Old 09-02-2006, 09:27 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2004
Posts: 42
OS: XP pro


Limewire poison, severe infection

I recently downloaded something on LimeWire, and now I have the Smitfraud-C spyware and several regs that cannot be deleted through Ad-Aware or Spybot. I am running Windows XP SP2. I have a problem where LimeWire and Shareaza open up on startup every time the machine is restarted. If I close them they seem to run again; I checked my startup items and I do not see anything related to LimeWire or Shareaza. When I turned off selective startup, it was almost impossible for me to make a HijackThis log, but I managed to make one. I don't know if this is important, but an unknown program called "batty2.exe" failed to execute before I made a scan with HijackThis.
Logfile of HijackThis v1.99.1
Scan saved at 10:59:37 PM, on 9/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\win3211-1596204314.exe
C:\WINDOWS\TmlnZ2E\command.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\Ctsvccda.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\winupdate\winupdate.exe
C:\WINDOWS\system32\MrobeService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\sys11-1596204314.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\thiselt.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\WINDOWS\ms046204314-159.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Common Files\{A0DBDAE6-0BB2-1033-1121-030527030001}\Update.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Common Files\rizr\rizrm.exe
C:\Program Files\PSLister\PSLister.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\WINDOWS\system32\crunner\cproc.exe
C:\Program Files\CMFibula\CMFibula.exe
C:\Program Files\OLYMPUS\m-trip\Bin\m-tripLauncher.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Documents and Settings\dude\Start Menu\Programs\Startup\Adobe Gamma Loader.exe
C:\Program Files\Metacafe\MetacafeAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\limewire\limewire.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\shareaza\shareaza.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Alwil Software\Avast4\setup\avast01.setup
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\alkvl.exe
F2 - REG:system.ini: UserInit=userinit.exe,kgravrx.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsm58.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [DAEMON Tools] C:\Program Files\DAEMON Tools\daemon.exe -lang 1033
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ ] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [ ] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [win3211-1596204314] C:\WINDOWS\win3211-1596204314.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [wjke5037] RUNDLL32.EXE w00409c0.dll,n 003e50340000000300409c0
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sys11-1596204314] C:\WINDOWS\sys11-1596204314.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [ms0604314-15962] C:\WINDOWS\ms0604314-15962.exe
O4 - HKLM\..\Run: [ms046204314-159] C:\WINDOWS\ms046204314-159.exe
O4 - HKLM\..\Run: [loaddr] c:\topaff.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_15.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_15.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Simp] C:\Program Files\Secway\SimpLite-AIM 2.1\SimpLite-AIM.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKCU\..\Run: [rizr] C:\Program Files\Common Files\rizr\rizrm.exe
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - HKCU\..\Run: [CMFibula] "C:\Program Files\CMFibula\CMFibula.exe"
O4 - Startup: Adobe Gamma Loader.exe
O4 - Startup: MetaCafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Startup: TA_Start.lnk = C:\TIGEN001.exe
O4 - Global Startup: m-trip Launcher.lnk = ?
O4 - Global Startup: MetaCafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Global Startup: svchost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O20 - AppInit_DLLs: BattyRun2.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\dnskperf.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmlnZ2E\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\Ctsvccda.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: MrobeService - OLYMPUS IMAGING CORP. - C:\WINDOWS\system32\MrobeService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WUSB54GSv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GSv2.exe (file missing)
Old 09-02-2006, 10:14 PM   #2 (permalink)
TSF Enthusiast
 
 
Join Date: Apr 2006
Location: Kolkata, India
Posts: 2,068
OS: WinXP Pro SP3

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please be patient with me during this time.
__________________
Registered Linux user #426065
Old 09-03-2006, 01:36 PM   #3 (permalink)
TSF Enthusiast
 
 
Join Date: Apr 2006
Location: Kolkata, India
Posts: 2,068
OS: WinXP Pro SP3


Hello and welcome to TSF.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

P2P - I see you have P2P software (LimeWire and Shareaza) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections, as you are already aware from how it is contributing to your current situation. This page will give you further information.


Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.
________________________________________________________

Please download Cleanup! and install it. You will use this later. Do not install it if you are using the 64-bit version of Windows.

*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.


Download Ewido Anti-Malware
  • Install Ewido Anti-Malware
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT Ewido anti-spyware. Do Not run a scan just yet, we will shortly.

Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (C:\BFU).

Do not do anything with these yet!
_______________________________________________________________

Go to Start > Run and type Services.msc then hit Ok
Scroll down and find the below service:

Command Service(cmdService)

When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.

Open HijackThis, click on None of the above, just start the program. Now, click on the Config button (bottom right), click on Misc Tools, then click on Delete an NT Service. A window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

cmdService

Click OK.
_________________________________________________________

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

CMFibula
winupdate
batty2
PSLister


Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\alkvl.exe
F2 - REG:system.ini: UserInit=userinit.exe,kgravrx.exe
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsm58.dll
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [win3211-1596204314] C:\WINDOWS\win3211-1596204314.exe
O4 - HKLM\..\Run: [wjke5037] RUNDLL32.EXE w00409c0.dll,n 003e50340000000300409c0
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [ms0604314-15962] C:\WINDOWS\ms0604314-15962.exe
O4 - HKLM\..\Run: [ms046204314-159] C:\WINDOWS\ms046204314-159.exe
O4 - HKLM\..\Run: [sys11-1596204314] C:\WINDOWS\sys11-1596204314.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [loaddr] c:\topaff.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_15.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_15.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKCU\..\Run: [rizr] C:\Program Files\Common Files\rizr\rizrm.exe
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - HKCU\..\Run: [CMFibula] "C:\Program Files\CMFibula\CMFibula.exe"
O4 - Startup: TA_Start.lnk = C:\TIGEN001.exe
O4 - Global Startup: m-trip Launcher.lnk = ?
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O20 - AppInit_DLLs: BattyRun2.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\dnskperf.dll (file missing)


Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\system32\nsm58.dll
C:\WINDOWS\Duce6.exe
C:\WINDOWS\win3211-1596204314.exe
C:\Program Files\winupdate
C:\WINDOWS\ms0604314-15962.exe
C:\WINDOWS\ms046204314-159.exe
C:\WINDOWS\sys11-1596204314.exe
C:\WINDOWS\thiselt.exe
c:\topaff.exe
c:\kybrdff_15.exe
c:\dfndrff_15.exe
C:\Program Files\Common Files\rizr
C:\Program Files\PSLister
C:\WINDOWS\system32\crunner
C:\Program Files\CMFibula
O4 - Startup: TA_Start.lnk = C:\TIGEN001.exe
C:\WINDOWS\system32\dnskperf.dll
C:\WINDOWS\TmlnZ2E
BattyRun2.dll
- Find via Start>Search
_________________________________________________________

Cleanup!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program.

Do not logoff or reboot when prompted.


Ewido

Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).


BFU

Please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Beside the scriptline to execute field click the folder icon and select alcanshorty.bfu by double clicking on it.
  • Press Execute and let it do its job. (You ought to see a blue progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.

Reboot your system in Normal Mode.

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  • Click Check Now and a "pop up" window will appear.*Please ensure that your pop up blocker doesn't block it*
  • Enter your e-mail address, country, and state & click Scan Now *The 8 MB Panda ActiveX control will be downloaded*
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Please provide the following logs with your next post:

Ewido
Panda Scan
HijackThis (A fresh one)


Please let me know about your system's overall behaviour.
__________________
Registered Linux user #426065
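The fix above is built by reading the HijackThis log section by section and picking out the entries that do not belong: extra programs on the system.ini Shell= and UserInit= lines, a BHO living in system32, Run keys pointing at randomly named files in C:\WINDOWS or C:\, sites added to the IE Trusted Zone, an AppInit_DLLs entry, an orphaned Winlogon Notify DLL, and a service whose binary sits in an odd subfolder of the Windows directory. The script below is an added example of doing that triage automatically; it is not part of this post and not a HijackThis tool. The sample lines are copied from the first log in this thread, C:\WINDOWS is assumed as the system root, and the flagging rules are this example's own heuristics for a helper's first pass, not a verdict on any entry.

```python
"""Triage a HijackThis v1.99 log for the autostart tampering seen in this thread.

Added example; not from the original post and not part of HijackThis.
The rules below are heuristics a helper applies on a first read of a log.
"""
import re
from typing import List, NamedTuple

# Constructed sample: lines copied from the first log in this thread, including
# a few benign entries so the rules have something to pass over.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\alkvl.exe
F2 - REG:system.ini: UserInit=userinit.exe,kgravrx.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsm58.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [win3211-1596204314] C:\WINDOWS\win3211-1596204314.exe
O4 - HKLM\..\Run: [loaddr] c:\topaff.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O15 - Trusted Zone: *.elitemediagroup.net
O20 - AppInit_DLLs: BattyRun2.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\dnskperf.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmlnZ2E\command.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

WINDIR = r"c:\windows"  # assumed system root; the log's own paths use C:\WINDOWS
SYSTEM_DIRS = {WINDIR, WINDIR + r"\system32", WINDIR + r"\system"}


class Finding(NamedTuple):
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # why the line deserves a closer look
    line: str     # the original log line


def _first_token(command: str) -> str:
    """Program part of a Run-key command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def _dirname(path: str) -> str:
    """Lower-cased directory of a Windows path; 'c:' for a drive-root file."""
    path = path.lower()
    return path.rsplit("\\", 1)[0].rstrip("\\") if "\\" in path else ""


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def triage(log_text: str) -> List[Finding]:
    """Return the log lines that match one of the suspicious-autostart rules."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]

        if section == "F2":
            # Shell= and UserInit= in system.ini should each name exactly one program.
            m = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)", line)
            if m:
                key, value = m.groups()
                expected = "explorer.exe" if key == "Shell" else "userinit.exe"
                extra = [p.strip() for p in value.split(",")
                         if p.strip() and _basename(p.strip()) != expected]
                if extra:
                    findings.append(Finding(section, f"{key} also loads {', '.join(extra)}", line))

        elif section == "O2":
            # Legitimate browser helper objects are almost always under Program Files.
            if _dirname(line.rsplit(" - ", 1)[-1]) in SYSTEM_DIRS:
                findings.append(Finding(section, "BHO DLL sits in the Windows system directory", line))

        elif section == "O4":
            m = re.match(r"O4 - HK(?:LM|CU)\\\.\.\\Run\w*: \[[^\]]*\] (.*)", line)
            if m:
                command = m.group(1)
                if re.search(r"https?://", command, re.IGNORECASE):
                    findings.append(Finding(section, "launches a browser to a URL at logon", line))
                elif _dirname(_first_token(command)) in ("c:", WINDIR):
                    findings.append(Finding(section, "autostart binary lives in the drive or Windows root", line))

        elif section == "O15" and line.startswith("O15 - Trusted Zone:"):
            findings.append(Finding(section, "site added to the IE Trusted Zone", line))

        elif section == "O20":
            if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
                findings.append(Finding(section, "AppInit_DLLs injects a DLL into every process", line))
            elif line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line:
                findings.append(Finding(section, "orphaned Winlogon Notify entry", line))

        elif section == "O23":
            parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                m = re.match(r"(.*?\.exe)", parts[2], re.IGNORECASE)
                d = _dirname(m.group(1)) if m else ""
                # A service binary in an unnamed folder directly under the Windows directory
                if d.startswith(WINDIR + "\\") and not d.startswith(WINDIR + "\\system"):
                    findings.append(Finding(section, "service binary in a non-standard Windows subfolder", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run it against the sample and every line the helper asked to have fixed is reported, while NeroCheck, the Acrobat BHO, iTunes and the NVIDIA service pass through. The point of the rules is to narrow a long log to the handful of lines worth checking by hand; a flagged line still needs the judgement the helper applies above before anything is deleted.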
Old 09-04-2006, 11:32 AM   #4 (permalink)
Registered User
 
Join Date: Dec 2004
Posts: 42
OS: XP pro


Hi, thank you very much for helping me out so far, I am grateful. At the moment my computer's performance is rather good, but Ewido repeatedly picks up something called Downloader.Qoologic.bj, location C:\windows\system32\pjsrcuj.dll. The Ewido report is over 2 megabytes so I am unable to post it. Most of the infections are massive amounts of programs I do not remember buying or installing ever.

Logfile of HijackThis v1.99.1
Scan saved at 1:14:50 PM, on 9/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ctsvccda.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MrobeService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Secway\SimpLite-AIM 2.1\SimpLite-AIM.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\OLYMPUS\m-trip\Bin\m-tripLauncher.exe
C:\Program Files\Metacafe\MetacafeAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\Winamp.exe
C:\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\alkvl.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,kgravrx.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Simp] C:\Program Files\Secway\SimpLite-AIM 2.1\SimpLite-AIM.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: MetaCafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Global Startup: m-trip Launcher.lnk = ?
O4 - Global Startup: MetaCafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\Ctsvccda.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: MrobeService - OLYMPUS IMAGING CORP. - C:\WINDOWS\system32\MrobeService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WUSB54GSv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GSv2.exe (file missing)

Panda Scan

Incident Status Location

Adware:Adware/Qoologic Not disinfected C:\WINDOWS\system32\pjsrcuj.dll
Spyware:spyware/surfsidekick Not disinfected c:\windows\system32\bk.exe
Adware:adware/cashsaver Not disinfected c:\windows\system32\CSUninstall.exe
Adware:adware/mirar Not disinfected c:\windows\system32\WinNB58.dll
Adware:adware/pacimedia Not disinfected C:\Documents and Settings\dude\Desktop\Click to Find and Fix Errors.url
Spyware:spyware/new.net Not disinfected c:\windows\NDNuninstall6_98.exe
Adware:adware/popper Not disinfected c:\windows\offun.exe
Spyware:spyware/media-motor Not disinfected c:\windows\unstall.exe
Adware:adware/commad Not disinfected Windows Registry
Adware:adware/ucontrol Not disinfected Windows Registry
Potentially unwanted tool:application/zango Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}
Spyware:Spyware/SurfSideKick Not disinfected C:\backup\bk.exe
Adware:Adware/ActiveSearch Not disinfected C:\backup\deskbar3.exe
Adware:Adware/QoolAid Not disinfected C:\backup\dmonwv.dll_tobedeleted
Adware:Adware/DollarRevenue Not disinfected C:\backup\install.exe[²ÜÇ\nsProcess.dll]
Adware:Adware/Mytoolbar Not disinfected C:\backup\install.exe[MyToolBar.dll]
Adware:Adware/Mytoolbar Not disinfected C:\backup\install.exe[Activate.exe]
Adware:Adware/Mirar Not disinfected C:\backup\WinNB58.dll
Adware:Adware/2Z0o Not disinfected C:\bintheredunthat\inighdv.exe
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-44eba5ec-5877d365.class
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-3cfa0102-69cb6a12.class
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-35856335-363f00d4.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-35856335-363f00d4.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-35856335-363f00d4.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-35856335-363f00d4.zip[Installer.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-678c1b03-2457b084.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-678c1b03-2457b084.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-678c1b03-2457b084.zip[NewSecurityClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-678c1b03-2457b084.zip[NewURLClassLoader.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-68d0d310-4d3bd429.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-68d0d310-4d3bd429.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-68d0d310-4d3bd429.zip[NewSecurityClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-68d0d310-4d3bd429.zip[NewURLClassLoader.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-cb66fa7-382afa65.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-cb66fa7-382afa65.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-cb66fa7-382afa65.zip[NewSecurityClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-cb66fa7-382afa65.zip[NewURLClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\load35.jar-60a7c7e9-27beef14.zip[Matrix.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\load35.jar-60a7c7e9-27beef14.zip[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\load35.jar-60a7c7e9-27beef14.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\load35.jar-60a7c7e9-27beef14.zip[Parser.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-217a6652-2ad2ba8f.zip[Matrix.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-217a6652-2ad2ba8f.zip[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-217a6652-2ad2ba8f.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-217a6652-2ad2ba8f.zip[Parser.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv553.jar-2f3b9a41-65d1961d.zip[Matrix.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv553.jar-2f3b9a41-65d1961d.zip[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv553.jar-2f3b9a41-65d1961d.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv553.jar-2f3b9a41-65d1961d.zip[Parser.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-36dd4358-59aff8df.zip[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-36dd4358-59aff8df.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-36dd4358-59aff8df.zip[NudeBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-36dd4358-59aff8df.zip[Worker.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-36dd4358-59aff8df.zip[VerifierBug.class]
Virus:Trj/PdPinch.AD Disinfected C:\Documents and Settings\dude\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-36dd4358-59aff8df.zip[javautil.zip]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\dude\Cookies\dude@atwola[1].txt
Virus:Trj/Downloader.IWO Disinfected C:\Documents and Settings\dude\Desktop\Codecs\DV.MPEG4.Maker.v2.3.3.118.Cracked.WinALL-F4CG.ZIP[installer.exe]
Virus:Trj/Clicker.PY Not disinfected C:\Documents and Settings\dude\Desktop\Codecs\Pc.mightymax.v9.0.12.rar[installer.exe]
Virus:Trj/Clicker.PY Not disinfected C:\Documents and Settings\dude\Desktop\Codecs\Pc.mightymax.v9.0.12.rar[installer.exe][Adobe Gamma Loader.exe]
Potentially unwanted tool:Application/Zango Not disinfected C:\Documents and Settings\dude\Desktop\Codecs\Setup.exe
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\dude\Desktop\Codecs\Sony.Sound.Forge.7.0 + KeyGen + MP3.Plugin.2.0 + Patch.FR.zip[KEYGEN.exe]
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\dude\Desktop\Codecs\z3ta + BEST VSTi SYNTH + KEYGEN.rar[RgcAudio.z3ta.Plus.DXi.VSTi.v1.40\KEYGEN.exe]
Potentially unwanted tool:Application/Zango Not disinfected C:\Documents and Settings\dude\Desktop\Codecs\ZangoInstaller.exe
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\dude\Desktop\EDM ****\Sony.Sound.Forge.7.0 + KeyGen + MP3.Plugin.2.0 + Patch.FR\KEYGEN.exe
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\dude\Desktop\EDM ****\z3ta + BEST VSTi SYNTH + KEYGEN\RgcAudio.z3ta.Plus.DXi.VSTi.v1.40\KEYGEN.exe
Adware:Adware/DigInk Not disinfected C:\Documents and Settings\dude\Desktop\TagASaurus.exe
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\dude\install.exe[²ÜÇ\nsProcess.dll]
Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\dude\install.exe[MyToolBar.dll]
Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\dude\install.exe[Activate.exe]
sonofaman is offline  
Old 09-04-2006, 10:24 PM   #5 (permalink)
TSF Enthusiast
 
 
Join Date: Apr 2006
Location: Kolkata, India
Posts: 2,068
OS: WinXP Pro SP3



Welcome back sonofaman.

Please make a .zip archive of your Ewido report and upload it as an attachment with your next post.

___________________________________________________________

Download CWShredder and run it. Click Check for Update. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.


1. Download this file -

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.

* Please disable your Antivirus' Script Blockers for they would interfere with combofix

3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
_________________________________________________________________

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

NewDotNet

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\alkvl.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,kgravrx.exe


Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\system32\ alkvl.exe
C:\WINDOWS\SYSTEM32\ kgravrx.exe
c:\windows\system32\ CSUninstall.exe
c:\windows\system32\ WinNB58.dll
C:\Documents and Settings\dude\Desktop\ Click to Find and Fix Errors.url
c:\windows\ NDNuninstall6_98.exe
c:\windows\ offun.exe
c:\windows\ unstall.exe
C:\backup\ deskbar3.exe
C:\backup\ dmonwv.dll_tobedeleted
C:\backup\ install.exe
<<If there are multiple instances of this file present in the C:\backup folder, please delete them all.

C:\backup\ WinNB58.dll
C:\ bintheredunthat
C:\Documents and Settings\dude\Cookies\ dude@atwola[1].txt
C:\Documents and Settings\dude\Desktop\Codecs\ DV.MPEG4.Maker.v2.3.3.118.Cracked.WinALL-F4CG.ZIP
C:\Documents and Settings\dude\Desktop\Codecs\ Pc.mightymax.v9.0.12.rar
C:\Documents and Settings\dude\Desktop\Codecs\ Setup.exe
C:\Documents and Settings\dude\Desktop\Codecs\ Sony.Sound.Forge.7.0 + KeyGen + MP3.Plugin.2.0 + Patch.FR.zip
C:\Documents and Settings\dude\Desktop\Codecs\ z3ta + BEST VSTi SYNTH + KEYGEN.rar
C:\Documents and Settings\dude\Desktop\Codecs\ ZangoInstaller.exe
C:\Documents and Settings\dude\Desktop\EDM ****\Sony.Sound.Forge.7.0 + KeyGen + MP3.Plugin.2.0 + Patch.FR\ KEYGEN.exe
C:\Documents and Settings\dude\Desktop\EDM ****\z3ta + BEST VSTi SYNTH + KEYGEN\RgcAudio.z3ta.Plus.DXi.VSTi.v1.40\ KEYGEN.exe
C:\Documents and Settings\dude\Desktop\ TagASaurus.exe
C:\Documents and Settings\dude\ install.exe
<<If there are multiple instances of this file present in the C:\backup folder, please delete them all.
_________________________________________________________________

Reboot your system in Normal Mode.

Please provide the following logs with your next post:

ComboFix Log
Ewido (as an attachment)


Please tell me about these two folders:
C:\backup\
C:\Documents and Settings\dude\Desktop\Codecs\
- have you created them?
__________________
Registered Linux user #426065

Last edited by src2206; 09-04-2006 at 10:29 PM.
src2206 is offline  
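The two F2 entries src2206 asks to fix above are the classic Winlogon persistence pattern: an extra executable appended to the Shell= and UserInit= values so it is started at every logon, and the corresponding file is then deleted in Safe Mode. The following is an added example, not code from the thread, from HijackThis or from src2206: a small Python checker that reads HijackThis-style F2 lines and reports any executable in those values other than the Windows defaults (explorer.exe and userinit.exe). The sample log embedded in it is constructed for the example; the two F2 lines in it are the ones quoted in the post, the other lines are made up.

```python
r"""Flag Winlogon Shell/UserInit hijacks in HijackThis F2 entries.

Added example, not part of the original thread or of HijackThis.
On Windows XP the expected values are Shell=Explorer.exe and
UserInit=<system32>\userinit.exe, (a trailing comma is normal). Anything
else listed in those values starts at every logon and is worth a look.
"""
import re

# Lower-cased executable names Windows itself expects in each value.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {"userinit.exe"},
}

# HijackThis prints Winlogon values it finds as F2 - REG:system.ini: entries.
F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.IGNORECASE)

# Constructed sample log: the two F2 lines are the ones quoted in the post,
# the other lines are invented for the example.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe, C:\\WINDOWS\\system32\\alkvl.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\SYSTEM32\\Userinit.exe,kgravrx.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,
"""


def split_value(value):
    """Split a comma-separated Winlogon value into its non-empty entries."""
    return [v.strip() for v in value.split(",") if v.strip()]


def basename(path):
    """Return the lower-cased file name part of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_f2_line(line):
    """Return (key, [unexpected entries]) for an F2 line, or None otherwise.

    A bare file name such as kgravrx.exe (no directory) is reported too:
    Windows resolves it through the search path, which is exactly why the
    hijacker can omit it.
    """
    m = F2_RE.match(line.strip())
    if not m:
        return None
    key = m.group(1).lower()
    entries = split_value(m.group(2))
    unexpected = [e for e in entries if basename(e) not in EXPECTED[key]]
    return key, unexpected


def find_winlogon_hijacks(log_text):
    """Scan a whole HijackThis log and return a list of (key, suspicious entry)."""
    findings = []
    for line in log_text.splitlines():
        result = check_f2_line(line)
        if result is None:
            continue
        key, unexpected = result
        for entry in unexpected:
            findings.append((key, entry))
    return findings


if __name__ == "__main__":
    for key, entry in find_winlogon_hijacks(SAMPLE_LOG):
        print("Winlogon %s value loads unexpected executable: %s" % (key, entry))
```

Run against the sample it reports alkvl.exe from the Shell value and kgravrx.exe from the UserInit value, while the clean UserInit line with only userinit.exe produces nothing. The same check can be pointed at a saved HijackThis log file by reading it and passing the text to find_winlogon_hijacks.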
Old 09-06-2006, 12:35 PM   #6 (permalink)
Registered User
 
Join Date: Dec 2004
Posts: 42
OS: XP pro


Thanks again for the quick replies. The backup folder is an old copy of my system32 folder from the windows root directory due to previous problems. I deleted it before I got to read the updated thread, so I hope that is not a problem. The codecs folder holds torrent files, so there is no doubt trouble lurks there. Here are the reports.
sonofaman is offline  
Old 09-06-2006, 12:38 PM   #7 (permalink)
Registered User
 
Join Date: Dec 2004
Posts: 42
OS: XP pro


attachments
Attached Files
File Type: txt ComboFix.txt (137.6 KB, 7 views)
File Type: zip Report-Scan-20060904-123355.zip (121.9 KB, 5 views)
sonofaman is offline  
Old 09-07-2006, 11:12 AM   #8 (permalink)
Registered User
 
Join Date: Dec 2004
Posts: 42
OS: XP pro


*bump*
sonofaman is offline  
Old 09-07-2006, 12:00 PM   #9 (permalink)
TSF Enthusiast
 
 
Join Date: Apr 2006
Location: Kolkata, India
Posts: 2,068
OS: WinXP Pro SP3


No need to worry.

I'm on your case only. Please hold your breath a little longer.
__________________
Registered Linux user #426065
src2206 is offline  
Old 09-09-2006, 03:19 AM   #10 (permalink)
TSF Enthusiast
 
 
Join Date: Apr 2006
Location: Kolkata, India
Posts: 2,068
OS: WinXP Pro SP3



Hello sonofaman.
Please follow the following steps very carefully and in the exact given order.

You will need to update Ewido to the latest definition files.
  • Launch Ewido.
  • On the main screen select the icon "Update" then select the "Update now" link.
  • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
  • Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
____________________________________________________________

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Please look carefully to the following list. Did you create these folders? If not, then please delete them.

C:\Documents and Settings\dude\Shared\_\
C:\My Shared Folder\
C:\Program Files\Shareaza\Downloads\_\
C:\Uploads\

________________________________________________________

Next go to Control Panel click Display>Desktop>Customize Desktop>Website.
Under the 'Web pages' box, delete everything present.
_______________________________________________________

Ewido

Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
Make sure to clean/disinfect/quarantine instead of ignore.

Restart in normal mode.

_______________________________________________________

Click on the zip file attached to this post to open and extract the file sonofaman to your desktop. Double click on the file sonofaman.reg to run it. Answer yes to any prompts and allow it to merge into the Registry.
____________________________________________________________

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
    • C:\QooBox\hnetwiz.dll.qoo
  • Click on the submit button
  • Please post the results in your next reply along with the Ewido Log.

Try to paste the log of ewido this time, if you can not, only then attach it as a .zip file as earlier.
Attached Files
File Type: zip sonofaman.zip (473 Bytes, 1 views)
__________________
Registered Linux user #426065
src2206 is offline  
Old 09-11-2006, 07:11 PM   #11 (permalink)
Registered User
 
Join Date: Dec 2004
Posts: 42
OS: XP pro


Sorry about the delayed response, I went on a little vacation. Anyways the ewido report is once again too large, and I think I forgot to empty the recycle bin as administrator in safe mode. Here are the Jotti results:
Service load: 0% 100%

File: hnetwiz.dll.qoo
Status: OK
MD5 23db78f7dc2d27005b3aed4604611a5c
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Statistics
Last file scanned at least one scanner reported something about: uedit_keygen.exe, detected by:

Scanner Malware name
AntiVir X
ArcaVir Heur.Win32
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet PossibleThreat!02733
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control W32/Suspicious_U.gen
UNA X
VirusBuster X
VBA32 X


You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives
We are not affiliated with any third parties that conduct tests using this service.
Attached Files
File Type: zip ewido report.zip (43.1 KB, 3 views)
sonofaman is offline  
Old 09-13-2006, 02:17 PM   #12 (permalink)
TSF Enthusiast
 
 
Join Date: Apr 2006
Location: Kolkata, India
Posts: 2,068
OS: WinXP Pro SP3



Hello sonofaman.

Please download the attached file 'sonofaman2.zip', unzip and save it to your desktop. Run this file.

Next,
Using Internet Explorer, visit F-Secure Online Scanner - http://support.f-secure.com/enu/home/ols3.shtml
It's explained there with images how to allow the ActiveX to start the scan, so read that first.
  • Then click the F-Secure Online Scanner Next Generation Beta link.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and copy and paste what's present under results in your next reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Now run combofix again and post the report here with your next reply, along with F-secure online scan report and a Fresh HJT Log.
Attached Files
File Type: zip sonofaman2.zip (992 Bytes, 1 views)
__________________
Registered Linux user #426065
src2206 is offline  
All times are GMT -7. The time now is 11:12 AM.



Copyright 2001 - 2010, Tech Support Forum