Virtumonde, Microsoft.WindowsSecurityCenter.FirewallBypass, and Right Media Issues...

Thanks for returning the MBAM log; it did remove some junk, but you are still infected. I strongly suggest you stay offline when not working on these problems until we kill all of the junk.

It is likely you have a rootkit infection: http://en.wikipedia.org/wiki/Rootkit
which is blocking the tools we are trying to use. I would like to try to run Smitfraudfix again; make sure you delete any old copies and download it new from the instructions. There is no need to run the "Search" function; move to the instructions in my post #7 once you have it installed on the Desktop and follow those directions if you can, posting the C:\rapport.txt and a new HJT log.

I also sent you a private message and would like to be sure you saw it. You want to watch your junk mail during these sessions; the filters do not know Safer Networking email and may assume it is junk.

Thanks...Phil
 
Damn, family members went on the computer this morning; I hope this didn't screw up any progress we had so far.
 
Unless it's some kind of trick, I believe I deleted everything from Smitfraudfix and reinstalled it, but still nothing.
 
First instructions:
I suggest you keep this computer offline except when troubleshooting, the junk may download more.

I need you to read the directions carefully, when I request information, you need to provide it.
I am not yet sure what is going on with this computer, due mostly to the fact that you have been able to run only one tool so far, and the information I should have by now, I do not have. You must control the computer until we finish and there must be no routine use.

Let's see if we can use Spybot S&D to check that Hosts files, please do this:

Open Spybot S&D > click on Mode and make sure Advanced Mode is checked > Left column choose Tools > Look for Hosts file and click "Take a look at your hosts list". Near the top is a green cross with "Add Spybot-S&D hosts list". Click on that; it will take a few minutes to refresh the list and it will replace anything corrupted with a clean Hosts list.

Let's give combofix another try, refer back to my post #12.

Let me know how it goes, hopefully you will post a combofix report.

I am interested in the performance of the computer at this point also.

Thanks
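
The Spybot step above replaces the hosts file wholesale without showing what was in it. Malware of this family commonly edited the hosts file to block or redirect security-vendor and update sites, so it is worth reading the file first. The script below is an added example (not from this thread and not part of Spybot): it parses a hosts file in the Windows format, classifies each mapping as the default localhost entry, a block (loopback or 0.0.0.0), or a redirect to some other address, and reports redirects plus any blocks that hit a watch-list of domains you care about. The sample hosts content and the watch-list domains are constructed for the example.

```python
"""Read-only review of a Windows-style hosts file.

Added example for this thread; not the helper's, the user's, or Spybot's code.
"""
import ipaddress
from collections import Counter

# Constructed sample hosts file content (not taken from the user's machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed entries for the example:
127.0.0.1  ads.example.test tracker.example.test   # block-list style
0.0.0.0    banner.example.test
10.11.12.13  www.update-vendor.test                 # redirect
127.0.0.1  downloads.security-vendor.test
"""


def parse_hosts(text):
    """Return (lineno, ip, hostname, kind) tuples for every mapping in text.

    kind is 'default' for localhost on a loopback address, 'block' for any
    other name pointed at loopback or 0.0.0.0, 'redirect' for everything else,
    and 'malformed' when the address does not parse.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments, incl. trailing ones
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            entries.append((lineno, ip, " ".join(names), "malformed"))
            continue
        for name in names:  # one line may map several hostnames
            if name.lower() == "localhost" and addr.is_loopback:
                kind = "default"
            elif addr.is_loopback or addr.is_unspecified:
                kind = "block"
            else:
                kind = "redirect"
            entries.append((lineno, ip, name, kind))
    return entries


def _in_watchlist(name, watch_domains):
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in watch_domains)


def review(text, watch_domains):
    """Summarise a hosts file: redirects, blocked watch-list names, and counts."""
    entries = parse_hosts(text)
    return {
        "redirects": [e for e in entries if e[3] == "redirect"],
        "blocked_watch": [e for e in entries
                          if e[3] == "block" and _in_watchlist(e[2], watch_domains)],
        "counts": dict(Counter(e[3] for e in entries)),
    }


if __name__ == "__main__":
    # Watch-list domains are constructed placeholders; substitute the real
    # update and security-vendor domains relevant to the machine under review.
    result = review(SAMPLE_HOSTS, ["security-vendor.test", "update-vendor.test"])
    for key, value in result.items():
        print(key, value)
```

On the machine itself the file is C:\WINDOWS\system32\drivers\etc\hosts; copy it off and run the script on the copy. A redirect of a security or update site to a non-loopback address, or a block of one of your watch-list domains, is the kind of entry the Spybot refresh silently overwrites; having the list lets you record the indicator before it is gone.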
 
"I suggest you keep this computer offline except when troubleshooting, the junk may download more."

What do you mean by that? I have the computer in safe mode with networking JUST so I can view this forum and try to download the things you are requesting.
 
I also got your Private Message and I understand that you're only on here early in the morning to assist people.
 
No. I did what you wanted with Spybot Search and Destroy. That worked fine, besides it did not take a couple of minutes like you said, it only took a couple of seconds; part of the virus, I don't know. Then I tried ComboFix.exe and same result. It starts to scroll like it's about to open, then nothing, it goes right back to my main desktop screen.
 
It is not wise to be online with "safe mode in networking"; keep in mind that none of your security programs are running.

I asked this:
I am interested in the performance of the computer at this point also.
I am not sure how much I can do since you can not run any tools. I am beginning to believe you have a Windows problem other than malware, and you may want to consider a reformat:
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

You could try a repair or reinstall of the Operating system, but with a reformat, you would be assured of a clean computer.

Thanks
 
The performance is the same.

What should I be in? Just Safe mode?

I was just going to bring it to GeekSquad... Not a good idea, since they are most likely going to uninstall and reinstall the operating system?

What does reformatting do? Does it say that in the links?

I am also rerunning the "Malwarebytes' Anti-Malware" software to see what happens; so far it says "objects infected" is 12. I am only running drive C.
 
I may have suggested you try combofix in safe mode, and Smitfraudfix's "Clean" function is:
Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)

At no time did I suggest safe mode with networking. But none of that is going to change the information I posted concerning the computer and the difficulty running the basic malware tools.

Thanks
 
Not that this is going to help any, but here is the NEW MBAM log and the new HJT log:

Malwarebytes' Anti-Malware 1.30
Database version: 1375
Windows 5.1.2600 Service Pack 3

11/9/2008 2:19:26 PM
mbam-log-2008-11-09 (14-19-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 119693
Time elapsed: 23 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\vunazimu.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\28a16726 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suvolakoji (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\vunazimu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\vunazimu.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dopejujo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ojujepod.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wadubebe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ebebudaw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\vunazimu.dll (Trojan.Agent) -> Delete on reboot.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:25:17, on 11/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1172010222\ee\AOLSoftware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Jack Berry\Desktop\SmitfraudFix\Policies.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.execf
C:\WINDOWS\system32\findstr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {9e5a0163-4760-49df-8df4-70c55e0ca8ff} - C:\WINDOWS\system32\fedoniko.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1172010222\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [CPM2b9254ba] Rundll32.exe "c:\windows\system32\vunazimu.dll",a
O4 - HKLM\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s (User 'NETWORK SERVICE')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\keyutova.dll c:\windows\system32\jayajuho.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 12111 bytes
 
C:\Documents and Settings\Jack Berry\Desktop\SmitfraudFix\Policies.exe <<< please delete Smitfraudfix from the computer

C:\WINDOWS\system32\cmd.execf <<< not sure what this is; here is some information:
http://www.systemlookup.com/Startup/2031.html
We will remove that file.

Remove (delete) combofix from the computer


1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {9e5a0163-4760-49df-8df4-70c55e0ca8ff} - C:\WINDOWS\system32\fedoniko.dll
O4 - HKLM\..\Run: [CPM2b9254ba] Rundll32.exe "c:\windows\system32\vunazimu.dll",a
O4 - HKLM\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\keyutova.dll c:\windows\system32\jayajuho.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Right click Start > Explore and navigate to these files/folders and delete them if they are there.

C:\WINDOWS\system32\fedoniko.dll

C:\WINDOWS\system32\cmd.execf

c:\windows\system32\vunazimu.dll

C:\WINDOWS\system32\vobuturi.dll

C:\WINDOWS\system32\keyutova.dll

c:\windows\system32\jayajuho.dll

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

Make sure you restart the computer:

6) Give this scan a run; it does not remove anything, but it may show the hidden files.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from Kaspersky Online Virus Scanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
Post the log along with a New HJT Log into your next reply.

Thanks
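
Step 3 above is the helper picking, by eye, the HJT entries that match a Vundo-style infection: blank IE search values, a BHO with no name, Run entries that use Rundll32 to load a DLL out of system32 (including the copies under the LOCAL SERVICE and NETWORK SERVICE hives), and the AppInit_DLLs list. The script below is an added example, not the thread's own code and not part of HijackThis: it applies those same rules to HJT log lines (the sample is a subset copied from the log posted earlier in the thread) and produces the file list the helper hands out in step 4. The regular expressions and the "DLL lives in system32" rule are my own heuristics, not HijackThis logic.

```python
"""Triage HijackThis log lines with the rules used in this thread.

Added example; not the helper's code and not part of HijackThis or MBAM.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HJT log posted earlier in this thread.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9e5a0163-4760-49df-8df4-70c55e0ca8ff} - C:\WINDOWS\system32\fedoniko.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CPM2b9254ba] Rundll32.exe "c:\windows\system32\vunazimu.dll",a
O4 - HKLM\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s (User 'LOCAL SERVICE')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\keyutova.dll c:\windows\system32\jayajuho.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Heuristics (my assumptions): a Run entry that launches Rundll32 with a DLL
# path, and "system32" anywhere in a DLL path.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)
SYSTEM32_RE = re.compile(r'\\system32\\', re.IGNORECASE)


@dataclass
class Finding:
    line: str      # the HJT line as logged
    reason: str    # why it was flagged
    paths: list    # DLL paths worth inspecting/removing (may be empty)


def triage(log_text):
    """Apply the thread's selection rules to each HJT line; return findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]          # R0, O2, O4, O20, ...
        if kind in ("R0", "R1") and line.endswith("="):
            findings.append(Finding(line, "IE search/start value is blank", []))
        elif kind == "O2" and "(no name)" in line:
            path = line.rsplit(" - ", 1)[1]      # last field is the BHO DLL
            findings.append(Finding(line, "BHO with no name", [path]))
        elif kind == "O4":
            m = RUNDLL_RE.search(line)
            if m and SYSTEM32_RE.search(m.group(1)):
                reason = "Run entry loads a system32 DLL via Rundll32"
                if "HKUS\\S-1-5-" in line:
                    reason += " under a service-account hive"
                findings.append(Finding(line, reason, [m.group(1)]))
        elif kind == "O20" and "AppInit_DLLs:" in line:
            for dll in line.split("AppInit_DLLs:", 1)[1].split():
                if SYSTEM32_RE.search(dll):
                    findings.append(Finding(
                        line, f"AppInit_DLLs injects {dll} into every GUI process", [dll]))
                else:
                    findings.append(Finding(
                        line, f"AppInit_DLLs entry outside system32, review: {dll}", []))
        # O9 "(no name)" buttons are deliberately not flagged: the helper left them.
    return findings


def files_to_inspect(findings):
    """Deduplicated, case-insensitive list of DLL file names to check on disk."""
    names = {}
    for f in findings:
        for p in f.paths:
            names.setdefault(p.rsplit("\\", 1)[-1].lower(), p)
    return sorted(names)


if __name__ == "__main__":
    found = triage(SAMPLE_HJT)
    for f in found:
        print(f"{f.reason}\n    {f.line}")
    print("files to inspect:", files_to_inspect(found))
```

The Google Desktop DLL in AppInit_DLLs is reported for review rather than put on the file list because it lives outside system32, which matches the helper's choice to delete only the two system32 entries. Anything listed in AppInit_DLLs is loaded into every process that links user32.dll, so those DLLs stay in use for as long as Windows is running normally; that is why MBAM marks vunazimu.dll "Delete on reboot" instead of removing it immediately, and why such files usually need Safe Mode or a delete-on-reboot to go away.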
 
I did the "Kaspersky" and the HJT scans like you wanted.

But, first I want to update you on what you wanted me to delete "4) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\system32\fedoniko.dll

C:\WINDOWS\system32\cmd.execf

c:\windows\system32\vunazimu.dll

C:\WINDOWS\system32\vobuturi.dll

C:\WINDOWS\system32\keyutova.dll

c:\windows\system32\jayajuho.dll"

- the "cmd.execf" I got rid of (deleted)

-I could not find in the above process these three: "Vunazimu.dll", "Vobuturi.dll", and "Jayajuho.dll"

These two I found BUT COULD NOT DELETE... "Fedoniko.dll" and "Keyutova.dll".
When I tried to delete them, both gave this message: "Can not delete fedoniko or keyutova: Access is denied" "Make sure the disk is not full or write-protected and that the file is not currently in use."


Here are the results of the "Kaspersky" and the HJT scans:

KASPERSKY ONLINE SCANNER 7 REPORT
Monday, November 10, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, November 09, 2008 20:42:17
Records in database: 1377092


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\

Scan statistics
Files scanned 119644
Threat name 6
Infected objects 70
Suspicious objects 0
Duration of the scan 04:43:24

File name Threat name Threats count
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

C:\Documents and Settings\Jack Berry\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

C:\WINDOWS\system32\l7vtgRIl.exe Infected: Trojan-Downloader.Win32.Agent.aogx 1

E:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

E:\Documents and Settings\Jack Berry\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe Infected: not-a-virus:Downloader.Win32.ImLoader.g 1

E:\olddrivedata\jack\Local Settings\Temp\~347074.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~352740.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~368798.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~375387.tmp Infected: not-a-virus:AdWare.Win32.Wintol.c 1

E:\olddrivedata\jack\Local Settings\Temp\~376432.tmp Infected: not-a-virus:AdWare.Win32.Wintol.c 1

E:\olddrivedata\jack\Local Settings\Temp\~386889.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~387262.tmp Infected: not-a-virus:AdWare.Win32.Wintol.c 1

E:\olddrivedata\jack\Local Settings\Temp\~388596.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~391220.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~394118.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~398853.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~405523.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~405761.tmp Infected: not-a-virus:AdWare.Win32.Wintol.c 1

E:\olddrivedata\jack\Local Settings\Temp\~410112.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~411627.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~412371.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~413734.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~414141.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~414782.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~416868.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~429814.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~429837.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~435686.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~443502.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~446655.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~531206.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~537522.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~542897.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~556289.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~564668.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~567388.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~569032.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~610112.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~610619.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~625954.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~653116.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~660856.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~663843.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~672377.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~684737.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~688701.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~696014.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~705439.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~709776.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~723572.tmp Infected: not-a-virus:AdWare.Win32.Wintol.c 1

E:\olddrivedata\jack\Local Settings\Temp\~743155.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~748103.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~754210.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~757236.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~781181.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~791174.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~814048.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~842750.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~851219.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~855793.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~856115.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~861219.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~881529.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~891299.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~921074.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\olddrivedata\jack\Local Settings\Temp\~927816.tmp Infected: not-a-virus:AdWare.Win32.Wintol.c 1

E:\olddrivedata\jack\Local Settings\Temp\~950425.tmp Infected: not-a-virus:AdWare.Win32.Wintol.j 1

E:\Program Files\IncrediMail\bin\IncrediMail_Install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.g 1

The selected area was scanned.






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:18:12, on 11/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Common Files\AOL\1172010222\ee\AOLSoftware.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Documents and Settings\Jack Berry\Local Settings\Temp\jkos-Jack Berry\binaries\ScanningProcess.exe
C:\Documents and Settings\Jack Berry\Local Settings\Temp\jkos-Jack Berry\binaries\ScanningProcess.exe
C:\WINDOWS\system32\l7vtgRIl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {9e5a0163-4760-49df-8df4-70c55e0ca8ff} - C:\WINDOWS\system32\fedoniko.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1172010222\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CPM2b9254ba] Rundll32.exe "c:\windows\system32\wevusavi.dll",a
O4 - HKLM\..\Run: [28a16726] rundll32.exe "C:\WINDOWS\system32\juzetoja.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s (User 'NETWORK SERVICE')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JS...6/&filename=jinstall-6u10-windows-i586-jc.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - AppInit_DLLs: C:\WINDOWS\system32\keyutova.dll c:\windows\system32\wevusavi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wevusavi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wevusavi.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11845 bytes
 
Thanks for the feedback, you said:
These two I found BUT COULD NOT DELETE..."Fedoniko.dll", and "Keyutova.dll"
Understand that they are bad files, may be causing the problems and must be deleted before you will be clean. Did you consider deleting them in Safe Mode when they would not have been running? Let's move on and do this one step at a time to avoid any confusion. I would appreciate it if you keep me aware of the computer's performance each time you post.

Kaspersky Online Scan (KOS)

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\ <<< delete that folder in RED and contents

C:\Documents and Settings\Jack Berry\SmitfraudFix\ <<< delete that folder in RED and the contents

C:\WINDOWS\system32\l7vtgRIl.exe <<< delete that file, do it in safe mode if necessary (added this to Avenger script in case you have trouble with it)


E:\ drive?? Delete all files in RED

E:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe ------> AdWare.Win32.SearchIt.t 1

E:\Documents and Settings\Jack Berry\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe ------> Downloader.Win32.ImLoader.g 1

E:\Program Files\IncrediMail\bin\IncrediMail_Install.exe ------> Downloader.Win32.ImLoader.g 1

E:\olddrivedata\jack\Local Settings\Temp\ <<< delete everything in that folder in RED

Delete these files, do it in safe mode if need be, they must go.

C:\WINDOWS\system32\fedoniko.dll

C:\WINDOWS\system32\vobuturi.dll

c:\windows\system32\wevusavi.dll

C:\WINDOWS\system32\juzetoja.dll

C:\WINDOWS\system32\keyutova.dll

There are tools to help but you can't seem to run any of them. If you have trouble deleting those files, you can give this a try.

Download The Avenger (http://swandog46.geekstogo.com/avenger.zip) Copyright © Swandog46
You must extract avenger.exe to your desktop, before you run it.
The Avenger must be run from a user account with administrator privileges,
and ONLY works on Windows 2000 and XP, and only on 32-bit versions!

Copy all the text contained in the code box below to your Clipboard.

Code:
Files to delete:
C:\WINDOWS\system32\fedoniko.dll
C:\WINDOWS\system32\vobuturi.dll
c:\windows\system32\wevusavi.dll
C:\WINDOWS\system32\juzetoja.dll
C:\WINDOWS\system32\keyutova.dll 
C:\WINDOWS\system32\l7vtgRIl.exe

The above script is for this user only, if you need help please start your own thread.

Start the Avenger.
Under "Script file to execute" choose "Input Script Manually".
Click on the Magnifying Glass icon which will open a new window titled "View/edit script".
Paste the entire text into this window.
Click done, then click on the Green Light.
Answer "Yes" twice when prompted.
Your computer should reboot, and briefly open a black command window on your desktop, this is normal.

After the restart, it will create a log file that should open.
This log file will be located at C:\avenger.txt
Paste the contents of the file into your reply along with a fresh HJT log.

Also: Avenger has made backups of all the files, etc., that you asked it to delete, located at C:\avenger\backup.zip.

When you are finished, I need to see the results of a new KOS, the log file from Avenger and a new HJT log.

Thanks
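
The entries singled out in the post above (a nameless BHO, Run keys that start rundll32 on a DLL, the same DLL in AppInit_DLLs, SSODL and SharedTaskScheduler) can be picked out of a HijackThis log mechanically. The following is an added example, not part of this thread or of HijackThis; it parses the "Oxx - ..." lines and reports DLLs that appear in injection points or in several persistence sections, run over a constructed excerpt shaped like the log posted above.

```python
"""Triage a HijackThis (HJT) log for the Virtumonde-style persistence seen in this thread."""
import re
from collections import defaultdict

# Constructed excerpt in the shape of the HJT log posted above (file names are the ones the log shows).
SAMPLE_HJT_LOG = r"""
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {9e5a0163-4760-49df-8df4-70c55e0ca8ff} - C:\WINDOWS\system32\fedoniko.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s
O4 - HKLM\..\Run: [CPM2b9254ba] Rundll32.exe "c:\windows\system32\wevusavi.dll",a
O4 - HKLM\..\Run: [28a16726] rundll32.exe "C:\WINDOWS\system32\juzetoja.dll",b
O4 - HKUS\S-1-5-19\..\Run: [suvolakoji] Rundll32.exe "C:\WINDOWS\system32\vobuturi.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\keyutova.dll c:\windows\system32\wevusavi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wevusavi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wevusavi.dll
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")            # "O4 - <body>"
DLL_RE = re.compile(r'[a-z]:\\[^",]*?\.dll', re.IGNORECASE)  # drive-letter path ending in .dll
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\b", re.IGNORECASE)


def parse_hjt(text):
    """Return (section, body) pairs for every 'Oxx - ...' style entry in an HJT log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Return {dll file name: sorted reasons} for DLLs an analyst should look at first.

    Heuristics mirror the hand analysis in this thread: a BHO with no name, a Run key that
    starts rundll32 on a DLL (worse when copied into the service-account hives), anything in
    AppInit_DLLs, and a single DLL referenced from several persistence sections.
    """
    reasons = defaultdict(set)
    seen_in = defaultdict(set)  # dll name -> HJT sections that reference it
    for section, body in parse_hjt(text):
        names = [p.rsplit("\\", 1)[-1].lower() for p in DLL_RE.findall(body)]
        for name in names:
            seen_in[name].add(section)
            if section == "O2" and "(no name)" in body:
                reasons[name].add("BHO registered with no name")
            if section == "O4" and RUNDLL_RE.search(body):
                reasons[name].add("Run key starts rundll32 on a DLL")
                if "(User '" in body:
                    reasons[name].add("Run value replicated into a service account hive")
            if section == "O20":
                reasons[name].add("listed in AppInit_DLLs (loaded into processes that load user32.dll)")
    for name, sections in seen_in.items():
        if len(sections) > 1:
            ordered = sorted(sections, key=lambda s: int(s[1:]))
            reasons[name].add("same DLL in " + ", ".join(ordered))
    return {name: sorted(rs) for name, rs in reasons.items()}


if __name__ == "__main__":
    for dll, why in sorted(triage(SAMPLE_HJT_LOG).items()):
        print(f"{dll}: {'; '.join(why)}")
```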
 
The Avenger: the directions you pointed out for me to use for this software are not there:

Start the Avenger.
Under "Script file to execute" choose "Input Script Manually".
Click on the Magnifying Glass icon which will open a new window titled "View/edit script".
Paste the entire text into this window.
Click done, then click on the Green Light.
Answer "Yes" twice when prompted.
Your computer should reboot, and briefly open a black command window on your desktop, this is normal.

I do not see any of these....When I start up Avenger I see a white box and above the box it says "Input Script here", under the white box to the right it says "Execute" and under the white box it says "Scan for rootkits" and that option is checked, and it also says "Automatically disable any rootkits found" and that option is not checked........
 
Also, FYI: "fedoniko.dll" I was able to delete in safe mode.

"Vobuturi.dll" cannot find that file

"Wevusavi.dll" I was in safe mode but I could still not delete it.

"juzetoja.dll" I was able to delete in safe mode

"Keyutova.dll" I was in safe mode but I could still not delete.

In addition, when I started up the computer 2 boxes came on right when it came to my desktop screen. The first one stated "Error Loading juzetoja.dll" and the other box stated "Error loading Vobuturi.dll" with an option of "ok" for me to get rid of the boxes.
 
Download The Avenger (http://swandog46.geekstogo.com/avenger.zip) Copyright © Swandog46 <<< it is there

http://swandog46.geekstogo.com/avenger.zip <<< there

http://swandog46.geekstogo.com/avenger.zip <<< there

all links work?

You have been able to run one tool out of all I provided and they are all routine tools that are used daily by many, many folks. I am beginning to believe the problem is not the tools. I am suggesting you ask someone with more computer experience to lend a hand or that you take the computer to a qualified technician.

Thanks
 
I don't know how it is me when I am doing everything you instructed and the SmitFraudFix worked the first time but since then it is not allowing me to do so.

Do you know if someone else can take over my file before I give up and bring it to someone?

Also, the Avenger is opening up fine it is just not going to the screen that you are describing it is going to a different screen.
 
Anyone else would have the same problem getting the tools run that I am having. I suggest you take the computer to a local technician or reformat yourself if you can follow the instructions. Let's face facts, you could not even secure the computer in your own home.
Damn, family members went on the computer this morning, I hope this didn't screw up any progress we had so far

http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm
 
Thanks for your concern about "my" computer but my computer is perfectly fine thank you. Never had a virus or spam. The computer I am trying to fix is my mother's computer.

Maybe someone else could help me get around this "rootkit infection" that you stated I might have and could be the reason the software you are sending me might not be working.
 