
Thread: virtumonde problems

  1. #1
    Junior Member
    Join Date
    Mar 2008
    Posts
    14

    virtumonde problems

    Hello, I have had a problem for a week or so now, but only today realised that S&D was not effective at removing this problem and that this forum existed. Any help would therefore be greatly appreciated. HJT and Kaspersky logs attached:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:20:06, on 05/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE
    C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\System32\PhnxCDSvr.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
    C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\DllHost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
    O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [70160a15] rundll32.exe "C:\WINDOWS\system32\mkcjrpbq.dll",b
    O4 - HKLM\..\Run: [BM73253989] Rundll32.exe "C:\WINDOWS\system32\hdrfdhtl.dll",s
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Picture Package VCD Maker.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yaho...1/yregucfg.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{046EC07B-EAC4-4E85-9420-64177DEC1AA1}: NameServer = 85.255.113.90 85.255.112.74
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0DE6284C-238A-4469-AB7D-51A32CBA94FC}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D1B22B14-9C23-4782-8897-FFD3A4D08BA3}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\..\{046EC07B-EAC4-4E85-9420-64177DEC1AA1}: NameServer = 85.255.113.90 85.255.112.74
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\System32\PhnxCDSvr.exe

    --
    End of file - 8264 bytes

  2. #2
    Junior Member
    Join Date
    Mar 2008
    Posts
    14


    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Wednesday, March 05, 2008 11:06:57 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 5/03/2008
    Kaspersky Anti-Virus database records: 599797
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 85085
    Number of viruses found: 17
    Number of infected objects: 130
    Number of suspicious objects: 0
    Duration of the scan process: 00:59:29

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd001.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
    C:\Documents and Settings\Andrew\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Andrew\Desktop\BTBBBasicHelpInstall.exe/WISE0011.BIN Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
    C:\Documents and Settings\Andrew\Desktop\BTBBBasicHelpInstall.exe WiseSFX: infected - 1 skipped
    C:\Documents and Settings\Andrew\Desktop\BTBBBasicHelpInstall.exe WiseSFXDropper: infected - 1 skipped
    C:\Documents and Settings\Andrew\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Andrew\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Andrew\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Andrew\Local Settings\Temp\~DF9E09.tmp Object is locked skipped
    C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\05YV0H6J\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\8POXAFSP\cmp638[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\93VZX9GE\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\93VZX9GE\ptch[2] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\AVIDCXG9\1002[1].exe Infected: not-a-virus:AdWare.Win32.E404.h skipped
    C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\AVIDCXG9\CA5CIOKO Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\EHTU7YXG\iddqd[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\KDUJ8LYB\CARED75Q Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\MP8ZMD25\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\MP8ZMD25\is[1].exe Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\TCWNX58L\CA5O47XT Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Andrew\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Andrew\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Becky\Local Settings\Temporary Internet Files\Content.IE5\41YZC9QJ\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Becky\Local Settings\Temporary Internet Files\Content.IE5\41YZC9QJ\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Becky\Local Settings\Temporary Internet Files\Content.IE5\4LEFO9YN\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Becky\Local Settings\Temporary Internet Files\Content.IE5\6JM5UVQP\CA49WX4R Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Becky\Local Settings\Temporary Internet Files\Content.IE5\6JM5UVQP\installadcleaner[1].cab/UADC_0001_D10M0210.exe Infected: not-a-virus:Downloader.Win32.AdvancedCleaner.c skipped
    C:\Documents and Settings\Becky\Local Settings\Temporary Internet Files\Content.IE5\6JM5UVQP\installadcleaner[1].cab CAB: infected - 1 skipped
    C:\Documents and Settings\Becky\Local Settings\Temporary Internet Files\Content.IE5\8FP3AEV9\iddqd[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Becky\Local Settings\Temporary Internet Files\Content.IE5\R6KVR1OH\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Becky\Local Settings\Temporary Internet Files\Content.IE5\TJ3JL5CE\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Becky\Local Settings\Temporary Internet Files\Content.IE5\U9GTMBQL\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Becky\Local Settings\Temporary Internet Files\Content.IE5\X7ZJP5CE\install_en[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\Becky\Local Settings\Temporary Internet Files\Content.IE5\YPL6NAT8\cmp638[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\BT Broadband Basic Help\log\mpbtn.log Object is locked skipped
    C:\Program Files\Phoenix Technologies\cME\Guard\monitor.log Object is locked skipped
    C:\Program Files\Phoenix Technologies\cME\Guard\repair.log Object is locked skipped
    C:\Program Files\VirusHeat 3.9\VirusHeat 3.9.exe Infected: not-a-virus:FraudTool.Win32.VirusProtectPro.o skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0033995.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0033996.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0033997.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034006.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034007.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034008.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034022.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034023.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034024.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034030.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034031.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034032.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP502\A0034044.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP502\A0034045.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP502\A0034046.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP503\A0034071.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP503\A0034072.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP503\A0034073.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP504\A0034080.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP504\A0034081.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP504\A0034082.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP504\A0034093.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP504\A0034094.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP504\A0034095.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP505\A0034114.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP505\A0034115.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP505\A0034116.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP505\A0034123.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP505\A0034124.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP505\A0034125.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP506\A0034131.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP506\A0034132.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP506\A0034133.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP507\A0034170.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP507\A0034171.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP507\A0034172.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034180.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034187.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034188.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034189.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034195.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034196.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034197.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034201.exe Infected: Trojan-Downloader.Win32.Zlob.hxe skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034202.exe Infected: Trojan-Downloader.Win32.Zlob.hwt skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034205.exe Infected: Trojan-Downloader.Win32.Zlob.hwr skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034206.dll Infected: Trojan-Downloader.Win32.Zlob.hxd skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034207.exe Infected: Trojan-Downloader.Win32.Zlob.hxf skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP509\A0035336.dll Infected: not-a-virus:AdWare.Win32.E404.i skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP509\A0035337.dll Infected: not-a-virus:AdWare.Win32.E404.i skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP509\A0035338.dll Infected: not-a-virus:AdWare.Win32.E404.i skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP510\A0035369.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP511\A0035384.exe Infected: Trojan-Downloader.Win32.Zlob.hwt skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP511\A0035405.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP512\A0035427.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP514\A0035471.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP514\A0035472.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP514\A0035473.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP514\A0035474.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP515\A0035498.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP516\A0035519.dll Infected: Trojan-Downloader.Win32.Agent.jbo skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP516\A0035542.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP516\A0035543.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP516\A0035544.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP516\A0035545.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP516\change.log Object is locked skipped
    C:\VundoFix Backups\jkkjj.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\VundoFix Backups\nphqbyxg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\VundoFix Backups\uhpnegcs.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\VundoFix Backups\uldkgugw.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\VundoFix Backups\xxyawwt.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\ahtqsbom.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\ailwrqkb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\benajyyd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\cabfgshx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\dmukb.exe Infected: Trojan.Win32.Small.fb skipped

    Continued...

  3. #3
    Junior Member
    Join Date
    Mar 2008
    Posts
    14


    C:\WINDOWS\system32\dvpgukdu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\eeanodqb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\ejijumtp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\eskslxne.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\fggfknti.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\fgmrcjtm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\gavgsdgl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\hdrfdhtl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\hmrfjaax.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\hnuhahlg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\kcumssxa.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\krirhpbr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\lbdimbst.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\lejtrieb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\mjcwfdab.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\mkcjrpbq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\mljgd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\mnqblngm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\ohotudne.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\opnmkjg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\owafiivd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\pfccolwj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\rotkpcnt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\thwhpqti.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\uchcopvt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\ulnxssvl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\xsmbojcx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\xxyawwt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

  4. #4
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    You are VERY infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do. I am counting at least three different infections including being hacked by these Ukrainians:
    http://whois.domaintools.com/85.255.113.90
    If you wish to clean this computer, do not expect fast or easy, and do stay offline except when you are troubleshooting here to deny the hackers access.

    1) See this: http://forums.spybot.info/showpost.p...80&postcount=2
    C:\Program Files\Java\jre1.5.0_03\ <<< Java is out of date and likely why you are infected. Download the newest version and uninstall all old versions in Add Remove programs.

    2) C:\Program Files\Microsoft AntiSpyware\ <<< obsolete program (now Windows Defender) uninstall it in Add Remove programs
    (do not download anything new I do not ask for at this point)

    3) I need information before we start, follow these directions.

    http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

    Search:
    Double-click SmitfraudFix.exe
    Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consultin...rocessutil.htm +

    Post only the C:\rapport.txt

    Thanks

    *** You have a very infected System Restore, do not use System Restore, we will clean that later.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  5. #5
    Junior Member
    Join Date
    Mar 2008
    Posts
    14

    Default

    Thanks for helping, completed all three tasks, SmitFraud report as follows:

    SmitFraudFix v2.300

    Scan done at 18:23:30.81, 07/03/2008
    Run from C:\Documents and Settings\Andrew\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE
    C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    C:\WINDOWS\System32\PhnxCDSvr.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
    C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Andrew


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Andrew\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Andrew\FAVORI~1

    C:\DOCUME~1\Andrew\FAVORI~1\Online Security Test.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    C:\Program Files\Helper\ FOUND !
    C:\Program Files\VirusHeat 3.9\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» VACFix
    !!!Attention, following keys are not inevitably infected!!!

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"="kdria.exe"

    kdria.exe detected !


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: VIA PCI 10/100Mb Fast Ethernet Adapter - Packet Scheduler Miniport
    DNS Server Search Order: 208.67.220.220
    DNS Server Search Order: 208.67.222.222

    Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

    Description: WAN (PPP/SLIP) Interface
    DNS Server Search Order: 85.255.113.90
    DNS Server Search Order: 85.255.112.74

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{046EC07B-EAC4-4E85-9420-64177DEC1AA1}: NameServer=85.255.113.90 85.255.112.74
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{0DE6284C-238A-4469-AB7D-51A32CBA94FC}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{0DE6284C-238A-4469-AB7D-51A32CBA94FC}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{D1B22B14-9C23-4782-8897-FFD3A4D08BA3}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{D1B22B14-9C23-4782-8897-FFD3A4D08BA3}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{046EC07B-EAC4-4E85-9420-64177DEC1AA1}: NameServer=85.255.113.90 85.255.112.74
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{0DE6284C-238A-4469-AB7D-51A32CBA94FC}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{0DE6284C-238A-4469-AB7D-51A32CBA94FC}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{D1B22B14-9C23-4782-8897-FFD3A4D08BA3}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{D1B22B14-9C23-4782-8897-FFD3A4D08BA3}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{0DE6284C-238A-4469-AB7D-51A32CBA94FC}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{0DE6284C-238A-4469-AB7D-51A32CBA94FC}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{D1B22B14-9C23-4782-8897-FFD3A4D08BA3}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{D1B22B14-9C23-4782-8897-FFD3A4D08BA3}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
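
As an added example (not part of this thread, and not code from SmitFraudFix or Fixwareout), the checks a defender would script over a rapport.txt like the one above: it reads the Winlogon.System and DNS sections, reports a non-empty Winlogon "System" value, flags any NameServer inside the 85.255.0.0/16 block the tool warns about in every control set it lists, and marks static resolver overrides that have no DHCP-assigned value. The excerpt embedded in it is constructed from values posted in this thread; HIJACK_RANGES and the finding wording are assumptions of mine.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of a SmitFraudFix rapport.txt, built from the values posted
# in this thread: a hijacked PPP interface in two control sets, OpenDNS elsewhere.
SAMPLE_RAPPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdria.exe"

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{046EC07B-EAC4-4E85-9420-64177DEC1AA1}: NameServer=85.255.113.90 85.255.112.74
HKLM\SYSTEM\CCS\Services\Tcpip\..\{0DE6284C-238A-4469-AB7D-51A32CBA94FC}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{0DE6284C-238A-4469-AB7D-51A32CBA94FC}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{046EC07B-EAC4-4E85-9420-64177DEC1AA1}: NameServer=85.255.113.90 85.255.112.74
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

# The resolver block SmitFraudFix names in its "DNS Hijack: 85.255.x.x" warning (assumed range).
HIJACK_RANGES = (ipaddress.ip_network("85.255.0.0/16"),)

SECTION_RE = re.compile(r"^»+\s*(.+?)\s*$")
WINLOGON_SYSTEM_RE = re.compile(r'^"System"="(?P<value>.*)"$', re.IGNORECASE)
REG_DNS_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\\{(?P<guid>[0-9A-F-]+)\}|Parameters): "
    r"(?P<name>DhcpNameServer|NameServer)=(?P<servers>.*)$",
    re.IGNORECASE,
)


def split_sections(text):
    """Group rapport lines under the »»» heading that precedes them."""
    sections, current = defaultdict(list), "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        else:
            sections[current].append(line)
    return sections


def parse_servers(field):
    """NameServer values are comma- or space-separated; skip blanks and non-IPs."""
    servers = []
    for tok in re.split(r"[,\s]+", field.strip()):
        try:
            servers.append(ipaddress.ip_address(tok))
        except ValueError:
            pass
    return servers


def check_rapport(text, ranges=HIJACK_RANGES):
    """Return (severity, message) findings in the order the evidence appears."""
    findings, sections = [], split_sections(text)

    # Winlogon "System" is empty on a clean XP install; an .exe here is started by
    # winlogon at boot, which is why SmitFraudFix prints it and Fixwareout cleared it.
    for line in sections.get("Winlogon.System", []):
        m = WINLOGON_SYSTEM_RE.match(line)
        if m and m.group("value"):
            findings.append(("high", f"Winlogon System value is '{m.group('value')}' (expected empty)"))

    records = [m for m in map(REG_DNS_RE.match, sections.get("DNS", [])) if m]
    # Every control set is listed: a value cleared from CCS but left in CS1/CS3
    # would return via Last Known Good Configuration, so check them all.
    dhcp_seen = {(m.group("cs").upper(), m.group("guid")) for m in records
                 if m.group("name") == "DhcpNameServer"}
    for m in records:
        cs, guid, name = m.group("cs").upper(), m.group("guid"), m.group("name")
        servers = parse_servers(m.group("servers"))
        where = f"{cs} interface {{{guid}}}" if guid else f"{cs} Tcpip\\Parameters"
        bad = [str(ip) for ip in servers if any(ip in net for net in ranges)]
        if bad:
            findings.append(("high", f"{where}: {name} in hijack range: {', '.join(bad)}"))
        # A static NameServer on an interface with no DHCP-assigned value is how the
        # PPP interface above was overridden; legitimate when hand-configured, so review.
        if guid and name == "NameServer" and servers and (cs, guid) not in dhcp_seen:
            findings.append(("review", f"{where}: static NameServer with no DhcpNameServer"))
    return findings
```

Run against the sample it prints nothing by itself; call check_rapport(SAMPLE_RAPPORT) to get the five findings, or point it at a real C:\rapport.txt read into a string.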

  6. #6
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for returning your information, let's proceed like this.

    1) Thanks to LonnyBJones and anyone else who helped with this fix.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/file...Fixwareout.exe

    Save it to your Desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts.
    You will be asked to reboot your computer; please do so.
    Your system may take longer than usual to load; this is normal.
    Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

    (wait until you finish to post the reports)


    2) Clean:
    Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    Double-click SmitfraudFix.exe
    Select 2 and hit Enter to delete infected files.
    You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Optional:
    To restore Trusted and Restricted site zone, select 3 and hit Enter.
    You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
    Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

    Post the C:\rapport.txt from Smitfraudfix, the report from Fixwareout and a new HJT log.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  7. #7
    Junior Member
    Join Date
    Mar 2008
    Posts
    14

    Default

    OK, managed to complete part 1) and the reports are attached; however, I was unable to restart the computer in Safe Mode. Every time I tried to load it up it would get so far through and then restart the computer; it appeared to hang on the following file each time: SYSTEM32\Drivers\Mup.sys. Don't know if this helps.

    Username "Andrew" - 08/03/2008 13:31:36 [Fixwareout edited 9/01/2007]

    ~~~~~ Prerun check
    HKLM\SOFTWARE\~\Winlogon\ "System"="kdria.exe"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{046EC07B-EAC4-4E85-9420-64177DEC1AA1}
    "nameserver"="85.255.113.90" <Value cleared.

    Successfully flushed the DNS Resolver Cache.


    System was rebooted successfully.

    ~~~~~ Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "system"=""
    ....
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "tuisc" Value deleted
    HKCR\CLSID\{662AB833-28CF-4844-BE63-73C691FE556E}\_h\4 Deleted.
    ....
    ~~~~~ Misc files.
    ....
    ~~~~~ Checking for older varients.
    ....

    Search five digit cs, dm, kd, jb, other, files.
    The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

    C:\WINDOWS\system32\dmukb.exe 60503 03/08/2004

    Click browse, find the file then click submit.
    http://www.virustotal.com/flash/index_en.html
    Or http://virusscan.jotti.org/

    ~~~~~ Other
    C:\WINDOWS\Temp\kdria.ren 84480 13/06/2007

    ~~~~~ Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VTTimer"="VTTimer.exe"
    "VTTrayp"="VTtrayp.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "farstone"=""
    "RestoreIT!"="\"C:\\Program Files\\Phoenix Technologies\\cME\\RPro\\ XP\\VBPTASK.EXE\" VBStart"
    "Guard"="\"C:\\Program Files\\Phoenix Technologies\\cME\\Guard\\Guard.exe\" /background"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
    "DSLSTATEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"
    "DSLAGENTEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"
    "VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
    "VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
    "MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
    "MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
    "EPSON Stylus Photo R240 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAHE.EXE /P30 \"EPSON Stylus Photo R240 Series\" /O6 \"USB001\" /M \"Stylus Photo R240\""
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "70160a15"="rundll32.exe \"C:\\WINDOWS\\system32\\bgghetei.dll\",b"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
    "BM73253989"="Rundll32.exe \"C:\\WINDOWS\\system32\\htxtidlb.dll\",s"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it...
    ~~~~~ End report ~~~~~

    And HJT report

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:41:59, on 08/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE
    C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\System32\PhnxCDSvr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
    C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
    O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [70160a15] rundll32.exe "C:\WINDOWS\system32\bgghetei.dll",b
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [BM73253989] Rundll32.exe "C:\WINDOWS\system32\htxtidlb.dll",s
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Picture Package VCD Maker.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yaho...1/yregucfg.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0DE6284C-238A-4469-AB7D-51A32CBA94FC}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D1B22B14-9C23-4782-8897-FFD3A4D08BA3}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\System32\PhnxCDSvr.exe

    --
    End of file - 7869 bytes

  8. #8
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    We need to run the clean function with Smitfraudfix, look at these instructions:
    http://spyware-free.us/tutorials/safemode/
    to be positive you are following the correct procedure for entering safe mode. If you are and still can't run Smitfraudfix in safe mode, please run the instructions for Smitfraudfix in post #6 in normal mode and post the C:\rapport.txt.
    We still have a Vundo infection to deal with.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  9. #9
    Junior Member
    Join Date
    Mar 2008
    Posts
    14

    Default

    I tried to get into Safe Mode again having read your instructions; however, I still got the same problem. So I ran SmitfraudFix in normal mode, rapport attached:

    SmitFraudFix v2.300

    Scan done at 16:26:20.92, 08/03/2008
    Run from C:\Documents and Settings\Andrew\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» VACFix

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
    C:\DOCUME~1\Andrew\FAVORI~1\Online Security Test.url Deleted
    C:\Program Files\Helper\ Deleted
    C:\Program Files\VirusHeat 3.9\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: VIA PCI 10/100Mb Fast Ethernet Adapter - Packet Scheduler Miniport
    DNS Server Search Order: 208.67.220.220
    DNS Server Search Order: 208.67.222.222

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{0DE6284C-238A-4469-AB7D-51A32CBA94FC}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{0DE6284C-238A-4469-AB7D-51A32CBA94FC}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{D1B22B14-9C23-4782-8897-FFD3A4D08BA3}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{D1B22B14-9C23-4782-8897-FFD3A4D08BA3}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{0DE6284C-238A-4469-AB7D-51A32CBA94FC}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{0DE6284C-238A-4469-AB7D-51A32CBA94FC}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{D1B22B14-9C23-4782-8897-FFD3A4D08BA3}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{D1B22B14-9C23-4782-8897-FFD3A4D08BA3}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{0DE6284C-238A-4469-AB7D-51A32CBA94FC}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{0DE6284C-238A-4469-AB7D-51A32CBA94FC}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{D1B22B14-9C23-4782-8897-FFD3A4D08BA3}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{D1B22B14-9C23-4782-8897-FFD3A4D08BA3}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "system"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

  10. #10
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Please post a new HJT log, I need to see the log created after Smitfraudfix was run.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
