Help with Smitfraud and ??

kenbeuken

New member
Been having a lot of trouble with this. Spent about 24 hours now working on it and have not got anywhere. Here is a HJT log. I also am having trouble accessing some websites on the computer in question (such as Combofix). Don't know what that has to do with this.

Logfile of HijackThis v1.99.1
Scan saved at 12:48:37 PM, on 7/29/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\WINNT\Profiles\Ken\Desktop\HelpMe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [PROMon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [hkmheepA] C:\WINNT\hkmheepA.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINNT\g4356cbvy63
O4 - HKLM\..\Run: [avp] C:\WINNT\avp.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINNT\System32\drvsag.dll,startup
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINNT\System32\ylcsrdpn.dll",sitypnow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Adab] "C:\WINNT\Profiles\Ken\MYDOCU~1\TSKS~1\smss.exe" -vt ndrv
O4 - HKCU\..\Run: [Oniswr] C:\WINNT\system32\??curity\?explore.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\TISKY009.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O13 - WWW. Prefix: http://
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162783581169
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\Software\..\Telephony: DomainName = cox.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cox.net
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DomainService - - C:\WINNT\System32\qwerty12.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
 
Hi

Please rename the hijackthis.exe file to problems.exe then run it again & post a new log...

steam
 
Was just doing that when you posted. I am having to try to email logs to a different computer because the problem one can't seem to find this URL for some reason, and it is taking some time. Also, I have been trying to run an online virus scan, but am not getting anywhere. Here is the new log.

Logfile of HijackThis v1.99.1
Scan saved at 1:52:36 PM, on 7/29/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Profiles\Ken\Desktop\HelpMe\problem.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D154ED9-A44E-8595-1A64-888DB126879F} - C:\WINNT\System32\ecko.dll
O2 - BHO: (no name) - {1FE1E84C-157C-4752-AFFE-9649A0B34B6C} - C:\WINNT\System32\vtsqr.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINNT\System32\yayvstt.dll
O2 - BHO: (no name) - {467003B0-84EB-49B2-A984-1EE783548311} - C:\Program Files\Toshiba\mesowifym83122.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A21ACCE7-9D5D-434A-A69F-42FF1F44216B} - C:\Program Files\Toshiba\mesowifym4.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINNT\System32\mnuoqcta.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINNT\System32\dnsersnd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [PROMon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [hkmheepA] C:\WINNT\hkmheepA.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINNT\g4356cbvy63
O4 - HKLM\..\Run: [avp] C:\WINNT\avp.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINNT\System32\drvsag.dll,startup
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINNT\System32\ylcsrdpn.dll",sitypnow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Adab] "C:\WINNT\Profiles\Ken\MYDOCU~1\TSKS~1\smss.exe" -vt ndrv
O4 - HKCU\..\Run: [Oniswr] C:\WINNT\system32\??curity\?explore.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\TISKY009.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O13 - WWW. Prefix: http://
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162783581169
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\Software\..\Telephony: DomainName = cox.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cox.net
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll

O20 - Winlogon Notify: vtsqr - C:\WINNT\System32\vtsqr.dll
O20 - Winlogon Notify: winilc32 - C:\WINNT\SYSTEM32\winilc32.dll
O20 - Winlogon Notify: yayvstt - C:\WINNT\SYSTEM32\yayvstt.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DomainService - - C:\WINNT\System32\qwerty12.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
 
I have run Spybot 4 or 5 times, and deleted some files that seemed malicious and am getting much better results. The only problem Spybot found this last time was Virtumonde and it said it was able to fix it. However, I did just get one pop up. I have not restarted the computer because I read that that may reignite the whole problem. Also, I have not tried running IE because that seemed to cause issues also. I will wait for someone to respond before doing anything else.

Am I doing everything correctly here? Don't want to sound unhappy or like I'm impatient. I just see other people getting answers, while some are not. Just not sure how this works.

I will post a new HJT log since I have changed some stuff.
 
Hi

kenbeuken said:
Am I doing everything correctly here? Don't want to sound unhappy or like I'm impatient. I just see other people getting answers, while some are not. Just not sure how this works.

I'm afraid I can only answer when I am on-line ... I'm probably in a different timezone to you...


Your Running processes list is very slim .. are you running HijackThis from safe mode? .. if you are, then we need to see it run from normal mode, so that we can see what is actually running...

You have several different infections ...

kenbeuken said:
Spent about 24 hours now working on it and have not got anywhere

What programs have you run, apart from spybot ?

---
Download: SmitfraudFix.zip from :-

http://siri.urz.free.fr/Fix/SmitfraudFix.zip (the file contains both English and French versions)

1. Download to your desktop
2. Unzip the zip file to your desktop (they will be extracted to a folder called SmitfraudFix)
3. Double-click smitfraudfix.cmd
4. Select 1 and hit Enter to create a report of the infected files
5. find the C:\rapport.txt file and post the contents in your next post here...

THEN...

Please download VundoFix.exe to your desktop.
1. Double-click VundoFix.exe to run it.
2. When VundoFix re-opens, click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click "YES".
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer, click "OK".

7. Please post the contents of C:\vundofix.txt and a new HiJackThis log.

If vundofix cannot delete a file, it will try to delete it during a reboot, after the reboot vundofix will open again, you must run vundofix again, from "Click the Scan for Vundo button" ... and you must keep running vundofix until it does delete the file... I've known a stubborn vundo file take 5 or 6 reboots before it is deleted...

Keep running vundofix until it gives you the message "no infected files were found"

steam

Please remember to post :-

1. C:\rapport.txt file
2. C:\vundofix.txt
3. a new HiJackThis log (taken after running vundofix)

steam
 
Thank you for the reply. The problem I seem to be having is that the bug I have seems to know all of the URLs for fixing my problem and has them blocked. I try to go to the SmitfraudFix site, and it just says it is unable to connect to that site. Same is true of some other sites I tried to connect to yesterday (Combofix). Any suggestions?
 
I was able to get the smitfraud tool working the old fashioned way. (Floppy Disk) Here is the Rapport log:

SmitFraudFix v2.207

Scan done at 14:41:41.78, Mon 07/30/2007
Run from C:\WINNT\Profiles\Ken\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINNT\System32\qwerty12.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\BRMFRSMG.EXE
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINNT\System32\lsltfyvd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\WINNT\System32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

C:\WINNT\system32\ld???.tmp FOUND !
C:\WINNT\system32\ld????.tmp FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Profiles\Ken


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Profiles\Ken\Application Data

C:\WINNT\Profiles\Ken\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Profiles\Ken\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Windows NT\\rtenefs.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="file:///C:/WINNT/Profiles/Ken/LOCALS~1/Temp/msohtml1/03/clip_image001.gif"
"SubscribedURL"="file:///C:/WINNT/Profiles/Ken/LOCALS~1/Temp/msohtml1/03/clip_image001.gif"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" c:\\winnt\\system32\\ldcore.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Your computer may be victim of a DNS Hijack: 194.54.x.x detected !

Description: Intel(R) PRO/100 VM Network Connection
DNS Server Search Order: 194.54.90.226

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer=194.54.90.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer=194.54.90.226
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer=194.54.90.226
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 
Hi

Combofix is another program I will be getting you to run...

Please post the contents of your HOSTS file...

C:\WINDOWS\system32\drivers\etc\HOSTS

Open the file in notepad and copy & paste the contents in your next thread...

Also try to run this ( it will at least remove 2 of the active vundo trojans)

1. Please download VirtumundoBegone, and save it to your desktop.

http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

2. Double-click on VirtumundoBeGone.exe and follow the instructions.

Do not worry if you see a BLUE SCREEN "Fatal Error" Message, it is normal and expected.

3. When the process finishes, reboot.

4. Post the contents of the VBG.TXT file, which you will find on your desktop

steam
 
VundoFix Log:

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 2:57:10 PM 7/30/2007

Listing files found while scanning....

C:\WINNT\System32\rqstv.bak1
C:\WINNT\System32\rqstv.bak2
C:\WINNT\System32\rqstv.ini
C:\WINNT\System32\vtsqr.dll

Beginning removal...

Attempting to delete C:\WINNT\System32\rqstv.bak1
C:\WINNT\System32\rqstv.bak1 Has been deleted!

Attempting to delete C:\WINNT\System32\rqstv.bak2
C:\WINNT\System32\rqstv.bak2 Has been deleted!

Attempting to delete C:\WINNT\System32\rqstv.ini
C:\WINNT\System32\rqstv.ini Has been deleted!

Attempting to delete C:\WINNT\System32\vtsqr.dll
C:\WINNT\System32\vtsqr.dll Has been deleted!

Performing Repairs to the registry.
Done!
 
New HJT Log: (yeah, the last one was from safe mode)

Logfile of HijackThis v1.99.1
Scan saved at 3:05:52 PM, on 7/30/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\Profiles\Ken\MYDOCU~1\TSKS~1\smss.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINNT\System32\qwerty12.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\BRMFRSMG.EXE
C:\WINNT\System32\wbem\wmiapsrv.exe
C:\WINNT\system32\??curity\?explore.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINNT\Profiles\Ken\Desktop\HelpMe\problem.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10491D8B-A117-8C9F-1A64-888DB1268499} - C:\WINNT\System32\vbqmjn.dll
O2 - BHO: (no name) - {332C5C46-0D5B-45B8-B730-6C1032BAF045} - C:\WINNT\System32\vtsqr.dll (file missing)
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINNT\System32\yayvstt.dll
O2 - BHO: (no name) - {467003B0-84EB-49B2-A984-1EE783548311} - C:\Program Files\Toshiba\mesowifym83122.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A21ACCE7-9D5D-434A-A69F-42FF1F44216B} - C:\Program Files\Toshiba\mesowifym4.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINNT\System32\mnuoqcta.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINNT\System32\dnsersnd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [PROMon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [hkmheepA] C:\WINNT\hkmheepA.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINNT\g4356cbvy63
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINNT\System32\wuhrtxmw.dll",sitypnow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Adab] "C:\WINNT\Profiles\Ken\MYDOCU~1\TSKS~1\smss.exe" -vt ndrv
O4 - HKCU\..\Run: [Oniswr] C:\WINNT\system32\??curity\?explore.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\TISKY009.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O13 - WWW. Prefix: http://
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162783581169
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\Software\..\Telephony: DomainName = cox.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A94FFB9-1A2D-4889-952E-25104A7E7AAF}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A94FFB9-1A2D-4889-952E-25104A7E7AAF}: NameServer = 205.188.146.145
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{1A94FFB9-1A2D-4889-952E-25104A7E7AAF}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O20 - Winlogon Notify: winilc32 - C:\WINNT\SYSTEM32\winilc32.dll
O20 - Winlogon Notify: yayvstt - C:\WINNT\SYSTEM32\yayvstt.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DomainService - - C:\WINNT\System32\qwerty12.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
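An added triage script, written for this thread and not part of HijackThis, SmitfraudFix or any other tool named above, that applies to the normal-mode log the checks the helper made by eye: a core system binary running from a profile folder, a '?' in a logged path, autostarts dropped straight into the system root, AppInit_DLLs and Winlogon Notify hooks, services with no company name, and a static NameServer that is not one of the DHCP-assigned resolvers. The sample lines and the DHCP resolver list are copied from this thread's HijackThis log and SmitfraudFix DNS section.

```python
"""Heuristic triage of HijackThis v1.99 log lines. Added example for this
thread, not part of HijackThis, SmitfraudFix or any other tool named above;
the sample lines are copied from the normal-mode log posted in the thread."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Core processes that should only ever run from %SystemRoot%\System32.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
SYSROOT_OK = {"explorer.exe"}  # legitimately lives in the system root itself
SYSTEM32_RE = re.compile(r"^[a-z]:\\(winnt|windows)\\system32\\[^\\]+$", re.I)
SYSROOT_FILE_RE = re.compile(r"^[a-z]:\\(winnt|windows)\\[^\\]+$", re.I)
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.*?) ?- (.+)$")

# Constructed sample: lines copied from the log above, with a clean line per section.
SAMPLE_LOG = """\
Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\Profiles\\Ken\\MYDOCU~1\\TSKS~1\\smss.exe
C:\\WINNT\\system32\\??curity\\?explore.exe

O4 - HKLM\\..\\Run: [hkmheepA] C:\\WINNT\\hkmheepA.exe
O4 - HKLM\\..\\Run: [PROMon.exe] Promon.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [MemoryManager] rundll32.exe "C:\\WINNT\\System32\\wuhrtxmw.dll",sitypnow
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer = 194.54.90.226
O20 - AppInit_DLLs: c:\\winnt\\system32\\ldcore.dll
O20 - Winlogon Notify: yayvstt - C:\\WINNT\\SYSTEM32\\yayvstt.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\\PROGRA~1\\COMMON~1\\AOL\\ACS\\AOLacsd.exe
O23 - Service: DomainService - - C:\\WINNT\\System32\\qwerty12.exe
O23 - Service: Net Agent - Unknown owner - C:\\WINNT\\dls0523pmw.exe
"""
# DHCP-assigned resolvers, as listed in the SmitfraudFix DNS section of this thread.
DHCP_DNS = {"10.3.0.2", "10.3.0.3", "68.13.16.30"}

@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = almost certainly malicious, "review" = check by hand
    line: str
    reason: str

def target_path(cmd: str) -> str:
    """File path from an O4 command: quoted, bare, with arguments, or via rundll32."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32") and " " in cmd:
        cmd = cmd.split(None, 1)[1]
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|com|scr|bat|cmd))(?=[\s,]|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(",")[0].strip()

def check_path(line: str, path: str, out: List[Finding]) -> None:
    """Rules that apply to any file path printed in the log."""
    if "?" in path:  # '?' is illegal in a filename: HJT printed it for characters it could not render
        out.append(Finding("high", line, "'?' in path: name hides non-printable characters"))
    if SYSROOT_FILE_RE.match(path) and path.rsplit("\\", 1)[-1].lower() not in SYSROOT_OK:
        out.append(Finding("review", line, "file placed directly in the system root"))

def triage(lines: Iterable[str], dhcp_dns: Set[str]) -> List[Finding]:
    out: List[Finding] = []
    in_processes = False
    for raw in lines:
        line = raw.rstrip()
        if line == "Running processes:":
            in_processes = True
        elif in_processes:
            if not line:  # a blank line ends the process list
                in_processes = False
                continue
            name = line.rsplit("\\", 1)[-1].lower()
            if name in CORE_BINARIES and not SYSTEM32_RE.match(line):
                out.append(Finding("high", line, f"{name} running outside %SystemRoot%\\System32"))
            check_path(line, line, out)
        elif line.startswith("O4 - "):  # autostart entries
            if "] " in line:
                cmd = line.split("] ", 1)[1]
            elif " = " in line:
                cmd = line.split(" = ", 1)[1]
            else:
                continue
            path = target_path(cmd)
            if "\\" not in path:
                out.append(Finding("review", line, "bare filename, resolved via PATH at logon"))
            check_path(line, path, out)
        elif line.startswith("O17 - ") and "NameServer = " in line:
            for ip in line.split("NameServer = ", 1)[1].replace(",", " ").split():
                if ip not in dhcp_dns:
                    out.append(Finding("high", line, f"static DNS server {ip} not assigned by DHCP"))
        elif line.startswith("O20 - "):  # AppInit_DLLs / Winlogon Notify hooks
            out.append(Finding("review", line, "DLL hook loaded into every process or at logon"))
        elif line.startswith("O23 - "):  # services
            m = SERVICE_RE.match(line)
            if m:
                company, path = m.group(2).strip(), m.group(3).replace(" (file missing)", "")
                if not company:
                    out.append(Finding("review", line, "service registered with no company name"))
                check_path(line, path, out)
    return out
```

Run `triage(SAMPLE_LOG.splitlines(), DHCP_DNS)` to get the findings; the "high" ones are the profile-folder smss.exe, the '?' path and the 194.54.90.226 resolver, the same three items the helper singled out.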
 
Hi

I've just seen your last post...

1. Reboot into >>>safe mode
2. Double-click smitfraudfix.cmd
3. Select 2 and hit Enter to delete infected files
4. You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection
5. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file
6. A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt ... Post the contents of the C:\rapport.txt file in your next post here... + a new hijackthis log.

process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

steam
 
OK... We're both posting at the same time...

follow the instructions in post #12 RE: smitfraudfix

& post #9 RE: VirtumundoBegone
 
Here is the new Rapport.txt. That is very interesting about the process kil...

SmitFraudFix v2.207

Scan done at 15:16:19.76, Mon 07/30/2007
Run from C:\WINNT\Profiles\Ken\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINNT\system32\ld???.tmp Deleted
C:\WINNT\Profiles\Ken\Application Data\Install.dat Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer=194.54.90.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer=194.54.90.226
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1A94FFB9-1A2D-4889-952E-25104A7E7AAF}: NameServer=205.188.146.145
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer=194.54.90.226
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
 
I cannot get the Hosts file to open. It says "C:\WINNT\system32\drivers\etc\HOSTS is not a valid WIN32 application".

Here is the VBG log:

[07/30/2007, 15:31:20] - VirtumundoBeGone v1.5 ( "C:\WINNT\Profiles\Ken\Desktop\VirtumundoBeGone.exe" )
[07/30/2007, 15:31:28] - Detected System Information:
[07/30/2007, 15:31:28] - Windows Version: 5.1.2600,
[07/30/2007, 15:31:28] - Current Username: Ken (Admin)
[07/30/2007, 15:31:28] - Windows is in NORMAL mode.
[07/30/2007, 15:31:28] - Searching for Browser Helper Objects:
[07/30/2007, 15:31:28] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/30/2007, 15:31:28] - BHO 2: {10491D8B-A117-8C9F-1A64-888DB1268499} ()
[07/30/2007, 15:31:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:28] - Checking for HKLM\...\Winlogon\Notify\vbqmjn
[07/30/2007, 15:31:28] - Key not found: HKLM\...\Winlogon\Notify\vbqmjn, continuing.
[07/30/2007, 15:31:28] - BHO 3: {332C5C46-0D5B-45B8-B730-6C1032BAF045} ()
[07/30/2007, 15:31:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:29] - Checking for HKLM\...\Winlogon\Notify\vtsqr
[07/30/2007, 15:31:29] - Key not found: HKLM\...\Winlogon\Notify\vtsqr, continuing.
[07/30/2007, 15:31:29] - BHO 4: {3964D8D6-86D0-493A-B460-A805B5401114} ()
[07/30/2007, 15:31:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:29] - Checking for HKLM\...\Winlogon\Notify\yayvstt
[07/30/2007, 15:31:29] - Found: HKLM\...\Winlogon\Notify\yayvstt - This is probably Virtumundo.
[07/30/2007, 15:31:29] - Assigning {3964D8D6-86D0-493A-B460-A805B5401114} MSEvents Object
[07/30/2007, 15:31:29] - BHO list has been changed! Starting over...
[07/30/2007, 15:31:29] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/30/2007, 15:31:29] - BHO 2: {10491D8B-A117-8C9F-1A64-888DB1268499} ()
[07/30/2007, 15:31:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:29] - Checking for HKLM\...\Winlogon\Notify\vbqmjn
[07/30/2007, 15:31:29] - Key not found: HKLM\...\Winlogon\Notify\vbqmjn, continuing.
[07/30/2007, 15:31:29] - BHO 3: {332C5C46-0D5B-45B8-B730-6C1032BAF045} ()
[07/30/2007, 15:31:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:29] - Checking for HKLM\...\Winlogon\Notify\vtsqr
[07/30/2007, 15:31:29] - Key not found: HKLM\...\Winlogon\Notify\vtsqr, continuing.
[07/30/2007, 15:31:29] - BHO 4: {3964D8D6-86D0-493A-B460-A805B5401114} (MSEvents Object)
[07/30/2007, 15:31:29] - ALERT: Found MSEvents Object!
[07/30/2007, 15:31:29] - BHO 5: {467003B0-84EB-49B2-A984-1EE783548311} ()
[07/30/2007, 15:31:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:29] - Checking for HKLM\...\Winlogon\Notify\mesowifym83122
[07/30/2007, 15:31:29] - Key not found: HKLM\...\Winlogon\Notify\mesowifym83122, continuing.
[07/30/2007, 15:31:29] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} ()
[07/30/2007, 15:31:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:29] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[07/30/2007, 15:31:29] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[07/30/2007, 15:31:29] - BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/30/2007, 15:31:29] - BHO 8: {A21ACCE7-9D5D-434A-A69F-42FF1F44216B} ()
[07/30/2007, 15:31:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:29] - Checking for HKLM\...\Winlogon\Notify\mesowifym4
[07/30/2007, 15:31:29] - Key not found: HKLM\...\Winlogon\Notify\mesowifym4, continuing.
[07/30/2007, 15:31:29] - BHO 9: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[07/30/2007, 15:31:29] - BHO 10: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[07/30/2007, 15:31:29] - BHO 11: {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} ()
[07/30/2007, 15:31:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:29] - Checking for HKLM\...\Winlogon\Notify\mnuoqcta
[07/30/2007, 15:31:29] - Key not found: HKLM\...\Winlogon\Notify\mnuoqcta, continuing.
[07/30/2007, 15:31:29] - BHO 12: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} (CPub Object)
[07/30/2007, 15:31:29] - Finished Searching Browser Helper Objects
[07/30/2007, 15:31:29] - *** Detected MSEvents Object
[07/30/2007, 15:31:29] - Trying to remove MSEvents Object...
[07/30/2007, 15:31:30] - Terminating Process: IEXPLORE.EXE
[07/30/2007, 15:31:30] - Terminating Process: RUNDLL32.EXE
[07/30/2007, 15:31:31] - Disabling Automatic Shell Restart
[07/30/2007, 15:31:31] - Terminating Process: EXPLORER.EXE
[07/30/2007, 15:31:31] - Suspending the NT Session Manager System Service
[07/30/2007, 15:31:31] - Terminating Windows NT Logon/Logoff Manager
[07/30/2007, 15:31:35] - Re-enabling Automatic Shell Restart
[07/30/2007, 15:31:35] - File to disable: C:\WINNT\System32\yayvstt.dll
[07/30/2007, 15:31:35] - Renaming C:\WINNT\System32\yayvstt.dll -> C:\WINNT\System32\yayvstt.dll.vir
[07/30/2007, 15:31:36] - File successfully renamed!
[07/30/2007, 15:31:36] - Removing HKLM\...\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}
[07/30/2007, 15:31:36] - Removing HKCR\CLSID\{3964D8D6-86D0-493A-B460-A805B5401114}
[07/30/2007, 15:31:36] - Adding Kill Bit for ActiveX for GUID: {3964D8D6-86D0-493A-B460-A805B5401114}
[07/30/2007, 15:31:36] - Deleting ATLEvents/MSEvents Registry entries
[07/30/2007, 15:31:36] - Removing HKLM\...\Winlogon\Notify\yayvstt
[07/30/2007, 15:31:36] - Searching for Browser Helper Objects:
[07/30/2007, 15:31:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/30/2007, 15:31:36] - BHO 2: {10491D8B-A117-8C9F-1A64-888DB1268499} ()
[07/30/2007, 15:31:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:36] - Checking for HKLM\...\Winlogon\Notify\vbqmjn
[07/30/2007, 15:31:36] - Key not found: HKLM\...\Winlogon\Notify\vbqmjn, continuing.
[07/30/2007, 15:31:36] - BHO 3: {332C5C46-0D5B-45B8-B730-6C1032BAF045} ()
[07/30/2007, 15:31:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:36] - Checking for HKLM\...\Winlogon\Notify\vtsqr
[07/30/2007, 15:31:36] - Key not found: HKLM\...\Winlogon\Notify\vtsqr, continuing.
[07/30/2007, 15:31:36] - BHO 4: {467003B0-84EB-49B2-A984-1EE783548311} ()
[07/30/2007, 15:31:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:36] - Checking for HKLM\...\Winlogon\Notify\mesowifym83122
[07/30/2007, 15:31:36] - Key not found: HKLM\...\Winlogon\Notify\mesowifym83122, continuing.
[07/30/2007, 15:31:36] - BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[07/30/2007, 15:31:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:36] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[07/30/2007, 15:31:36] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[07/30/2007, 15:31:36] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/30/2007, 15:31:36] - BHO 7: {A21ACCE7-9D5D-434A-A69F-42FF1F44216B} ()
[07/30/2007, 15:31:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:36] - Checking for HKLM\...\Winlogon\Notify\mesowifym4
[07/30/2007, 15:31:36] - Key not found: HKLM\...\Winlogon\Notify\mesowifym4, continuing.
[07/30/2007, 15:31:36] - BHO 8: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[07/30/2007, 15:31:36] - BHO 9: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[07/30/2007, 15:31:36] - BHO 10: {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} ()
[07/30/2007, 15:31:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:36] - Checking for HKLM\...\Winlogon\Notify\mnuoqcta
[07/30/2007, 15:31:36] - Key not found: HKLM\...\Winlogon\Notify\mnuoqcta, continuing.
[07/30/2007, 15:31:36] - BHO 11: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} (CPub Object)
[07/30/2007, 15:31:36] - Finished Searching Browser Helper Objects
[07/30/2007, 15:31:36] - Finishing up...
[07/30/2007, 15:31:36] - A restart is needed.
[07/30/2007, 15:31:49] - Attempting to Restart via STOP error (Blue Screen!)
 
New HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:42:42 PM, on 7/30/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\Profiles\Ken\MYDOCU~1\TSKS~1\smss.exe
C:\WINNT\system32\??curity\?explore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINNT\System32\qwerty12.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\BRMFRSMG.EXE
C:\WINNT\System32\wuauclt.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINNT\Profiles\Ken\Desktop\HelpMe\problem.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10491D8B-A117-8C9F-1A64-888DB1268499} - C:\WINNT\System32\vbqmjn.dll
O2 - BHO: (no name) - {332C5C46-0D5B-45B8-B730-6C1032BAF045} - C:\WINNT\System32\vtsqr.dll (file missing)
O2 - BHO: (no name) - {467003B0-84EB-49B2-A984-1EE783548311} - C:\Program Files\Toshiba\mesowifym83122.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A21ACCE7-9D5D-434A-A69F-42FF1F44216B} - C:\Program Files\Toshiba\mesowifym4.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINNT\System32\mnuoqcta.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINNT\System32\dnsersnd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [PROMon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [hkmheepA] C:\WINNT\hkmheepA.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINNT\g4356cbvy63
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINNT\System32\wuhrtxmw.dll",sitypnow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Adab] "C:\WINNT\Profiles\Ken\MYDOCU~1\TSKS~1\smss.exe" -vt ndrv
O4 - HKCU\..\Run: [Oniswr] C:\WINNT\system32\??curity\?explore.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\TISKY009.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O13 - WWW. Prefix: http://
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162783581169
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\Software\..\Telephony: DomainName = cox.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A94FFB9-1A2D-4889-952E-25104A7E7AAF}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A94FFB9-1A2D-4889-952E-25104A7E7AAF}: NameServer = 205.188.146.145
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{1A94FFB9-1A2D-4889-952E-25104A7E7AAF}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O20 - Winlogon Notify: winilc32 - C:\WINNT\SYSTEM32\winilc32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DomainService - - C:\WINNT\System32\qwerty12.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
 
One thing I keep noticing is a popup from the toolbar by the clock saying that Windows has detected spyware and suggesting I download software to fix it. It is there with a red circle with a white "X" icon. It also keeps wanting me to install some kind of ActiveX controller, which I cancel. Also I still cannot get on sites like this one from that computer. The malware is killing the process.
 
HI

You still have a lot of malware running ... if I'd asked you to run 10 programs at once, it would have been overwhelming & we would have both got lost ... but we are getting rid of it, a bit at a time...

I want you to run 2 more programs please ... get the floppy ready...

1. Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

3. Reboot into Safe Mode:-

Reboot into >>>safe mode

4. Once in safe mode - Start HijackThis, close all open windows leaving only HijackThis running. Place a check against :-

O2 - BHO: (no name) - {10491D8B-A117-8C9F-1A64-888DB1268499} - C:\WINNT\System32\vbqmjn.dll
O2 - BHO: (no name) - {332C5C46-0D5B-45B8-B730-6C1032BAF045} - C:\WINNT\System32\vtsqr.dll (file missing)

O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINNT\System32\mnuoqcta.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINNT\System32\dnsersnd.dll

O4 - HKLM\..\Run: [hkmheepA] C:\WINNT\hkmheepA.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINNT\g4356cbvy63
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINNT\System32\wuhrtxmw.dll",sitypnow

O4 - HKCU\..\Run: [Adab] "C:\WINNT\Profiles\Ken\MYDOCU~1\TSKS~1\smss.exe" -vt ndrv
O4 - HKCU\..\Run: [Oniswr] C:\WINNT\system32\??curity\?explore.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe

O4 - Startup: TA_Start.lnk = C:\WINNT\TISKY009.exe

O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O20 - Winlogon Notify: winilc32 - C:\WINNT\SYSTEM32\winilc32.dll

O23 - Service: DomainService - - C:\WINNT\System32\qwerty12.exe

O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe


5. Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked.

6. Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

-------------------
Then please try to run Combofix :-

Please download Combofix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

steam

It's getting late & I have to be up early in the morning, so I'll check your new logs tomorrow...
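The entries steam picks out above follow a handful of patterns (unnamed BHOs, Run keys that load a DLL through rundll32 or point at a file with no extension, a core Windows process name such as smss.exe living outside System32, a static NameServer that differs from the DHCP-assigned resolvers, populated O20 injection points, services with no vendor). The script below is an added example, not part of this thread or of HijackThis/SmitFraudFix, that applies those same heuristics to a constructed sample made of lines copied from the log above; the EXPECTED_DNS set is an assumption taken from the DhcpNameServer lines in the posted rapport.txt.

```python
import re
from typing import List, Tuple

# Core Windows binaries that legitimately live under %SystemRoot%\System32.
SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                    "lsass.exe", "svchost.exe", "explorer.exe"}
# Assumption: the resolvers the ISP hands out by DHCP, copied from the
# DhcpNameServer lines in rapport.txt; a static NameServer that is not one
# of them is the classic DNS-changer footprint.
EXPECTED_DNS = {"10.3.0.2", "10.3.0.3", "68.13.16.30"}

O4_RE = re.compile(r"^O4 - .*?\[[^\]]*\]\s*(?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<ips>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<vendor>.*?)\s*-\s*(?P<path>[A-Za-z]:\\.*)$")

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10491D8B-A117-8C9F-1A64-888DB1268499} - C:\WINNT\System32\vbqmjn.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINNT\g4356cbvy63
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINNT\System32\wuhrtxmw.dll",sitypnow
O4 - HKCU\..\Run: [Adab] "C:\WINNT\Profiles\Ken\MYDOCU~1\TSKS~1\smss.exe" -vt ndrv
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer = 194.54.90.226
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O23 - Service: DomainService - - C:\WINNT\System32\qwerty12.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""


def check_line(line: str) -> List[str]:
    """Return the reasons one HijackThis line deserves a closer look (heuristics only)."""
    reasons: List[str] = []
    if line.startswith("O2 - BHO: (no name)"):
        reasons.append("BHO registered without a name")
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd")
        # Quoted paths may contain spaces; otherwise the executable is the first token.
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
        base = exe.rsplit("\\", 1)[-1].lower()
        if base == "rundll32.exe":
            reasons.append("logon entry loads a DLL export via rundll32")
        elif "." not in base:
            reasons.append("logon entry points at a file with no extension")
        elif base in SYSTEM_PROCESSES and "\\system32\\" not in exe.lower():
            reasons.append("core Windows process name outside System32")
    m = O17_RE.match(line)
    if m:
        rogue = [ip for ip in m.group("ips").split() if ip not in EXPECTED_DNS]
        if rogue:
            reasons.append("static NameServer not among DHCP resolvers: " + " ".join(rogue))
    parts = line.split(":", 1)
    if line.startswith("O20 - ") and len(parts) == 2 and parts[1].strip():
        reasons.append("DLL injection point (O20) populated")
    m = O23_RE.match(line)
    if m and m.group("vendor") in ("", "Unknown owner"):
        reasons.append("service with no vendor string")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Walk a whole HijackThis log and pair each flagged line with its reason."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for reason in check_line(line):
            findings.append((reason, line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_HJT):
        print(f"[{reason}]\n    {line}")
```

These are triage heuristics, not verdicts: on the full log above the "no vendor" rule also catches the ATI driver services, which is why a human still reviews each hit.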
 
I'm having trouble getting SD installed. It looks like the kill function is working on that program now. Had it on the desktop, but when I double-clicked it, it just disappeared??
 