Old 03-11-2007, 03:10 PM   #1 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 39
OS: WinXP Home Edition


trojan.vundo

Got a virus. Can't get rid of it. Downloaded "fixVundo" and also Vundobegone. Neither one worked. Both said they fixed the registry, but as soon as I restart the computer, the virus is back. Can you help?
jrdinohio is offline  
Old 03-12-2007, 11:36 PM   #2 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 39
OS: WinXP Home Edition


Re: trojan.vundo

My problem is now worse. I ran Norton AntiVirus and it found 6 viruses, but it still states it cannot delete or quarantine trojan.vundo. I try to run "fixVundo" and it makes Norton put a virus alert on the screen which I cannot stop. It causes the processor to work constantly, which slows my computer to a snail's pace. It took 45 minutes to get connected to this site. I have run HijackThis. Here is the log file.

Logfile of HijackThis v1.99.1
Scan saved at 1:34:14 AM, on 3/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Common Files\svchost.exe
C:\PROGRA~1\ACDSYS~1\ACDSee\CAMDET~1.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\ACDSee\CAMDET~1.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\tfrubvep.dll",setvm
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Microsoft WFC Forms Designer - file://D:\VJ98\wfcforms.cab
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://D:\VJ98\vstudio6.cab
O16 - DPF: WebWorks Help 3.0 - file://D:\Doc\Documentation\WebDoc\wwhelp3.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173490143758
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wincjf32 - C:\WINDOWS\SYSTEM32\wincjf32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


Can anyone help?
jrdinohio is offline  
Old 03-12-2007, 11:50 PM   #3 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 39
OS: WinXP Home Edition


Re: trojan.vundo

Here is additional information. This is the file Norton cannot delete, and neither can I. It says access denied when I try to delete it manually.

"The file C\Windows\system32\tfrubvep.dll is infected with the Trojan.Vundo virus."
jrdinohio is offline  
Old 03-14-2007, 11:13 AM   #4 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 39
OS: WinXP Home Edition


Re: trojan.vundo

Well, I guess this is thanks for nothing. Still got my problem. According to the main page my post has 25 "views" but 0 replies. I'll try and post on some other forum.
jrdinohio is offline  
Old 03-18-2007, 01:42 PM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,432
OS: 2000 Pro; XP Pro; XP Home


Re: trojan.vundo

Sorry, jrdinohio -

As you can see, the forum is swamped. Sometimes replying to your own thread is an indication to helpers it's being handled already. Sometimes, views come from other members with similar issues trying to find a DIY fix. Hence, no posts.

If you still require assistance with this issue, and since it's been a few days since your last log, please do this:

Download ComboScan to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on comboscan.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - ComboScan.txt <- this one will be maximized, and Supplementary.txt <- this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt here.
  5. Please attach Supplementary.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\ComboScan\Supplementary.txt
  3. Click Upload.

What ComboScan will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. ComboScan automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Old 03-26-2007, 08:30 AM   #6 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 39
OS: WinXP Home Edition


Re: trojan.vundo

Thanks for answering. Things have gotten worse. Here is what is happening.

First:

I downloaded Combo Scan. I ran it. It goes to Enumerating System Restore Points and I get the following error:

AutoIt Error
Line 0 (File "C:\Documents and Settings\Jim Dodge\My Documents\New Folder\comboscan.exe"):

Local $colRP = $objWMI.InstanceOf("SystemRestore")
Local $colRP = $objWMI^ERROR

Error variable must be of type "Object".

My only choice is the radio button "OK". When I choose that, comboscan quits.

Second:

I now have Smitfraud-C.Toolbox888 and I cannot get rid of it either. Every time I run Spybot, it detects it, says it deletes it, but it comes back the very next time I access the Internet. I downloaded Smitfraudfix but it doesn't clean it either.

Got a heck of a mess. Realize you must be quite busy and sorry for venting my frustrations earlier. Been trying to get this computer back for about three weeks now. Pretty frustrating because whatever I have seems to take over the operating system and it takes forever to get a program to run. Took me almost 20 minutes to get my browser to open.

Any help will be appreciated.
jrdinohio is offline  
Old 03-26-2007, 10:04 AM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,432
OS: 2000 Pro; XP Pro; XP Home


Re: trojan.vundo

ComboScan has been superseded by Deckard's System Scanner.

Please do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

If for some reason DSS does not run to completion (but only if), post a new HijackThis log.

---------------------------------------------------------------------------------------------

Also, please do this:

If you have SmitfraudFix already, delete it.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click smitfraudfix.exe to start the tool.
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!
tetonbob is offline  
Old 03-26-2007, 03:26 PM   #8 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 39
OS: WinXP Home Edition


Re: trojan.vundo

Deckard's System Scanner v20070318.32
Run by Jim Dodge on 2007-03-26 at 17:04:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create System Restore WMI object; error code: 0x80040154
Performed disk cleanup.


-- HijackThis (run as Jim Dodge.exe) -------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:09:59 PM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\ACDSYS~1\ACDSee\CAMDET~1.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jim Dodge\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Jim Dodge.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C1477C48-8FB0-F460-F1AF-B2DEBDC208C0} - C:\WINDOWS\system32\rygg.dll (file missing)
O2 - BHO: (no name) - {DD3AB79A-BF46-4B54-8A47-FC6AB818AC42} - C:\WINDOWS\system32\cbxur.dll
O2 - BHO: (no name) - {E3D8E2D7-A44E-46C3-B042-679A98504BE5} - C:\WINDOWS\system32\rqrqnkk.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\ACDSee\CAMDET~1.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\avirqkjx.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Microsoft WFC Forms Designer - file://D:\VJ98\wfcforms.cab
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://D:\VJ98\vstudio6.cab
O16 - DPF: WebWorks Help 3.0 - file://D:\Doc\Documentation\WebDoc\wwhelp3.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173490143758
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: cbxur - C:\WINDOWS\system32\cbxur.dll
O20 - Winlogon Notify: rqrqnkk - C:\WINDOWS\SYSTEM32\rqrqnkk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wincjf32 - C:\WINDOWS\SYSTEM32\wincjf32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20070311-162944-157 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
backup-20070311-162944-203 O2 - BHO: (no name) - {58FEFD53-F29E-1E0A-7642-041359EF49AA} - C:\WINDOWS\system32\jrvelvi.dll
backup-20070311-162944-456 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
backup-20070311-162944-623 O2 - BHO: (no name) - {941F2D1F-82E1-F763-F1AF-B2DEBDC20EC6} - C:\WINDOWS\system32\ytcrghf.dll (file missing)
backup-20070311-162944-863 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
backup-20070311-162944-890 O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\xkrxcqpy.dll (file missing)

-- File Associations -----------------------------------------------------------

.bat - batfile - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

2 ADSEXPB (ADS DVD Xpress B) - c:\windows\system32\drivers\adsexpb.sys
3 AdWatchDrv (AW Realtime Driver) - c:\windows\system32\drivers\awrtpd.sys (file missing)
3 ALiIRDA (ALi Infrared Device Driver) - c:\windows\system32\drivers\aliirda.sys
3 allegro (ESS Allegro Audio Driver (WDM)) - c:\windows\system32\drivers\es198x.sys
3 atimpab - c:\windows\system32\drivers\atimpab.sys
3 AWINDIS5 (AWINDIS5 Protocol Driver) - c:\windows\system32\awindis5.sys
1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
3 BCM43XX (HP WLAN 54g W450 Network Adapter Driver) - c:\windows\system32\drivers\bcmwl5.sys
0 caboagp (ATI Cabo AGP Filter) - c:\windows\system32\drivers\atisgkaf.sys
3 CALIAUD (Conexant AMC 3D Environmental Audio) - c:\windows\system32\drivers\caliaud.sys
3 CALIHALA - c:\windows\system32\drivers\calihal.sys
2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys
3 CE3 (Xircom Ethernet Adapter 10/100 Service) - c:\windows\system32\drivers\ce3n5.sys
3 DirectPort - c:\windows\system32\drivers\directport.sys
3 DKbFltr (Dritek HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\dkbfltr.sys
3 DP83815 (National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver) - c:\windows\system32\drivers\dp83815.sys
3 HPCI (HP Configuration Interface) - c:\windows\system32\drivers\hpci.sys
3 HSFHWALI - c:\windows\system32\drivers\hsfhwali.sys
3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys
3 HSF_DPV - c:\windows\system32\drivers\hsf_dpv.sys
2 irda (IrDA Protocol) - c:\windows\system32\drivers\irda.sys
2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys
3 MODEMCSA (Unimodem Streaming Filter Device) - c:\windows\system32\drivers\modemcsa.sys
3 NETGEAR_WG511_SERVICE (NETGEAR WG511T Wireless Adapter Service) - c:\windows\system32\drivers\wg511nd5.sys
3 Rasirda (WAN Miniport (IrDA)) - c:\windows\system32\drivers\rasirda.sys
3 wandrv (WAN Network Driver) - c:\windows\system32\drivers\wandrv.sys
3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys
3 WinPhlash - c:\swsetup\sp27050\phlashnt.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe
2 HPConfig (HP Configuration Interface Service) - c:\windows\system32\hpconfig.exe
2 HPWirelessMgr - c:\program files\hpq\notebook utilities\hpwirelessmgr.exe
2 Irmon (Infrared Monitor) - c:\windows\system32\svchost.exe
3 WmcCdsLs (Windows Media Connect (WMC) Helper) - c:\program files\windows media connect\mswmcls.exe


-- Scheduled Tasks -------------------------------------------------------------

2007-03-26 14:51:06 366 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job<SYMANT~1.JOB>
2006-02-14 11:57:00 324 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1131897237.job<FRUTAS~1.JOB>


-- Files created between 2007-02-26 and 2007-03-26 -----------------------------

2007-03-26 11:55:39 123972 --a------ C:\WINDOWS\system32\avirqkjx.dll
2007-03-26 11:51:39 1233962 ---hs---- C:\WINDOWS\system32\ruxbc.bak1<RUXBC~1.BAK>
2007-03-26 11:51:14 280676 ---hs---- C:\WINDOWS\system32\cbxur.dll
2007-03-26 11:51:13 280676 ---hs---- C:\WINDOWS\system32\ddayv.dll
2007-03-26 11:45:43 85504 --a------ C:\WINDOWS\system32\vzoiukc.dll
2007-03-26 11:45:22 26697 --a------ C:\WINDOWS\system32\rqrqnkk.dll
2007-03-26 08:53:26 2944 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-22 09:34:00 0 d-------- C:\Program Files\FolderShare<FOLDER~1>
2007-03-20 15:20:54 0 --a------ C:\Documents and Settings\Jim Dodge\tasklist
2007-03-13 07:58:20 23352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-03-13 07:58:18 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-03-13 07:58:16 31560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-03-13 07:57:38 94424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-03-13 07:57:38 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-03-13 07:56:49 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-03-13 07:56:49 689280 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-03-13 07:56:17 0 d-------- C:\Program Files\Alwil Software<ALWILS~1>
2007-03-13 07:01:42 81408 --a------ C:\WINDOWS\system32\bumyrkb.dll
2007-03-13 01:55:18 0 d-------- C:\Program Files\NoAdware5.0<NOADWA~1.0>
2007-03-11 21:14:55 319040 --a------ C:\WINDOWS\system32\drivers\wg511nd5.sys
2007-03-11 21:14:55 0 d-------- C:\Program Files\NETGEAR
2007-03-11 15:21:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-03-11 12:48:34 1126159 --ahs---- C:\WINDOWS\system32\xacdd.bak2<XACDD~2.BAK>
2007-03-10 20:46:51 80896 --a------ C:\WINDOWS\system32\xwxytz.dll
2007-03-10 12:51:29 127208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-03-10 12:46:00 1185932 --ahs---- C:\WINDOWS\system32\xacdd.bak1<XACDD~1.BAK>
2007-03-10 12:34:08 2 --a------ C:\WINDOWS\system32\wnstssu.exe
2007-03-10 12:33:42 0 d-------- C:\Program Files\Common Files\?asks
2007-03-10 12:31:33 80896 --a------ C:\WINDOWS\system32\jsdsibi.dll
2007-03-10 12:30:55 20480 --a------ C:\WINDOWS\system32\wincjf32.dll
2007-03-10 12:26:31 0 d-------- C:\Documents and Settings\All Users\Application Data\4D
2007-03-08 13:01:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-03-07 17:04:04 0 d-------- C:\Program Files\Mightyfax<MIGHTY~1>


-- Find3M Report ---------------------------------------------------------------

2007-03-26 11:35:44 0 d-------- C:\Program Files\Mozilla Thunderbird<MOZILL~2>
2007-03-24 22:13:02 2213 --a------ C:\Documents and Settings\Jim Dodge\Application Data\BestModePatch_RubenMain.log<BESTMO~1.LOG>
2007-03-22 11:00:52 0 d-------- C:\Documents and Settings\Jim Dodge\Application Data\Adobe
2007-03-22 10:57:51 0 d-------- C:\Program Files\Common Files\Adobe
2007-03-13 08:04:50 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-03-13 08:04:31 0 d-------- C:\Program Files\Symantec
2007-03-12 21:14:05 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-03-11 21:14:54 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-11 19:54:35 0 d---s---- C:\Documents and Settings\Jim Dodge\Application Data\Microsoft<MICROS~1>
2007-03-11 19:47:57 0 d-------- C:\Program Files\Lavasoft
2007-03-07 21:34:59 1793 --a------ C:\Documents and Settings\Jim Dodge\Application Data\HPCOM_48BitScanUpdate.log<HPCOM_~1.LOG>
2007-03-07 16:53:14 0 d-------- C:\Documents and Settings\Jim Dodge\Application Data\LimeWire
2007-02-17 00:57:46 10273 --a------ C:\WINDOWS\mozver.dat
2007-02-17 00:54:29 0 d-------- C:\Program Files\Java
2007-02-12 13:53:22 0 d-------- C:\Program Files\HealthMonitor<HEALTH~1>
2007-02-12 13:47:34 249856 -----n--- C:\WINDOWS\Setup1.exe
2007-02-12 13:46:44 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-02-07 00:10:32 0 d-------- C:\Program Files\PerfMon2x<PERFMO~1>
2007-02-01 11:04:10 0 d-------- C:\Program Files\Google
2007-02-01 10:51:03 0 d-------- C:\Program Files\MSBuild
2007-02-01 10:31:56 0 d-------- C:\Program Files\Reference Assemblies<REFERE~1>
2007-01-26 23:10:42 0 d-------- C:\Program Files\TimeLeft3<TIMELE~1>
2007-01-24 16:27:30 255848 --a------ C:\WINDOWS\system32\xactengine2_6.dll<XA3066~1.DLL>
2007-01-15 17:59:42 246864 --a------ C:\Documents and Settings\Jim Dodge\Application Data\GDIPFONTCACHEV1.DAT<GDIPFO~1.DAT>
2007-01-10 11:18:47 4 --a------ C:\WINDOWS\Pix11.dat
2007-01-08 20:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-08 16:30:42 15128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll<X3DAUD~2.DLL>
2007-01-04 14:39:03 122880 --a------ C:\WINDOWS\system32\pdfmona.dll
2007-01-04 14:39:03 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll<PDF995~1.DLL>


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SkinClock"="C:\\Program Files\\Free Desktop Clock\\DesktopClock.exe"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QT4HPOT"="C:\\Program Files\\HPQ\\One-Touch\\OneTouch.EXE"
"PreloadApp"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"Camera Detector"="C:\\PROGRA~1\\ACDSYS~1\\ACDSee\\CAMDET~1.EXE"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"googletalk"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe /autostart"
"CARPService"="carpserv.exe"
"AS00_Gear511"="C:\\Program Files\\NETGEAR\\WG511SCU\\Utility\\Gear511.exe -hide"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SoundService"="rundll32.exe \"C:\\WINDOWS\\system32\\avirqkjx.dll\",setvm"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0ACA16FE-1AB6-4CE2-A33C-A5DAC5B8F782}"=""
"{E3D8E2D7-A44E-46C3-B042-679A98504BE5}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxur
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqnkk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wincjf32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-03-26 at 17:13:01 ---------

Here is SMITFRAUD file

SmitFraudFix v2.157

Scan done at 17:22:34.51, Mon 03/26/2007
Run from C:\Documents and Settings\Jim Dodge\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jim Dodge


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jim Dodge\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JIMDOD~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
Attached Files
File Type: txt extra.txt (15.8 KB, 1 views)
jrdinohio is offline  
Old 03-26-2007, 05:17 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,432
OS: 2000 Pro; XP Pro; XP Home


Re: trojan.vundo

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Download combofix from one of these locations:

    * IMPORTANT !!! Place it on your Desktop.

  2. Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
    "%userprofile%\desktop\combofix.exe" /v wincjf32 rqrqnkk cbxur vzoiukc ddayv avirqkjx ddcax rygg
  3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0ACA16FE-1AB6-4CE2-A33C-A5DAC5B8F782}"=-
"{E3D8E2D7-A44E-46C3-B042-679A98504BE5}"=-


Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:

Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------

Please go to: VirusTotal
  • At the top of the page you'll find a "Browse" button. On the left of the Browse button is an empty box. Copy and paste the following into that box.

    C:\WINDOWS\system32\jsdsibi.dll

  • Then click the "Send" button at the top of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Then repeat as above for the following files in BOLD:

    C:\WINDOWS\system32\bumyrkb.dll
  • Once scanned, copy and paste the results in your next reply.


---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with results from:

ComboFix (C:\ComboFix.txt)
VirusTotal scans
New HijackThis log
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
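As an added triage example (not from the thread, DSS or ComboFix), the script below does what the helper did by hand above: it correlates the "Files created" section of a DSS log with its registry dump, flagging Run entries that rundll32 a freshly created system32 DLL, Winlogon Notify packages named after such DLLs, and ShellExecuteHooks CLSIDs outside an allowlist, and then emits the same REGEDIT4 deletion file tetonbob asked for. The sample text is constructed from lines of the log posted above; the all-zero CLSID and the allowlist are assumed placeholders.

```python
import re
# Constructed excerpts of the DSS log posted above ("Files created" and "Registry Dump").
FILES_CREATED = r"""
2007-03-26 11:55:39 123972 --a------ C:\WINDOWS\system32\avirqkjx.dll
2007-03-26 11:51:14 280676 ---hs---- C:\WINDOWS\system32\cbxur.dll
2007-03-26 11:45:22 26697 --a------ C:\WINDOWS\system32\rqrqnkk.dll
2007-03-13 07:58:20 23352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
"""
REGISTRY_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SoundService"="rundll32.exe \"C:\\WINDOWS\\system32\\avirqkjx.dll\",setvm"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{00000000-0000-0000-0000-000000000001}"=""
"{0ACA16FE-1AB6-4CE2-A33C-A5DAC5B8F782}"=""
"{E3D8E2D7-A44E-46C3-B042-679A98504BE5}"=""
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxur
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqnkk
"""
# Assumed allowlist of legitimate hooks; the all-zero CLSID is a constructed placeholder.
KNOWN_HOOKS = {"{00000000-0000-0000-0000-000000000001}"}
SHELLHOOKS = r"software\microsoft\windows\currentversion\explorer\shellexecutehooks"
def recent_system32_dlls(files_section):
    """Base names of DLLs created directly in system32 within the report window."""
    pattern = r"C:\\WINDOWS\\system32\\([^\\\s]+)\.dll$"
    return {m.group(1).lower() for m in re.finditer(pattern, files_section, re.M | re.I)}

def triage(files_section, registry_dump):
    """Correlate new system32 DLLs with persistence points; return (findings, bad_hook_clsids)."""
    new_dlls, findings, bad_hooks, key = recent_system32_dlls(files_section), [], [], ""
    for line in registry_dump.splitlines():
        if line.startswith("["):                      # start of a new key in the dump
            key = line.strip("[]").lower()
        elif "\\winlogon\\notify\\" in line.lower():  # bare Notify subkey line
            pkg = line.rsplit("\\", 1)[1].lower()
            if pkg in new_dlls:
                findings.append(f"Winlogon Notify package {pkg} maps to a just-created system32 DLL")
        elif (m := re.match(r'"([^"]+)"="(.*)"$', line)):  # "name"="value" line
            name, value = m.groups()
            if key.endswith("\\currentversion\\run") and "rundll32" in value.lower():
                dll = re.search(r"system32\\\\([^\\\\\"]+)\.dll", value, re.I)
                if dll and dll.group(1).lower() in new_dlls:
                    findings.append(f"Run entry {name} loads new DLL {dll.group(1)} via rundll32")
            elif key.endswith(SHELLHOOKS) and name not in KNOWN_HOOKS:
                bad_hooks.append(name)            # unrecognised ShellExecuteHook CLSID
    return findings, bad_hooks

def deletion_reg(clsids):
    body = "\n".join(f'"{c}"=-' for c in clsids)  # '=-' deletes the value, as in delete.reg
    return f"REGEDIT4\n\n[HKEY_LOCAL_MACHINE\\{SHELLHOOKS}]\n{body}\n"
```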
Old 03-26-2007, 07:42 PM   #10 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 39
OS: WinXP Home Edition


Re: trojan.vundo

I ran into big problems. Did exactly as directed. Downloaded combofix to desktop, closed all browsers, copied line for run box and executed. Combofix ran until it got to restart of windows. I got an error box that stated "Windows unable to run combofix.bat." While I was trying to decide what to do, windows restarted. At start up the error message came up again and it asked to try to find help on internet or if it should be opened by windows program. Didn't know what to do so I hit cancel. Then I get an error box which said "ERROR: RUNDLL" and it gave a file it was unable to run. Only choice was "OK" and when I did that, combofix terminated and no log was produced. Do I need to redo it or do it in a different way? Should I continue without the log? HELP
jrdinohio is offline  
Old 03-26-2007, 08:17 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,432
OS: 2000 Pro; XP Pro; XP Home


Re: trojan.vundo

Ok, I see what we need to do.

I have attached a file to this post - batfileopen.zip Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry.

Look for and delete the C:\ComboFix folder.

Then, run DSS once again, using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
"%userprofile%\desktop\dss.exe" /config
Tick Main Log, and File Associations.

Click Scan!

When finished, it shall produce a log for you. Post that log in your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.

Last edited by tetonbob : 03-26-2007 at 10:51 PM.