Critical System Errors!

[DarkeN]

Also, I get a RUNDLL message when I load up Windows that says: "Error loading C:\WINDOWS\system32\drvab.dll The specified module could not be found."

I'm sure this is just a product of us tearing out the bad stuff from my system, and what is left is searching desperately for itself, but I figured I'd mention it just in case.

Thanks

Here's the log



Jacob R - 06-11-30 23:18:36.48 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Jacob R\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *



DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard1.dat
C:\WINDOWS\system32\issearch.exe
C:\Program Files\windows
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{143BECB9-07CE-1033-0719-040403300001}
C:\Program Files\Common Files\{343BECB9-07CE-1033-0719-040403300001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Jacob R\Application Data\YSTEM~1
C:\QooBox\Purity\Documents and Settings\Jacob R\My Documents\CROSOF~1
C:\QooBox\Purity\Documents and Settings\Jacob R\My Documents\DOBE~1
C:\QooBox\Purity\Documents and Settings\Jacob R\My Documents\CROSOF~1\CROSOF~1
C:\QooBox\Purity\Documents and Settings\Jacob R\My Documents\CROSOF~1\dvdplay.exe
C:\QooBox\Purity\Program Files\WNSXS~1
C:\QooBox\Purity\Program Files\WNSXS~1\?ti2evxx.exe


((((((((((((((((((((((((((((((( Files Created from 2006-10-30 to 2006-11-30 ))))))))))))))))))))))))))))))))))


2006-11-29 20:27 56,320 --a------ C:\WINDOWS\system32\vgxhlxsk.dll
2006-11-29 10:21 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-29 10:21 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-29 10:21 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-29 10:21 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-11-29 09:47 <DIR> d-------- C:\VundoFix Backups
2006-11-28 21:55 <DIR> d-------- C:\Documents and Settings\Jacob R\Application Data\dvdcss
2006-11-27 19:41 88,340 --a------ C:\WINDOWS\system32\oglarloe.exe
2006-11-27 19:41 42,516 --a------ C:\WINDOWS\system32\iwddsnnf.dll
2006-11-27 19:41 <DIR> d-a------ C:\Program Files\VSAdd-in
2006-11-21 23:21 40,973 --------- C:\WINDOWS\system32\wvustrr.dll
2006-11-21 22:10 2 --a------ C:\WINDOWS\system32\wcpcc.exe
2006-11-21 21:44 <DIR> d-------- C:\WINDOWS\wkqk
2006-11-21 21:44 <DIR> d-------- C:\Program Files\Common Files\wkqk
2006-11-21 21:14 77,824 --a------ C:\WINDOWS\system32\fmrmhc.dll
2006-11-21 21:06 <DIR> d-------- C:\Program Files\Photoshop
2006-11-18 00:03 <DIR> d-------- C:\Program Files\Delta
2006-11-17 20:45 <DIR> d-------- C:\Documents and Settings\Jacob R\Application Data\fltk.org
2006-11-07 22:33 <DIR> d-------- C:\Program Files\Burning Crusade Closed Beta


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-30 23:20 -------- d-------- C:\Program Files\PeerGuardian2
2006-11-30 23:19 -------- d-------- C:\Program Files\Common Files
2006-11-30 21:51 -------- d-------- C:\Documents and Settings\Jacob R\Application Data\Hamachi
2006-11-30 14:35 -------- d-------- C:\Program Files\World of Warcraft
2006-11-30 14:31 -------- d-------- C:\Program Files\Steam
2006-11-29 09:13 -------- d-------- C:\Documents and Settings\Jacob R\Application Data\Azureus
2006-11-27 19:26 -------- d-------- C:\Program Files\ewido anti-malware
2006-11-22 00:06 -------- d-------- C:\Program Files\DAEMON Tools
2006-11-21 21:31 -------- d-------- C:\Program Files\Symantec
2006-11-21 07:22 -------- d-------- C:\Program Files\Trillian
2006-11-09 18:36 -------- d-------- C:\Documents and Settings\Jacob R\Application Data\Ventrilo
2006-11-09 16:24 -------- d-------- C:\Program Files\Common Files\AOL
2006-11-07 22:44 -------- d-------- C:\Program Files\Common Files\Blizzard Entertainment
2006-11-07 22:31 -------- d-------- C:\Program Files\AOL
2006-11-07 22:26 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-02 16:09 -------- d-------- C:\Program Files\Ventrilo
2006-10-18 22:42 -------- d-------- C:\Program Files\Google
2006-10-16 10:58 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-09 10:54 -------- d-------- C:\Documents and Settings\Jacob R\Application Data\Real
2006-10-09 10:54 -------- d-------- C:\Documents and Settings\Jacob R\Application Data\Media Player Classic
2006-10-09 10:41 -------- d-------- C:\Program Files\K-Lite Codec Pack
2006-10-03 20:05 -------- d-------- C:\Program Files\WebCamXP
2006-10-03 15:03 15440 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2006-09-28 12:05 5886725 --a------ C:\WINDOWS\PP.exe
2006-09-28 12:05 28672 --a------ C:\WINDOWS\system32\LicenceWM.exe
2006-09-25 14:43 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-09-15 22:52 91904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-09-13 22:14 593938 --a------ C:\WINDOWS\system32\x264vfw.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Bandwidth Monitor Pro"="\"C:\\Program Files\\Bandwidth Monitor Pro\\Bandwidth Monitor Pro.exe\" /minimized"
"Steam"="\"c:\\program files\\steam\\steam.exe\" -silent"
"PeerGuardian"="C:\\Program Files\\PeerGuardian2\\pg2.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"Uble"="\"C:\\DOCUME~1\\JACOBR~1\\MYDOCU~1\\CROSOF~1\\dvdplay.exe\" -vt ndrv"
"Okkuv"="C:\\Program Files\\W?nSxS\\?ti2evxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PtiuPbmd"="Rundll32.exe ptipbm.dll,SetWriteBack"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"xload"="\"C:\\WINDOWS\\xload.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"CTHelper"="CTHELPER.EXE"
"Adobe Version Cue CS2"="\"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\ControlPanel\\VersionCueCS2Tray.exe\""
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Adobe Acrobat 7.0\\Distillr\\Acrotray.exe\""
"WinVNC"="\"C:\\Program Files\\UltraVNC\\winvnc.exe\" -servicehelper"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvzab.dll,startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,c2,01,00,00,00,00,00,00,3e,03,00,00,c4,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,d2,03,00,00,23,00,00,00,1c,01,00,00,27,01,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{0bad5052-665d-40d4-a9bd-a2891eaafb42}"="boucicault"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"boucicault"="{0bad5052-665d-40d4-a9bd-a2891eaafb42}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mschedsvc"=dword:00000003
"winvnc"=dword:00000002

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrge32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Jacob R.job

Completion time: 06-11-30 23:22:31.79
C:\ComboFix.txt ... 06-11-30 23:22

[Mr_JAk3]

Hi again, we'll continue

Please remove the old version of Ewido security suite via Control Panel -> Add/Remove programs.
We'll install the latest version, AVG Anti-Spyware.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

• Install AVG Anti-Spyware by double clicking the installer.
• Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
• On the main screen under Your Computer's security.
  
  • Click on Change state next to Resident shield. It should now change to inactive.
  • Click on Change state next to Automatic updates. It should now change to inactive.
  • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
  • Wait until you see the Update succesfull message.
• Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
• Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

Make your hidden files visible:

• Go to My Computer
• Select the Tools menu and click Folder Options
• Click the View tab.
• Checkmark the "Display the contents of system folders"
• Under the Hidden files and folders select "Show hidden files and folders"
• Uncheck "Hide protected operating system files"
• Click Apply and then the OK and close My Computer.

==================

Open Control Panel -> Add/Remove programs -> Remove all the of the following or similar entries if found:

VSAdd-in
VSToolbar

and any other programs you didn't install or don't recognize - if your not sure please ask first

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R3 - URLSearchHook: (no name) - {FCC827B3-EE21-C4F8-2D00-CB891C593490} - C:\WINDOWS\system32\ardpf.dll (file missing)
R3 - URLSearchHook: (no name) - {41E6794C-ECD8-CB00-D3FF-C46932AA8DC1} - C:\WINDOWS\system32\jieqb.dll (file missing)
R3 - URLSearchHook: (no name) - {4228A7DD-334D-15CC-13E3-4591FDD78BC5} - C:\WINDOWS\system32\vgxhlxsk.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\iwddsnnf.dll
O2 - BHO: (no name) - {41E6794C-ECD8-CB00-D3FF-C46932AA8DC1} - C:\WINDOWS\system32\jieqb.dll (file missing)
O2 - BHO: (no name) - {4228A7DD-334D-15CC-13E3-4591FDD78BC5} - C:\WINDOWS\system32\vgxhlxsk.dll
O2 - BHO: (no name) - {5E408ACF-E76A-4FB7-A57C-13B250C9EEEC} - C:\WINDOWS\system32\ssttq.dll (file missing)
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {A8D1B5FE-66D4-4C0E-9C36-826D13B32414} - C:\WINDOWS\system32\jkkjj.dll (file missing)
O2 - BHO: (no name) - {FCC827B3-EE21-C4F8-2D00-CB891C593490} - C:\WINDOWS\system32\ardpf.dll (file missing)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [vlmcaf] C:\WINDOWS\system32\wtikah.exe reg_run
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzab.dll,startup
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [Uble] "C:\DOCUME~1\JACOBR~1\MYDOCU~1\CROSOF~1\dvdplay.exe" -vt ndrv
O4 - HKCU\..\Run: [Okkuv] C:\Program Files\W?nSxS\?ti2evxx.exe
O20 - Winlogon Notify: winrge32 - winrge32.dll (file missing)
O21 - SSODL: boucicault - {0bad5052-665d-40d4-a9bd-a2891eaafb42} - C:\WINDOWS\system32\fmrmhc.dll

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\vgxhlxsk.dll
C:\WINDOWS\system32\oglarloe.exe
C:\WINDOWS\system32\iwddsnnf.dll
C:\WINDOWS\system32\wvustrr.dll
C:\WINDOWS\system32\wcpcc.exe
C:\WINDOWS\system32\fmrmhc.dll
C:\WINDOWS\xload.exe
C:\WINDOWS\system32\wtikah.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:

• Restart your computer
• Start tapping the F8 key when the computer restarts.
• When the start menu opens, choose Safe mode
• Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following folders (if present):
C:\WINDOWS\wkqk
C:\Program Files\Common Files\wkqk
C:\Program Files\VSAdd-in
C:\Program Files\VSToolbar
C:\Program Files\ipwins

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Restart to the sfae mode again.

Run ATF Cleaner

• Under Main choose: Select All
  Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

• Click on Scanner on the toolbar.
• Click on the Settings tab.
  
  • Under How to act?
    
    • Click on Recommended Action and choose Quarantine from the popup menu.
  • Under How to scan?
    
    • All checkboxes should be ticked.
  • Under Possibly unwanted software:
    
    • All checkboxes should be ticked.
  • Under Reports:
    
    • Select Automatically generate report after every scan and uncheck Only if threats were found.
  • Under What to scan?
    
    • Select Scan every file.
• Click on the Scan tab.
• Click on Complete System Scan to start the scan process.
• Let the program scan the machine.
• When the scan has finished, follow the instructions below.
  IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
  
  • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
  • At the bottom of the window click on the Apply all Actions button. (3)
    
• When done, click the Save Scan Report button. (4)
  
  • Click the Save Report as button.
  • Save the report to your Desktop.
• Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
- contents of C:\Rapport.txt

[DarkeN]

Logfile of HijackThis v1.99.1
Scan saved at 12:01, on 06-12-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\program files\steam\steam.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Google\Google Updater\1.1.514.27546\GoogleUpdater.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Jacob R\Desktop\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.1.514.27546\GoogleUpdater.exe
O4 - Global Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:57 06-12-01

+ Scan result:



C:\!KillBox\wvustrr.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\!KillBox\wcpcc.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\RGFya2VO\l3IVuZpi.vbs -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

[DarkeN]

SmitFraudFix v2.125

Scan done at 10:50:23.59, 06-12-01
Run from C:\Documents and Settings\Jacob R\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

[DarkeN]

You are so incredibly thorough, I very much appreciate your help.

[Mr_JAk3]

Hi again, it is looking good now
The computer is running fine ?

Remove the following folder:
C:\WINDOWS\RGFya2VO

Then fix the fllowing leftover with HijackThis:
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Reboot and scan again, the entry should be gone.

Now you can clean AVG's Quarantine:

• Open AVG Anti-Spyware
• Click Infections
• Click Quarantine tab
• Click Select all
• Click Remove finally
• Close the program

You can remove the tools we used.
You can remove the following backup folders, C:\!KillBox
C:\Vundofix backups

Then you should update your Java to the latest version (5.0 update 10)

• Start
• Control Panel
• Add/Remove Programs
• Delete the old Java, J2SE Runtime Environment 5.0 Update 6
• Download the latest version of Java Runtime Environment (JRE) 5.0 Update 10.
• Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement."
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Install it

Now you can make your hidden files hidden again.

• Go to My Computer
• Select the Tools menu and click Folder Options
• Click the View tab.
• Checkmark the "Display the contents of system folders"
• Under the Hidden files and folders select "Show hidden files and folders"
• Check "Hide protected operating system files"
• Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:

• Clear your system restore
  This will clear the system restore folders from possible malware that was left behind during the cleaning process.
  
• Use ATF Cleaner
  Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
  
• Use Ad-Aware
  Download and install Ad-Aware. Update it and scan your computer regularly with it.
  
• Use AVG Anti-Spyware
  Update it and scan your computer regularly with it.
  
• Use Spybot S&D
  Download and install Spybot S&D. Update it and scan your computer regularly with it.
  
• Install SpywareBlaster
  SpywareBlaster will prevent spyware from being installed.
  
• Install MVPS Hosts file
  This prevents your computer from connecting to harmful sites.
  
• Use Firefox browser
  Firefox is faster, safer and better browser than Internet Explorer.
  
• Keep your systen up-to-date
  Visit Windows Update regularly.
  
• Keep your antivirus and firewall up-to-date
  Scan your computer regularly with your antivirus.
  
• Read this article by TonyKlein
  So how did I get infected in the first place?
  
• Stand Up and Be Counted !
  The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Stay clean and be safe

[DarkeN]

Works perfectly! Is there anywhere where I can give you a good review?

[Mr_JAk3]

That's great news and you're very welcome

Works perfectly!

I think that is a great review, thanks

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help