View Full Version : euaaiih.dll
hi there when i start up windows xp now... i find when i log in the message...
error loading C:\WINDOWS\system32\euaaiih.dll
the specific module could not be found....
i originally found a forum to get rid of the smitfruad-c toolbar888 trogan.. or what ever ... name of post smitfruad-c toolbar888
ran combofix.exe and vundofix.exe and followed ILLUKKA's instructions to remove a whole lot of junk using avgfree etc... my computer starts up normally and alot faster now with those removed... however i get a blasted error message stating the above when i log in....
is there any way of getting euaaiih.dll back or is a complete windows install required...
its the only error message that comes up on startup...
oh and lastly any way of getting rid of the windows xp security warning (your computer may be infected with harmful or unwanted software!) in the lower right corner... it wants me to download some winxpantivirus software which i tried but doesnt work...
thanks for ya time... reply or email me.
jason....
Combo:
Jason - 06-11-13 18:25:39.74 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Program Files\Mozilla Firefox"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{348E261B-0706-1033-0806-020205220001}
C:\Program Files\Common Files\{048E261B-0706-1033-0806-020205220001}
((((((((((((((((((((((((((((((( Files Created from 2006-10-13 to 2006-11-13 ))))))))))))))))))))))))))))))))))
2006-11-13 16:28 94,720 --a------ C:\WINDOWS\system32\xwxqbrn.dll
2006-11-13 16:28 72,704 --a------ C:\WINDOWS\system32\igjsbpc.dll
2006-11-13 16:28 59,392 --a------ C:\WINDOWS\system32\drvxul.dll
2006-11-13 16:28 40,973 ---hs---- C:\WINDOWS\system32\opnlkjj.dll
2006-11-13 14:45 59,392 --a------ C:\WINDOWS\system32\drvlur.dll
2006-11-13 14:45 40,973 ---hs---- C:\WINDOWS\system32\vtuvsss.dll
2006-11-13 13:18 77,824 --a------ C:\WINDOWS\system32\cfltygd.dll
2006-11-13 13:15 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2006-11-13 13:09 247,961 --a------ C:\WINDOWS\system32\hgddd.dll
2006-11-13 13:03 94,208 --a------ C:\WINDOWS\system32\euaaiih.dll
2006-11-13 13:03 72,704 --a------ C:\WINDOWS\system32\xkblrhg.dll
2006-11-13 13:03 40,973 ---hs---- C:\WINDOWS\system32\ssqrpmm.dll
2006-11-13 13:03 15,872 --a------ C:\WINDOWS\system32\winhkz32.dll
2006-11-13 12:52 611,064 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-11-01 09:51 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2006-11-01 09:51 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2006-11-01 09:51 30,208 --a------ C:\WINDOWS\system32\wdmioctl.dll
2006-11-01 09:51 266,880 --a------ C:\WINDOWS\system32\drivers\smwdm.sys
2006-11-01 09:51 116,176 --a------ C:\WINDOWS\system32\drivers\aeaudio.sys
2006-11-01 09:51 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-13 18:27 -------- d-------- C:\Program Files\Common Files
2006-11-13 18:25 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-13 18:07 -------- d---s---- C:\Documents and Settings\Jason\Application Data\Microsoft
2006-11-13 17:36 -------- d-------- C:\Documents and Settings\Jason\Application Data\Help
2006-11-13 13:57 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-13 13:57 -------- d-------- C:\Program Files\EA GAMES
2006-11-13 13:27 -------- d-------- C:\Program Files\VirusBursters
2006-11-13 13:15 -------- d-------- C:\Documents and Settings\Jason\Application Data\WinAntiSpyware 2006
2006-11-13 13:08 -------- d-------- C:\Program Files\WinRAR
2006-11-13 13:00 -------- d-------- C:\Program Files\Common Files\EasyInfo
2006-11-13 12:50 -------- d-------- C:\Program Files\D-Tools
2006-11-10 01:01 -------- d-------- C:\Documents and Settings\Jason\Application Data\Macromedia
2006-11-01 09:58 -------- d-------- C:\Program Files\Java
2006-11-01 09:51 -------- d-------- C:\Program Files\Analog Devices
2006-11-01 09:50 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-11-01 09:50 -------- d-------- C:\Program Files\ATI Technologies
2006-10-18 08:55 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-06 14:35 -------- d-------- C:\Program Files\Common Files\Java
2006-10-06 14:17 -------- d-------- C:\Program Files\Messenger
2006-10-06 14:17 -------- d-------- C:\Program Files\Internet Explorer
2006-10-06 14:16 -------- d-------- C:\Program Files\Windows Media Player
2006-10-06 13:35 -------- d-------- C:\Program Files\Outlook Express
2006-10-06 13:35 -------- d-------- C:\Program Files\Common Files\System
2006-09-15 17:08 -------- d-------- C:\Documents and Settings\Jason\Application Data\Talkback
2006-09-15 17:02 -------- d-------- C:\Documents and Settings\Jason\Application Data\Mozilla
2006-09-01 01:03 62 --ahs---- C:\Documents and Settings\Jason\Application Data\desktop.ini
2006-08-31 17:52 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-08-31 17:52 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-08-31 14:13 0 -rahs---- C:\MSDOS.SYS
2006-08-31 14:13 0 -rahs---- C:\IO.SYS
2006-08-31 14:13 0 --a------ C:\CONFIG.SYS
2006-08-31 14:13 0 --a------ C:\AUTOEXEC.BAT
2006-08-26 04:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-22 01:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 22:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TrackPointSrv"="tp4mon.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"euaaiih.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\euaaiih.dll,cuoeydf"
"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvxul.dll,startup"
"xwxqbrn.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\xwxqbrn.dll,kewincd"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrpmm
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhkz32
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Low Battery Alarm Program.job
Completion time: 06-11-13 18:28:44.60
C:\ComboFix.txt ... 06-11-13 18:28
Vundo:
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.6
Java version is 1.5.0.9
Scan started at 6:15:27 PM 11/13/2006
Listing files found while scanning....
C:\WINDOWS\system32\euaaiih.dll
C:\WINDOWS\system32\igjsbpc.dll
C:\WINDOWS\system32\winhkz32.dll
C:\WINDOWS\system32\xkblrhg.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\euaaiih.dll
C:\WINDOWS\system32\euaaiih.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\igjsbpc.dll
C:\WINDOWS\system32\igjsbpc.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\winhkz32.dll
C:\WINDOWS\system32\winhkz32.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\xkblrhg.dll
C:\WINDOWS\system32\xkblrhg.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.6
Java version is 1.5.0.9
Scan started at 6:42:46 PM 11/13/2006
Listing files found while scanning....
C:\WINDOWS\system32\winhkz32.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\winhkz32.dll
C:\WINDOWS\system32\winhkz32.dll Has been deleted!
Performing Repairs to the registry.
Done!
so the dll windows wants ur program deleted... should i place it back in system32 or what... im running a panda scan and then hijackthis log now... for u to view....
next post will have that
Logfile of HijackThis v1.99.1
Scan saved at 11:27:20 PM, on 11/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {295DCD8D-82C1-1194-B4BE-0167E97EBF0F} - C:\WINDOWS\system32\igjsbpc.dll (file missing)
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C2D0560-8A85-A224-82C3-0975842C7AE7} - C:\WINDOWS\system32\xkblrhg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O2 - BHO: (no name) - {CB911948-0E51-4851-8E9E-D8C5FACB9779} - C:\WINDOWS\system32\urqqo.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\akvhqfax.dll (file missing)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
Panda:
Incident Status Location
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Program Files\VSAdd-in\VSAdd-in.dll
Adware:adware/securityerror Not disinfected c:\windows\system32\ot.ico
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1fwci9an.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1fwci9an.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\3dpkzlwr.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\3dpkzlwr.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\3dpkzlwr.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\3dpkzlwr.default\cookies.txt[.2o7.net/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\3dpkzlwr.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\3dpkzlwr.default\cookies.txt[.com.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\3dpkzlwr.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\3dpkzlwr.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\3dpkzlwr.default\cookies.txt[.paycounter.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\3dpkzlwr.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\3dpkzlwr.default\cookies.txt[www.drivecleaner.com/.freeware/]
Spyware:Cookie/Virusbursters Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\3dpkzlwr.default\cookies.txt[www.virusbursters.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt[.advertising.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt[.ads.pointroll.com/]
Adware:Adware/UltimateCleaner Not disinfected C:\Program Files\Ultimate Cleaner\app.exe
Adware:Adware/UltimateCleaner Not disinfected C:\Program Files\Ultimate Cleaner\IeSafe.exe
Adware:Adware/VirusBurst Not disinfected C:\Program Files\VirusBursters\VirusBursters.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\cfltygd.dll
Possible Virus. Not disinfected C:\WINDOWS\system32\opnlkjj.dll
Possible Virus. Not disinfected C:\WINDOWS\system32\ssqrpmm.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\upsuqtgj.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\vtuvsss.dll
Logfile of HijackThis v1.99.1
Scan saved at 12:23:05 AM, on 11/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {295DCD8D-82C1-1194-B4BE-0167E97EBF0F} - C:\WINDOWS\system32\igjsbpc.dll (file missing)
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C2D0560-8A85-A224-82C3-0975842C7AE7} - C:\WINDOWS\system32\xkblrhg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {CB911948-0E51-4851-8E9E-D8C5FACB9779} - C:\WINDOWS\system32\urqqo.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\akvhqfax.dll (file missing)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [euaaiih.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\euaaiih.dll,cuoeydf
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvxul.dll,startup
O4 - HKLM\..\Run: [xwxqbrn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\xwxqbrn.dll,kewincd
O4 - HKLM\..\Run: [Ultimate Cleaner] C:\Program Files\Ultimate Cleaner\App.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: urqqo - C:\WINDOWS\system32\urqqo.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Hi jasonmc and welcome to Safer Networking Forums :)
You got some infections there...
From now on, please follow my instructions carefully...
Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply along with the contents of C:\VundoFix.txt
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm (http://www.beyondlogic.org/consulting/processutil/processutil.htm)
NOTE: Do not run any other options from SmitfraudFix until I tell you to do so!
didnt know if u wanted me to run vundo again but i guess u did... so i did...
:angel: SMIT LOG:
SmitFraudFix v2.120
Scan done at 11:32:57.23, Tue 11/14/2006
Run from C:\Documents and Settings\Jason\Desktop\New Folder\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\drvxul.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jason
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jason\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Jason\FAVORI~1
C:\DOCUME~1\Jason\FAVORI~1\Antivirus Test Online.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\VirusBursters\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
:angel: VUNDO LOG:
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.6
Java version is 1.5.0.9
Scan started at 6:15:27 PM 11/13/2006
Listing files found while scanning....
C:\WINDOWS\system32\euaaiih.dll
C:\WINDOWS\system32\igjsbpc.dll
C:\WINDOWS\system32\winhkz32.dll
C:\WINDOWS\system32\xkblrhg.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\euaaiih.dll
C:\WINDOWS\system32\euaaiih.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\igjsbpc.dll
C:\WINDOWS\system32\igjsbpc.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\winhkz32.dll
C:\WINDOWS\system32\winhkz32.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\xkblrhg.dll
C:\WINDOWS\system32\xkblrhg.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.6
Java version is 1.5.0.9
Scan started at 6:42:46 PM 11/13/2006
Listing files found while scanning....
C:\WINDOWS\system32\winhkz32.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\winhkz32.dll
C:\WINDOWS\system32\winhkz32.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.6
Java version is 1.5.0.9
Scan started at 11:41:17 AM 11/14/2006
(NEW SCAN after fraudfix)
Listing files found while scanning....
C:\WINDOWS\system32\urqqo.dll
C:\WINDOWS\system32\oqqru.ini
C:\WINDOWS\system32\oqqru.bak1
Beginning removal...
Attempting to delete C:\WINDOWS\system32\oqqru.ini
C:\WINDOWS\system32\oqqru.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\oqqru.bak1
C:\WINDOWS\system32\oqqru.bak1 Has been deleted!
Performing Repairs to the registry.
Done!
found C:\WINDOWS\system32\urqqo.dll
vundo didnt delete that dunno if it meant to not...
u'll probably find that to...
Whats next master
thanks jason
Hi again :)
Please post a fresh HijackThis log :bigthumb:
Logfile of HijackThis v1.99.1
Scan saved at 7:36:10 PM, on 11/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {295DCD8D-82C1-1194-B4BE-0167E97EBF0F} - C:\WINDOWS\system32\igjsbpc.dll (file missing)
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C2D0560-8A85-A224-82C3-0975842C7AE7} - C:\WINDOWS\system32\xkblrhg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {CB911948-0E51-4851-8E9E-D8C5FACB9779} - C:\WINDOWS\system32\urqqo.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\akvhqfax.dll (file missing)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [euaaiih.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\euaaiih.dll,cuoeydf
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvxul.dll,startup
O4 - HKLM\..\Run: [xwxqbrn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\xwxqbrn.dll,kewincd
O4 - HKLM\..\Run: [Ultimate Cleaner] C:\Program Files\Ultimate Cleaner\App.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: urqqo - C:\WINDOWS\system32\urqqo.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Hi again, we'll continue :)
I'll try to answer you as soon as possible but these logs take their time. So please be patient :)
We'll remove Ultimate Cleaner and WinAntiVirus since these have a suspicious reputation. More here (http://www.spywarewarrior.com/rogue_anti-spyware.htm).
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.
Then, make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
==================
Open Control Panel -> Add/Remove programs -> Remove all the of the following programs if found:
WinAntiVirus
Ultimate Cleaner
VSAdd-in
or similar entries
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {295DCD8D-82C1-1194-B4BE-0167E97EBF0F} - C:\WINDOWS\system32\igjsbpc.dll (file missing)
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {5C2D0560-8A85-A224-82C3-0975842C7AE7} - C:\WINDOWS\system32\xkblrhg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {CB911948-0E51-4851-8E9E-D8C5FACB9779} - C:\WINDOWS\system32\urqqo.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\akvhqfax.dll (file missing)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [euaaiih.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\euaaiih.dll,cuoeydf
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvxul.dll,startup
O4 - HKLM\..\Run: [xwxqbrn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\xwxqbrn.dll,kewincd
O4 - HKLM\..\Run: C:\Program Files\Ultimate Cleaner\App.exe
O20 - Winlogon Notify: urqqo - C:\WINDOWS\system32\urqqo.dll (file missing)
Please run Killbox.
Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\xwxqbrn.dll
C:\WINDOWS\system32\drvxul.dll
C:\WINDOWS\system32\opnlkjj.dll
C:\WINDOWS\system32\drvlur.dll
C:\WINDOWS\system32\vtuvsss.dll
C:\WINDOWS\system32\xwxqbrn.dll
C:\WINDOWS\system32\cfltygd.dll
C:\WINDOWS\system32\hgddd.dll
C:\WINDOWS\system32\ssqrpmm.dll
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Select "Delete on Reboot".
Select "All Files".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following folders (if present):
C:\Program Files\VSAdd-in
C:\Program Files\Ultimate Cleaner
C:\Documents and Settings\Jason\Application Data\WinAntiSpyware 2006
C:\Program Files\WinAntiSpyware 2006
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
[u]Warning : running option #2 on a non infected computer will remove your Desktop background.
Restart to the safe mode again.
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
================
When you're ready, post the following logs to here:
- AVG's report
- a fresh HijackThis log
- contents of C:\Rapport.txt
Um dunno if killbox worked cause i had no box come up asking to delete the files but the heres kill box log:
Pocket Killbox version 2.0.0.648
Running on Windows XP as Jason(Administrator)
was started @ Tuesday, November 14, 2006, 8:25 PM
# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\xwxqbrn.dll
# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\drvxul.dll
# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\opnlkjj.dll
# 4 [Delete on Reboot]
Path = C:\WINDOWS\system32\drvlur.dll
# 5 [Delete on Reboot]
Path = C:\WINDOWS\system32\vtuvsss.dll
# 6 [Delete on Reboot]
Path = C:\WINDOWS\system32\cfltygd.dll
# 7 [Delete on Reboot]
Path = C:\WINDOWS\system32\hgddd.dll
# 8 [Delete on Reboot]
Path = C:\WINDOWS\system32\ssqrpmm.dll
I Rebooted @ 8:26:58 PM
Killbox Closed(Exit) @ 8:26:58 PM
__________________________________________________
NEXT
smitfruad log:
SmitFraudFix v2.120
Scan done at 20:37:32.13, Tue 11/14/2006
Run from C:\Documents and Settings\Jason\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\ot.ico Deleted
C:\DOCUME~1\Jason\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Still got ATF CLEANER TO GO... post that shortly
So far it is looking good :)
Please post the HijackThis log and AVG Anti-Spyware logs when you're ready :bigthumb:
Im sorry to say. i acidently clicked apply all changes..before selecting quarenten certain things only had delete... i dunno what to do now... anyways log
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 9:44:12 PM 11/14/2006
+ Scan result:
C:\System Volume Information\_restore{A3576016-9D3E-423F-9741-023822A764C0}\RP18\A0022465.dll -> Adware.Agent : Cleaned with backup (quarantined).
HKU\S-1-5-21-220523388-839522115-1060284298-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39F25B12-74FF-4079-A51F-1D70F5B08B84} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A3576016-9D3E-423F-9741-023822A764C0}\RP16\A0022116.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A3576016-9D3E-423F-9741-023822A764C0}\RP16\A0022135.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A3576016-9D3E-423F-9741-023822A764C0}\RP17\A0022264.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A3576016-9D3E-423F-9741-023822A764C0}\RP17\A0022269.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A3576016-9D3E-423F-9741-023822A764C0}\RP17\A0022270.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A3576016-9D3E-423F-9741-023822A764C0}\RP14\A0021081.exe -> Adware.VirusBursters : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A3576016-9D3E-423F-9741-023822A764C0}\RP14\A0021055.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A3576016-9D3E-423F-9741-023822A764C0}\RP14\A0021054.exe -> Dropper.Small.asx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A3576016-9D3E-423F-9741-023822A764C0}\RP14\A0021075.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
:mozilla.27:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1fwci9an.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.28:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1fwci9an.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.52:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.10:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.11:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.8:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.30:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.46:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.47:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.48:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.42:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.43:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.44:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.45:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.68:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.69:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.70:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.59:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.60:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.53:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.54:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.55:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.56:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.57:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.21:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1fwci9an.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.24:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1fwci9an.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.25:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\1fwci9an.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.36:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.37:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.38:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.39:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.40:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.49:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.51:C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\pugmqrte.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
C:\System Volume Information\_restore{A3576016-9D3E-423F-9741-023822A764C0}\RP17\A0022312.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A3576016-9D3E-423F-9741-023822A764C0}\RP16\A0022119.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A3576016-9D3E-423F-9741-023822A764C0}\RP16\A0022120.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A3576016-9D3E-423F-9741-023822A764C0}\RP16\A0022121.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A3576016-9D3E-423F-9741-023822A764C0}\RP17\A0022275.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
::Report end
And a new hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 9:51:37 PM, on 11/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\tp4mon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Thanks for your help computer seems to be running fine ish....
And my desktop has dissapeared... dam u lol
get back to me
Hi again, it is looking clean now :)
The computer is running fine ?
This time nothing bad got removed when you hitted the Apply All actions in AVG...So it is ok...
Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.
Then you should remove the old version of Java Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 6
Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
=============
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.
Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.
Read this article by TonyKlein (http://castlecops.com/postlite7736-.html)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)
yeah the computer seems to be running fine aye.. dunno if avg spyware is meant to have the gray icon with the s inside... or is it meant to be colourful like avg antivirus icon in the task tray.... ?
thanks for all ur help tho
jason
i fixed the avg spyware thing... buy activeating.. residual shield and auto updates... so i should be fine now.. computer running fast as ... trying to download the things u said to and install them ... taking its time
thanks again
That's great news and you're very welcome :D:
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.
Glad we could help :2thumb: