 11/08/2008
Run from C:\Documents and Settings\Jack Berry\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jack Berry\Desktop\SmitfraudFix\Policies.exe
C:\Documents and Settings\Jack Berry\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\Tasks\At?.job FOUND !
C:\WINDOWS\Tasks\At??.job FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jack Berry
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JACKBE~1\LOCALS~1\Temp
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jack Berry\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JACKBE~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!
o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"="STS"
[HKEY_CLASSES_ROOT\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InProcServer32]
@="c:\windows\system32\peluloge.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InProcServer32]
@="c:\windows\system32\peluloge.dll"
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL C:\\WINDOWS\\system32\\keyutova.dll c:\\windows\\system32\\jayajuho.dll c:\\windows\\system32\\peluloge.dll"
"LoadAppInit_DLLs"=dword:00000001
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» RK
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 12.207.235.29
DNS Server Search Order: 12.207.232.41
DNS Server Search Order: 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{2CD189ED-34C8-440D-B68F-ABBDC5548D62}: DhcpNameServer=12.207.235.29 12.207.232.41 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2CD189ED-34C8-440D-B68F-ABBDC5548D62}: DhcpNameServer=12.207.235.29 12.207.232.41 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2CD189ED-34C8-440D-B68F-ABBDC5548D62}: DhcpNameServer=12.207.235.29 12.207.232.41 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=12.207.235.29 12.207.232.41 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=12.207.235.29 12.207.232.41 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=12.207.235.29 12.207.232.41 192.168.1.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
pskelley
2008-11-08, 19:59
Thanks for returning your information, Smitfraudfix found the infection and it also found this:
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
After we clean, in the next C:\rapport.txt, there may be a very large hosts file (items starting with 127.0.0.1) and I do not need to see it. Edit (remove) it from the C:\rapport.txt before you post it.
Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infected files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
Post the C:\rapport.txt and a new HJT log.
Thanks
I open up the Smitfraudfix.exe and double click it and all that comes up is a black "C:\Windows\system32\cmd.exe" screen, no options at all to select anything. I even tried to delete it and reinstall it in safe mode but the same outcome. Whats wrong now?
Hey buddy.
I see your on now, any idea why the SmitfraudFix is not working for me?
pskelley
2008-11-08, 22:59
Not sure Nicolas, but the first part only finds the infection, we need to get it to run to clean this part of your infection. Make sure you are reading the directions very carefully, what I suggest is that you delete the first copy of Smitfraudfilx and download it again. Close your Antivirus program just until you get it download (sometimes it will block a needed file) then give it another try. This time just run it from the Desktop and there is no need to run the search function, go direct to the clean function. If you can't do it in safe mode, do it in normal mode.
Take your time, follow the direction, we will get this to work and we will get your computer clean.
Thanks...Phil
I have been trying for hours and I can not get it to work.
pskelley
2008-11-09, 00:21
Smitfraudfix is a much used malware removal tool, it will not get easier.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
I see your back on. I am begging you. I am going nuts here. With my personality I will unfortunately not stop trying until I get this to work. Please help me
Thanks. I will try your new suggestion. RIGHT NOW....
Nope. Will not open.......
trying to download something from microsoft that was suggested from one of the links you sent me
pskelley
2008-11-09, 00:47
You need to slow down before you skrew up your computer.
Nope. Will not open.......
What will not open?
trying to download something from microsoft that was suggested from one of the links you sent me
The only thing suggested in the links is Recovery Console and it needs combofix to be running to install it.
:sad:
I double click on "combofix.exe" and it goes through the motion like it is starting up then nothing happends the screen just stays on my main desktop screen. So this combo fix is also not working for me
pskelley
2008-11-09, 01:03
Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.
Ok, the "Malwarebytes' Anti-Malware" software worked, thankfully. Here is the results:
Malwarebytes' Anti-Malware 1.30
Database version: 1375
Windows 5.1.2600 Service Pack 3
11/8/2008 8:36:11 PM
mbam-log-2008-11-08 (20-36-11).txt
Scan type: Full Scan (C:\|E:\|)
Objects scanned: 179760
Time elapsed: 1 hour(s), 20 minute(s), 6 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
c:\WINDOWS\system32\peluloge.dll (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\28a16726 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\01302017216340612770480631125782 (Rogue.Antivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suvolakoji (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\peluloge.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\peluloge.dll -> Delete on reboot.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\kuzeduhu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uhudezuk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\peluloge.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\D8K31ky0.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\l7vtgRIl.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vobuturi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
New HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:39:51, on 11/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1172010222\ee\AOLSoftware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {9e5a0163-4760-49df-8df4-70c55e0ca8ff} - C:\WINDOWS\system32\fedoniko.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CPM2b9254ba] Rundll32.exe "c:\windows\system32\peluloge.dll",a
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1172010222\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s (User 'NETWORK SERVICE')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\keyutova.dll c:\windows\system32\jayajuho.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 12098 bytes
pskelley
2008-11-09, 12:55
Thanks fore returning the MBAM log and it did remove some junk but you are still infected. I strongly suggest you stay offline when not working of these problems until we kill all of the junk.
It is likely you have a rootkit infection: http://en.wikipedia.org/wiki/Rootkit
which is blocking the tools we are trying to use. I would like to try to run Smitfraudfix again, make sure you delete any old copies and download it new from the instructions. There is no need to run the "Search" function, move to the instructions in my post #7 once you have it installed on the Desktop and follow those direction if you can, posting: the C:\rapport.txt and a new HJT log.
I also sent you a private message and would like to be sure you saw it. You want to watch your junk mail during these session, the filters do not know Safer Networking email and may assume it is junk.
Thanks...Phil
Damn, family members went on the computer this morning, I hope this didnt screw up any progress we had so far
Unless its some kind of trick, I believe I deleted everything from Smitfraudfix and reinstalled it but still nothing.
pskelley
2008-11-09, 19:22
First instructions:
I suggest you keep this computer offline except when troubleshooting, the junk may download more.
I need you to read the directions carefully, when I request information, you need to provide it.
I also sent you a private message and would like to be sure you saw it. You want to watch your junk mail during these session, the filters do not know Safer Networking email and may assume it is junk.
Damn, family members went on the computer this morning, I hope this didnt screw up any progress we had so far
I am not yet sure what is going on with this computer, due mostly to the fact you have been able to run only one tool so far and information I should have by now, I do not. You must control the computer until we finish and there must be no routine use.
Let's see if we can use Spybot S&D to check that Hosts files, please do this:
Open Spybot S&D > click on Mode and make sure Advanced Mode is checked > Left column choose Tools > Look for Hosts file and click "Take a look at your hosts list. Near the top is a green cross with "Add Spybot-S&D hosts list. Click on that, it will take a few minutes to refresh the list and it will replace anything corrupted with a clean Hosts list.
Let's give combofix another try, refer back to my post #12.
Let me know how it goes, hopefully you will post a combofix report.
I am interested in the performance of the computer at this point also.
Thanks
First instructions:
I need you to read the directions carefully, when I request information, you need to provide it.
I am not yet sure what is going on with this computer, due mostly to the fact you have been able to run only one tool so far and information I should have by now, I do not. You must control the computer until we finish and there must be no routine use.
Let's see if we can use Spybot S&D to check that Hosts files, please do this:
Open Spybot S&D > click on Mode and make sure Advanced Mode is checked > Left column choose Tools > Look for Hosts file and click "Take a look at your hosts list. Near the top is a green cross with "Add Spybot-S&D hosts list. Click on that, it will take a few minutes to refresh the list and it will replace anything corrupted with a clean Hosts list.
Let's give combofix another try, refer back to my post #12.
Let me know how it goes, hopefully you will post a combofix report.
I am interested in the performance of the computer at this point also.
Thanks
"I suggest you keep this computer offline except when troubleshooting, the junk may download more."
What do you mean by that? I have the computer in safe mode with networking JUST so I can view this forum and try to download the things you are requesting.
I also got your Private Message and I understand that your only on here early in the morning to assist people
No. I did what you wanted with spybot search and destroy. That worked fine besides it did not take a couple of minutes like you said it only took a couple of seconds, part of virus, I dont know. Then I tried ComboFix.exe and same result. It starts to scroll like its about to open then nothing it goes right back to my main desktop screen.
pskelley
2008-11-09, 20:06
It is not wise to be online with "safe mode in networking" keep in mind that none of your security programs are running.
I asked this:
I am interested in the performance of the computer at this point also.
I am not sure how much I can do since you can not run any tools. I am beginning to believe you have Windows problem other than malware and the you may want to consider a reformat:
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm
You could try a repair or reinstall of the Operating system, but with a reformat, you would be assured of a clean computer.
Thanks
The performance is the same.
What should I be in? Just Safe mode?
I was just going to bring it to GeekSquad...Not a good idea since they most likely going to uninstal and reinstal the operating system?
What does reformating do? Does it say that in the links?
I am also rerunning the "Malwarebytes' Anti-Malware" software and see whay happends, so far it says "objects infected" is 12. I am only running drive C.
pskelley
2008-11-09, 20:24
I may have suggested you try combofix in safe mode, and Smitfraudfix "Clean" function is:
Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
at no time did I suggest safe mode with networking. But none of that is going to change the information I posted concerning the computer and the difficulty running the basic malware tools.
Thanks
Not that this is going to help any but here is the NEW mbam log and the newhjt log:
Malwarebytes' Anti-Malware 1.30
Database version: 1375
Windows 5.1.2600 Service Pack 3
11/9/2008 2:19:26 PM
mbam-log-2008-11-09 (14-19-26).txt
Scan type: Full Scan (C:\|)
Objects scanned: 119693
Time elapsed: 23 minute(s), 7 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
c:\WINDOWS\system32\vunazimu.dll (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\28a16726 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suvolakoji (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\vunazimu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\vunazimu.dll -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\dopejujo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ojujepod.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wadubebe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ebebudaw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\vunazimu.dll (Trojan.Agent) -> Delete on reboot.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:25:17, on 11/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1172010222\ee\AOLSoftware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Jack Berry\Desktop\SmitfraudFix\Policies.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.execf
C:\WINDOWS\system32\findstr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {9e5a0163-4760-49df-8df4-70c55e0ca8ff} - C:\WINDOWS\system32\fedoniko.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1172010222\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [CPM2b9254ba] Rundll32.exe "c:\windows\system32\vunazimu.dll",a
O4 - HKLM\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s (User 'NETWORK SERVICE')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\keyutova.dll c:\windows\system32\jayajuho.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 12111 bytes
pskelley
2008-11-09, 20:48
C:\Documents and Settings\Jack Berry\Desktop\SmitfraudFix\Policies.exe <<< please delete Smitfraudfix from the computer
C:\WINDOWS\system32\cmd.execf <<< not sure what this is, here is some information:
http://www.systemlookup.com/Startup/2031.html
We will remove that file.
Remove (delete) combofix from the computer
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {9e5a0163-4760-49df-8df4-70c55e0ca8ff} - C:\WINDOWS\system32\fedoniko.dll
O4 - HKLM\..\Run: [CPM2b9254ba] Rundll32.exe "c:\windows\system32\vunazimu.dll",a
O4 - HKLM\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\keyutova.dll c:\windows\system32\jayajuho.dll
Close all programs but HJT and all browser windows, then click on "Fix Checked"
4) Right click Start > Explore and navigate to these files/folders and delete them if there.
C:\WINDOWS\system32\fedoniko.dll
C:\WINDOWS\system32\cmd.execf
c:\windows\system32\vunazimu.dll
C:\WINDOWS\system32\vobuturi.dll
C:\WINDOWS\system32\keyutova.dll
c:\windows\system32\jayajuho.dll
5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
Make sure you restart the computer:
6) Give this scan a run, it does not remove anything, but it may show the hidden files.
Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from Kaspersky Online Virus Scanner (http://www.kaspersky.com/virusscanner)
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan: Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Post the log along with a New HJT Log into your next reply.
Thanks
I did the "Kaspersky" and the HJT scans like you wanted.
But, first I want to update you on what you wanted me to delete "4) Right click Start > Explore and navigate to these files/folders and delete them if there.
C:\WINDOWS\system32\fedoniko.dll
C:\WINDOWS\system32\cmd.execf
c:\windows\system32\vunazimu.dll
C:\WINDOWS\system32\vobuturi.dll
C:\WINDOWS\system32\keyutova.dll
c:\windows\system32\jayajuho.dll"
-the "cmd.execf, I got rid off (deleted)
-I could not find in the above process these three: "Vunazimu.dll", "Vobuturi.dll", and "Jayajuho.dll"
These two I found BUT COULD NOT DELETE..."Fedoniko.dll", and "Keyutova.dll"
When I tried to delete them both stated this message: "Can not delete fedoniko or keyutova: Access is denied" "Make sure the disk is not full or write-protected and that the file is not currently in use."
Here is the results to the "Kaspersky" and the HJT scans:
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, November 10, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, November 09, 2008 20:42:17
Records in database: 1377092
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
Scan statistics
Files scanned 119644
Threat name 6
Infected objects 70
Suspicious objects 0
Duration of the scan 04:43:24
File name Threat name Threats count
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Jack Berry\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\WINDOWS\system32\l7vtgRIl.exe Infected: Trojan-Downloader.Win32.Agent.aogx 1
E:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
E:\Documents and Settings\Jack Berry\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe Infected: not-a-virus:Downloader.Win32.ImLoader.g 1
E:\olddrivedata\jack\Local Settings\Temp\~347074.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~352740.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~368798.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~375387.tmp Infected: not-a-virus:AdWare.Win32.Wintol.c 1
E:\olddrivedata\jack\Local Settings\Temp\~376432.tmp Infected: not-a-virus:AdWare.Win32.Wintol.c 1
E:\olddrivedata\jack\Local Settings\Temp\~386889.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~387262.tmp Infected: not-a-virus:AdWare.Win32.Wintol.c 1
E:\olddrivedata\jack\Local Settings\Temp\~388596.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~391220.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~394118.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~398853.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~405523.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~405761.tmp Infected: not-a-virus:AdWare.Win32.Wintol.c 1
E:\olddrivedata\jack\Local Settings\Temp\~410112.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~411627.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~412371.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~413734.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~414141.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~414782.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~416868.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~429814.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~429837.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~435686.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~443502.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~446655.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~531206.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~537522.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~542897.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~556289.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~564668.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~567388.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~569032.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~610112.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~610619.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~625954.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~653116.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~660856.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~663843.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~672377.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~684737.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~688701.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~696014.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~705439.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~709776.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~723572.tmp Infected: not-a-virus:AdWare.Win32.Wintol.c 1
E:\olddrivedata\jack\Local Settings\Temp\~743155.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~748103.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~754210.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~757236.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~781181.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~791174.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~814048.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~842750.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~851219.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~855793.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~856115.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~861219.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~881529.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~891299.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~921074.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\olddrivedata\jack\Local Settings\Temp\~927816.tmp Infected: not-a-virus:AdWare.Win32.Wintol.c 1
E:\olddrivedata\jack\Local Settings\Temp\~950425.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1
E:\Program Files\IncrediMail\bin\IncrediMail_Install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.g 1
The selected area was scanned.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:18:12, on 11/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Common Files\AOL\1172010222\ee\AOLSoftware.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Documents and Settings\Jack Berry\Local Settings\Temp\jkos-Jack Berry\binaries\ScanningProcess.exe
C:\Documents and Settings\Jack Berry\Local Settings\Temp\jkos-Jack Berry\binaries\ScanningProcess.exe
C:\WINDOWS\system32\l7vtgRIl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {9e5a0163-4760-49df-8df4-70c55e0ca8ff} - C:\WINDOWS\system32\fedoniko.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1172010222\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CPM2b9254ba] Rundll32.exe "c:\windows\system32\wevusavi.dll",a
O4 - HKLM\..\Run: [28a16726] rundll32.exe "C:\WINDOWS\system32\juzetoja.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s (User 'NETWORK SERVICE')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jdk/6u10/jinstall-6u10-windows-i586-jc.cab?e=1226269825192&h=e520203f917b0568ab92768b04e97866/&filename=jinstall-6u10-windows-i586-jc.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - AppInit_DLLs: C:\WINDOWS\system32\keyutova.dll c:\windows\system32\wevusavi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wevusavi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wevusavi.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 11845 bytes
pskelley
2008-11-10, 14:38
Thanks for the feedback, you said:
These two I found BUT COULD NOT DELETE..."Fedoniko.dll", and "Keyutova.dll"
Understand that they are bad files, may be causing the problems and must be deleted before you will be clean. Did you consider deleting then in Safe Mode when they would not have been running? Let's move on and do this one step at a time to avoid any confusion. I would appreciate it if you keep me aware of the computer's performance each time you post.
Kaspersky Online Scan (KOS)
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\ <<< delete that folder in RED and contents
C:\Documents and Settings\Jack Berry\SmitfraudFix\ <<< delete that folder in RED and the contents
C:\WINDOWS\system32\l7vtgRIl.exe <<< delete that file, do it in safe mode if necessary (added this to Avenger script in case you have trouble with it)
E:\ drive?? Delete all files in RED
E:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe ------> AdWare.Win32.SearchIt.t 1
E:\Documents and Settings\Jack Berry\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe ------> Downloader.Win32.ImLoader.g 1
E:\Program Files\IncrediMail\bin\IncrediMail_Install.exe ------> Downloader.Win32.ImLoader.g 1
E:\olddrivedata\jack\Local Settings\Temp\ <<< delete everything in that folder in RED
Delete these files, do it in safe mode if need be, they must go.
C:\WINDOWS\system32\fedoniko.dll
C:\WINDOWS\system32\vobuturi.dll
c:\windows\system32\wevusavi.dll
C:\WINDOWS\system32\juzetoja.dll
C:\WINDOWS\system32\keyutova.dll
There are tools to help but you can't seem to run any of them. If you have trouble deleting those files, you can give this a try.
Download The Avenger (http://swandog46.geekstogo.com/avenger.zip) Copyright © Swandog46
You must extract avenger.exe to your desktop, before you run it.
The Avenger must be run from a user account with administrator privileges,
and ONLY works on Windows 2000 and XP, and only on 32-bit versions!
Copy all the text contained in the code box below to your Clipboard.
Files to delete:
C:\WINDOWS\system32\fedoniko.dll
C:\WINDOWS\system32\vobuturi.dll
c:\windows\system32\wevusavi.dll
C:\WINDOWS\system32\juzetoja.dll
C:\WINDOWS\system32\keyutova.dll
C:\WINDOWS\system32\l7vtgRIl.exe
The above script is for this user only, if you need help please start your own thread.
Start the Avenger.
Under "Script file to execute" choose "Input Script Manually".
Click on the Magnifying Glass icon which will open a new window titled "View/edit script".
Paste the entire text in into this window.
Click done, now click on the Green Light
Answer "Yes" twice when prompted.
Your computer shoud reboot, and briefly open a black command window on your desktop, this is normal.
After the restart, it will create a log file that should open.
This log file will be located at C:\avenger.txt
Paste the contents of the file into your reply along with a fresh HJT log.
Also: Avenger has made backups of all the files, etc., that you asked it to delete, located at C:\avenger\backup.zip.
When you are finished, I need to see the results of a new KOS, the log file from Avenger and a new HJT log.
Thanks
The Avenger: the directions you pointed out for me to use for this software is not there:
Start the Avenger.
Under "Script file to execute" choose "Input Script Manually".
Click on the Magnifying Glass icon which will open a new window titled "View/edit script".
Paste the entire text in into this window.
Click done, now click on the Green Light
Answer "Yes" twice when prompted.
Your computer shoud reboot, and briefly open a black command window on your desktop, this is normal.
I do not see any of these....When I start up Avenger I see a white box and above the box it says "Input Script here", under the white box to the right it says "Execute" and under the white box it says "Scan for rootkits" and that option is check marked, and it also says "Automatically disable any rootkits found" and that option is not checked marked........
Also, FYI: "fedoniko.dll" I was able to delete in safe mode.
"Vobuturi.dll" can not find that file
""Wevusavi.dll" I was in safe mode but I could still not delete it.
"juzetoja.dll" I was able to delete in safe mode
"Keyutova.dll" I was in safe mode but I could still not delete.
In addition, when I started up the computer 2 boxes came on right when it came to my desktop screen. The first one stated "Error Loading juzetoja.dll" and the other box stated "Error loading Vobuturi.dll" with an option of "ok" for me to get rid of the boxes.
pskelley
2008-11-10, 19:21
Download The Avenger (http://swandog46.geekstogo.com/avenger.zip) <<< it is therCopyright © Swandog46
http://swandog46.geekstogo.com/avenger.zip <<< there
http://swandog46.geekstogo.com/avenger.zip <<< there
all links work?
You have been able to run one tool out of all I provided and they are all routine tools that are used daily by many, many folks. I am beginning to believe the problem is not the tools. I am suggesting you ask someone with more computer experience to lend a hand or that you take the computer to qualified technician.
Thanks
I don't know how it is me when I am doing everything you instructed and the SmitFraudFix worked the first time but since then it is not allowing me to do so.
Do you know if someone else can take over my file before I give up and bring it to someone.
Also, the Avenger is opening up fine it is just not going to the screen that you are describing it is going to a different screen.
pskelley
2008-11-11, 00:59
Anyone else would have the same problem getting the tools run that I am having. I suggest you take the computer to a local technician or reformat yourself if you can follow the instructions. Let's face facts, you could not even secure the computer in your own home.
Damn, family members went on the computer this morning, I hope this didnt screw up any progress we had so far
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm
Thanks for your concern about "my" computer but my computer is perfectly fine thank you. Never had a virus or spam. The computer I am trying to fix is my mothers computer.
Maybe someone else could help me get around this "rootkit infection" that you stated I might have and could be the reason those softwares you are sending me might not be working.