Stuck at SpyBot, Spyware Blaster

A

Aspirex

New member
I downloaded SpyBot and ran it. It showed up various threats incl virtumonde, smitfraud, etc. Before I could do the repairs, I lost the SpyBot window.

So I re-opened it to re-run the scan. But this time, even before it reached 10% scan, it said "aborted by user" and stopped running. (even though I didn't touch anything). This happened twice. Now when I try to run SB, it doesn't open at all. I couldn't even uninstall or re-install it. Nothing happens when I double-click the icons.:lip:

I also downloaded Spyware Blaster. When I try to run setup , nothing happens.

Any help appreciated.
 
Hi Aspirex

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
 
Shaba, thanks for your kind help...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:03 PM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\j2 Messenger 4.2\J2GTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: DVwiz eToolbar - {B1CA4046-840C-481B-8E62-598D490D4617} - C:\PROGRA~1\DVwiz\DVWIZE~1\eToolbar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\fidhndky.dll
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [j2 4.2] "C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\jnvtxfsm.dll",sitypnow
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: j2 4.2.lnk = C:\Program Files\j2 Messenger 4.2\J2GTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - WWW Prefix:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

--
End of file - 4869 bytes
 
Hi

Rename HijackThis.exe to Aspirex.exe and post back a fresh HijackThis log, please :)
 
Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:36 PM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\j2 Messenger 4.2\J2GTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Aspirex.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\imapi.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

--
End of file - 2075 bytes
 
I don't know if I have screwed things up. :sad:

I tried to run Aspirex.exe but it said "HijackThis is already running" so I tried to re-install:oops:

Anyway I renamed the exe file now as Aspirex1.exe and here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:54 PM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\j2 Messenger 4.2\J2GTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\HijackThis\Aspirex.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Aspirex1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6E333001-C05F-408C-9AB3-BC7A855AF8FC} - (no file)
O2 - BHO: (no name) - {6FA33910-E255-4B31-9BD1-EC0FEC495661} - C:\WINDOWS\system32\jkhff.dll
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - C:\WINDOWS\system32\qommmkk.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\igddyomm.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ieoxvmjl.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: DVwiz eToolbar - {B1CA4046-840C-481B-8E62-598D490D4617} - C:\PROGRA~1\DVwiz\DVWIZE~1\eToolbar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ieoxvmjl.dll
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [j2 4.2] "C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\jnvtxfsm.dll",sitypnow
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: j2 4.2.lnk = C:\Program Files\j2 Messenger 4.2\J2GTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - WWW Prefix:
O20 - Winlogon Notify: ieoxvmjl - C:\WINDOWS\SYSTEM32\ieoxvmjl.dll
O20 - Winlogon Notify: qommmkk - C:\WINDOWS\SYSTEM32\qommmkk.dll
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

--
End of file - 6107 bytes
 
Hi

You have now 3 HijackThis programs running:

C:\Program Files\Trend Micro\HijackThis\Aspirex.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\Aspirex1.exe

Use that one renamed to Aspirex1 in the future, please.

You can kill Aspirex.exe and HijackThis.exe via Task manager (ctrl + alt + del -> end process)

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post:

- a fresh HijackThis log
- combofix report
- vundofix report
 
Shaba, here is fresh HijackThis & Vundo report.
I ran Combo fix and I think it went up to "completed stage 1" then the pc rebooted. It didn't produce a log file. Shall I run Combofix again?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:33, on 2007-10-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\systs.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\j2 Messenger 4.2\J2GTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Aspirex1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6E333001-C05F-408C-9AB3-BC7A855AF8FC} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: (no name) - {CCD861F0-D014-4463-930C-D2C20FEE7B80} - (no file)
O2 - BHO: (no name) - {CFAD26AD-456E-4D65-9382-385225E7EE24} - C:\WINDOWS\system32\jkhff.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: DVwiz eToolbar - {B1CA4046-840C-481B-8E62-598D490D4617} - C:\PROGRA~1\DVwiz\DVWIZE~1\eToolbar.dll
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [j2 4.2] "C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: j2 4.2.lnk = C:\Program Files\j2 Messenger 4.2\J2GTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - WWW Prefix:
O20 - Winlogon Notify: fidhndky - C:\WINDOWS\
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: tjk8rla0zxexp - Unknown owner - C:\WINDOWS\system32\systs.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

--
End of file - 5331 bytes




VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 11:42:11 AM 10/19/2007

Listing files found while scanning....

C:\WINDOWS\system32\akdkgpzx.dll
C:\WINDOWS\system32\igddyomm.dll
C:\WINDOWS\system32\jnvtxfsm.dll
C:\WINDOWS\system32\msfxtvnj.ini
C:\windows\system32\pmnomnm.dll
C:\WINDOWS\system32\qommmkk.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\akdkgpzx.dll
C:\WINDOWS\system32\akdkgpzx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\igddyomm.dll
C:\WINDOWS\system32\igddyomm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jnvtxfsm.dll
C:\WINDOWS\system32\jnvtxfsm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\msfxtvnj.ini
C:\WINDOWS\system32\msfxtvnj.ini Has been deleted!

Attempting to delete C:\windows\system32\pmnomnm.dll
C:\windows\system32\pmnomnm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qommmkk.dll
C:\WINDOWS\system32\qommmkk.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\akdkgpzx.dll
C:\WINDOWS\system32\akdkgpzx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\qommmkk.dll
C:\WINDOWS\system32\qommmkk.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 2:24:01 PM 10/19/2007

Listing files found while scanning....
 
OK. I ran combofix. I think it went to stage 30. It didn't show up any logfiles but I found this text file in the combofix folder.

=================================
ComboFix 07-10-17.8@ - XP 2007-10-19 15:56:17.2 - NTFSx86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\XP\Desktop\ComboFix.exe
===============================

Also when I run combofix, my pc-cillin prompts that it has detected spyware "Freeloader_Smitfraud" in this file: dumphive.cfexe (which I noticed is a file in the combofix dir)
I was not sure whether to remove or ignore.

.
 
Hi

"
Also when I run combofix, my pc-cillin prompts that it has detected spyware "Freeloader_Smitfraud" in this file: dumphive.cfexe (which I noticed is a file in the combofix dir)
I was not sure whether to remove or ignore."

That is false positive.

You should ignore it.

Try to run combofix in safe mode.
 
Here is combofix log:

ComboFix 07-10-17.8@ - XP 2007-10-20 17:39:22.3 - NTFSx86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\XP\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Hammer.dll
C:\WINDOWS\bck1.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ffhkj.bak1
C:\WINDOWS\system32\ffhkj.bak1
C:\WINDOWS\system32\ffhkj.bak1
C:\WINDOWS\system32\ffhkj.bak2
C:\WINDOWS\system32\ffhkj.bak2
C:\WINDOWS\system32\ffhkj.bak2
C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\ffhkj.ini2
C:\WINDOWS\system32\ffhkj.ini2
C:\WINDOWS\system32\ffhkj.ini2
C:\WINDOWS\system32\ffhkj.tmp
C:\WINDOWS\system32\ffhkj.tmp
C:\WINDOWS\system32\ffhkj.tmp
C:\WINDOWS\system32\FTPx.dll
C:\WINDOWS\system32\icsyvbqw.ini
C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\ofdnlmhv.dll
C:\WINDOWS\system32\wqbvysci.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_RUNTIME


((((((((((((((((((((((((( Files Created from 2007-09-20 to 2007-10-20 )))))))))))))))))))))))))))))))
.

2007-10-19 11:42 <DIR> d-------- C:\VundoFix Backups
2007-10-18 15:12 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-18 15:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-10-18 15:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-17 20:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-10-16 10:11 <DIR> d-------- C:\Program Files\Free Download Manager
2007-10-16 10:11 <DIR> d-------- C:\Documents and Settings\XP\Application Data\Free Download Manager
2007-10-16 10:11 <DIR> d-------- C:\DOCUME~1\XP\APPLIC~1\Free Download Manager
2007-10-13 23:21 27,648 --------- C:\sugpw.exe
2007-10-13 17:39 <DIR> d-------- C:\Program Files\QuickTime
2007-10-13 17:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-20 09:25 340,032 ----a-w C:\WINDOWS\system32\unykyzmh.dll
2007-10-20 09:25 340,032 ----a-w C:\WINDOWS\system32\aunkbtwd.dll
2007-10-19 06:37 103,936 --sha-r C:\WINDOWS\system32\systs.exe
2007-10-19 03:59 32,768 ----a-w C:\WINDOWS\system32\VundoFixSVC.exe
2007-10-19 03:27 397,376 ----a-w C:\WINDOWS\system32\skvpsmwh.exe
2007-10-19 03:27 339,968 ----a-w C:\WINDOWS\system32\akdkgpzx.dll
2007-10-18 15:54 397,376 ----a-w C:\WINDOWS\system32\kusqvfjb.exe
2007-10-18 15:54 339,968 ----a-w C:\WINDOWS\system32\iwiziijd.dll
2007-10-18 14:52 339,968 ----a-w C:\WINDOWS\system32\ieoxvmjl.dll
2007-10-18 14:51 397,376 ----a-w C:\WINDOWS\system32\isueenpp.exe
2007-10-18 14:35 339,968 ----a-w C:\WINDOWS\system32\ifspxgie.dll
2007-10-18 14:34 397,376 ----a-w C:\WINDOWS\system32\ftedgtmg.exe
2007-10-18 10:34 --------- d-----w C:\Program Files\Trend Micro
2007-10-18 09:51 397,376 ----a-w C:\WINDOWS\system32\ddfrxwkb.exe
2007-10-18 09:51 339,968 ----a-w C:\WINDOWS\system32\fidhndky.dll
2007-10-18 09:04 397,376 ----a-w C:\WINDOWS\system32\bjkawuma.exe
2007-10-18 09:04 339,968 ----a-w C:\WINDOWS\system32\orkcvhrr.dll
2007-10-18 03:33 397,376 ----a-w C:\WINDOWS\system32\bmtefpbf.exe
2007-10-18 03:02 397,376 ----a-w C:\WINDOWS\system32\lqxpjdxs.exe
2007-10-17 14:05 397,376 ----a-w C:\WINDOWS\system32\lefvthis.exe
2007-10-17 13:46 397,376 ----a-w C:\WINDOWS\system32\ylevlayd.exe
2007-10-16 13:48 397,376 ----a-w C:\WINDOWS\system32\byhvqkgr.exe
2007-10-16 09:04 --------- d-----w C:\Program Files\Infogrames Interactive
2007-10-16 09:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-14 15:10 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-05-14 14:26 1,622 ----a-w C:\Program Files\INSTALL.LOG
2001-09-28 09:00 171,520 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E333001-C05F-408C-9AB3-BC7A855AF8FC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-20 17:25 340032 --a------ C:\WINDOWS\system32\unykyzmh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CCD861F0-D014-4463-930C-D2C20FEE7B80}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B1CA4046-840C-481B-8E62-598D490D4617}"= C:\PROGRA~1\DVwiz\DVWIZE~1\eToolbar.dll [2004-01-16 00:45 944640]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\unykyzmh.dll [2007-10-20 17:25 340032]

[HKEY_CLASSES_ROOT\CLSID\{B1CA4046-840C-481B-8E62-598D490D4617}]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe" [2006-08-25 11:25]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-13 17:40]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"j2 4.2"="C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe" [2006-07-15 04:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-08-18 13:06]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2005-01-07 08:00]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
j2 4.2.lnk - C:\Program Files\j2 Messenger 4.2\J2GTray.exe [2006-09-27 13:52:37]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-09-14 00:25:15]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fidhndky]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\unykyzmh]
unykyzmh.dll 2007-10-20 17:25 340032 C:\WINDOWS\system32\unykyzmh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkp32]
winrkp32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhff.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1783a936-47e0-11db-b4cb-806d6172696f}]
AutoRun\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68162f83-4341-11db-8f27-806d6172696f}]
AutoRun\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b0aef79-49f6-11db-b4d6-98d035f3ea85}]
AutoRun\command - F:\autorun.exe

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-20 18:20:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-20 18:27:12 - machine was rebooted
.
--- E O F ---
 
Hi

Thanks for info :)

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
C:\WINDOWS\system32\unykyzmh.dll
C:\WINDOWS\system32\aunkbtwd.dll
C:\WINDOWS\system32\systs.exe
C:\WINDOWS\system32\skvpsmwh.exe
C:\WINDOWS\system32\akdkgpzx.dll
C:\WINDOWS\system32\kusqvfjb.exe
C:\WINDOWS\system32\iwiziijd.dll
C:\WINDOWS\system32\ieoxvmjl.dll
C:\WINDOWS\system32\isueenpp.exe
C:\WINDOWS\system32\ifspxgie.dll
C:\WINDOWS\system32\ftedgtmg.exe
C:\WINDOWS\system32\ddfrxwkb.exe
C:\WINDOWS\system32\fidhndky.dll
C:\WINDOWS\system32\bjkawuma.exe
C:\WINDOWS\system32\orkcvhrr.dll
C:\WINDOWS\system32\bmtefpbf.exe
C:\WINDOWS\system32\lqxpjdxs.exe
C:\WINDOWS\system32\lefvthis.exe
C:\WINDOWS\system32\ylevlayd.exe
C:\WINDOWS\system32\byhvqkgr.exe
C:\sugpw.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E333001-C05F-408C-9AB3-BC7A855AF8FC}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CCD861F0-D014-4463-930C-D2C20FEE7B80}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-

[-HKEY_CLASSES_ROOT\CLSID\{B1CA4046-840C-481B-8E62-598D490D4617}]

[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fidhndky]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\unykyzmh]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkp32]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
 
Shaba,
I tried dragging CFScript.txt on to the ComboFix but Combofix doesn't run when I do that. The 2 icons simply exchange places on my desktop.
I disabled auto-arrange and tried it again. This time the CFSript icon simply sits on top of the ComboFix icon.:sad:

This is probably something simple but I can't figure it out. :sad: Feel like a fool:red: Help?
 
Hi

Well then we use other ways:

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E333001-C05F-408C-9AB3-BC7A855AF8FC}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CCD861F0-D014-4463-930C-D2C20FEE7B80}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-

[-HKEY_CLASSES_ROOT\CLSID\{B1CA4046-840C-481B-8E62-598D490D4617}]

[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fidhndky]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\unykyzmh]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkp32]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

It should look like this ->
reg.gif


Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

Please download the Killbox.
Unzip it to the desktop

Please run Killbox.

Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\unykyzmh.dll
C:\WINDOWS\system32\aunkbtwd.dll
C:\WINDOWS\system32\systs.exe
C:\WINDOWS\system32\skvpsmwh.exe
C:\WINDOWS\system32\akdkgpzx.dll
C:\WINDOWS\system32\kusqvfjb.exe
C:\WINDOWS\system32\iwiziijd.dll
C:\WINDOWS\system32\ieoxvmjl.dll
C:\WINDOWS\system32\isueenpp.exe
C:\WINDOWS\system32\ifspxgie.dll
C:\WINDOWS\system32\ftedgtmg.exe
C:\WINDOWS\system32\ddfrxwkb.exe
C:\WINDOWS\system32\fidhndky.dll
C:\WINDOWS\system32\bjkawuma.exe
C:\WINDOWS\system32\orkcvhrr.dll
C:\WINDOWS\system32\bmtefpbf.exe
C:\WINDOWS\system32\lqxpjdxs.exe
C:\WINDOWS\system32\lefvthis.exe
C:\WINDOWS\system32\ylevlayd.exe
C:\WINDOWS\system32\byhvqkgr.exe
C:\sugpw.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Re-run combofix

Post:

- a fresh hijackthis log
- combofix report
 
==================================
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
===================================
Shaba, I followed this and clicked "Yes". (But there was no further prompt for Pending Operations. )
My PC rebooted and asked for password to login to my account. :sick: I have never used a password to my account!
I shutdown tried again and same thing. Finally I rebooted, went to F8 & selected "restore last known good configuration." Would I need to run Killbox again?

Anyway I ran Combofix & Hijackthis after that; here are the reports you asked for:

ComboFix

ComboFix 07-10-17.8@ - XP 2007-10-22 15:22:47.4 - NTFSx86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\XP\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-22 to 2007-10-22 )))))))))))))))))))))))))))))))
.

2007-10-20 17:25 340,032 --a------ C:\WINDOWS\system32\aunkbtwd.dll
2007-10-19 15:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-19 14:37 103,936 -rahs---- C:\WINDOWS\system32\systs.exe
2007-10-19 11:59 32,768 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-10-19 11:42 <DIR> d-------- C:\VundoFix Backups
2007-10-19 11:28 339,968 --a------ C:\WINDOWS\system32\akdkgpzx.dll
2007-10-19 11:27 397,376 --a------ C:\WINDOWS\system32\skvpsmwh.exe
2007-10-18 23:55 339,968 --a------ C:\WINDOWS\system32\iwiziijd.dll
2007-10-18 23:54 397,376 --a------ C:\WINDOWS\system32\kusqvfjb.exe
2007-10-18 22:52 339,968 --a------ C:\WINDOWS\system32\ieoxvmjl.dll
2007-10-18 22:51 397,376 --a------ C:\WINDOWS\system32\isueenpp.exe
2007-10-18 22:35 339,968 --a------ C:\WINDOWS\system32\ifspxgie.dll
2007-10-18 22:34 397,376 --a------ C:\WINDOWS\system32\ftedgtmg.exe
2007-10-18 17:52 339,968 --a------ C:\WINDOWS\system32\fidhndky.dll
2007-10-18 17:51 397,376 --a------ C:\WINDOWS\system32\ddfrxwkb.exe
2007-10-18 17:04 397,376 --a------ C:\WINDOWS\system32\bjkawuma.exe
2007-10-18 17:04 339,968 --a------ C:\WINDOWS\system32\orkcvhrr.dll
2007-10-18 15:12 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-18 15:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-18 15:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-18 11:32 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-18 11:32 397,376 --a------ C:\WINDOWS\system32\bmtefpbf.exe
2007-10-18 11:02 397,376 --a------ C:\WINDOWS\system32\lqxpjdxs.exe
2007-10-17 22:05 397,376 --a------ C:\WINDOWS\system32\lefvthis.exe
2007-10-17 21:46 397,376 --a------ C:\WINDOWS\system32\ylevlayd.exe
2007-10-17 20:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-17 17:38 <DIR> d-------- C:\WINDOWS\pss
2007-10-16 21:47 397,376 --a------ C:\WINDOWS\system32\byhvqkgr.exe
2007-10-16 10:11 <DIR> d-------- C:\Program Files\Free Download Manager
2007-10-16 10:11 <DIR> d-------- C:\Documents and Settings\XP\Application Data\Free Download Manager
2007-10-15 10:39 8,192 --a--c--- C:\WINDOWS\system32\dllcache\changer.sys
2007-10-15 10:39 106 --ahs---- C:\WINDOWS\system32\340418025.dat
2007-10-13 23:21 27,648 --------- C:\sugpw.exe
2007-10-13 17:40 94,208 --a------ C:\WINDOWS\unvise32qt.exe
2007-10-13 17:39 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-10-13 17:39 <DIR> d-------- C:\Program Files\QuickTime
2007-10-13 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-18 10:34 --------- d-----w C:\Program Files\Trend Micro
2007-10-16 09:04 --------- d-----w C:\Program Files\Infogrames Interactive
2007-10-16 09:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-14 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-05-14 14:26 1,622 ----a-w C:\Program Files\INSTALL.LOG
2001-09-28 09:00 171,520 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((( snapshot@2007-10-20_18.24.38.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-20 10:19:37 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-10-22 07:12:15 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-10-20 10:19:37 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-22 07:12:15 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-10-20 10:19:37 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-22 07:12:15 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E333001-C05F-408C-9AB3-BC7A855AF8FC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CCD861F0-D014-4463-930C-D2C20FEE7B80}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe" [2006-08-25 11:25]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-13 17:40]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"j2 4.2"="C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe" [2006-07-15 04:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-08-18 13:06]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2005-01-07 08:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
j2 4.2.lnk - C:\Program Files\j2 Messenger 4.2\J2GTray.exe [2006-09-27 13:52:37]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-09-14 00:25:15]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\unykyzmh]
unykyzmh.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1783a936-47e0-11db-b4cb-806d6172696f}]
AutoRun\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68162f83-4341-11db-8f27-806d6172696f}]
AutoRun\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b0aef79-49f6-11db-b4d6-98d035f3ea85}]
AutoRun\command - F:\autorun.exe

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-22 15:28:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-22 15:31:11
C:\ComboFix2.txt ... 2007-10-20 18:27
.
--- E O F ---

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:28 PM, on 10/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\j2 Messenger 4.2\J2GTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\systs.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Aspirex1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6E333001-C05F-408C-9AB3-BC7A855AF8FC} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: (no name) - {CCD861F0-D014-4463-930C-D2C20FEE7B80} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {B1CA4046-840C-481B-8E62-598D490D4617} - (no file)
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [j2 4.2] "C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: j2 4.2.lnk = C:\Program Files\j2 Messenger 4.2\J2GTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - WWW Prefix:
O20 - Winlogon Notify: unykyzmh - unykyzmh.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: tjk8rla0zxexp - Unknown owner - C:\WINDOWS\system32\systs.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

--
End of file - 5143 bytes
 
Hi

No success, we try then manual way:

Open HijackThis, click do a system scan only and checkmark these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <-- unless you have set it
O2 - BHO: (no name) - {CCD861F0-D014-4463-930C-D2C20FEE7B80} - (no file)
O3 - Toolbar: (no name) - {B1CA4046-840C-481B-8E62-598D490D4617} - (no file)
O20 - Winlogon Notify: unykyzmh - unykyzmh.dll (file missing)
O23 - Service: tjk8rla0zxexp - Unknown owner - C:\WINDOWS\system32\systs.exe

Close all windows including browser and press fix checked.

Reboot.

Make your hidden & system files visible -> http://www.xtra.co.nz/help/0,,4155-1916458,00.html

You can re-hide them again after you're clean

Delete these:

C:\WINDOWS\system32\unykyzmh.dll
C:\WINDOWS\system32\aunkbtwd.dll
C:\WINDOWS\system32\systs.exe
C:\WINDOWS\system32\skvpsmwh.exe
C:\WINDOWS\system32\akdkgpzx.dll
C:\WINDOWS\system32\kusqvfjb.exe
C:\WINDOWS\system32\iwiziijd.dll
C:\WINDOWS\system32\ieoxvmjl.dll
C:\WINDOWS\system32\isueenpp.exe
C:\WINDOWS\system32\ifspxgie.dll
C:\WINDOWS\system32\ftedgtmg.exe
C:\WINDOWS\system32\ddfrxwkb.exe
C:\WINDOWS\system32\fidhndky.dll
C:\WINDOWS\system32\bjkawuma.exe
C:\WINDOWS\system32\orkcvhrr.dll
C:\WINDOWS\system32\bmtefpbf.exe
C:\WINDOWS\system32\lqxpjdxs.exe
C:\WINDOWS\system32\lefvthis.exe
C:\WINDOWS\system32\ylevlayd.exe
C:\WINDOWS\system32\byhvqkgr.exe
C:\sugpw.exe

Empty Recycle Bin


Re-run combofix

Post:

- a fresh hijackthis log
- combofix report
 
You must log in or register to reply here.
Back
Top