Lots of problems, HJT log included...

A

Andy Booth

New member
Ok, this afternoon my PC started acting really strangely. Firstly, I got alot of pop up windows in IE (which is strange because I use firefox), mainly they were to do with security programs. I closed them all, a little confused. Next thing I know, my current firefox window got redirected to the following URL...

http://89.188.16.13/trafc-2/rfe.php...=http://www.google.co.uk/ig?hl=en&affid=66973

It was a blank page....but that was in the address bar.

I was then in My Computer, browsing my C: Drive and Windows Explorer closed down (I lost my taskbar and icons on my desktop).

Restarted the computer...

When it starts up I have a small icon in my tray warning me about Security issues - i've never had this icon before...

Anyways, I come on here to see how to solve my problems!

I ran ad-aware, cleared up everything I could on there. Ran AVG Anti-Virus - again clearing everything. Ran an online test at panda (i'll put the log below). Ran Spybot and cleared everything. Restarted in safe mode and ran spybot again. Cleared. Ran sybot again and there was one that was still there - "Smitfraud -c". I ran it again and it still turned up again. Anyways, restarted my PC in normal mode and did a HJT log.

My pc has these problems maybe every 30 mins or so on average. Just a note, after messing around in safe mode and running spybot I no longer have the icon in the system tray but im still getting pop ups in IE and stuff...

Hope you can help :)

ONLINE SCAN:

Incident Status Location

Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.winantivirus.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[winantivirus.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[www.winantivirus.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.adtech.de/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.com.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.888.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[www.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[stats.drivecleaner.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[as1.falkag.de/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Serving-sys Not disinfected
 
C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.overture.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[server.iad.liveperson.net/hc/18692324]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[counter.hitslink.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[server.iad.liveperson.net/hc/6425137]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[server.iad.liveperson.net/hc/614779]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[server.iad.liveperson.net/hc/58032969]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Andy Booth\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\cookies.txt[.bfast.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Andy Booth\Cookies\andy booth@ad.yieldmanager[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Andy Booth\Cookies\andy booth@as-eu.falkag[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Andy Booth\Cookies\andy booth@mediaplex[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Andy Booth\Cookies\andy booth@stats1.reliablestats[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Andy Booth\Cookies\andy booth@winantivirus[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Andy Booth\Cookies\andy booth@www.winantivirus[1].txt
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Documents and Settings\Andy Booth\Local Settings\Application Data\Mozilla\Firefox\Profiles\ci5aqdyj.default\Cache\B23E4567d01
Adware:Adware/YazzleSudoku Not disinfected C:\Documents and Settings\Andy Booth\Local Settings\Temp\b116.exe
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Andy Booth\Local Settings\Temp\b122.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Andy Booth\Local Settings\Temp\mst48.tmp
Adware:Adware/DriveCleaner Not disinfectedC:\Documents and Settings\Andy Booth\Local Settings\Temp\mst50.tmp
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Andy Booth\Local Settings\Temp\~nsu.tmp\Au_.exe
Adware:Adware/SuperSpider Not disinfected C:\Documents and Settings\Andy Booth\Local Settings\Temporary Internet Files\Content.IE5\CHOTCZAX\antzom[1].exe
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Andy Booth\Local Settings\Temporary Internet Files\Content.IE5\G7PALYON\anti4[1].exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Andy Booth\Local Settings\Temporary Internet Files\Content.IE5\SYZJB7M3\!update-4295[1].0000
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Andy Booth\Local Settings\Temporary Internet Files\Content.IE5\SYZJB7M3\mulbin32[1].exe
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Andy Booth\Local Settings\Temporary Internet Files\Content.IE5\WJSHKNW5\wlzip32[1].exe
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
Adware:Adware/ActiveSearch Not disinfected C:\Program Files\Common Files\{3C787136-0708-1033-0110-05040508002c}\system.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\aslpslqm.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\cbxywwv.dll
Adware:Adware/DriveCleaner Not disinfected C:\WINDOWS\system32\drvdit.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ljjkhef.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\winwly32.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\?icrosoft\cmd.exe
Adware:Adware/DriveCleaner Not disinfected C:\WINDOWS\Temp\mst7F.tmp
Adware:Adware/Yazzle Not disinfected C:\WINDOWS\Temp\win80.tmp.exe

HJT LOG:
Logfile of HijackThis v1.99.1
Scan saved at 21:50:44, on 05/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Andy Booth\My Documents\?ymantec\w?auboot.exe
 
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Palm\Hotsync.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Windows Media Connect 2\wmccds.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {4C18FA89-4249-1B9C-6B73-4331B5B4F6BE} - C:\WINDOWS\system32\krqgysnj.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yijpl] C:\Documents and Settings\Andy Booth\My Documents\?ymantec\w?auboot.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160104731843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
 
Hi Andy Booth and welcome to Safer Networking Forums :)

You got infections there...

Rename HijackThis.exe to Scanner.exe

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis (scanner.exe) log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
 
Many thanks...

Here is the Vundo Log:

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 09:43:31 06/12/2006

Listing files found while scanning....

C:\WINDOWS\system32\bkwotbh.dll
C:\WINDOWS\system32\winwly32.dll
C:\WINDOWS\system32\zxgahrl.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bkwotbh.dll
C:\WINDOWS\system32\bkwotbh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\winwly32.dll
C:\WINDOWS\system32\winwly32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\zxgahrl.dll
C:\WINDOWS\system32\zxgahrl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

Here is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 09:54:11, on 06/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\EasyPHP1-7\easyphp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Andy Booth\My Documents\?ymantec\w?auboot.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Palm\Hotsync.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {4C18FA89-4249-1B9C-6B73-4331B5B4F6BE} - C:\WINDOWS\system32\krqgysnj.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DAF56EA-8E47-47E6-8977-090F8042B347} - C:\WINDOWS\system32\ssttr.dll (file missing)
O2 - BHO: (no name) - {32988300-5A7B-1A62-93BD-09EF707022AA} - C:\WINDOWS\system32\lsgpjuk.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\dnoaosqv.dll (file missing)
O2 - BHO: (no name) - {4189FE61-B1A7-CAD6-0AB4-00B30028D2B8} - C:\WINDOWS\system32\jodhurb.dll
O2 - BHO: (no name) - {4C18FA89-4249-1B9C-6B73-4331B5B4F6BE} - C:\WINDOWS\system32\krqgysnj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {676786DA-9B5E-628D-56C4-02082FC40F91} - C:\WINDOWS\system32\tjmjwpm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {C671A733-A4AA-4B5F-8CEE-006242C457B5} - C:\WINDOWS\system32\cbxywwv.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvnaz.dll,startup
O4 - HKLM\..\Run: [pzokkrm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\pzokkrm.dll,chfnfdb
O4 - HKLM\..\Run: [EasyPHP] "C:\Program Files\EasyPHP1-7\easyphp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yijpl] C:\Documents and Settings\Andy Booth\My Documents\?ymantec\w?auboot.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160104731843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: cbxywwv - C:\WINDOWS\SYSTEM32\cbxywwv.dll
O23 - Service: Apache - Unknown owner - C:\PROGRA~1\EASYPH~1\Apache\apache.exe" --ntservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySql - Unknown owner - C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe
 
Hi again :)

Before we'll continue I would like you to do something for me...
I need you too upload few malware files for further inspection.

Make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.
Please go here to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
    • Click "Browse" on the 1. field.
      Browse to the following file and click the file with your mouse, press "Open"
      C:\WINDOWS\system32\cbxywwv.dll
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File
Please let me know when you have done this and then we'll get you cleaned :bigthumb:
 
Hi and thank you for the upload, we'll continue :)
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the 2 entries below into the top 2 boxes
  • C:\WINDOWS\system32\cbxywwv.dll
  • C:\WINDOWS\system32\vwwyxbc.*
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

NOTE: Do not run any other options from SmitfraudFix until I tell you to do so!
 
Ok here goes...

VUNDO:

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 09:43:31 06/12/2006

Listing files found while scanning....

C:\WINDOWS\system32\bkwotbh.dll
C:\WINDOWS\system32\winwly32.dll
C:\WINDOWS\system32\zxgahrl.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bkwotbh.dll
C:\WINDOWS\system32\bkwotbh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\winwly32.dll
C:\WINDOWS\system32\winwly32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\zxgahrl.dll
C:\WINDOWS\system32\zxgahrl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\ssttr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 21:39:23 06/12/2006

Listing files found while scanning....

C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\system32\jjjlm.ini
C:\WINDOWS\system32\jjjlm.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\system32\mljjj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjjlm.ini
C:\WINDOWS\system32\jjjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjjlm.bak1
C:\WINDOWS\system32\jjjlm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxywwv.dll
C:\WINDOWS\system32\cbxywwv.dll Has been deleted!

Performing Repairs to the registry.
Done!

HJT
Logfile of HijackThis v1.99.1
Scan saved at 21:46:31, on 06/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\EasyPHP1-7\easyphp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Andy Booth\My Documents\?ymantec\w?auboot.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe
C:\WINDOWS\system32\svchost.exe
C:\hjt\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {4C18FA89-4249-1B9C-6B73-4331B5B4F6BE} - C:\WINDOWS\system32\krqgysnj.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DAF56EA-8E47-47E6-8977-090F8042B347} - C:\WINDOWS\system32\ssttr.dll (file missing)
O2 - BHO: (no name) - {32988300-5A7B-1A62-93BD-09EF707022AA} - C:\WINDOWS\system32\lsgpjuk.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\dnoaosqv.dll (file missing)
O2 - BHO: (no name) - {4189FE61-B1A7-CAD6-0AB4-00B30028D2B8} - C:\WINDOWS\system32\jodhurb.dll
O2 - BHO: (no name) - {41C4B12A-933B-47E5-8D82-BFAF58CB93ED} - C:\WINDOWS\system32\mljjj.dll (file missing)
O2 - BHO: (no name) - {4C18FA89-4249-1B9C-6B73-4331B5B4F6BE} - C:\WINDOWS\system32\krqgysnj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {676786DA-9B5E-628D-56C4-02082FC40F91} - C:\WINDOWS\system32\tjmjwpm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvnaz.dll,startup
O4 - HKLM\..\Run: [pzokkrm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\pzokkrm.dll,chfnfdb
O4 - HKLM\..\Run: [EasyPHP] "C:\Program Files\EasyPHP1-7\easyphp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yijpl] C:\Documents and Settings\Andy Booth\My Documents\?ymantec\w?auboot.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160104731843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Apache - Unknown owner - C:\PROGRA~1\EASYPH~1\Apache\apache.exe" --ntservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySql - Unknown owner - C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe

SmitFraudFix
SmitFraudFix v2.128

Scan done at 21:47:27.17, 06/12/2006
Run from C:\Documents and Settings\Andy Booth\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Andy Booth


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Andy Booth\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ANDYBO~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

==================

Open Control Panel -> Add/Remove programs -> Remove all the of the following or similar entries if found:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga

and any other programs you didn't install or don't recognize - if your not sure please ask first

Download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

Tutorial for the uninstaller if needed

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R3 - URLSearchHook: (no name) - {4C18FA89-4249-1B9C-6B73-4331B5B4F6BE} - C:\WINDOWS\system32\krqgysnj.dll
O2 - BHO: (no name) - {0DAF56EA-8E47-47E6-8977-090F8042B347} - C:\WINDOWS\system32\ssttr.dll (file missing)
O2 - BHO: (no name) - {32988300-5A7B-1A62-93BD-09EF707022AA} - C:\WINDOWS\system32\lsgpjuk.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\dnoaosqv.dll (file missing)
O2 - BHO: (no name) - {4189FE61-B1A7-CAD6-0AB4-00B30028D2B8} - C:\WINDOWS\system32\jodhurb.dll
O2 - BHO: (no name) - {41C4B12A-933B-47E5-8D82-BFAF58CB93ED} - C:\WINDOWS\system32\mljjj.dll (file missing)
O2 - BHO: (no name) - {4C18FA89-4249-1B9C-6B73-4331B5B4F6BE} - C:\WINDOWS\system32\krqgysnj.dll
O2 - BHO: (no name) - {676786DA-9B5E-628D-56C4-02082FC40F91} - C:\WINDOWS\system32\tjmjwpm.dll
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvnaz.dll,startup
O4 - HKLM\..\Run: [pzokkrm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\pzokkrm.dll,chfnfdb
O4 - HKCU\..\Run: [Yijpl] C:\Documents and Settings\Andy Booth\My Documents\?ymantec\w?auboot.exe

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\krqgysnj.dll
C:\WINDOWS\system32\lsgpjuk.dll
C:\WINDOWS\system32\jodhurb.dll
C:\WINDOWS\system32\krqgysnj.dll
C:\WINDOWS\system32\tjmjwpm.dll
C:\WINDOWS\system32\drvnaz.dll
C:\WINDOWS\system32\pzokkrm.dll
Click to expand...
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.

Run ATF Cleaner
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      scanavgjk2.jpg
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
 
Ok here goes...

HJT:Logfile of HijackThis v1.99.1
Scan saved at 14:42:46, on 07/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\EASYPH~1\Apache\apache.exe
C:\Program Files\EasyPHP1-7\easyphp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EasyPHP] "C:\Program Files\EasyPHP1-7\easyphp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160104731843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Apache - Unknown owner - C:\PROGRA~1\EASYPH~1\Apache\apache.exe" --ntservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySql - Unknown owner - C:\PROGRA~1\EASYPH~1\MySql\bin\mysqld.exe

AVG:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 14:39:07 07/12/2006

+ Scan result:



C:\Documents and Settings\Andy Booth\Desktop\OiUninstaller.exe -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{799649D8-58FF-4C3D-9DF6-44FCF28E8F26}\RP68\A0008540.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{799649D8-58FF-4C3D-9DF6-44FCF28E8F26}\RP66\A0007785.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Мicrosoft\cmd.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{799649D8-58FF-4C3D-9DF6-44FCF28E8F26}\RP66\A0007789.exe -> Dropper.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{799649D8-58FF-4C3D-9DF6-44FCF28E8F26}\RP68\A0008465.dll -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\VundoFix Backups\winwly32.dll.bad -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{799649D8-58FF-4C3D-9DF6-44FCF28E8F26}\RP68\A0008541.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end
 
Ok looks quite good :)
How is the computer running ?

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
 
Havn't been on it much since i've done the fixes but havn't noticed any problems yet! Its generally running alot better, I was finding it awful slow at doing simple things like navigating my C: drive, which doesn't seem to be the case anymore :)

Here is the requested log...hope it looks ok :)

Andy Booth - 06-12-07 21:29:43.23 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Andy Booth\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{3C787136-0708-1033-0110-05040508002c}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Andy Booth\My Documents\YMANTE~1
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1\?icrosoft


((((((((((((((((((((((((((((((( Files Created from 2006-11-07 to 2006-12-07 ))))))))))))))))))))))))))))))))))


2006-12-07 13:43 <DIR> d-------- C:\!KillBox
2006-12-07 13:14 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-06 09:43 <DIR> d-------- C:\VundoFix Backups
2006-12-06 01:03 <DIR> d-------- C:\Program Files\EasyPHP1-7
2006-12-05 23:41 <DIR> d-------- C:\WINDOWS\pss
2006-12-05 21:52 40,973 ---hs---- C:\WINDOWS\system32\tuvsssp.dll
2006-12-05 21:19 <DIR> d-------- C:\hjt
2006-12-05 20:02 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-05 19:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-05 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-05 18:09 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2006-12-05 16:38 <DIR> dr-h----- C:\$VAULT$.AVG
2006-12-05 16:33 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-05 16:33 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-12-05 16:33 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-05 16:33 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-12-05 16:33 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-05 16:33 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-12-05 16:33 <DIR> d-------- C:\Program Files\Grisoft
2006-12-05 16:33 <DIR> d-------- C:\Documents and Settings\Andy Booth\Application Data\AVG7
2006-12-05 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-12-05 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2006-12-05 09:49 <DIR> d-------- C:\Documents and Settings\Andy Booth\Application Data\Lavasoft
2006-12-05 09:47 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-05 09:18 88,340 --a------ C:\WINDOWS\system32\aslpslqm.exe
2006-12-05 09:11 72,704 --a------ C:\WINDOWS\system32\drvdit.dll
2006-12-05 09:11 40,973 ---hs---- C:\WINDOWS\system32\ljjkhef.dll
2006-12-05 00:10 <DIR> d-------- C:\Program Files\Plucker
2006-12-04 22:55 327,168 --a------ C:\WINDOWS\IsUninst.exe
2006-12-04 22:46 <DIR> d-------- C:\Program Files\Investintech.com Inc
2006-12-04 21:54 <DIR> d-------- C:\Documents and Settings\Andy Booth\Application Data\Leadertech
2006-12-04 21:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HotSync
2006-12-04 21:52 53,248 --a------ C:\WINDOWS\PalmDevC.dll
2006-12-04 21:52 <DIR> d-------- C:\Program Files\Palm
2006-12-04 21:52 <DIR> d-------- C:\Documents and Settings\Andy Booth\Application Data\HotSync
2006-11-27 23:30 <DIR> d-------- C:\Game Swapping
2006-11-15 13:37 <DIR> d-------- C:\Program Files\Azureus
2006-11-15 13:37 <DIR> d-------- C:\Documents and Settings\Andy Booth\Application Data\Azureus
2006-11-14 08:48 <DIR> d-------- C:\Documents and Settings\Andy Booth\Application Data\AdobeUM
2006-11-10 22:42 <DIR> d-------- C:\Documents and Settings\Andy Booth\Application Data\Alien Skin
2006-11-07 22:14 <DIR> d-------- C:\Program Files\PHP


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-07 21:30 -------- d-------- C:\Program Files\Common Files
2006-12-07 21:26 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-05 20:33 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-12-05 20:24 -------- d-------- C:\Program Files\Internet Explorer
2006-12-04 23:01 -------- d-------- C:\Program Files\Common Files\Adobe
2006-12-04 22:55 -------- d-------- C:\Program Files\Adobe
2006-12-04 21:52 16694 --a------ C:\WINDOWS\system32\drivers\PalmUSBD.sys
2006-11-30 00:38 -------- d-------- C:\Documents and Settings\Andy Booth\Application Data\Adobe
2006-11-24 13:16 -------- d-------- C:\Program Files\Winamp
2006-11-16 15:24 -------- d-------- C:\Program Files\Java
2006-11-16 15:02 -------- d-------- C:\Documents and Settings\Andy Booth\Application Data\Macromedia
2006-11-16 15:01 -------- d-------- C:\Program Files\Macromedia
2006-11-16 15:00 -------- d---s---- C:\Documents and Settings\Andy Booth\Application Data\Microsoft
2006-11-16 15:00 -------- d-------- C:\Program Files\Common Files\Macromedia
2006-11-15 14:01 -------- d-------- C:\Documents and Settings\Andy Booth\Application Data\OpenOffice.org2
2006-11-02 09:58 869 --a------ C:\Documents and Settings\Andy Booth\Application Data\AdobeDLM.log
2006-11-02 09:58 0 --a------ C:\Documents and Settings\Andy Booth\Application Data\dm.ini
2006-11-01 14:41 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-11-01 14:41 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-01 14:40 -------- d-------- C:\Program Files\Microsoft.NET
2006-11-01 14:40 -------- d-------- C:\Program Files\Microsoft Office
2006-10-23 21:22 -------- d-------- C:\Documents and Settings\Andy Booth\Application Data\Help
2006-10-23 21:18 -------- d-------- C:\Program Files\Lexmark 640 Series
2006-10-21 08:33 99776 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2006-10-19 21:56 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-19 21:56 -------- d-------- C:\Program Files\Creative
2006-10-19 21:43 -------- d-------- C:\Documents and Settings\Andy Booth\Application Data\Red Chair Software
2006-10-18 08:22 -------- d-------- C:\Program Files\WinRAR
2006-10-17 18:23 -------- d-------- C:\Documents and Settings\Andy Booth\Application Data\Nvu
2006-10-16 22:27 -------- d-------- C:\Program Files\Nvu
2006-10-14 22:50 -------- d-------- C:\Program Files\Microsoft XNA
2006-10-14 21:48 -------- d-------- C:\Program Files\Microsoft Visual Studio 8
2006-10-14 21:47 -------- d-------- C:\Program Files\Common Files\Designer
2006-10-13 20:46 -------- d-------- C:\Program Files\QuickTime
2006-10-13 12:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 12:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 12:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 10:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-12 13:41 -------- d-------- C:\Documents and Settings\Andy Booth\Application Data\Sun
2006-10-09 17:11 -------- d-------- C:\Documents and Settings\Andy Booth\Application Data\vlc
2006-10-05 21:37 0 -rahs---- C:\MSDOS.SYS
2006-10-05 21:37 0 -rahs---- C:\IO.SYS
2006-10-05 21:37 0 --a------ C:\CONFIG.SYS
2006-10-05 21:37 0 --a------ C:\AUTOEXEC.BAT
2006-10-05 14:27 62 --ahs---- C:\Documents and Settings\Andy Booth\Application Data\desktop.ini
2006-09-13 05:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ftutil2"="rundll32.exe ftutil2.dll,SetWriteCacheMode"
"P17Helper"="Rundll32 P17.dll,P17Helper"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"Windows Media Connect 2"="\"C:\\Program Files\\Windows Media Connect 2\\WMCCFG.exe\" /StartQuiet"
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\\Program Files\\Google\\Gmail Notifier\\gnotify.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"EasyPHP"="\"C:\\Program Files\\EasyPHP1-7\\easyphp.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,66,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061207-132318-541
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvnaz.dll,startup
backup-20061207-132318-616
O2 - BHO: (no name) - {676786DA-9B5E-628D-56C4-02082FC40F91} - C:\WINDOWS\system32\tjmjwpm.dll
backup-20061207-132318-296
O4 - HKLM\..\Run: [pzokkrm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\pzokkrm.dll,chfnfdb
backup-20061207-132318-811
O2 - BHO: (no name) - {4189FE61-B1A7-CAD6-0AB4-00B30028D2B8} - C:\WINDOWS\system32\jodhurb.dll
backup-20061207-132318-947
O2 - BHO: (no name) - {41C4B12A-933B-47E5-8D82-BFAF58CB93ED} - C:\WINDOWS\system32\mljjj.dll (file missing)
backup-20061207-132318-846
O2 - BHO: (no name) - {32988300-5A7B-1A62-93BD-09EF707022AA} - C:\WINDOWS\system32\lsgpjuk.dll
backup-20061207-132318-544
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\dnoaosqv.dll (file missing)
backup-20061207-132318-699
O2 - BHO: (no name) - {0DAF56EA-8E47-47E6-8977-090F8042B347} - C:\WINDOWS\system32\ssttr.dll (file missing)
backup-20061207-132318-919
R3 - Default URLSearchHook is missing
Completion time: 06-12-07 21:30:21.62
C:\ComboFix.txt ... 06-12-07 21:30

Thanks
 
Hi again, it is looking quite good now :)

Please run Killbox.

Select "Delete on Reboot".
Select "All Files".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\tuvsssp.dll
C:\WINDOWS\system32\aslpslqm.exe
C:\WINDOWS\system32\drvdit.dll
C:\WINDOWS\system32\ljjkhef.dll
Click to expand...
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Then if the computer is running fine:

You don't seem to a firewall running, you must install one firewall.
NOTE: If you're using Windows XP firewall, I recommend that you install a better firewall. Windows firewall doesn't really provide enough protection.
Disable Windows firewall after installing a new firewall.

These are good (free) firewalls:
Now you can clean AVG's Quarantine:
  • Open AVG Anti-Spyware
  • Click Infections
  • Click Quarantine tab
  • Click Select all
  • Click Remove finally
  • Close the program
You can remove the tools we used.
You can remove the following backup folders:
C:\!Killbox
C:\Qoobox
C:\VundoFix Backups

Then you should update your Java to the latest version (5.0 update 10)
  • [*]Start
    [*]Control Panel
    [*]Add/Remove Programs
  • Delete the old Java, J2SE Runtime Environment 5.0 Update 9
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 10.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement."
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Install it
Now you can make your hidden files hidden again.
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Check "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
  • Clear your system restore
    This will clear the system restore folders from possible malware that was left behind during the cleaning process.
  • Use ATF Cleaner
    Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
  • Use Ad-Aware
    Download and install Ad-Aware. Update it and scan your computer regularly with it.
  • Use AVG Anti-Spyware
    Update it and scan your computer regularly with it.
  • Use Spybot S&D
    Download and install Spybot S&D. Update it and scan your computer regularly with it.
  • Install SpywareBlaster
    SpywareBlaster will prevent spyware from being installed.
  • Install MVPS Hosts file
    This prevents your computer from connecting to harmful sites.
  • Use Firefox browser
    Firefox is faster, safer and better browser than Internet Explorer.
  • Keep your systen up-to-date
    Visit Windows Update regularly.
  • Keep your antivirus and firewall up-to-date
    Scan your computer regularly with your antivirus.
  • Read this article by TonyKlein
    So how did I get infected in the first place?
  • Stand Up and Be Counted !
    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Stay clean and be safe ;)
 
Many thanks for all the help...

Just one question about the firewall though...do I really need one when im behind a router? I always thought the router did it for me....

Again, thanks alot, saved me alot of time and effort :cool:
 
Hi and you're welcome :)

Your router migh include a firewall. Those router firewalls doen't have inbound protection. That means that you can't manage which programs are connecting to the internet from your computer.

I use a router which has a firewall built in. I still use a software firewall too.
I would recommend that you install a software firewall but it is your choice.
 
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb:
 
You must log in or register to reply here.
Back
Top