Page 1 of 3 (results 1 to 10 of 26)

Thread: cmdservice and SmitFraud-C. cant be removed from Spybot! HELP!

  1. #1
    Member
    Join Date
    Sep 2006
    Posts
    30

    cmdservice and SmitFraud-C. cant be removed from Spybot! HELP!

    When I run Windows, there's some hidden program running in the background, so for like the first 10 minutes after Windows is loaded I can't use any program or folder. Ran Spybot, and these 3 files I can't delete.

    I've searched out this forum from Google with regard to these two problems, and it seems to be quite dangerous. Can someone help me? I will post my HJT log. Thanks!

    Logfile of HijackThis v1.99.1
    Scan saved at 10:36:46 AM, on 9/29/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Matlab6p1\webserver\bin\win32\matlabserver.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Netspace Usage Grabber\NetspaceGrab.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\BearShare\BearShare.exe
    C:\Documents and Settings\lim wu\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
    R3 - URLSearchHook: (no name) - {A1AA9DF0-0D69-0697-1401-57F07DBD6094} - C:\WINDOWS\system32\alujwgjl.dll (file missing)
    F2 - REG:system.ini: UserInit=userinit.exe
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Netspace Usage Grabber.lnk = C:\Program Files\Netspace Usage Grabber\NetspaceGrab.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk.disabled
    O4 - Global Startup: iTouch Configuration.lnk = C:\Program Files\Logitech\iTouch\iTouchcf.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.sxload.com
    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/in...eanerstart.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\LIMWU~1\LOCALS~1\Temp\mma.chm::/joysavsht.cab
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\LIMWU~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1D48A0CC-D4A2-4224-BA75-CE0680BB4B0E}: NameServer = 192.168.1.254
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1D48A0CC-D4A2-4224-BA75-CE0680BB4B0E}: NameServer = 192.168.1.254
    O17 - HKLM\System\CS3\Services\Tcpip\..\{1D48A0CC-D4A2-4224-BA75-CE0680BB4B0E}: NameServer = 192.168.1.254
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: hpdj - HP - C:\DOCUME~1\LIMWU~1\LOCALS~1\Temp\hpdj.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Matlab6p1\webserver\bin\win32\matlabserver.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

  2. #2
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Hello and welcome to the forum. Sorry for the wait; logs are many and volunteers are few. If you still need help and are not receiving it at another forum, please do this.

    1) You are running two antivirus programs at the same time: Grisoft\AVGFRE and NOD32 Antivirus System. This is not a good thing. They conflict with each other, and you will be less safe than if you ran one good program and maintained it properly. Uninstall one, update the one you keep and run a complete system scan. Post for me any item that can't be removed, with the complete name and pathway.
    http://service1.symantec.com/SUPPORT...00031316555206
    "Microsoft recommends that you have only one anti-virus program installed on your computer."
    http://www.washingtonpost.com/wp-dyn...120300087.html

    2) I suggest you uninstall this program: BearShare. See this information: http://www.castlecops.com/s388-bearshare_exe.html

    3) We may be dealing with a Smitfraud infection; this tool will tell us. Please download SmitfraudFix (by S!Ri).
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm

    4) Complete the above instructions and post the results of SmitfraudFix "Search" and a new HJT log. Add any comments you think will help.

    Thanks

  3. #3
    Member
    Join Date
    Sep 2006
    Posts
    30


    hi pskelley,

    Scan performed at: 10/1/2006 3:05:30 AM
    Scanning Log
    NOD32 version 1.1784 (20060929) NT
    Operating memory - is OK

    Date: 1.10.2006 Time: 03:05:42
    Scanned disks, folders and files: C:; D:; E:; F:; G:
    C:\hiberfil.sys - error opening (File locked) [4]
    C:\pagefile.sys - error opening (File locked) [4]
    C:\Documents and Settings\lim wu\Desktop\SmitfraudFix.zip »ZIP »SmitfraudFix/Process.exe - Win32/PrcView application
    C:\Documents and Settings\lim wu\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
    C:\Documents and Settings\lim wu\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
    C:\Documents and Settings\lim wu\Local Settings\Application Data\Mozilla\Firefox\Profiles\b5j0osw3.default\Cache\633285D9d01 »ZIP »SmitfraudFix/Process.exe - Win32/PrcView application
    C:\Documents and Settings\lim wu\Local Settings\Temp\sa54.exe »NSIS »Spy-Quake2.exe - Win32/Adware.SpywareQuake application
    C:\Documents and Settings\lim wu\Local Settings\Temp\Temporary Internet Files\Content.IE5\816FG1Y7\anti4[1].exe - a variant of Win32/TrojanDownloader.ConHook trojan
    C:\Documents and Settings\lim wu\Local Settings\Temporary Internet Files\Content.IE5\OLKXINWH\SysProtectScannerInstall[1].cab »CAB »USYP_0002_N91M1708NetInstaller.exe - probably a variant of Win32/Adware.WinFixer application

    C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]
    C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
    C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked) [4]
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (File locked) [4]
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »Ad-Aware SE Default.skn - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »arrow1.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »arrow2.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bck1.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt11.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt12.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt13.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt21.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt22.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt23.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt31.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt32.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt33.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt41.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt42.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt43.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt51.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt52.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt53.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt61.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt62.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »checkbox1.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »checkbox2.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »checkbox3.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »checkbox4.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »defbtn1.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »defbtn2.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »defbtn3.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph1.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph2.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph3.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph4.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph5.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph6.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph7.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »main.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »preview.bmp - error - password-protected file
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »sprite1.bmp - error - password-protected file
    C:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
    C:\WINDOWS\SoftwareDistribution\EventCache\{2618FA41-399B-44D1-A192-C9D41E9CBA3A}.bin - error opening (File locked) [4]
    C:\WINDOWS\SoftwareDistribution\EventCache\{FD44E2C8-829D-45F2-A926-8604BC91FBF8}.bin - error opening (File locked) [4]
    C:\WINDOWS\system32\hggfedd.dll - a variant of Win32/TrojanDownloader.ConHook trojan
    C:\WINDOWS\system32\config\default - error opening (File locked) [4]
    C:\WINDOWS\system32\config\default.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\software - error opening (File locked) [4]
    C:\WINDOWS\system32\config\software.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\system - error opening (File locked) [4]
    C:\WINDOWS\system32\config\system.LOG - error opening (File locked) [4]
    D:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »Ad-Aware SE Default.skn - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »arrow1.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »arrow2.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »bck1.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt11.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt12.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt13.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt21.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt22.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt23.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt31.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt32.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt33.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt41.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt42.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt43.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt51.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt52.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt53.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt61.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt62.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »checkbox1.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »checkbox2.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »checkbox3.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »checkbox4.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »defbtn1.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »defbtn2.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »defbtn3.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph1.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph2.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph3.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph4.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph5.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph6.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph7.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »main.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »preview.bmp - error - password-protected file
    E:\My Stuff\aawsepersonal.exe »WISE »Ad-Aware SE default.ask »ZIP »sprite1.bmp - error - password-protected file
    E:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
    E:\System Volume Information\_restore{FA296778-132F-449F-868F-57E9E92378DA}\RP62\A0003885.EXE »WISE »fsg.exe - Win32/Adware.Gator.Trickler application
    F:\RECYCLER\NPROTECT\00000000.exe - error opening (Access denied) [4]
    F:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
    G:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
    Number of scanned files: 378815
    Number of threats found: 7
    Number of files cleaned: 2
    Number of active threats: 5
    Time of completion: 10:01:17 Total scanning time: 24935 sec (06:55:35)

    Notes:
    [4] File cannot be opened. It may be in use by another application or operating system.

    That's my scan log. The ones I put in bold are the ones that couldn't be removed.

    Also, the process.exe file in the SmitFraudFix was quarantined by NOD32. I can't run the cmd file without it. How do I fix that? Tried to turn off NOD32 and unzip the files, but process.exe won't turn up.

    Another problem I forgot to mention is that whenever I run my browser (i.e. Firefox), a pop-up comes up, and it is some antivirus ad, Win Anti Virus 2006, I think. Bloody irritating.

    By the way, I deleted bearshare.

    Just need to run SmitFraudFix. =*(

  4. #4
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Thanks for returning that information. You probably have a Vundo infection, and we will get to it as soon as possible. I need to see the information I requested before I can proceed.
    4) Complete the above instructions and post the results of SmitfraudFix "Search" and a new HJT log. Add any comments you think will help.
    Also, the process.exe file in the SmitFraudFix was quarantined by NOD32. I can't run the cmd file without it. How do i fix that? Tried to turn off NOD32 and unzip the files but process.exe won't turn up.
    We need to run that program. Turn off your antivirus program when you download it, follow the instructions for Smitfraudfix, and then turn your antivirus program back on. If you have to, contact the tech folks at NOD32 and ask them how to do it. If you are infected, we need the tool to clean the infection also. Seems NOD32 is not going to clean it for you!!

    Thanks

  5. #5
    Member
    Join Date
    Sep 2006
    Posts
    30


    Uninstalled NOD32 and got SmitFraudFix to work! =) Here's the log.

    SmitFraudFix v2.103

    Scan done at 22:13:28.65, Sun 10/01/2006
    Run from D:\sff\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

    C:\WINDOWS\keyboard1.dat FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\ot.ico FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\lim wu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\lim wu\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\LIMWU~1\FAVORI~1

    C:\DOCUME~1\LIMWU~1\FAVORI~1\Antivirus Test Online.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

  6. #6
    Member
    Join Date
    Sep 2006
    Posts
    30


    New HJT Log
    Logfile of HijackThis v1.99.1
    Scan saved at 10:15:25 PM, on 10/1/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Matlab6p1\webserver\bin\win32\matlabserver.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Netspace Usage Grabber\NetspaceGrab.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
    R3 - URLSearchHook: (no name) - {A1AA9DF0-0D69-0697-1401-57F07DBD6094} - C:\WINDOWS\system32\alujwgjl.dll (file missing)
    F2 - REG:system.ini: UserInit=userinit.exe
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Netspace Usage Grabber.lnk = C:\Program Files\Netspace Usage Grabber\NetspaceGrab.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk.disabled
    O4 - Global Startup: iTouch Configuration.lnk = C:\Program Files\Logitech\iTouch\iTouchcf.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.sxload.com
    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/in...eanerstart.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\LIMWU~1\LOCALS~1\Temp\mma.chm::/joysavsht.cab
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\LIMWU~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1D48A0CC-D4A2-4224-BA75-CE0680BB4B0E}: NameServer = 192.168.1.254
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1D48A0CC-D4A2-4224-BA75-CE0680BB4B0E}: NameServer = 192.168.1.254
    O17 - HKLM\System\CS3\Services\Tcpip\..\{1D48A0CC-D4A2-4224-BA75-CE0680BB4B0E}: NameServer = 192.168.1.254
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: hpdj - HP - C:\DOCUME~1\LIMWU~1\LOCALS~1\Temp\hpdj.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Matlab6p1\webserver\bin\win32\matlabserver.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

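The two HijackThis logs in this thread (post #1 and post #6) differ mainly in the antivirus entries that disappeared once NOD32 and AVG were uninstalled, while the entries a helper would query (a URLSearchHook whose DLL is missing, a service and an ActiveX installer staged under the user's Temp folder, an SSODL entry with no file, a Trusted Zone addition) are unchanged between the two scans. As an added example that is not part of the original thread and not code from HijackThis or SmitfraudFix, the Python below parses HJT-style entry lines, applies a few review heuristics of the kind a helper applies by eye, and reports what changed between two scans. The sample lines are constructed from entries quoted in this thread and are not complete logs; the flag rules are my own review heuristics, not a HijackThis feature, and a flag means "look at this", not "malicious".

```python
"""Triage helper for HijackThis-style logs (added example; not a tool from the thread)."""
import re
from typing import Dict, List, Tuple

# Constructed samples modelled on entries quoted in this thread; not complete logs.
LOG_BEFORE = r"""
R3 - URLSearchHook: (no name) - {A1AA9DF0-0D69-0697-1401-57F07DBD6094} - C:\WINDOWS\system32\alujwgjl.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\LIMWU~1\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: hpdj - HP - C:\DOCUME~1\LIMWU~1\LOCALS~1\Temp\hpdj.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

LOG_AFTER = r"""
R3 - URLSearchHook: (no name) - {A1AA9DF0-0D69-0697-1401-57F07DBD6094} - C:\WINDOWS\system32\alujwgjl.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\LIMWU~1\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: hpdj - HP - C:\DOCUME~1\LIMWU~1\LOCALS~1\Temp\hpdj.exe
"""

# An HJT entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Any path component named Temp (covers both "Local Settings\Temp" and "LOCALS~1\Temp").
TEMP_PATH_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every entry line; headers and blanks are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage_entry(section: str, body: str) -> List[str]:
    """Review heuristics (my own, not HijackThis's) for one entry."""
    flags = []
    if "(no file)" in body or "(file missing)" in body:
        flags.append("orphaned: registry entry points at a file that no longer exists")
    if section in ("O4", "O16", "O23") and TEMP_PATH_RE.search(body):
        flags.append("temp-path: autostart, service or installer loaded from a Temp directory")
    if section == "O16" and "mk:@msitstore:" in body.lower():
        flags.append("chm-dpf: ActiveX package staged inside a local .chm file")
    if section == "O15":
        flags.append("trusted-zone: site granted IE Trusted Zone privileges; confirm it is wanted")
    return flags


def triage_log(log: str) -> Dict[str, List[str]]:
    """Map every flagged entry line to its list of review flags."""
    report: Dict[str, List[str]] = {}
    for section, body in parse_entries(log):
        flags = triage_entry(section, body)
        if flags:
            report[f"{section} - {body}"] = flags
    return report


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries removed from and added to the log between two scans (exact-line comparison)."""
    b = {f"{s} - {x}" for s, x in parse_entries(before)}
    a = {f"{s} - {x}" for s, x in parse_entries(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for entry, flags in triage_log(LOG_AFTER).items():
        print(entry)
        for f in flags:
            print("    ->", f)
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("\nRemoved since first scan:", *removed, sep="\n  ")
    print("\nAdded since first scan:", *added, sep="\n  ")
```

Run against the two constructed samples, the diff shows only the uninstalled antivirus entries leaving and one QuickTime autostart arriving, while the same five entries stay flagged in both scans; that is the situation the helper's reply to post #6 describes, where the cleanup tool is still needed. The rules are deliberately narrow: a Temp-path service or a missing-file entry is a reason to ask about a line, not proof of infection, and benign software such as an installer-staged printer driver service can trip them.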
  7. #7
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    OK, good job. You can see the tool found the infection. Follow the directions in this link: http://forums.spybot.info/showthread.php?t=4015 When you finish the instructions, post the three logs in this same topic using the "Post Reply" button.
    Just do not run the "search" function again, you know it is there. Complete all of the rest of the instructions.

    Spybot-S&D: Be sure to follow the directions to save the scan report but do not post it here unless requested by a helper.

    I want you to return here: C:\HijackThis\HijackThis.exe before you post the next HJT log. Rename HJT to say MyFix.exe or something similar, then restart the computer and scan for the new log. If the Vundo infection is there, you will be able to see it in BHOs and in the O20 Winlogon.

    Thanks...pskelley
    Safer Networking Forums

    If you would like to let your thoughts be known about the lowlifes who put that junk on your computer, you can do that here:
    If you have been infected by one of the SpyAxe family
    http://forums.tomcoyote.org/index.php?showtopic=58063
    http://www.malwarecomplaints.info/

  8. #8
    Member
    Join Date
    Sep 2006
    Posts
    30


    I seem to have a problem running safe mode on my computer. Somehow when I log in, the screen is just black, and this pop-up comes up asking for System Restore, and it goes away, and after that nothing comes up. Just a black screen, with "safe mode" written in the 4 corners and Microsoft Windows XP at the top.

    I've waited for quite some time and I can't seem to get into my computer in safe mode. =(

  9. #9
    Member
    Join Date
    Sep 2006
    Posts
    30


    Is it possible to do all those things without safe mode?

  10. #10
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    The tools will do a much better job of cleaning your computer if they are run in safe mode, when the junk is not running. Here are more instructions for accessing safe mode:
    http://www.bleepingcomputer.com/tuto...utorial61.html
    http://www.microsoft.com/resources/d....mspx?mfr=true

    This is your computer's diagnostic mode, and you should be able to access it anytime you need to. I do all of my maintenance in safe mode. If you absolutely cannot boot to safe mode once you have reviewed the information I have just posted, then try it in normal mode to see what happens.

    Thanks
