Tech Support Forum - View Single Post - Need help removing "mm27nov[1].exe", and other

**Angelfire777** · 01-21-2008, 12:40 AM

Hi,

*Uninstall the items in bold if found:

Internet Explorer Secure Bar
Safety Alert 2006
Messenger Service

*A few optionals that I would recommend be uninstalled.

LimeWire 4.14.10
This program is very likely the reason your system is infested with malware. Even when a program like this is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove this program from your system.

Viewpoint, Viewpoint Manager, Viewpoint Media Player
are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". In 2006, this may change, read Viewpoint to Plunge Into Adware.

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

Delete the following folders if you uninstalled their corresponding programs:

C:\Program Files\Viewpoint
C:\Program Files\LimeWire
C:\Documents and Settings\Tomek\.limewire
________

Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O2 - BHO: (no name) - {FC7FF7DC-C5F6-D3CA-D1F2-CD9E1FC437EB} - C:\WINDOWS\system32\iphttphl2.dll
O4 - HKLM\..\Run: [cjnr4r42986185] C:\WINDOWS\system32\cjnr4r42986185.exe
O4 - HKLM\..\Run: [nlkfev76087652] C:\WINDOWS\system32\nlkfev76087652.exe
O4 - HKLM\..\Run: [cjnr4r42192690] C:\WINDOWS\system32\cjnr4r42192690.exe
O4 - HKLM\..\Run: [cjnr4r43639770] C:\WINDOWS\system32\cjnr4r43639770.exe
O4 - HKLM\..\Run: [nlkfev72724542] C:\WINDOWS\system32\nlkfev72724542.exe
O4 - HKLM\..\Run: [cjnr4r476025] C:\WINDOWS\system32\cjnr4r476025.exe
O4 - HKLM\..\Run: [cjnr4r47663240] C:\WINDOWS\system32\cjnr4r47663240.exe
O4 - HKLM\..\Run: [cjnr4r41198495] C:\WINDOWS\system32\cjnr4r41198495.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dior4f43929931] C:\WINDOWS\system32\dior4f43929931.exe
O4 - HKLM\..\Run: [mlsdf8h3548229] C:\WINDOWS\system32\mlsdf8h3548229.exe
O4 - HKLM\..\Run: [cjnr4r42264435] C:\WINDOWS\system32\cjnr4r42264435.exe
O4 - HKLM\..\Run: [nlkfev79403662] C:\WINDOWS\system32\nlkfev79403662.exe
O4 - HKLM\..\Run: [cjnr4r42273260] C:\WINDOWS\system32\cjnr4r42273260.exe
O4 - HKLM\..\Run: [sklrr7y4712878] C:\WINDOWS\system32\sklrr7y4712878.exe
O4 - HKLM\..\Run: [dior4f47934371] C:\WINDOWS\system32\dior4f47934371.exe
O4 - HKLM\..\Run: [sklrr7y9546028] C:\WINDOWS\system32\sklrr7y9546028.exe
O4 - HKLM\..\Run: [nlkfev79015397] C:\WINDOWS\system32\nlkfev79015397.exe
O4 - HKLM\..\Run: [sklrr7y5688178] C:\WINDOWS\system32\sklrr7y5688178.exe
O4 - HKLM\..\Run: [sklrr7y2715978] C:\WINDOWS\system32\sklrr7y2715978.exe
O4 - HKLM\..\Run: [cjnr4r46193640] C:\WINDOWS\system32\cjnr4r46193640.exe
O4 - HKLM\..\Run: [nlkfev77533962] C:\WINDOWS\system32\nlkfev77533962.exe
O4 - HKLM\..\Run: [sklrr7y6312728] C:\WINDOWS\system32\sklrr7y6312728.exe
O4 - HKLM\..\Run: [cjnr4r43337735] C:\WINDOWS\system32\cjnr4r43337735.exe
O4 - HKLM\..\Run: [sklrr7y8168548] C:\WINDOWS\system32\sklrr7y8168548.exe
O4 - HKLM\..\Run: [sklrr7y1871983] C:\WINDOWS\system32\sklrr7y1871983.exe
O4 - HKLM\..\Run: [sklrr7y7508933] C:\WINDOWS\system32\sklrr7y7508933.exe
O4 - HKLM\..\Run: [nlkfev71825087] C:\WINDOWS\system32\nlkfev71825087.exe
O4 - HKLM\..\Run: [nlkfev73246982] C:\WINDOWS\system32\nlkfev73246982.exe
O4 - HKLM\..\Run: [dior4f47282931] C:\WINDOWS\system32\dior4f47282931.exe
O4 - HKLM\..\Run: [nlkfev75326202] C:\WINDOWS\system32\nlkfev75326202.exe
O4 - HKLM\..\Run: [mlsdf8h8887034] C:\WINDOWS\system32\mlsdf8h8887034.exe
O4 - HKLM\..\Run: [dior4f43695691] C:\WINDOWS\system32\dior4f43695691.exe
O4 - HKLM\..\Run: [nlkfev74649652] C:\WINDOWS\system32\nlkfev74649652.exe
O4 - HKLM\..\Run: [cjnr4r44112275] C:\WINDOWS\system32\cjnr4r44112275.exe
O4 - HKLM\..\Run: [sklrr7y2746243] C:\WINDOWS\system32\sklrr7y2746243.exe
O4 - HKLM\..\Run: [mlsdf8h1076759] C:\WINDOWS\system32\mlsdf8h1076759.exe
O4 - HKLM\..\Run: [cjnr4r43726670] C:\WINDOWS\system32\cjnr4r43726670.exe
O4 - HKLM\..\Run: [mlsdf8h2532124] C:\WINDOWS\system32\mlsdf8h2532124.exe
O4 - HKLM\..\Run: [cjnr4r44741090] C:\WINDOWS\system32\cjnr4r44741090.exe
O4 - HKLM\..\Run: [mlsdf8h7618944] C:\WINDOWS\system32\mlsdf8h7618944.exe
O4 - HKLM\..\Run: [mlsdf8h8742639] C:\WINDOWS\system32\mlsdf8h8742639.exe
O4 - HKLM\..\Run: [cjnr4r43416115] C:\WINDOWS\system32\cjnr4r43416115.exe
O4 - HKLM\..\Run: [cjnr4r47649280] C:\WINDOWS\system32\cjnr4r47649280.exe
O4 - HKLM\..\Run: [sklrr7y3730863] C:\WINDOWS\system32\sklrr7y3730863.exe
O4 - HKLM\..\Run: [cjnr4r43236485] C:\WINDOWS\system32\cjnr4r43236485.exe
O4 - HKLM\..\Run: [dior4f49385346] C:\WINDOWS\system32\dior4f49385346.exe
O4 - HKLM\..\Run: [sklrr7y6004428] C:\WINDOWS\system32\sklrr7y6004428.exe
O4 - HKLM\..\Run: [sklrr7y996773] C:\WINDOWS\system32\sklrr7y996773.exe
O4 - HKLM\..\Run: [sklrr7y1053608] C:\WINDOWS\system32\sklrr7y1053608.exe
O4 - HKLM\..\Run: [mlsdf8h7611949] C:\WINDOWS\system32\mlsdf8h7611949.exe
O4 - HKLM\..\Run: [cjnr4r497715] C:\WINDOWS\system32\cjnr4r497715.exe
O4 - HKLM\..\Run: [A2E1F63A] C:\WINDOWS\system32\nlkfev77134272.exe
O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe
O4 - HKLM\..\Run: [Kernel32_sysdamper] C:\WINDOWS\system32\drivers\sysdamp.exe
O4 - HKLM\..\RunServices: [cjnr4r42986185] C:\WINDOWS\system32\cjnr4r42986185.exe
O4 - HKLM\..\RunServices: [nlkfev76087652] C:\WINDOWS\system32\nlkfev76087652.exe
O4 - HKLM\..\RunServices: [cjnr4r42192690] C:\WINDOWS\system32\cjnr4r42192690.exe
O4 - HKLM\..\RunServices: [cjnr4r43639770] C:\WINDOWS\system32\cjnr4r43639770.exe
O4 - HKLM\..\RunServices: [nlkfev72724542] C:\WINDOWS\system32\nlkfev72724542.exe
O4 - HKLM\..\RunServices: [cjnr4r476025] C:\WINDOWS\system32\cjnr4r476025.exe
O4 - HKLM\..\RunServices: [cjnr4r47663240] C:\WINDOWS\system32\cjnr4r47663240.exe
O4 - HKLM\..\RunServices: [cjnr4r41198495] C:\WINDOWS\system32\cjnr4r41198495.exe
O4 - HKLM\..\RunServices: [dior4f43929931] C:\WINDOWS\system32\dior4f43929931.exe
O4 - HKLM\..\RunServices: [mlsdf8h3548229] C:\WINDOWS\system32\mlsdf8h3548229.exe
O4 - HKLM\..\RunServices: [cjnr4r42264435] C:\WINDOWS\system32\cjnr4r42264435.exe
O4 - HKLM\..\RunServices: [nlkfev79403662] C:\WINDOWS\system32\nlkfev79403662.exe
O4 - HKLM\..\RunServices: [cjnr4r42273260] C:\WINDOWS\system32\cjnr4r42273260.exe
O4 - HKLM\..\RunServices: [sklrr7y4712878] C:\WINDOWS\system32\sklrr7y4712878.exe
O4 - HKLM\..\RunServices: [dior4f47934371] C:\WINDOWS\system32\dior4f47934371.exe
O4 - HKLM\..\RunServices: [sklrr7y9546028] C:\WINDOWS\system32\sklrr7y9546028.exe
O4 - HKLM\..\RunServices: [nlkfev79015397] C:\WINDOWS\system32\nlkfev79015397.exe
O4 - HKLM\..\RunServices: [sklrr7y5688178] C:\WINDOWS\system32\sklrr7y5688178.exe
O4 - HKLM\..\RunServices: [sklrr7y2715978] C:\WINDOWS\system32\sklrr7y2715978.exe
O4 - HKLM\..\RunServices: [cjnr4r46193640] C:\WINDOWS\system32\cjnr4r46193640.exe
O4 - HKLM\..\RunServices: [nlkfev77533962] C:\WINDOWS\system32\nlkfev77533962.exe
O4 - HKLM\..\RunServices: [sklrr7y6312728] C:\WINDOWS\system32\sklrr7y6312728.exe
O4 - HKLM\..\RunServices: [cjnr4r43337735] C:\WINDOWS\system32\cjnr4r43337735.exe
O4 - HKLM\..\RunServices: [sklrr7y8168548] C:\WINDOWS\system32\sklrr7y8168548.exe
O4 - HKLM\..\RunServices: [sklrr7y1871983] C:\WINDOWS\system32\sklrr7y1871983.exe
O4 - HKLM\..\RunServices: [sklrr7y7508933] C:\WINDOWS\system32\sklrr7y7508933.exe
O4 - HKLM\..\RunServices: [nlkfev71825087] C:\WINDOWS\system32\nlkfev71825087.exe
O4 - HKLM\..\RunServices: [nlkfev73246982] C:\WINDOWS\system32\nlkfev73246982.exe
O4 - HKLM\..\RunServices: [dior4f47282931] C:\WINDOWS\system32\dior4f47282931.exe
O4 - HKLM\..\RunServices: [nlkfev75326202] C:\WINDOWS\system32\nlkfev75326202.exe
O4 - HKLM\..\RunServices: [mlsdf8h8887034] C:\WINDOWS\system32\mlsdf8h8887034.exe
O4 - HKLM\..\RunServices: [dior4f43695691] C:\WINDOWS\system32\dior4f43695691.exe
O4 - HKLM\..\RunServices: [nlkfev74649652] C:\WINDOWS\system32\nlkfev74649652.exe
O4 - HKLM\..\RunServices: [cjnr4r44112275] C:\WINDOWS\system32\cjnr4r44112275.exe
O4 - HKLM\..\RunServices: [sklrr7y2746243] C:\WINDOWS\system32\sklrr7y2746243.exe
O4 - HKLM\..\RunServices: [mlsdf8h1076759] C:\WINDOWS\system32\mlsdf8h1076759.exe
O4 - HKLM\..\RunServices: [cjnr4r43726670] C:\WINDOWS\system32\cjnr4r43726670.exe
O4 - HKLM\..\RunServices: [mlsdf8h2532124] C:\WINDOWS\system32\mlsdf8h2532124.exe
O4 - HKLM\..\RunServices: [cjnr4r44741090] C:\WINDOWS\system32\cjnr4r44741090.exe
O4 - HKLM\..\RunServices: [mlsdf8h7618944] C:\WINDOWS\system32\mlsdf8h7618944.exe
O4 - HKLM\..\RunServices: [mlsdf8h8742639] C:\WINDOWS\system32\mlsdf8h8742639.exe
O4 - HKLM\..\RunServices: [cjnr4r43416115] C:\WINDOWS\system32\cjnr4r43416115.exe
O4 - HKLM\..\RunServices: [cjnr4r47649280] C:\WINDOWS\system32\cjnr4r47649280.exe
O4 - HKLM\..\RunServices: [sklrr7y3730863] C:\WINDOWS\system32\sklrr7y3730863.exe
O4 - HKLM\..\RunServices: [cjnr4r43236485] C:\WINDOWS\system32\cjnr4r43236485.exe
O4 - HKLM\..\RunServices: [dior4f49385346] C:\WINDOWS\system32\dior4f49385346.exe
O4 - HKLM\..\RunServices: [sklrr7y6004428] C:\WINDOWS\system32\sklrr7y6004428.exe
O4 - HKLM\..\RunServices: [sklrr7y996773] C:\WINDOWS\system32\sklrr7y996773.exe
O4 - HKLM\..\RunServices: [sklrr7y1053608] C:\WINDOWS\system32\sklrr7y1053608.exe
O4 - HKLM\..\RunServices: [mlsdf8h7611949] C:\WINDOWS\system32\mlsdf8h7611949.exe
O4 - HKLM\..\RunServices: [cjnr4r497715] C:\WINDOWS\system32\cjnr4r497715.exe
O4 - HKLM\..\RunServices: [A2E1F63A] C:\WINDOWS\system32\nlkfev77134272.exe

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
________

Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type fix.bat in the File name and save it to your desktop.

Code:

@echo off
if [%1]==[2B] goto 2B
copy /y %systemdrive%\SDFix\catchme.exe %windir%>nul
attrib -s -h -r %systemdrive%\SDFix\apps
copy /y %systemdrive%\SDFix\apps\swreg.exe %windir%>nul
copy /y %systemdrive%\SDFix\apps\swsc.exe %windir%>nul

for %%g in (
"C:\WINDOWS\system32\msnat.exe"
"C:\windows\winsysupd.exe"
"C:\WINDOWS\system32\httskm.exe"
"C:\WINDOWS\system32\sysdamp.exe"
"C:\WINDOWS\system32\iphttphl2.dll"
"C:\uxgq.exe"
"C:\WINDOWS\system32\xpdx.sys"
"C:\DOCUME~1\Tomek\LOCALS~1\Temp\laf9B.tmp"
) do (
catchme -k %%g
)>nul

for %%g in (
"C:\WINDOWS\system32\edcA17"
"C:\WINDOWS\system32\ardCo17"
"C:\Documents and Settings\All Users\Application Data\GLOBALDOG64CHIC"
"C:\DOCUME~1\User\APPLIC~1\antielse"
"C:\Program Files\webHancer"
"C:\Program Files\Video ActiveX Access"
) do (
rd /s/q %%g
)>nul

for %%g in (
"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices"
"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\04cg0ryk.dll"
"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\64 CHIC FAST TRAY"
"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Biasheart"
"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion"
"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winsysupd"
"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent"
"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\httskm"
) do (
swreg delete %%g /f
)>nul

swreg add "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices"
swreg add "hklm\software\microsoft\windows\currentversion\runonce" /v "Kill" /d ""%comspec%" /c %~s0 2B"
pause
"%systemdrive%\SDFix\apps\restartit!.exe" /reboot
exit
:2B
for %%g in (
"C:\WINDOWS\system32\msnat.exe"
"C:\windows\winsysupd.exe"
"C:\WINDOWS\system32\httskm.exe"
"C:\WINDOWS\system32\sysdamp.exe"
"C:\WINDOWS\system32\iphttphl2.dll"
"C:\uxgq.exe"
"C:\WINDOWS\system32\xpdx.sys"
"C:\DOCUME~1\Tomek\LOCALS~1\Temp\laf9B.tmp"
) do (
del /a/f/q %%g
)>nul

swsc stop xpdx>nul
swsc stop MSNAT>nul
swsc stop mp32>nul
swsc delete xpdx>nul
swsc delete MSNAT>nul
swsc delete mp32>nul

pause
exit

Locate Fix.bat on your Desktop and double-click on it.
_________

Download ATF Cleaner by Atribune

Important: Make sure all your browsers are closed before running ATF Cleaner..

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose:Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click
No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE:If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Please do an online scan with Kaspersky WebScanner

Warning: If you had kaspersky online scanner installed before 10-5-2007, please uninstall it as kaspersky released a new version. Previous version had a serious flaw which could result in a buffer overflow.

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

On your next reply, please include a

fresh DSS main.txt log
kaspersky scan log

01-21-2008, 12:40 AM	#4 (permalink)
Angelfire777 Moderator/Analyst, Security Team ; Rangemaster, TSF Academy Join Date: Oct 2006 Posts: 4,580 OS: Vista	Re: Need help removing "mm27nov[1].exe", and other Hi, Uninstall the items in bold* if found: Internet Explorer Secure Bar Safety Alert 2006 Messenger Service A few optionals that I would recommend be uninstalled. LimeWire 4.14.10* This program is very likely the reason your system is infested with malware. Even when a program like this is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove this program from your system. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". In 2006, this may change, read Viewpoint to Plunge Into Adware. Click Start* > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found. Delete the following folders if you uninstalled their corresponding programs: C:\Program Files\Viewpoint C:\Program Files\LimeWire C:\Documents and Settings\Tomek\.limewire ________ Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold. O2 - BHO: (no name) - {FC7FF7DC-C5F6-D3CA-D1F2-CD9E1FC437EB} - C:\WINDOWS\system32\iphttphl2.dll O4 - HKLM\..\Run: [cjnr4r42986185] C:\WINDOWS\system32\cjnr4r42986185.exe O4 - HKLM\..\Run: [nlkfev76087652] C:\WINDOWS\system32\nlkfev76087652.exe O4 - HKLM\..\Run: [cjnr4r42192690] C:\WINDOWS\system32\cjnr4r42192690.exe O4 - HKLM\..\Run: [cjnr4r43639770] C:\WINDOWS\system32\cjnr4r43639770.exe O4 - HKLM\..\Run: [nlkfev72724542] C:\WINDOWS\system32\nlkfev72724542.exe O4 - HKLM\..\Run: [cjnr4r476025] C:\WINDOWS\system32\cjnr4r476025.exe O4 - HKLM\..\Run: [cjnr4r47663240] C:\WINDOWS\system32\cjnr4r47663240.exe O4 - HKLM\..\Run: [cjnr4r41198495] C:\WINDOWS\system32\cjnr4r41198495.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [dior4f43929931] C:\WINDOWS\system32\dior4f43929931.exe O4 - HKLM\..\Run: [mlsdf8h3548229] C:\WINDOWS\system32\mlsdf8h3548229.exe O4 - HKLM\..\Run: [cjnr4r42264435] C:\WINDOWS\system32\cjnr4r42264435.exe O4 - HKLM\..\Run: [nlkfev79403662] C:\WINDOWS\system32\nlkfev79403662.exe O4 - HKLM\..\Run: [cjnr4r42273260] C:\WINDOWS\system32\cjnr4r42273260.exe O4 - HKLM\..\Run: [sklrr7y4712878] C:\WINDOWS\system32\sklrr7y4712878.exe O4 - HKLM\..\Run: [dior4f47934371] C:\WINDOWS\system32\dior4f47934371.exe O4 - HKLM\..\Run: [sklrr7y9546028] C:\WINDOWS\system32\sklrr7y9546028.exe O4 - HKLM\..\Run: [nlkfev79015397] C:\WINDOWS\system32\nlkfev79015397.exe O4 - HKLM\..\Run: [sklrr7y5688178] C:\WINDOWS\system32\sklrr7y5688178.exe O4 - HKLM\..\Run: [sklrr7y2715978] C:\WINDOWS\system32\sklrr7y2715978.exe O4 - HKLM\..\Run: [cjnr4r46193640] C:\WINDOWS\system32\cjnr4r46193640.exe O4 - HKLM\..\Run: [nlkfev77533962] C:\WINDOWS\system32\nlkfev77533962.exe O4 - HKLM\..\Run: [sklrr7y6312728] C:\WINDOWS\system32\sklrr7y6312728.exe O4 - HKLM\..\Run: [cjnr4r43337735] C:\WINDOWS\system32\cjnr4r43337735.exe O4 - HKLM\..\Run: [sklrr7y8168548] C:\WINDOWS\system32\sklrr7y8168548.exe O4 - HKLM\..\Run: [sklrr7y1871983] C:\WINDOWS\system32\sklrr7y1871983.exe O4 - HKLM\..\Run: [sklrr7y7508933] C:\WINDOWS\system32\sklrr7y7508933.exe O4 - HKLM\..\Run: [nlkfev71825087] C:\WINDOWS\system32\nlkfev71825087.exe O4 - HKLM\..\Run: [nlkfev73246982] C:\WINDOWS\system32\nlkfev73246982.exe O4 - HKLM\..\Run: [dior4f47282931] C:\WINDOWS\system32\dior4f47282931.exe O4 - HKLM\..\Run: [nlkfev75326202] C:\WINDOWS\system32\nlkfev75326202.exe O4 - HKLM\..\Run: [mlsdf8h8887034] C:\WINDOWS\system32\mlsdf8h8887034.exe O4 - HKLM\..\Run: [dior4f43695691] C:\WINDOWS\system32\dior4f43695691.exe O4 - HKLM\..\Run: [nlkfev74649652] C:\WINDOWS\system32\nlkfev74649652.exe O4 - HKLM\..\Run: [cjnr4r44112275] C:\WINDOWS\system32\cjnr4r44112275.exe O4 - HKLM\..\Run: [sklrr7y2746243] C:\WINDOWS\system32\sklrr7y2746243.exe O4 - HKLM\..\Run: [mlsdf8h1076759] C:\WINDOWS\system32\mlsdf8h1076759.exe O4 - HKLM\..\Run: [cjnr4r43726670] C:\WINDOWS\system32\cjnr4r43726670.exe O4 - HKLM\..\Run: [mlsdf8h2532124] C:\WINDOWS\system32\mlsdf8h2532124.exe O4 - HKLM\..\Run: [cjnr4r44741090] C:\WINDOWS\system32\cjnr4r44741090.exe O4 - HKLM\..\Run: [mlsdf8h7618944] C:\WINDOWS\system32\mlsdf8h7618944.exe O4 - HKLM\..\Run: [mlsdf8h8742639] C:\WINDOWS\system32\mlsdf8h8742639.exe O4 - HKLM\..\Run: [cjnr4r43416115] C:\WINDOWS\system32\cjnr4r43416115.exe O4 - HKLM\..\Run: [cjnr4r47649280] C:\WINDOWS\system32\cjnr4r47649280.exe O4 - HKLM\..\Run: [sklrr7y3730863] C:\WINDOWS\system32\sklrr7y3730863.exe O4 - HKLM\..\Run: [cjnr4r43236485] C:\WINDOWS\system32\cjnr4r43236485.exe O4 - HKLM\..\Run: [dior4f49385346] C:\WINDOWS\system32\dior4f49385346.exe O4 - HKLM\..\Run: [sklrr7y6004428] C:\WINDOWS\system32\sklrr7y6004428.exe O4 - HKLM\..\Run: [sklrr7y996773] C:\WINDOWS\system32\sklrr7y996773.exe O4 - HKLM\..\Run: [sklrr7y1053608] C:\WINDOWS\system32\sklrr7y1053608.exe O4 - HKLM\..\Run: [mlsdf8h7611949] C:\WINDOWS\system32\mlsdf8h7611949.exe O4 - HKLM\..\Run: [cjnr4r497715] C:\WINDOWS\system32\cjnr4r497715.exe O4 - HKLM\..\Run: [A2E1F63A] C:\WINDOWS\system32\nlkfev77134272.exe O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe O4 - HKLM\..\Run: [Kernel32_sysdamper] C:\WINDOWS\system32\drivers\sysdamp.exe O4 - HKLM\..\RunServices: [cjnr4r42986185] C:\WINDOWS\system32\cjnr4r42986185.exe O4 - HKLM\..\RunServices: [nlkfev76087652] C:\WINDOWS\system32\nlkfev76087652.exe O4 - HKLM\..\RunServices: [cjnr4r42192690] C:\WINDOWS\system32\cjnr4r42192690.exe O4 - HKLM\..\RunServices: [cjnr4r43639770] C:\WINDOWS\system32\cjnr4r43639770.exe O4 - HKLM\..\RunServices: [nlkfev72724542] C:\WINDOWS\system32\nlkfev72724542.exe O4 - HKLM\..\RunServices: [cjnr4r476025] C:\WINDOWS\system32\cjnr4r476025.exe O4 - HKLM\..\RunServices: [cjnr4r47663240] C:\WINDOWS\system32\cjnr4r47663240.exe O4 - HKLM\..\RunServices: [cjnr4r41198495] C:\WINDOWS\system32\cjnr4r41198495.exe O4 - HKLM\..\RunServices: [dior4f43929931] C:\WINDOWS\system32\dior4f43929931.exe O4 - HKLM\..\RunServices: [mlsdf8h3548229] C:\WINDOWS\system32\mlsdf8h3548229.exe O4 - HKLM\..\RunServices: [cjnr4r42264435] C:\WINDOWS\system32\cjnr4r42264435.exe O4 - HKLM\..\RunServices: [nlkfev79403662] C:\WINDOWS\system32\nlkfev79403662.exe O4 - HKLM\..\RunServices: [cjnr4r42273260] C:\WINDOWS\system32\cjnr4r42273260.exe O4 - HKLM\..\RunServices: [sklrr7y4712878] C:\WINDOWS\system32\sklrr7y4712878.exe O4 - HKLM\..\RunServices: [dior4f47934371] C:\WINDOWS\system32\dior4f47934371.exe O4 - HKLM\..\RunServices: [sklrr7y9546028] C:\WINDOWS\system32\sklrr7y9546028.exe O4 - HKLM\..\RunServices: [nlkfev79015397] C:\WINDOWS\system32\nlkfev79015397.exe O4 - HKLM\..\RunServices: [sklrr7y5688178] C:\WINDOWS\system32\sklrr7y5688178.exe O4 - HKLM\..\RunServices: [sklrr7y2715978] C:\WINDOWS\system32\sklrr7y2715978.exe O4 - HKLM\..\RunServices: [cjnr4r46193640] C:\WINDOWS\system32\cjnr4r46193640.exe O4 - HKLM\..\RunServices: [nlkfev77533962] C:\WINDOWS\system32\nlkfev77533962.exe O4 - HKLM\..\RunServices: [sklrr7y6312728] C:\WINDOWS\system32\sklrr7y6312728.exe O4 - HKLM\..\RunServices: [cjnr4r43337735] C:\WINDOWS\system32\cjnr4r43337735.exe O4 - HKLM\..\RunServices: [sklrr7y8168548] C:\WINDOWS\system32\sklrr7y8168548.exe O4 - HKLM\..\RunServices: [sklrr7y1871983] C:\WINDOWS\system32\sklrr7y1871983.exe O4 - HKLM\..\RunServices: [sklrr7y7508933] C:\WINDOWS\system32\sklrr7y7508933.exe O4 - HKLM\..\RunServices: [nlkfev71825087] C:\WINDOWS\system32\nlkfev71825087.exe O4 - HKLM\..\RunServices: [nlkfev73246982] C:\WINDOWS\system32\nlkfev73246982.exe O4 - HKLM\..\RunServices: [dior4f47282931] C:\WINDOWS\system32\dior4f47282931.exe O4 - HKLM\..\RunServices: [nlkfev75326202] C:\WINDOWS\system32\nlkfev75326202.exe O4 - HKLM\..\RunServices: [mlsdf8h8887034] C:\WINDOWS\system32\mlsdf8h8887034.exe O4 - HKLM\..\RunServices: [dior4f43695691] C:\WINDOWS\system32\dior4f43695691.exe O4 - HKLM\..\RunServices: [nlkfev74649652] C:\WINDOWS\system32\nlkfev74649652.exe O4 - HKLM\..\RunServices: [cjnr4r44112275] C:\WINDOWS\system32\cjnr4r44112275.exe O4 - HKLM\..\RunServices: [sklrr7y2746243] C:\WINDOWS\system32\sklrr7y2746243.exe O4 - HKLM\..\RunServices: [mlsdf8h1076759] C:\WINDOWS\system32\mlsdf8h1076759.exe O4 - HKLM\..\RunServices: [cjnr4r43726670] C:\WINDOWS\system32\cjnr4r43726670.exe O4 - HKLM\..\RunServices: [mlsdf8h2532124] C:\WINDOWS\system32\mlsdf8h2532124.exe O4 - HKLM\..\RunServices: [cjnr4r44741090] C:\WINDOWS\system32\cjnr4r44741090.exe O4 - HKLM\..\RunServices: [mlsdf8h7618944] C:\WINDOWS\system32\mlsdf8h7618944.exe O4 - HKLM\..\RunServices: [mlsdf8h8742639] C:\WINDOWS\system32\mlsdf8h8742639.exe O4 - HKLM\..\RunServices: [cjnr4r43416115] C:\WINDOWS\system32\cjnr4r43416115.exe O4 - HKLM\..\RunServices: [cjnr4r47649280] C:\WINDOWS\system32\cjnr4r47649280.exe O4 - HKLM\..\RunServices: [sklrr7y3730863] C:\WINDOWS\system32\sklrr7y3730863.exe O4 - HKLM\..\RunServices: [cjnr4r43236485] C:\WINDOWS\system32\cjnr4r43236485.exe O4 - HKLM\..\RunServices: [dior4f49385346] C:\WINDOWS\system32\dior4f49385346.exe O4 - HKLM\..\RunServices: [sklrr7y6004428] C:\WINDOWS\system32\sklrr7y6004428.exe O4 - HKLM\..\RunServices: [sklrr7y996773] C:\WINDOWS\system32\sklrr7y996773.exe O4 - HKLM\..\RunServices: [sklrr7y1053608] C:\WINDOWS\system32\sklrr7y1053608.exe O4 - HKLM\..\RunServices: [mlsdf8h7611949] C:\WINDOWS\system32\mlsdf8h7611949.exe O4 - HKLM\..\RunServices: [cjnr4r497715] C:\WINDOWS\system32\cjnr4r497715.exe O4 - HKLM\..\RunServices: [A2E1F63A] C:\WINDOWS\system32\nlkfev77134272.exe Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis. ________ Open notepad. Copy and paste the text inside the Code Box below into Notepad Choose File > Save As and under "Save as type", choose "All Files". Type fix.bat in the File name and save it to your desktop. Code: @echo off if [%1]==[2B] goto 2B copy /y %systemdrive%\SDFix\catchme.exe %windir%>nul attrib -s -h -r %systemdrive%\SDFix\apps copy /y %systemdrive%\SDFix\apps\swreg.exe %windir%>nul copy /y %systemdrive%\SDFix\apps\swsc.exe %windir%>nul for %%g in ( "C:\WINDOWS\system32\msnat.exe" "C:\windows\winsysupd.exe" "C:\WINDOWS\system32\httskm.exe" "C:\WINDOWS\system32\sysdamp.exe" "C:\WINDOWS\system32\iphttphl2.dll" "C:\uxgq.exe" "C:\WINDOWS\system32\xpdx.sys" "C:\DOCUME~1\Tomek\LOCALS~1\Temp\laf9B.tmp" ) do ( catchme -k %%g )>nul for %%g in ( "C:\WINDOWS\system32\edcA17" "C:\WINDOWS\system32\ardCo17" "C:\Documents and Settings\All Users\Application Data\GLOBALDOG64CHIC" "C:\DOCUME~1\User\APPLIC~1\antielse" "C:\Program Files\webHancer" "C:\Program Files\Video ActiveX Access" ) do ( rd /s/q %%g )>nul for %%g in ( "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices" "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\04cg0ryk.dll" "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\64 CHIC FAST TRAY" "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Biasheart" "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion" "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winsysupd" "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent" "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\httskm" ) do ( swreg delete %%g /f )>nul swreg add "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices" swreg add "hklm\software\microsoft\windows\currentversion\runonce" /v "Kill" /d ""%comspec%" /c %~s0 2B" pause "%systemdrive%\SDFix\apps\restartit!.exe" /reboot exit :2B for %%g in ( "C:\WINDOWS\system32\msnat.exe" "C:\windows\winsysupd.exe" "C:\WINDOWS\system32\httskm.exe" "C:\WINDOWS\system32\sysdamp.exe" "C:\WINDOWS\system32\iphttphl2.dll" "C:\uxgq.exe" "C:\WINDOWS\system32\xpdx.sys" "C:\DOCUME~1\Tomek\LOCALS~1\Temp\laf9B.tmp" ) do ( del /a/f/q %%g )>nul swsc stop xpdx>nul swsc stop MSNAT>nul swsc stop mp32>nul swsc delete xpdx>nul swsc delete MSNAT>nul swsc delete mp32>nul pause exit Locate Fix.bat on your Desktop and double-click on it. _________ Download ATF Cleaner by Atribune Important: Make sure all your browsers are closed before running ATF Cleaner.. Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose:Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE:If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. Please do an online scan with Kaspersky WebScanner Warning: If you had kaspersky online scanner installed before 10-5-2007, please uninstall it as kaspersky released a new version. Previous version had a serious flaw which could result in a buffer overflow. You will be promted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Extended (if available otherwise Standard) Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post. Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%. On your next reply, please include a fresh DSS main.txt log kaspersky scan log __________________ UNITE and ASAP since 2006 If we have helped you, please consider donating. The past won't be able to hurt you unless you keep on looking back at it. Last edited by Angelfire777; 01-21-2008 at 12:43 AM.