Help with Smitfraud and ??

OK, I got SDFIX to install by running it from safe mode. Here is the log for SDFIX:

SDFix: Version 1.94

Run by Ken on Tue 07/31/2007 at 02:04 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
DomainService

ImagePath:
C:\WINNT\System32\qwerty12.exe /service

DomainService - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\D.EXE - Deleted
C:\142553~1 - Deleted
C:\TEMP\stdrun1.exe - Deleted
C:\TEMP\stdrun3.exe - Deleted
C:\TEMP\stdrun4.exe - Deleted
C:\TEMP\stdrun5.exe - Deleted
C:\TEMP\stdrun9.exe - Deleted
C:\TEMP\stdrun6.exe~ - Deleted
C:\TEMP\stdrun8.exe~ - Deleted
C:\WINNT\Profiles\Ken\Application Data\Install.dat - Deleted
C:\WINNT\Profiles\Ken\Application Data\.rdr.ini - Deleted
C:\WINNT\b122.exe - Deleted
C:\WINNT\csrss.exe - Deleted
C:\WINNT\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe - Deleted
C:\WINNT\system32\ldinfo.ldr - Deleted
C:\WINNT\system32\qwerty12.exe - Deleted
C:\WINNT\tcb.pmw - Deleted
C:\WINNT\wr.txt - Deleted


Folder C:\WINNT\system32\b06FdUe - Removed

Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINNT\\System32\\qwerty12.exe"="C:\\WINNT\\System32\\qwer"
"C:\\TEMP\\win1F9.tmp.exe"="C:\\TEMP\\win1F9.tmp.exe:*:Enabled:win1F9.tmp"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\WINNT\Profiles\Ken\NetHood\download on www.401kduediligence.com\Desktop.ini
C:\Program Files\America Online 9.0\aolphx.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\America Online 9.0\RBM.exe
C:\WINNT\system32\??curity\?explore.exe
C:\WINNT\system32\1E9308E591.sys
C:\WINNT\system32\KGyGaAvL.sys
C:\WINNT\Profiles\Ken\My Documents\~WRL3016.tmp
C:\WINNT\system32\BIT84.tmp
C:\WINNT\system32\config\default.tmp.LOG
C:\WINNT\system32\config\software.tmp.LOG
C:\WINNT\system32\config\system.tmp.LOG

Finished
 
ComboFix Log:

ComboFix 07-07-30.2 - "Ken" 2007-07-31 14:24:42.1 [GMT -5:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.True
* Created a new restore point


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\awtqqnn.dll
C:\WINNT\system32\efebx.dll
C:\WINNT\system32\khfef.dll
C:\WINNT\system32\ljjkjii.dll
C:\WINNT\system32\nnnmjij.dll
C:\WINNT\system32\nnnmlii.dll
C:\WINNT\system32\nnnnmkj.dll
C:\WINNT\system32\opnonml.dll
C:\WINNT\system32\vturpmk.dll
C:\WINNT\system32\yaywvvw.dll
C:\WINNT\system32\lsltfyvd.exe
C:\WINNT\system32\xbefe.bak1
C:\WINNT\system32\xbefe.ini
C:\WINNT\system32\fefhk.bak1
C:\WINNT\system32\fefhk.ini
C:\WINNT\system32\urqnkif.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\spamblockerutility
C:\Program Files\spamblockerutility\bin\4.8.4.0\SpamBlockerUtility.exe
C:\Program Files\Toshiba\mesowifym4.dll
C:\Program Files\Toshiba\mesowifym83122.dll
C:\Program Files\ystem~1
C:\WINNT\dls0523pmw.exe
C:\WINNT\hkmheep.exe
C:\WINNT\Profiles\ADMINI~1\APPLIC~1\install.dat
C:\WINNT\Profiles\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\WINNT\Profiles\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\WINNT\Profiles\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\WINNT\Profiles\Ken\APPLIC~1.\winantispyware 2007
C:\WINNT\Profiles\Ken\APPLIC~1.\winantispyware 2007\Logs\update.log
C:\WINNT\Profiles\Ken\MYDOCU~1.\tsks~1
C:\WINNT\rau001978.exe
C:\WINNT\system32\b02FdUe
C:\WINNT\system32\b02FdUe\b02FdUe1065.exe
C:\WINNT\system32\config\systemprofile\application data\.rdr.ini
C:\WINNT\system32\curity~1
C:\WINNT\system32\curity~1\?explore.exe
C:\WINNT\system32\drivers\fopn.sys
C:\WINNT\system32\fllhrxun.exe
C:\WINNT\system32\G1
C:\WINNT\system32\G1\kmhp83122.exe
C:\WINNT\system32\G11
C:\WINNT\system32\G11\z553.exe
C:\WINNT\system32\G3
C:\WINNT\system32\G3\wr725.exe
C:\WINNT\system32\G7
C:\WINNT\system32\rxpqxkpr.exe
C:\WINNT\system32\win
C:\WINNT\system32\winnb58.dll
C:\WINNT\system32\wnsintisv32.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_FOPN
-------\LEGACY_NET_AGENT
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-31 )))))))))))))))))))))))))))))))


2007-07-31 14:23 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-31 14:19 16,384 --a----t- C:\TEMP\Perflib_Perfdata_62c.dat
2007-07-31 14:01 <DIR> d-------- C:\WINNT\ERUNT
2007-07-30 15:57 93,696 --a------ C:\WINNT\system32\drvjax.dll
2007-07-30 14:57 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2007-07-30 14:57 <DIR> d-------- C:\VundoFix Backups
2007-07-30 14:41 3,596 --a------ C:\WINNT\system32\tmp.reg
2007-07-30 02:47 126,016 --a------ C:\WINNT\system32\wuhrtxmw.dll
2007-07-29 15:08 <DIR> d-------- C:\WINNT\Profiles\ADMINI~1\APPLIC~1\Share-to-Web Upload Folder
2007-07-29 14:59 93,696 --a------ C:\WINNT\system32\drvtop.dll
2007-07-29 12:38 <DIR> d-------- C:\Program Files\HijackThi
2007-07-29 11:48 626,688 --a------ C:\WINNT\system32\msvcr80.dll
2007-07-29 02:58 126,016 --a------ C:\WINNT\system32\ylcsrdpn.dll
2007-07-28 23:42 70,312 --a------ C:\Program Files\codec_setup.exe
2007-07-28 23:15 93,696 --a------ C:\WINNT\system32\drvsag.dll
2007-07-28 21:38 93,696 --a------ C:\WINNT\system32\drvsun.dll
2007-07-28 17:21 9,769 --a------ C:\WINNT\tfjjp0578.exe
2007-07-28 17:21 19,968 --a------ C:\WINNT\system32\winilc32.dll
2007-07-28 14:50 <DIR> d-------- C:\WINNT\Profiles\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-05 17:33 <DIR> d-------- C:\WINNT\Profiles\Ken\APPLIC~1\WinRAR
2007-06-25 08:54 53,248 --a------ C:\WINNT\uni_eh44.exe
2007-06-25 08:53 53,248 --a------ C:\WINNT\uninst1014.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-31 14:26 --------- d-a------ C:\Program Files\Toshiba
2007-07-29 19:08 --------- d-a------ C:\Program Files\Windows NT
2007-07-28 17:01 --------- d-------- C:\Program Files\MyWay
2007-01-25 18:59 16400 --a------ C:\WINNT\Profiles\Ken\APPLIC~1\GDIPFONTCACHEV1.DAT
2006-12-02 20:05 2522 --a------ C:\Program Files\func.js
2006-11-25 02:57 482 --a------ C:\Program Files\Del.js
2006-06-08 02:02 2048 --a------ C:\Program Files\func.exe
2003-03-21 14:05 271 ---hs---- C:\Program Files\desktop.ini
2003-03-21 14:05 21952 --ah----- C:\Program Files\folder.htt
2006-02-25 03:17:03 75 -csh--w C:\WINNT\Profiles\Ken\NetHood\download on www.401kduediligence.com\Desktop.ini
2004-07-23 16:23:22 56 -csh--r C:\WINNT\system32\1E9308E591.sys
2006-07-29 23:36:17 1,682 -csha-w C:\WINNT\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EM_EXEC"="C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2000-02-04 11:01]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2000-07-10 12:34]
"PROMon.exe"="Promon.exe" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-06 17:35]
"Synchronization Manager"="mobsync.exe" [2001-08-23 10:00 C:\WINNT\system32\mobsync.exe]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-07-23 10:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-23 10:52]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 16:54]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"HostManager"="C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe" [2006-09-25 19:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 09:04]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-07-23 10:49:58]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= FPNWCLNT scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R2 ASCTRM;ASCTRM;C:\WINNT\System32\drivers\ASCTRM.sys
R2 Isecdrv;ISECDRV;C:\WINNT\System32\drivers\Isecdrv.sys
R2 SimpTcp;Simple TCP/IP Services;C:\WINNT\System32\tcpsvcs.exe
R3 brfilt;Brother MFC Filter Driver;C:\WINNT\System32\Drivers\Brfilt.sys
R3 brparimg;Brother Multi Function Parallel Image driver;C:\WINNT\System32\DRIVERS\BrParImg.sys
R3 BrParWdm;Brother WDM Parallel Driver;C:\WINNT\System32\Drivers\BrParwdm.sys
R3 BrSerWDM;Brother WDM Serial driver;C:\WINNT\System32\Drivers\BrSerWdm.sys
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINNT\System32\DRIVERS\e100b325.sys
R3 i81x;i81x;C:\WINNT\System32\DRIVERS\i81xnt5.sys
R3 mf;mf;C:\WINNT\System32\DRIVERS\mf.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINNT\System32\drivers\msmpu401.sys
R3 wanatw;WAN Miniport (ATW);C:\WINNT\System32\DRIVERS\wanatw4.sys
S1 TAPM_NT;TAPM_NT;C:\WINNT\System32\drivers\TAPM_NT.sys
S1 vrfyflp;Floppy disk verify driver;C:\WINNT\System32\drivers\vrfyflp.sys
S2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINNT\System32\DRIVERS\CINEMSUP.SYS
S2 Scsiprnt;Scsiprnt;C:\WINNT\System32\drivers\Scsiprnt.sys
S3 iAimFP0;iAimFP0;C:\WINNT\System32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINNT\System32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINNT\System32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINNT\System32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINNT\System32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINNT\System32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINNT\System32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINNT\System32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINNT\System32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINNT\System32\DRIVERS\wCh7xxNT.sys
S3 MPE;BDA MPE Filter;C:\WINNT\System32\DRIVERS\MPE.sys
S3 TBiosDrv;TBiosDrv;\??\C:\WINNT\System32\drivers\TBiosDrv.sys
S4 i81xnt4;i81xnt4;C:\WINNT\System32\DRIVERS\i81xnt4.sys
S4 lkbdfltr;Logitech Keyboard Class Filter Driver;C:\WINNT\System32\DRIVERS\lkbdfltr.sys
S4 lmoufltr;Logitech Mouse Class Filter Driver;C:\WINNT\System32\DRIVERS\lmoufltr.sys
S4 lsermous;Logitech Serial Mouse Driver;C:\WINNT\System32\DRIVERS\lsermous.sys


Contents of the 'Scheduled Tasks' folder
2007-07-31 07:00:00 C:\WINNT\Tasks\Spybot - Search & Destroy - Scheduled Task.job - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-31 14:33:57
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-31 14:35:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-31 14:34

--- E O F ---
 
New HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 14:42, on 7/31/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\System32\BRMFRSMG.EXE
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINNT\Profiles\Ken\Desktop\HelpMe\problem.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [PROMon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O13 - WWW. Prefix: http://
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162783581169
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\Software\..\Telephony: DomainName = cox.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cox.net
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
 
Things seem to be a lot better for now, but I'll wait for an opinion from you to know what's going on. I did just run Spybot again and found the following:

AdRevolver
Advertising.com (4 Entries)
BlueStreak
DoubleClick
GoClick
MedialPlex
WebTrends live
Zedo

No Virtumonde or Smitfraud this time (which is good), but I've run Spybot before and had it not find those, only to have them come back. I did not fix these problems yet and will wait for you to tell me to do so, or to have some other way of attacking what is left.

Thanks for all your help so far!!
 
Would all of this affect my Outlook? Seems I can look at incoming mail, but can't get any to go out... Haven't changed anything else.
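The SDFix and HijackThis output above lists several loading points that the tools export but do not interpret: Run entries that name a bare executable (PROMon.exe, mobsync.exe) rather than a full path, an O17 NameServer set to a public address on a machine whose domain is cox.net, an O23 service whose file is missing, and two Windows Firewall AuthorizedApplications values (one of them truncated) for files SDFix had already deleted. As an added example, not part of this thread or of the SDFix, ComboFix or HijackThis tools, the following Python script runs those checks over lines copied from the logs above. The rules are heuristics chosen for this example; each hit is a review item to verify, not a verdict.

```python
"""Heuristic triage of HijackThis / SDFix log lines (added example, not tool code)."""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: a subset of lines copied from the logs posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [PROMon.exe] Promon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer = 194.54.90.226
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"C:\\WINNT\\System32\\qwerty12.exe"="C:\\WINNT\\System32\\qwer"
"C:\\TEMP\\win1F9.tmp.exe"="C:\\TEMP\\win1F9.tmp.exe:*:Enabled:win1F9.tmp"
'''

# Line shapes as HijackThis prints them (O4 Run keys, O17 NameServer, O23 "file missing")
# and as SDFix exports firewall AuthorizedApplications values ("path"="path:scope:Enabled:name").
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>.+)$')
O23_MISSING_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+) \(file missing\)$')
REG_VALUE_RE = re.compile(r'^"(?P<path>[^"]+)"="(?P<value>[^"]*)"$')
AUTHORIZED_RE = re.compile(r'^(?P<path>.+):(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$')

Finding = Tuple[str, str, str]  # (kind, subject, reason)


def is_public(address: str) -> bool:
    """True for a globally routable address; private, loopback and link-local are not."""
    ip = ipaddress.ip_address(address)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def executable_of(command: str) -> str:
    """First token of a Run command: the quoted path, or the text up to the first space."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(' ', 1)[0]


def triage_line(line: str) -> List[Finding]:
    """Return review items for one log line, or an empty list if nothing stands out."""
    line = line.strip()
    items: List[Finding] = []
    if m := O4_RE.match(line):
        exe = executable_of(m.group('cmd'))
        # A bare name is resolved through the PATH search order at logon; the file that
        # actually runs must be confirmed on disk (ComboFix prints "[]" when it cannot).
        if not re.match(r'^(?:[A-Za-z]:\\|%)', exe):
            items.append(('O4', m.group('name'),
                          f"bare executable name '{exe}': confirm which file on disk is run"))
    elif m := O17_RE.match(line):
        for server in re.split(r'[ ,]+', m.group('servers')):
            try:
                if is_public(server):
                    items.append(('O17', server,
                                  'public DNS server set on an adapter; confirm it belongs to the ISP'))
            except ValueError:
                pass  # not an IP literal
    elif m := O23_MISSING_RE.match(line):
        items.append(('O23', m.group('name'),
                      f"service registration points at a missing file: {m.group('path')}"))
    elif m := REG_VALUE_RE.match(line):
        # .reg exports double the backslashes; undo that before inspecting the paths.
        path = m.group('path').replace('\\\\', '\\')
        value = m.group('value').replace('\\\\', '\\')
        if not AUTHORIZED_RE.match(value):
            items.append(('FW', path,
                          'firewall exception value is not in path:scope:Enabled:name form (truncated or corrupt)'))
        if re.search(r'\\TE?MP\\', path, re.IGNORECASE):
            items.append(('FW', path, 'firewall exception for an executable in a temp directory'))
    return items


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a pasted log and collect the review items."""
    items: List[Finding] = []
    for line in log_text.splitlines():
        items.extend(triage_line(line))
    return items


if __name__ == '__main__':
    for kind, subject, reason in triage(SAMPLE_LOG):
        print(f'{kind:4} {subject}\n     {reason}')
```

On the sample above this yields six review items: the two bare-name Run entries, the O17 NameServer, the missing Ati2evxx.exe service, the truncated qwerty12.exe firewall value and the C:\TEMP firewall exception. Two of those are worth reading against the ComboFix log in the same post: ComboFix resolves mobsync.exe to C:\WINNT\system32\mobsync.exe, but prints `"PROMon.exe"="Promon.exe" []` with empty brackets because it found no file for it. The firewall values come from SDFix's "Authorized Application Key Export", which exports them; nothing later in the thread removes those two registry values, so they outlive the deleted executables.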
 
Hi

Looking a lot better

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:
File::
C:\WINNT\system32\drvjax.dll
C:\WINNT\system32\wuhrtxmw.dll
C:\WINNT\system32\drvtop.dll
C:\WINNT\system32\ylcsrdpn.dll
C:\WINNT\system32\drvsag.dll
C:\WINNT\system32\drvsun.dll
C:\WINNT\tfjjp0578.exe
C:\WINNT\system32\winilc32.dll

Folder::
C:\TEMP

Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
[Screenshot: CFScript.gif]


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

-
They're just cookies which Spybot found ... you can run spybot again & let it delete them...

-
Then do this :-

Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

Double-click the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URLs
(leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRUs
(leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm

...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

cheers

Don't forget to post the combofix log

steam
 
New ComboFix log:

ComboFix 07-07-30.2 - "Ken" 2007-08-02 11:47:22.2 [GMT -5:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.True
Command switches used :: C:\WINNT\Profiles\Ken\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\TEMP
C:\WINNT\system32\drvjax.dll
C:\WINNT\system32\drvsag.dll
C:\WINNT\system32\drvsun.dll
C:\WINNT\system32\drvtop.dll
C:\WINNT\system32\winilc32.dll
C:\WINNT\system32\wuhrtxmw.dll
C:\WINNT\system32\ylcsrdpn.dll
C:\WINNT\tfjjp0578.exe


((((((((((((((((((((((((( Files Created from 2007-07-02 to 2007-08-02 )))))))))))))))))))))))))))))))


2007-07-31 14:23 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-31 14:01 <DIR> d-------- C:\WINNT\ERUNT
2007-07-30 14:57 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2007-07-30 14:57 <DIR> d-------- C:\VundoFix Backups
2007-07-30 14:41 3,596 --a------ C:\WINNT\system32\tmp.reg
2007-07-29 15:08 <DIR> d-------- C:\WINNT\Profiles\ADMINI~1\APPLIC~1\Share-to-Web Upload Folder
2007-07-29 12:38 <DIR> d-------- C:\Program Files\HijackThi
2007-07-29 11:48 626,688 --a------ C:\WINNT\system32\msvcr80.dll
2007-07-28 23:42 70,312 --a------ C:\Program Files\codec_setup.exe
2007-07-28 14:50 <DIR> d-------- C:\WINNT\Profiles\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-05 17:33 <DIR> d-------- C:\WINNT\Profiles\Ken\APPLIC~1\WinRAR


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-31 14:26 --------- d-a------ C:\Program Files\Toshiba
2007-07-29 19:08 --------- d-a------ C:\Program Files\Windows NT
2007-07-28 17:01 --------- d-------- C:\Program Files\MyWay
2007-06-25 08:54 53248 --a------ C:\WINNT\uni_eh44.exe
2007-06-25 08:53 53248 --a------ C:\WINNT\uninst1014.exe
2007-01-25 18:59 16400 --a------ C:\WINNT\Profiles\Ken\APPLIC~1\GDIPFONTCACHEV1.DAT
2006-12-02 20:05 2522 --a------ C:\Program Files\func.js
2006-11-25 02:57 482 --a------ C:\Program Files\Del.js
2006-06-08 02:02 2048 --a------ C:\Program Files\func.exe
2003-03-21 14:05 271 ---hs---- C:\Program Files\desktop.ini
2003-03-21 14:05 21952 --ah----- C:\Program Files\folder.htt
2006-02-25 03:17:03 75 -csh--w C:\WINNT\Profiles\Ken\NetHood\download on www.401kduediligence.com\Desktop.ini
2004-07-23 16:23:22 56 -csh--r C:\WINNT\system32\1E9308E591.sys
2006-07-29 23:36:17 1,682 -csha-w C:\WINNT\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EM_EXEC"="C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2000-02-04 11:01]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2000-07-10 12:34]
"PROMon.exe"="Promon.exe" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-06 17:35]
"Synchronization Manager"="mobsync.exe" [2001-08-23 10:00 C:\WINNT\system32\mobsync.exe]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-07-23 10:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-23 10:52]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 16:54]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"HostManager"="C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe" [2006-09-25 19:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 09:04]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-07-23 10:49:58]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= FPNWCLNT scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R2 ASCTRM;ASCTRM;C:\WINNT\System32\drivers\ASCTRM.sys
R2 Isecdrv;ISECDRV;C:\WINNT\System32\drivers\Isecdrv.sys
R2 SimpTcp;Simple TCP/IP Services;C:\WINNT\System32\tcpsvcs.exe
R3 brfilt;Brother MFC Filter Driver;C:\WINNT\System32\Drivers\Brfilt.sys
R3 brparimg;Brother Multi Function Parallel Image driver;C:\WINNT\System32\DRIVERS\BrParImg.sys
R3 BrParWdm;Brother WDM Parallel Driver;C:\WINNT\System32\Drivers\BrParwdm.sys
R3 BrSerWDM;Brother WDM Serial driver;C:\WINNT\System32\Drivers\BrSerWdm.sys
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINNT\System32\DRIVERS\e100b325.sys
R3 i81x;i81x;C:\WINNT\System32\DRIVERS\i81xnt5.sys
R3 mf;mf;C:\WINNT\System32\DRIVERS\mf.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINNT\System32\drivers\msmpu401.sys
R3 wanatw;WAN Miniport (ATW);C:\WINNT\System32\DRIVERS\wanatw4.sys
S1 TAPM_NT;TAPM_NT;C:\WINNT\System32\drivers\TAPM_NT.sys
S1 vrfyflp;Floppy disk verify driver;C:\WINNT\System32\drivers\vrfyflp.sys
S2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINNT\System32\DRIVERS\CINEMSUP.SYS
S2 Scsiprnt;Scsiprnt;C:\WINNT\System32\drivers\Scsiprnt.sys
S3 iAimFP0;iAimFP0;C:\WINNT\System32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINNT\System32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINNT\System32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINNT\System32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINNT\System32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINNT\System32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINNT\System32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINNT\System32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINNT\System32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINNT\System32\DRIVERS\wCh7xxNT.sys
S3 MPE;BDA MPE Filter;C:\WINNT\System32\DRIVERS\MPE.sys
S3 TBiosDrv;TBiosDrv;\??\C:\WINNT\System32\drivers\TBiosDrv.sys
S4 i81xnt4;i81xnt4;C:\WINNT\System32\DRIVERS\i81xnt4.sys
S4 lkbdfltr;Logitech Keyboard Class Filter Driver;C:\WINNT\System32\DRIVERS\lkbdfltr.sys
S4 lmoufltr;Logitech Mouse Class Filter Driver;C:\WINNT\System32\DRIVERS\lmoufltr.sys
S4 lsermous;Logitech Serial Mouse Driver;C:\WINNT\System32\DRIVERS\lsermous.sys

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2007-08-02 07:00:00 C:\WINNT\Tasks\Spybot - Search & Destroy - Scheduled Task.job - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 11:49:54
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-02 11:51:30
C:\ComboFix-quarantined-files.txt ... 2007-08-02 11:50
C:\ComboFix2.txt ... 2007-07-31 14:35

--- E O F ---
 
New HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:04, on 8/2/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\System32\BRMFRSMG.EXE
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINNT\explorer.exe
C:\WINNT\Profiles\Ken\Desktop\HelpMe\problem.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [PROMon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O13 - WWW. Prefix: http://
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162783581169
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\Software\..\Telephony: DomainName = cox.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cox.net
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
 
Seems pretty good. I am having trouble with opening certain files and functions in Windows. It seems that the computer cannot find the file "rundll32.exe". I tried to open the add/remove software to see if any of the added stuff like "free Online Dating", "Go To Casino", and "Find Spyware Remover" could be removed from there. That's when I received the error message.

I also am still having issues sending email from Outlook.

Thanks for all your help once again!
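As an added example (not code from this thread and not part of HijackThis), here is a small Python triage pass over the R/O entries of a HijackThis 1.99.1 log like the one above: it flags the entries a helper normally checks first (a BHO with no name, an O4 autorun command with no full path, a per-adapter NameServer to confirm against the ISP, and O23 services pointing at missing or unowned files). The sample lines are copied from the posted log; the regexes, the `Finding` type and the wording of the reasons are mine.

```python
"""Triage of HijackThis 1.99.1 log entries.

Added example for this thread; it is not part of HijackThis or of the
original posts. The sample lines are copied from the log posted above."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the entries from the posted log, plus two
# header lines to show that non-entry lines are ignored.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PROMon.exe] Promon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer = 194.54.90.226
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
"""

# One HijackThis entry per line: "<section> - <body>", e.g. "O17 - HKLM\...".
ENTRY_RE = re.compile(r"^(?P<section>R\d|O\d{1,2}) - (?P<body>.*)$")
DOMAIN_RE = re.compile(r"Parameters: Domain = (?P<domain>\S+)")
NAMESERVER_RE = re.compile(r"NameServer = (?P<ip>[\d.,]+)")
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_hjt(log_text):
    """Return (section, body, raw) for each R/O entry; headers and the
    'Running processes' list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body"), raw.strip()))
    return entries


def command_has_path(cmd):
    """True when an O4 Run command names its executable by full path.
    A bare filename is resolved through the Windows search order, so the
    file that actually runs has to be confirmed by hand."""
    cmd = cmd.strip()
    if not cmd:
        return False
    # A quoted command: take everything up to the closing quote.
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(None, 1)[0]
    return ":\\" in exe or exe.startswith("\\\\")


def triage(log_text):
    """Return the entries a responder should verify, in log order."""
    entries = parse_hjt(log_text)
    # Collect the configured DNS suffixes first so the NameServer check can name them.
    domains = sorted({m.group("domain") for _, body, _ in entries
                      for m in [DOMAIN_RE.search(body)] if m})
    findings = []
    for section, body, raw in entries:
        reasons = []
        if section == "O2" and "(no name)" in body:
            reasons.append("BHO reports no name; identify it by CLSID and file")
        elif section == "O4":
            run = RUN_RE.search(body)
            if run and not command_has_path(run.group("cmd")):
                reasons.append("autorun command has no full path; confirm which file actually runs")
        elif section == "O17":
            ns = NAMESERVER_RE.search(body)
            if ns:
                reasons.append(f"per-adapter DNS server {ns.group('ip')}; confirm it belongs to "
                               f"the ISP for {', '.join(domains) or 'the configured domain'}")
        elif section == "O23":
            if "(file missing)" in body:
                reasons.append("service points to a file that no longer exists")
            if "Unknown owner" in body:
                reasons.append("service binary carries no publisher information")
        if reasons:
            findings.append(Finding(section, "; ".join(reasons), raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```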
 
HI

I have no idea what is giving you the issues concerning sending email from Outlook... I was hoping removing all the malware would resolve this. If not, I'll see what I can come up with...

Go to > Start > Run > type appwiz.cpl & click OK ... does Add/remove programs open ?

Go to C:\WINNT\system32 folder ... do you see a "rundll32.exe" file ?

I tried to open the add/remove software to see if any of the added stuff like "free Online Dating", "Go To Casino", and "Find Spyware Remover" could be removed from there.

Where are you seeing this ? this is the first you've mentioned it ... I think ?

Run hijackthis ... click Open the Misc tools section

Click open uninstall manager

Click save list

Copy & paste the list in your next post here.

steam
 
When I run appwiz.cpl I get an error message. It says appwiz.cpl is not a valid Win32 application. I also do not see it in the system32 folder. In fact, there is a blank spot on the screen where that file should be.

Those 3 programs are showing up on my desktop as shortcuts. They were there before and I deleted them. They stayed away for a while, but reappeared on one of the last reboots. Should I just delete them? Sorry I did not mention them before. I figured they were just part of the bigger problem.

Here is the uninstall list:

Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.9
AOL Uninstaller (Choose which Products to Remove)
ATI Control Panel
ATI Display Driver
ATI DVD Decoder
ATI Multimedia Center 7.8.0.0
Backgrounds
CCleaner (remove only)
DAO
File System Utilities
Google Toolbar for Internet Explorer
HijackThis 1.99.1
hp instant support
HP Photo and Imaging 2.2 - Scanjet 3970 Series
HydraVision
Intel Security Driver
Intel(R) PRO Network Adapters and Drivers
Internet Explorer Q832894
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_08
Learn2 Player (Uninstall Only)
Microsoft Office XP Standard
MouseWare 9.01
Mozilla Firefox (2.0.0.6)
Outlook Express Update Q330994
Paltalk
PC Show and Tell Player
Pure Networks Port Magic
QuickTime
RealPlayer Basic
ScanSoft PaperPort Viewer 7.0
Spybot - Search & Destroy 1.4
Tera Term Pro
Toshiba Software Upgrades v2.1
Toshiba TAPM Setup
Toshiba Tbiosdrv Driver
Toshiba VirtualTech
Toshiba VirtualTech Agent
Turbo Lister
TurboTax Deluxe 2004
TurboTax Deluxe 2005
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2006
Viewpoint Media Player
WebEx Client
WexTech AnswerWorks
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Application Compatibility Update[Q319580]
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Hotfix (SP1) [See Q311889 for more information]
Windows XP Hotfix (SP1) [See Q311967 for more information]
Windows XP Hotfix (SP1) [See Q313450 for more information]
Windows XP Hotfix (SP1) [See Q314862 for more information]
Windows XP Hotfix (SP1) [See Q315000 for more information]
Windows XP Hotfix (SP1) [See Q315403 for more information]
Windows XP Hotfix (SP1) [See Q317277 for more information]
Windows XP Hotfix (SP1) [See Q318138 for more information]
Windows XP Hotfix (SP1) [See Q323172 for more information]
Windows XP Hotfix (SP1) [See Q324096 for more information]
Windows XP Hotfix (SP1) [See Q324380 for more information]
Windows XP Hotfix (SP1) [See Q326830 for more information]
Windows XP Hotfix (SP1) [See Q328940 for more information]
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q811493
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP1) Q819696
Windows XP Hotfix (SP2) [See Q329115 for more information]
WinRAR archiver
WinZip
 
Hi

that uninstall list is what you would see in add/remove programs ... & there's no malware there ...

I want you to run 2 more programs please :-

1. Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

3. Reboot into Safe Mode:-

Reboot into >>>safe mode

4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum...

THEN...

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

steam
 
Here is the new SDFix log:

SDFix: Version 1.94

Run by Ken on Thu 08/02/2007 at 15:59

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

C:\WINNT\Profiles\Ken\NetHood\download on www.401kduediligence.com\Desktop.ini
C:\Program Files\America Online 9.0\aolphx.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\America Online 9.0\RBM.exe
C:\WINNT\system32\1E9308E591.sys
C:\WINNT\system32\KGyGaAvL.sys
C:\WINNT\Profiles\Ken\My Documents\~WRL3016.tmp
C:\WINNT\system32\BIT84.tmp
C:\WINNT\system32\config\default.tmp.LOG
C:\WINNT\system32\config\SAM.tmp.LOG
C:\WINNT\system32\config\SECURITY.tmp.LOG
C:\WINNT\system32\config\software.tmp.LOG
C:\WINNT\system32\config\system.tmp.LOG

Finished

I am running the SUPERAntiSpyware as we speak.

I still cannot go to some websites, such as forums.spybot.info. It is still killing that particular website. Although it did allow me to download from the SUPERAntiSpyware site. Since I cannot access this site, I am having to still get the logs to a different computer to post them here.

Just giving you symptoms to help with your diagnosis. I will post the next log when it is finished...
 
Well that was rather humbling. 155 threats, many of which were trojans....YIKES!!!

Here is the SUPERAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/02/2007 at 08:17 PM

Application Version : 3.9.1008

Core Rules Database Version : 3277
Trace Rules Database Version: 1288

Scan type : Complete Scan
Total Scan Time : 03:58:01

Memory items scanned : 458
Memory threats detected : 0
Registry items scanned : 5166
Registry threats detected : 1
File items scanned : 46453
File threats detected : 155

Adware.Tracking Cookie
C:\WINNT\Profiles\Ken\Cookies\ken@atdmt[2].txt
C:\WINNT\Profiles\Ken\Cookies\ken@atwola[1].txt
C:\WINNT\Profiles\Ken\Cookies\ken@doubleclick[1].txt
C:\WINNT\Profiles\Ken\Cookies\ken@ads.web.aol[2].txt
C:\WINNT\Profiles\Ken\Cookies\ken@zedo[1].txt
C:\WINNT\Profiles\Ken\Cookies\ken@mediaplex[1].txt
C:\WINNT\Profiles\Ken\Cookies\ken@html[1].txt
C:\WINNT\Profiles\Ken\Cookies\ken@revsci[2].txt
C:\WINNT\Profiles\Ken\Cookies\ken@questionmarket[1].txt
C:\WINNT\Profiles\Ken\Cookies\ken@advertising[2].txt
C:\WINNT\Profiles\Ken\Cookies\ken@2o7[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@2o7[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@ads.adworldnetwork[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@ads.as4x.tmcs.ticketmaster[2].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@ads.as4x.tmcs[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@ads.businessweek[2].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@ads.specificpop[2].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@adserving.autotrader[2].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@atdmt[2].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@cpvfeed[2].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@edge.ru4[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@ordertracking[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@pointroll[2].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@questionmarket[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@stats.klsoft[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@tracking[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@trafficmp[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@www.macromedia[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@www.qksrv[2].txt
C:\WINNT\Profiles\Ken\Cookies\ken@2o7[2].txt
C:\WINNT\Profiles\Ken\Cookies\ken@ads.web.aol[1].txt
C:\WINNT\system32\config\systemprofile\Cookies\system@67.15.239[1].txt
C:\WINNT\system32\config\systemprofile\Cookies\system@67.15.239[2].txt
C:\WINNT\system32\config\systemprofile\Cookies\system@67.15.239[3].txt
C:\WINNT\system32\config\systemprofile\Cookies\system@67.15.239[4].txt
C:\WINNT\system32\config\systemprofile\Cookies\system@67.15.239[5].txt

Adware.HotBar/SpamBlockerUtility (Low Risk)
C:\WINNT\Downloaded Program Files\SpamBlockerUtility.inf

Trojan.WinBo32/Enhance
HKU\S-1-5-21-1333796941-572090573-1985484534-1003\Software\System\sysuid

Adware.MyWay
C:\Program Files\MyWay

Adware.ClickSpring/Outer Info Network
C:\WINNT\Profiles\Ken\Start Menu\Programs\Outerinfo\Terms.lnk
C:\WINNT\Profiles\Ken\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\WINNT\Profiles\Ken\Start Menu\Programs\Outerinfo

Adware.k8l
C:\PROGRAM FILES\WINDOWS NT\RTENEFS.HTML

Unclassified.Unknown Origin
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\TOSHIBA\MESOWIFYM4.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\TOSHIBA\MESOWIFYM83122.DLL.VIR

Trojan.Downloader-Gen/BasicMath
C:\QOOBOX\QUARANTINE\C\WINNT\DLS0523PMW.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078957.EXE

Adware.ClickSpring
C:\QooBox\Quarantine\C\WINNT\system32\CURITY~1\EXPLOR~1.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076626.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078950.EXE

Trojan.Downloader-DRVSAM
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\DRVJAX.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\DRVSAG.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\DRVSUN.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\DRVTOP.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076608.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1068\A0079180.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1068\A0079182.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1068\A0079184.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1068\A0079185.DLL

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\G1\KMHP83122.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\WNSINTISV32.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0077788.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078940.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078951.EXE
C:\WINNT\PROFILES\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\H7NF66X8\XC60[1].EXE
C:\WINNT\PROFILES\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\XRVVW3QR\XC42[1].EXE
C:\WINNT\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\GX8EH84D\XC60[1].EXE

Adware.SysMon
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\G11\Z553.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078954.EXE

Adware.Vundo/Traff-2
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\LSLTFYVD.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078970.EXE

Adware.Vundo Variant
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\NNNMLII.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\OPNONML.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0077843.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078965.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078967.DLL

Adware.Mirar/NetNucleus
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\WINNB58.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078956.DLL

Trojan.Downloader-LDCore
C:\QOOBOX\QUARANTINE\C\WINNT\TFJJP0578.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1068\A0079186.EXE
C:\WINNT\PROFILES\LOCALSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\N07NOGTO\USER9[1].EXE

Adware.RAC
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1063\A0076518.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076641.EXE
C:\WINNT\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\RSKUD5FP\83122[1].EXE

Adware.ZenoSearch
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1063\A0076528.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076640.EXE

Adware.Search2Find
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1063\A0076567.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1063\A0076568.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1063\A0076569.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076598.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076600.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076602.LNK
C:\WINNT\PROFILES\KEN\DESKTOP\FIND SPYWARE REMOVER.LNK
C:\WINNT\PROFILES\KEN\DESKTOP\FREE ONLINE DATING.LNK
C:\WINNT\PROFILES\KEN\DESKTOP\GO TO CASINO.LNK
C:\WINNT\SYSTEM32\CONFIG\SYSTEMPROFILE\DESKTOP\FIND SPYWARE REMOVER.LNK
C:\WINNT\SYSTEM32\CONFIG\SYSTEMPROFILE\DESKTOP\FREE ONLINE DATING.LNK
C:\WINNT\SYSTEM32\CONFIG\SYSTEMPROFILE\DESKTOP\GO TO CASINO.LNK

Adware.ClickSpring/Resident
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076590.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076597.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076623.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076625.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0077785.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1065\A0078845.DLL
C:\WINNT\PROFILES\KEN\DESKTOP\HELPME\BACKUPS\BACKUP-20070731-135806-264.DLL

Trojan.Downloader-Gen/TStamp
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076596.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076624.EXE

Trojan.Downloader-NoName
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076605.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0077733.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1065\A0077878.EXE

Trojan.Downloader-Gen/AVP
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076609.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0077736.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0077752.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1065\A0077881.EXE
C:\WINNT\PROFILES\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\XRVVW3QR\XC23[1].EXE
C:\WINNT\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\GX8EH84D\XC23[1].EXE

Trojan.IERedirector
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1065\A0078847.DLL
C:\WINNT\PROFILES\KEN\DESKTOP\HELPME\BACKUPS\BACKUP-20070731-135806-917.DLL

Trojan.WinAntiSpyware/WinAntiVirus 2006
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1065\A0078871.EXE

Trojan.ZQuest
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078944.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078945.DLL

Trojan.Downloader-Gen/HitItQuitIt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078960.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078963.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078964.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078966.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078968.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078969.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078982.DLL

Adware.ClickSpring/Yazzle
C:\WINNT\PREFETCH\YAZZLE1162OINADMIN.EXE-04B49B8B.PF

Trojan.Downloader-Gen/Mandingo
C:\WINNT\PROFILES\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\H7NF66X8\XC29[1].EXE

Trojan.TagASaurus
C:\WINNT\PROFILES\LOCALSERVICE\DESKTOP\SEARCHUS.EXE
C:\WINNT\SYSTEM32\CONFIG\SYSTEMPROFILE\DESKTOP\SEARCHUS.EXE

Trace.Known Threat Sources
C:\WINNT\Profiles\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5M464CKY\anti4[1].exe
C:\WINNT\Profiles\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6RP4XMIO\antzom[1].exe
C:\WINNT\Profiles\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5M464CKY\x5s34[1].exe
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RSKUD5FP\nf404[4].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GX8EH84D\nf404[4].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RSKUD5FP\nf404[5].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OCGFLFG7\nf404[1].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GX8EH84D\nf404[3].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OCGFLFG7\nf404[4].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q0A2UVEF\nf404[3].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OCGFLFG7\CATWGRHX.htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q0A2UVEF\nf404[6].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GX8EH84D\nf404[1].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OCGFLFG7\nf404[5].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GX8EH84D\nf404[2].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q0A2UVEF\nf404[4].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OCGFLFG7\nf404[3].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q0A2UVEF\nf404[2].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q0A2UVEF\nf404[1].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RSKUD5FP\nf404[6].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OCGFLFG7\anti4[1].exe
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OCGFLFG7\nf404[2].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q0A2UVEF\CAXS6XDF.htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RSKUD5FP\nf404[7].htm
 
Hi
I still cannot go to some websites, such as forums.spybot.info. It is still killing that particular website. Although it did allow me to download from the SUPERAntiSpyware site. Since I cannot access this site, I am having to still get the logs to a different computer to post them here.

Just giving you symptoms to help with your diagnosis. I will post the next log when it is finished...

Of course ... keep reminding me what the problems are (& tell me when any are resolved) & anything else you think I should know, or think I may have forgotten ... I know we've got rid of a lot of bad stuff, but you still have several apparently unconnected problems ...

RE:Superantispyware
When you take out the cookies, system restore, & C:\QOOBOX\QUARANTINE (combofix backups)...

It didn't find that much, but still it got rid of a bit more ...

-
are you able to run any on-line virus scans on the sick computer ?

Panda ActiveScan ?
TrendMicro HouseCall ?

If you need info on running these .. let me know ?
-
When you ran Ccleaner ... did you run it on the C:\WINNT\PROFILES\KEN ... profile ?

If so, then can you run it again please on the C:\WINNT\PROFILES\ADMINISTRATOR profile...

-
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:
File::
C:\WINNT\uni_eh44.exe
C:\WINNT\uninst1014.exe
C:\Program Files\func.js
C:\Program Files\Del.js
C:\Program Files\func.exe

Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply ...

steam
 
RE:Superantispyware
When you take out the cookies, system restore, & C:\QOOBOX\QUARANTINE (combofix backups)...

It didn't find that much, but still it got rid of a bit more ...

I don't quite follow what you are saying in this statement. Can you clarify?

I have not started any of the work since your last post. I decided to take a day off from dealing with it. The PC seems to be working quite well though besides those minor problems. Still cannot access things like Add/Remove Software because of the rundll32.exe file missing. Still cannot access some websites because something is killing them. Finally, I cannot get email sent out in Outlook, and it now is not able to retrieve it from one of my sources. That is a change and I have done nothing to it.

All 3 of these problems are new since the malware got on the PC. Prior to that, the PC was working great even though it is 7 years old and about 5th hand. :eek:

I will get to work on the new list and get back to you. Is it possible to just get a copy of rundll32.exe from another computer and put it in the correct file?
 
One more thing, something is definitely hijacking Google in IE. In Firefox it seems to be OK, but in IE Google only finds certain sites that seem like junk and also delivers results in some foreign language.

Panda ActiveScan is not supported in Firefox so I had to try finding it on IE and I got nowhere near the same results.
Actually, now that I am going through them, this seems to happen in a bunch of different search engines.

I was able to get Panda ActiveScan running by pasting the link found using Firefox and Google.

More to come,...
 
Hi

steam said:
Originally Posted by steamwiz
RE:Superantispyware
When you take out the cookies, system restore, & C:\QOOBOX\QUARANTINE (combofix backups)...

It didn't find that much, but still it got rid of a bit more ...
I don't quite follow what you are saying in this statement. Can you clarify?

What I meant is if you ignore all the entries under :-

cookies

Adware.Tracking Cookie
C:\WINNT\Profiles\Ken\Cookies\ken@atdmt[2].txt
C:\WINNT\Profiles\Ken\Cookies\ken@atwola[1].txt
C:\WINNT\Profiles\Ken\Cookies\ken@doubleclick[1].txt
etc,

these are no biggie...

system restore

C:\SYSTEM VOLUME INFORMATION\_RESTORE

these don't come into play unless you perform a system restore, so are no problem...

& C:\QOOBOX\QUARANTINE

these are already quarantined & no problem...

Then it didn't find a lot more ...

I didn't want you to do anything with these, I was just making a statement... sorry if I confused you..

-
In post #30 I asked you this :-

Go to > Start > Run > type appwiz.cpl & click OK ... does Add/remove programs open ?

Go to C:\WINNT\system32 folder ... do you see a "rundll32.exe" file ?


your reply...

When I run appwiz.cpl I get an error message. It says appwiz.cpl is not a valid Win32 application. I also do not see it in the system32 folder. In fact, there is a blank spot on the screen where that file should be.


This sounds like you are referring to the appwiz.cpl file ?

So do you see a "rundll32.exe" file ?

The appwiz.cpl & the rundll32.exe should BOTH be in the C:\WINNT\system32 folder

Are they BOTH missing or just one of them ?


Continue with the latest Combofix CFScript.txt instructions and delete those files, then let me know if there is any improvement ?

steam
 
So do you see a "rundll32.exe" file ?

The appwiz.cpl & the rundll32.exe should BOTH be in the C:\WINNT\system32 folder

Are they BOTH missing or just one of them ?

I do see the appwiz.cpl file in C:\WINNT\system32. I do not see rundll32.exe. Like I said, there is a blank space in that folder where the icon for rundll32.exe should be.

Further, on the control panel, when I click user accounts, I get the same error message about windows not being able to find rundll32.exe.

I do not know how to get into the Admin profile. It does not give me the choice on boot up and the User Accounts link is not working. It does give me the option to boot into Admin if I boot in safe mode. Can I boot in Safe Mode and run the new ComboFix instructions from there? If not, how else can I log in as Admin?
 
Here is the Panda Active Scan log. It did not let me get rid of everything without paying. I also ran Trend Micro HouseCall, and got rid of what it found, but it did not really give me a log.

Adware:Adware/ImageActiveXObject Not disinfected C:\Program Files\codec_setup.exe
Virus:Trj/Clicker.XQ Disinfected C:\Program Files\func.exe
Virus:Trj/Clicker.XQ Disinfected C:\Program Files\func.js
Potentially unwanted tool:Application/DriveCleaner Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe.vir
Adware:Adware/IST Not disinfected C:\QooBox\Quarantine\C\Program Files\SpamBlockerUtility\bin\4.8.4.0\SpamBlockerUtility.exe.vir[SBTVSetup.exe][SBTVHelper.dll]
Adware:Adware/Popper Not disinfected C:\QooBox\Quarantine\C\WINNT\hkmheep.exe.vir
Adware:Adware/DigInk Not disinfected C:\QooBox\Quarantine\C\WINNT\rau001978.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\awtqqnn.dll.vir
Virus:Trj/Downloader.OZB Disinfected C:\QooBox\Quarantine\C\WINNT\system32\fllhrxun.exe.vir
Virus:Trj/Downloader.PNC Disinfected C:\QooBox\Quarantine\C\WINNT\system32\G3\wr725.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\ljjkjii.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\nnnmjij.dll.vir
Virus:Trj/Passtealer.ED Disinfected C:\QooBox\Quarantine\C\WINNT\system32\nnnnmkj.dll.vir
Virus:Trj/Downloader.OZB Disinfected C:\QooBox\Quarantine\C\WINNT\system32\rxpqxkpr.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\vturpmk.dll.vir
Adware:Adware/SuperSpider Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\winilc32.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\yaywvvw.dll.vir
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Adware:Adware/Winpopup Not disinfected C:\SDFix\backups_old1\backups.zip[backups/b122.exe]
Virus:Trj/Downloader.NUS Disinfected C:\SDFix\backups_old1\backups.zip[backups/d.exe]
Virus:Trj/Downloader.OZB Disinfected C:\SDFix\backups_old1\backups.zip[backups/qwerty12.exe]
Virus:Trj/Downloader.OXI Disinfected C:\SDFix\backups_old1\backups.zip[backups/stdrun1.exe]
Adware:Adware/DigInk Not disinfected C:\SDFix\backups_old1\backups.zip[backups/stdrun3.exe][g4356cbvy63.exe]
Adware:Adware/DigInk Not disinfected C:\SDFix\backups_old1\backups.zip[backups/stdrun3.exe][uni_eh44.exe]
Adware:Adware/DigInk Not disinfected C:\SDFix\backups_old1\backups.zip[backups/stdrun3.exe][uninst1014.exe]
Adware:Adware/TTC Not disinfected C:\SDFix\backups_old1\backups.zip[backups/stdrun4.exe][TTC.dll]
Adware:Adware/SuperSpider Not disinfected C:\SDFix\backups_old1\backups.zip[backups/stdrun5.exe]
Virus:Generic Trojan Disinfected C:\SDFix\backups_old1\backups.zip[backups/stdrun6.exe~]
Adware:Adware/SuperSpider Not disinfected C:\SDFix\backups_old1\backups.zip[backups/stdrun8.exe~]
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\SDFix\backups_old1\backups.zip[backups/UWA7P_0001_N91M0809NetInstaller.exe]
Adware:Adware/KeenValue Not disinfected C:\WINNT\browserxtras\pn\remove.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\nircmd.exe
Spyware:Cookie/2o7 Not disinfected C:\WINNT\Profiles\Administrator\Application Data\Mozilla\Firefox\Profiles\lal84xys.default\cookies.txt[.2o7.net/]
Spyware:Cookie/CentrPort Not disinfected C:\WINNT\Profiles\Administrator\Cookies\administrator@centrport[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\WINNT\Profiles\Ken\Application Data\Mozilla\Firefox\Profiles\7otm7rt6.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\WINNT\Profiles\Ken\Application Data\Mozilla\Firefox\Profiles\7otm7rt6.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\WINNT\Profiles\Ken\Application Data\Mozilla\Firefox\Profiles\7otm7rt6.default\cookies.txt[.2o7.net/]
Spyware:Cookie/FastClick Not disinfected C:\WINNT\Profiles\Ken\Application Data\Mozilla\Firefox\Profiles\7otm7rt6.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\WINNT\Profiles\Ken\Application Data\Mozilla\Firefox\Profiles\7otm7rt6.default\cookies.txt[.advertising.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\WINNT\Profiles\Ken\Application Data\Mozilla\Firefox\Profiles\7otm7rt6.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\WINNT\Profiles\Ken\Application Data\Mozilla\Firefox\Profiles\7otm7rt6.default\cookies.txt[.tribalfusion.com/]
 
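A small triage helper, added here as an example and not part of the thread or of any of the tools it mentions, that applies steamwiz's rule above (entries under cookies, System Volume Information restore points and the ComboFix/SDFix quarantine or backup folders are already contained) to lines in the format of the Panda ActiveScan log Ken posted. The sample lines are constructed from that log's format, and the path keywords used for bucketing are my own assumption, not something the scanner exposes.

```python
import re

# Constructed sample lines in the format of the Panda ActiveScan log posted in the thread.
SAMPLE_LOG = r"""
Adware:Adware/ImageActiveXObject Not disinfected C:\Program Files\codec_setup.exe
Virus:Trj/Clicker.XQ Disinfected C:\Program Files\func.exe
Virus:Generic Trojan Disinfected C:\SDFix\backups_old1\backups.zip[backups/stdrun6.exe~]
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\awtqqnn.dll.vir
Spyware:Cookie/2o7 Not disinfected C:\WINNT\Profiles\Ken\Application Data\Mozilla\Firefox\Profiles\7otm7rt6.default\cookies.txt[.2o7.net/]
Spyware:Cookie/CentrPort Not disinfected C:\WINNT\Profiles\Administrator\Cookies\administrator@centrport[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\nircmd.exe
"""

# Format: "<category>:<detection name> <Disinfected|Not disinfected> <path>".
# The name may contain spaces ("Generic Trojan"), so it is matched lazily up to the status word.
LINE_RE = re.compile(
    r"^(?P<kind>[^:]+):(?P<name>.+?) (?P<status>Disinfected|Not disinfected) (?P<path>.+)$"
)

def classify(path):
    """Bucket a path by the rule given in the thread: tool quarantines and backups,
    restore points and tracking cookies are already contained; everything else is live.
    The substrings below are an assumption based on the paths seen in this log."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p or "\\sdfix\\backups" in p:
        return "quarantined"
    if "\\system volume information\\" in p:
        return "restore-point"
    if "\\cookies\\" in p or "cookies.txt[" in p:
        return "cookie"
    return "live"

def parse_log(text):
    """Parse log lines into dicts with a 'bucket' key; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["bucket"] = classify(entry["path"])
            entries.append(entry)
    return entries

def outstanding(text):
    """Live files the scanner reported but did not clean: these still need manual action."""
    return [e["path"] for e in parse_log(text)
            if e["bucket"] == "live" and e["status"] == "Not disinfected"]
```

Run against the full log, `outstanding()` lists only the files still sitting outside quarantine that the scanner left in place, which is the list to hand back to the helper rather than the cookie and backup noise.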