Smitfraud-C., Virtumonde, and Toolbar888

backusbrown

I can't get rid of stupid Smitfraud-C. and VirtuMonde and they keep reinstalling other things. I've hit install on deldomain.inf and that seemed to help, but the problem is still there. Also, for some reason, I can get Windows updates. Any help would be appreciated. Thanks in advance.

Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:44:45 AM, on 2/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\scrovfpo.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Administrator.ANDREA\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\twelnvlb.dll",setvm
O4 - HKLM\..\RunServices: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O20 - AppInit_DLLs: sysiusrc.dll hhsedpvo.dll
O21 - SSODL: bpDcBWwbj - {4067F07B-EACD-5AD1-A036-3AE669C9FB0F} - C:\WINDOWS\System32\tzo.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
 
Hi backusbrown

Rename HijackThis.exe to HJT.exe and post a fresh HijackThis log, please :)
 
Sorry, couldn't get online on that computer. I'll do this when I go home and post the log tonight or in the morning. Thanks for your help.
 
new hjt log

I renamed HijackThis to HJT.exe and ran it again. Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 7:58:13 PM, on 2/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator.ANDREA\Desktop\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\pavmfakp.dll
O2 - BHO: (no name) - {7836DF51-7C0A-4DEE-9B5B-A87FD1CBE8DC} - C:\WINDOWS\Registration\smvcxep.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E8DEC8EA-8D80-4ec6-AF6B-190A765F1D2F} - C:\WINDOWS\System32\oppnm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O20 - AppInit_DLLs: sysiusrc.dll hhsedpvo.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: oppnm - C:\WINDOWS\SYSTEM32\oppnm.dll
O20 - Winlogon Notify: scrovfpo - C:\WINDOWS\System32\scrovfpo.dll
O20 - Winlogon Notify: smvcxep - C:\WINDOWS\Registration\smvcxep.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
O21 - SSODL: bpDcBWwbj - {4067F07B-EACD-5AD1-A036-3AE669C9FB0F} - C:\WINDOWS\System32\tzo.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
 
Thanks!

Thanks, Shaba. Did it fix everything?


VundoFix V6.3.6

Checking Java version...

Java version is 1.5.0.3

Scan started at 9:36:26 PM 2/11/2007

Listing files found while scanning....

C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\WINDOWS\Registration\pexcvms.bak1
C:\WINDOWS\Registration\pexcvms.bak2
C:\WINDOWS\Registration\pexcvms.ini
C:\WINDOWS\Registration\pexcvms.ini2
C:\WINDOWS\Registration\pexcvms.tmp
C:\WINDOWS\Registration\smvcxep.dll
C:\WINDOWS\SYSTEM32\bjieyumn.exe
C:\WINDOWS\SYSTEM32\blvnlewt.ini
C:\WINDOWS\SYSTEM32\budkfmmh.exe
C:\WINDOWS\SYSTEM32\csomucoi.dll
C:\WINDOWS\System32\Drivers\DP.sys
C:\WINDOWS\SYSTEM32\dwtcoyyw.dll
C:\WINDOWS\SYSTEM32\fccbc.dll
C:\WINDOWS\SYSTEM32\fegdsauj.ini
C:\WINDOWS\SYSTEM32\hqudettv.dll
C:\WINDOWS\SYSTEM32\iocumosc.ini
C:\WINDOWS\SYSTEM32\jbjaveon.exe
C:\WINDOWS\SYSTEM32\juasdgef.dll
C:\WINDOWS\SYSTEM32\kxlkkwqw.exe
C:\WINDOWS\SYSTEM32\lpxrmimo.ini
C:\WINDOWS\SYSTEM32\nfitrqgh.dll
C:\WINDOWS\SYSTEM32\omimrxpl.dll
C:\WINDOWS\SYSTEM32\oppnm.dll
C:\WINDOWS\SYSTEM32\ordmqagy.ini
C:\WINDOWS\SYSTEM32\ousbegtv.dll
C:\WINDOWS\System32\pavmfakp.dll
C:\WINDOWS\SYSTEM32\pooreafn.dll
C:\WINDOWS\SYSTEM32\rhscpvcs.exe
C:\WINDOWS\SYSTEM32\rjjjawpw.ini
C:\WINDOWS\SYSTEM32\tdotdbhx.exe
C:\WINDOWS\SYSTEM32\tfhlrvfs.exe
C:\WINDOWS\SYSTEM32\tsqnfuaw.dll
C:\WINDOWS\SYSTEM32\tttumvoy.dll
C:\WINDOWS\SYSTEM32\twelnvlb.dll
C:\WINDOWS\SYSTEM32\vtgebsuo.ini
C:\WINDOWS\SYSTEM32\vtteduqh.ini
C:\WINDOWS\SYSTEM32\waufnqst.ini
C:\WINDOWS\SYSTEM32\wpwajjjr.dll
C:\WINDOWS\SYSTEM32\wyyoctwd.ini
C:\WINDOWS\SYSTEM32\xhbouhpp.dll
C:\WINDOWS\SYSTEM32\ygaqmdro.dll
C:\WINDOWS\SYSTEM32\yovmuttt.ini

Beginning removal...

Attempting to delete C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\Program Files\VSAdd-in\VSAdd-in.dll Has been deleted!

Attempting to delete C:\WINDOWS\Registration\pexcvms.bak1
C:\WINDOWS\Registration\pexcvms.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\Registration\pexcvms.bak2
C:\WINDOWS\Registration\pexcvms.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\Registration\pexcvms.ini
C:\WINDOWS\Registration\pexcvms.ini Has been deleted!

Attempting to delete C:\WINDOWS\Registration\pexcvms.ini2
C:\WINDOWS\Registration\pexcvms.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\Registration\pexcvms.tmp
C:\WINDOWS\Registration\pexcvms.tmp Has been deleted!

Attempting to delete C:\WINDOWS\Registration\smvcxep.dll
C:\WINDOWS\Registration\smvcxep.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\bjieyumn.exe
C:\WINDOWS\SYSTEM32\bjieyumn.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\blvnlewt.ini
C:\WINDOWS\SYSTEM32\blvnlewt.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\budkfmmh.exe
C:\WINDOWS\SYSTEM32\budkfmmh.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\csomucoi.dll
C:\WINDOWS\SYSTEM32\csomucoi.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\Drivers\DP.sys
C:\WINDOWS\System32\Drivers\DP.sys Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\dwtcoyyw.dll
C:\WINDOWS\SYSTEM32\dwtcoyyw.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fccbc.dll
C:\WINDOWS\SYSTEM32\fccbc.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fegdsauj.ini
C:\WINDOWS\SYSTEM32\fegdsauj.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\hqudettv.dll
C:\WINDOWS\SYSTEM32\hqudettv.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\iocumosc.ini
C:\WINDOWS\SYSTEM32\iocumosc.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\jbjaveon.exe
C:\WINDOWS\SYSTEM32\jbjaveon.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\juasdgef.dll
C:\WINDOWS\SYSTEM32\juasdgef.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\kxlkkwqw.exe
C:\WINDOWS\SYSTEM32\kxlkkwqw.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\lpxrmimo.ini
C:\WINDOWS\SYSTEM32\lpxrmimo.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\nfitrqgh.dll
C:\WINDOWS\SYSTEM32\nfitrqgh.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\omimrxpl.dll
C:\WINDOWS\SYSTEM32\omimrxpl.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\oppnm.dll
C:\WINDOWS\SYSTEM32\oppnm.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ordmqagy.ini
C:\WINDOWS\SYSTEM32\ordmqagy.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ousbegtv.dll
C:\WINDOWS\SYSTEM32\ousbegtv.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\pavmfakp.dll
C:\WINDOWS\System32\pavmfakp.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\pooreafn.dll
C:\WINDOWS\SYSTEM32\pooreafn.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\rhscpvcs.exe
C:\WINDOWS\SYSTEM32\rhscpvcs.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\rjjjawpw.ini
C:\WINDOWS\SYSTEM32\rjjjawpw.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\tdotdbhx.exe
C:\WINDOWS\SYSTEM32\tdotdbhx.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\tfhlrvfs.exe
C:\WINDOWS\SYSTEM32\tfhlrvfs.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\tsqnfuaw.dll
C:\WINDOWS\SYSTEM32\tsqnfuaw.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\tttumvoy.dll
C:\WINDOWS\SYSTEM32\tttumvoy.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\twelnvlb.dll
C:\WINDOWS\SYSTEM32\twelnvlb.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\vtgebsuo.ini
C:\WINDOWS\SYSTEM32\vtgebsuo.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\vtteduqh.ini
C:\WINDOWS\SYSTEM32\vtteduqh.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\waufnqst.ini
C:\WINDOWS\SYSTEM32\waufnqst.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\wpwajjjr.dll
C:\WINDOWS\SYSTEM32\wpwajjjr.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\wyyoctwd.ini
C:\WINDOWS\SYSTEM32\wyyoctwd.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\xhbouhpp.dll
C:\WINDOWS\SYSTEM32\xhbouhpp.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ygaqmdro.dll
C:\WINDOWS\SYSTEM32\ygaqmdro.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\yovmuttt.ini
C:\WINDOWS\SYSTEM32\yovmuttt.ini Has been deleted!

Performing Repairs to the registry.
Done!
 
and here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:56:56 PM, on 2/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\System32\scrovfpo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator.ANDREA\Desktop\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4BE7C357-6B3C-4013-B604-5FB56B43552D} - C:\WINDOWS\Registration\smvcxep.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\pavmfakp.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E8DEC8EA-8D80-4ec6-AF6B-190A765F1D2F} - C:\WINDOWS\System32\oppnm.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O20 - AppInit_DLLs: sysiusrc.dll hhsedpvo.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: scrovfpo - C:\WINDOWS\System32\scrovfpo.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
O21 - SSODL: bpDcBWwbj - {4067F07B-EACD-5AD1-A036-3AE669C9FB0F} - C:\WINDOWS\System32\tzo.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
 
Hi

Not yet, you have some infections left and some of them aren't nice at all.

At this stage you'll need to install an antivirus and a firewall in order to prevent further infection:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software is a program that detects, cleans, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading the infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer's memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm
2) Agnitum
3) Sunbelt/Kerio
4) Comodo

If you are using the built-in Windows XP firewall, it is not recommended, as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at a time.

After those steps, please send a fresh HijackThis log :)
 
I installed the suggested programs and my computer is running with even more difficulty than before. I hope we're nearing the end of the tunnel. Here's the new HJT log.

When antivir asks me what to do with specific files, should I "Delete" them, quarantine them, ignore, or what?

Logfile of HijackThis v1.99.1
Scan saved at 11:45:09 PM, on 2/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Documents and Settings\Administrator.ANDREA\Desktop\hjt.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\System32\scrovfpo.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4BE7C357-6B3C-4013-B604-5FB56B43552D} - C:\WINDOWS\Registration\smvcxep.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\pavmfakp.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E8DEC8EA-8D80-4ec6-AF6B-190A765F1D2F} - C:\WINDOWS\System32\oppnm.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O20 - AppInit_DLLs: sysiusrc.dll hhsedpvo.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: scrovfpo - C:\WINDOWS\System32\scrovfpo.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
O21 - SSODL: bpDcBWwbj - {4067F07B-EACD-5AD1-A036-3AE669C9FB0F} - C:\WINDOWS\System32\tzo.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
 
Hi

Quarantine is always the safest way. And I'm afraid the cleaning process actually starts now.

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left-hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.

Open HijackThis, click "Do a system scan only" and checkmark these:

O2 - BHO: (no name) - {4BE7C357-6B3C-4013-B604-5FB56B43552D} - C:\WINDOWS\Registration\smvcxep.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\pavmfakp.dll (file missing)
O2 - BHO: (no name) - {E8DEC8EA-8D80-4ec6-AF6B-190A765F1D2F} - C:\WINDOWS\System32\oppnm.dll (file missing)
O4 - HKLM\..\Run: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O4 - HKLM\..\RunServices: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O20 - AppInit_DLLs: sysiusrc.dll hhsedpvo.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: scrovfpo - C:\WINDOWS\System32\scrovfpo.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
O21 - SSODL: bpDcBWwbj - {4067F07B-EACD-5AD1-A036-3AE669C9FB0F} - C:\WINDOWS\System32\tzo.dll


Close all windows, including your browser, and press "Fix checked".

Please download the Killbox.
Unzip it to the desktop

Please run Killbox.

Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\artm_new.dll
C:\WINDOWS\System32\scrovfpo.dll
C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
C:\WINDOWS\System32\tzo.dll
C:\WINDOWS\System32\sysiusrc.dll
C:\WINDOWS\System32\hhsedpvo.dll


Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Send a fresh HijackThis log
 
I couldn't delete all of the things you suggested with HJT. Here's the new log. Thanks again for your help.

Logfile of HijackThis v1.99.1
Scan saved at 9:23:01 PM, on 2/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Administrator.ANDREA\Desktop\h.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\iPod\bin\iPodService.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\artm_new.dll (file missing)
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll (file missing)
O21 - SSODL: bpDcBWwbj - {4067F07B-EACD-5AD1-A036-3AE669C9FB0F} - C:\WINDOWS\System32\tzo.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
 
Hi

Open HijackThis, click "Do a system scan only" and checkmark these:

O4 - HKLM\..\Run: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O4 - HKLM\..\RunServices: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\artm_new.dll (file missing)
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll (file missing)
O21 - SSODL: bpDcBWwbj - {4067F07B-EACD-5AD1-A036-3AE669C9FB0F} - C:\WINDOWS\System32\tzo.dll


Close all windows including browser and press fix checked.

Reboot

Send a fresh HijackThis log
 
Wow, thanks, things seem to be running much more smoothly. Here's the new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 9:38:11 PM, on 2/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator.ANDREA\Desktop\h.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O21 - SSODL: bpDcBWwbj - {4067F07B-EACD-5AD1-A036-3AE669C9FB0F} - C:\WINDOWS\System32\tzo.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
 
Hi

Yes, but the next step is a rootkit scan because some files/entries won't go away.

Download F-Secure Blacklight and save it to your desktop -> https://europe.f-secure.com/blacklight/try.shtml

Double-click blbeta.exe, accept the agreement, click Scan, then click Next.

You'll see a list of what has been found. A log will appear on your desktop; it is named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename if something was found!

Post the contents of fsbl.xxxx.log here (xxxx = random numbers; the BlackLight log from your desktop).
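As an added example (not code from this thread, from HijackThis or from F-Secure), the Python script below does what the helper does by hand in the two replies above: it parses the O4, O20 and O21 lines of a HijackThis log, flags the entries a helper would checkmark, and compares the log posted before "Fix checked" with the one posted after to list the entries that came back, which is the observation that prompts the rootkit scan. The name heuristic (`SUSPICIOUS_NAME`), the known-good SSODL set and the `Entry` layout are this example's own assumptions; the sample log lines are copied from the two HijackThis logs in this thread.

```python
"""Triage HijackThis O4/O20/O21 lines and find entries that survived a fix."""
import ntpath
import re
from dataclasses import dataclass

# Every HJT line starts with its section code (R0, O4, O20, ...) and " - ".
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

# Heuristic (this example's own, not a HijackThis rule): dropper-generated
# names such as "ÿ_zskezavqdoc]hksw[rx50inkrwksz_" contain non-ASCII
# characters or stray brackets, in the Run value name or in the .exe name.
SUSPICIOUS_NAME = re.compile(r"[^\x20-\x7e]|[\[\]]")

# ShellServiceObjectDelayLoad DLLs that ship with Windows XP, as listed in
# the StartupList output in this thread; anything else loaded there is odd.
KNOWN_SSODL = {"shell32.dll", "webcheck.dll", "stobject.dll"}


@dataclass(frozen=True)
class Entry:
    code: str      # HJT section, e.g. "O4"
    loc: str       # autostart location, e.g. "HKLM\..\RunServices"
    name: str      # entry name exactly as HJT prints it
    path: str      # file (plus any arguments) the entry loads
    missing: bool  # HJT appended "(file missing)"


def parse_line(line):
    """Return an Entry for an O4/O20/O21 line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m["code"], m["body"]
    missing = body.endswith("(file missing)")
    if missing:
        body = body[: -len("(file missing)")].rstrip()
    if code == "O4":
        # "HKLM\..\Run: [name] path"; the last "] " splits name from path,
        # so brackets inside the name itself do not confuse the parser.
        m = re.match(r"(?P<loc>.+?): \[(?P<name>.+)\] (?P<path>.+)$", body)
    elif code == "O20":
        m = re.match(r"(?P<loc>Winlogon Notify): (?P<name>\S+) - (?P<path>.+)$", body)
    elif code == "O21":
        m = re.match(r"(?P<loc>SSODL): (?P<name>\S+) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$", body)
    else:
        return None
    return Entry(code, m["loc"], m["name"], m["path"], missing) if m else None


def exe_name(path):
    """File name only: drop surrounding quotes, arguments and the directory."""
    exe = path.split('"')[1] if path.startswith('"') else path
    return ntpath.basename(exe).lower()


def reasons(entry):
    """Why a helper would checkmark this entry; an empty list means leave it."""
    why = []
    if entry.missing:
        why.append("file missing")
    if entry.code == "O4" and (SUSPICIOUS_NAME.search(entry.name)
                               or SUSPICIOUS_NAME.search(exe_name(entry.path))):
        why.append("garbled/random name")
    if entry.code == "O20" and "\\system32\\" not in entry.path.lower():
        why.append("Winlogon Notify DLL outside System32")
    if entry.code == "O21" and exe_name(entry.path) not in KNOWN_SSODL:
        why.append("unknown ShellServiceObjectDelayLoad DLL")
    return why


def triage(log_text):
    """Map every flagged Entry in an HJT log to its list of reasons."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        why = reasons(entry) if entry is not None else []
        if why:
            flagged[entry] = why
    return flagged


def survivors(before, after):
    """Flagged entries present in both scans: what "Fix checked" did not remove."""
    earlier = triage(before)
    return {e: why for e, why in triage(after).items() if e in earlier}


# Constructed sample input: the relevant lines from the two HJT logs in this
# thread, the first posted before "Fix checked" and the second after it.
BEFORE_FIX = r"""
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O4 - HKLM\..\RunServices: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\artm_new.dll (file missing)
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll (file missing)
O21 - SSODL: bpDcBWwbj - {4067F07B-EACD-5AD1-A036-3AE669C9FB0F} - C:\WINDOWS\System32\tzo.dll
"""
AFTER_FIX = r"""
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O4 - HKLM\..\RunServices: [ÿ_zskezavqdoc]hksw[rx50inkrwksz_] c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
O21 - SSODL: bpDcBWwbj - {4067F07B-EACD-5AD1-A036-3AE669C9FB0F} - C:\WINDOWS\System32\tzo.dll
"""

if __name__ == "__main__":
    # Entries that came back after the fix: the helper's cue to look for a rootkit.
    for entry, why in survivors(BEFORE_FIX, AFTER_FIX).items():
        print(f"{entry.code} {entry.loc} [{entry.name}] -> {entry.path}: {', '.join(why)}")
```

Running it prints the two O4 entries and the O21 SSODL entry from the second log. The two O20 Winlogon Notify entries are flagged in the first log only, which matches the thread: HijackThis removed those registry values (their DLLs were already missing), while the Run/RunServices values and the tzo.dll shell object are back after the fix and reboot, so something still on the machine is re-creating them and a plain registry cleanup is not enough.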
 
02/17/07 17:01:08 [Info]: BlackLight Engine 1.0.55 initialized
02/17/07 17:01:08 [Info]: OS: 5.1 build 2600 (Service Pack 1)
02/17/07 17:01:09 [Note]: 7019 4
02/17/07 17:01:09 [Note]: 7005 0
02/17/07 17:01:27 [Note]: 7006 0
02/17/07 17:01:28 [Note]: 7011 1008
02/17/07 17:01:28 [Note]: 7026 0
02/17/07 17:01:28 [Note]: 7026 0
02/17/07 17:01:40 [Note]: FSRAW library version 1.7.1021
02/17/07 17:13:25 [Note]: 2000 1012
02/17/07 17:16:06 [Note]: 7007 0
 
Hi

Next, a startup list:

Create a Startup List
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the box that says "Generate StartupList log"
  • Copy and paste the StartupList from Notepad into your next post
 
Sorry that took so long. I appreciate the help. Here's the startup log.


StartupList report, 2/18/2007, 3:02:27 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Administrator.ANDREA\Desktop\h.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Documents and Settings\Administrator.ANDREA\Desktop\h.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Adobe Photo Downloader = "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
ÿ_zskezavqdoc]hksw[rx50inkrwksz_ = c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
ZoneAlarm Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
avgnt = "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

ÿ_zskezavqdoc]hksw[rx50inkrwksz_ = c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

swg = C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job

--------------------------------------------------

Enumerating Download Program Files:

[{00000162-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/0/B/B/0BB06A5C-8611-4840-86B3-54DDDD0344B9/wma9dmo.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\FLASH.OCX
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
bpDcBWwbj: C:\WINDOWS\System32\tzo.dll

--------------------------------------------------
End of report, 5,542 bytes
Report generated in 0.260 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Hi

Please also do this:

"Check off the 2 boxes next to the Box that says "Generate StartupList log""

Send a fresh startuplist :)
 
Sorry, here's the new startup list:

StartupList report, 2/18/2007, 3:02:27 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Administrator.ANDREA\Desktop\h.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Documents and Settings\Administrator.ANDREA\Desktop\h.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Adobe Photo Downloader = "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
ÿ_zskezavqdoc]hksw[rx50inkrwksz_ = c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
ZoneAlarm Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
avgnt = "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

ÿ_zskezavqdoc]hksw[rx50inkrwksz_ = c:\windows\system32\_zskwrkni05xr[wskh]codqvaze.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

swg = C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job

--------------------------------------------------

Enumerating Download Program Files:

[{00000162-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/0/B/B/0BB06A5C-8611-4840-86B3-54DDDD0344B9/wma9dmo.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\FLASH.OCX
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
bpDcBWwbj: C:\WINDOWS\System32\tzo.dll

--------------------------------------------------
End of report, 5,542 bytes
Report generated in 0.260 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Hi

I mean, check these two boxes:

List also minor sections (full)
List empty sections (complete)

And after that click Generate startuplist log :)
 