Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

#1 - 08-04-2006, 04:43 AM - Registered User (Join Date: Aug 2006; Posts: 12; OS: XP)

Pin help!! HKsRv dll pop up plus more :(



Help, I keep getting these hksrv.dll pop-ups. They come in a little box with HKSRV for the title, then just crap underneath and an OK button. They keep coming up at least 20 times a minute.
I also get a Spyware Removal Wizard pop-up telling me to check whether my computer is infected.

I scanned using Ad-Aware and Search & Destroy; that helped a lot. The computer is running faster and Task Manager is no longer disabled.
I tried scanning online, but Windows Firewall won't let me download ActiveX.
I tried changing the firewall settings, but it won't let me open them. It just says "Due to an unidentified problem, Windows cannot display firewall settings".
Also, the computer just crashes now and again.

Well, I hope you can help. Here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 00:33:44, on 03/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\aspi22588.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\CCZoop05.exe
C:\WINDOWS\system32\1c9533f4.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Paul\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\hgdec.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe
O4 - HKLM\..\Run: [1c9533f4.exe] C:\WINDOWS\system32\1c9533f4.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [1c9533f4.exe] C:\Documents and Settings\Paul\Local Settings\Application Data\1c9533f4.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O20 - AppInit_DLLs: infoitss.dll lzexkbdu.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: hgdec - C:\WINDOWS\SYSTEM32\hgdec.dll
O20 - Winlogon Notify: msstkbdd - C:\WINDOWS\system32\msstkbdd.dll
O21 - SSODL: CallBack Ware - {8e29f930-135a-4568-3338-24cbc8cbbfc1} - C:\WINDOWS\system32\pisia32.dll
O21 - SSODL: DCOM Server 2240 - {2C1CD3D7-86AC-4068-93BC-A02304BB2240} - C:\WINDOWS\system32\2240_28.dll
O21 - SSODL: FvCbll - {0F1A1BF6-A5B0-B15C-1FC6-DBCC512310CD} - C:\WINDOWS\system32\elis.dll
O21 - SSODL: hksrv.dll - {9B4B67AA-F230-4602-8344-66104AFB4A25} - hksrv.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi22588.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Thanks a lot.
- Hopperonfire
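As an added example that is not part of the original thread: a PowerShell triage pass over the "O" lines of a HijackThis log. The sample below is a constructed excerpt copied from the log in the post above, and the flagging heuristics (AppInit_DLLs, Winlogon Notify and SSODL load points, services with no publisher, Run values named like random hex, Run targets under the profile cache, "(file missing)" entries) are my own, not rules from HijackThis or from the helper.

```powershell
# Added example, not code from the original post. Sample log lines are a
# constructed excerpt of the HijackThis log above; heuristics are the reviewer's.
$sampleLog = @'
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\hgdec.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [1c9533f4.exe] C:\WINDOWS\system32\1c9533f4.exe
O4 - HKCU\..\Run: [1c9533f4.exe] C:\Documents and Settings\Paul\Local Settings\Application Data\1c9533f4.exe
O20 - AppInit_DLLs: infoitss.dll lzexkbdu.dll
O20 - Winlogon Notify: hgdec - C:\WINDOWS\SYSTEM32\hgdec.dll
O21 - SSODL: hksrv.dll - {9B4B67AA-F230-4602-8344-66104AFB4A25} - hksrv.dll (file missing)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi22588.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
'@

function Get-HjtFinding {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch '^(O\d+) - (.*)$') { continue }   # only HijackThis "O" entries
        $section = $Matches[1]
        $body    = $Matches[2]
        $reasons = @()

        # A load point whose file is gone still fires at boot/logon; what has to
        # go is the registry value, not a file.
        if ($body -match '\(file missing\)') {
            $reasons += 'target file is missing, but the load point is still registered'
        }

        # switch -Regex runs every clause that matches, so one line can collect
        # several reasons.
        switch -Regex ($body) {
            '^AppInit_DLLs:\s*(\S.*)$' {
                $reasons += "AppInit_DLLs injects '$($Matches[1])' into every process that loads user32.dll"
            }
            '^Winlogon Notify:' {
                $reasons += 'loaded by winlogon.exe at boot, so the DLL is in use before any user session exists'
            }
            '^SSODL:' {
                $reasons += 'ShellServiceObjectDelayLoad object; explorer.exe loads it at every logon'
            }
            '^Service:.* - Unknown owner - ' {
                $reasons += 'service binary carries no publisher string'
            }
            '^HK(LM|CU)\\\.\.\\Run: \[([0-9a-f]{8})\.exe\]' {
                $reasons += "Run value named like a random hex string ($($Matches[2]).exe)"
            }
            '^HKCU\\\.\.\\Run: .*\\Local Settings\\(Application Data|Temp)\\' {
                $reasons += 'Run target lives in the user profile cache rather than Program Files or System32'
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Section = $section
                Entry   = $body
                Why     = ($reasons -join '; ')
            }
        }
    }
}

# Split the here-string into lines and list the entries that earned a reason.
Get-HjtFinding -Lines ($sampleLog -split "`r?`n") | Format-List
```

The output names each flagged line with the load mechanism behind it, which is the same information a helper uses when deciding what to put in a "Fix checked" list. Entries that pass silently (the Spybot BHO, QuickTime, the Lexmark service) are not cleared by this, only not flagged; the list is a reading aid, not a verdict.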
#2 - 08-04-2006, 04:49 PM - Registered User (Join Date: Aug 2006; Posts: 12; OS: XP)

Bump

Bump!
- Hopperonfire
#3 - 08-05-2006, 02:27 PM - tetonbob, Manager, Security Center, TSF Academy; Analyst, Security Team (Join Date: Jan 2005; Location: Transylvania County, North Carolina, USA; Posts: 35,235; OS: 2000 Pro; XP Pro; XP Home)

1. Download this file:

http://download.bleepingcomputer.com/sUBs/combofix.exe

* IMPORTANT !!! Place it on your Desktop.

2. Click the Windows 'Start' button > Select 'Run', then copy/paste this into the Run box & click OK:
"%userprofile%\desktop\combofix.exe" /v hgdec msstkbdd
3. When finished, it will produce a log for you. Post that log in your next reply, with a new HJT log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
#4 - 08-06-2006, 02:30 AM - Registered User (Join Date: Aug 2006; Posts: 12; OS: XP)

Start Time= 06-08-06 9:20:54.28
Running from: C:\DOCUME~1\Paul\LOCALS~1\Temp\

No infected files found
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\kernels8.exe
C:\WINDOWS\cfg32.exe
C:\Program Files\windows


((((((((((((((((((((((((((((((( Files Created from 2006-07-06 to 2006-08-06 ))))))))))))))))))))))))))))))))))


2006-08-04 23:29 156,160 C:\WINDOWS\system32\mswmmqce.dll
2006-08-04 23:28 90,112 C:\WINDOWS\system32\RegDACL.exe
2006-08-04 23:28 57,344 C:\WINDOWS\system32\rsmpmcis.dll
2006-08-04 23:28 5,862 C:\clean.bat
2006-08-04 23:28 40,960 C:\WINDOWS\system32\swsc.exe
2006-08-04 23:28 4,096 C:\WINDOWS\system32\reboot.exe
2006-08-04 23:28 38,400 C:\WINDOWS\system32\moveex.exe
2006-08-04 23:28 36,352 C:\WINDOWS\system32\shmecmse.dll
2006-08-04 23:28 25,088 C:\WINDOWS\system32\ciaddavc.dll
2006-08-04 23:28 20,525 C:\WINDOWS\system32\tapidpus.exe
2006-08-04 23:18 199,806,976 C:\hiberfil.sys
2006-08-03 09:06 409,417 C:\WINDOWS\system32\ggjlm.bak1
2006-08-03 09:05 573,492 C:\WINDOWS\system32\mljgg.dll
2006-08-02 19:31 7,680 C:\WINDOWS\comdlg66.dll
2006-08-02 19:02 5,744 C:\WINDOWS\system32\testtestt.exe
2006-08-02 15:28 37,376 C:\WINDOWS\system32\aspi22588.exe
2006-08-02 15:28 11,187 C:\WINDOWS\system32\clcbt.exe
2006-08-02 15:26 94,208 C:\WINDOWS\system32\pisia32.dll
2006-08-02 15:18 143,360 C:\WINDOWS\ms059333253362006.exe
2006-08-02 14:16 8,464 C:\WINDOWS\system32\sporder.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-06 09:12 7680 --a------ C:\WINDOWS\comdlg66.dll
2006-08-04 23:29 156160 --ah----- C:\WINDOWS\system32\mswmmqce.dll
2006-08-04 23:28 57344 --ah----- C:\WINDOWS\system32\rsmpmcis.dll
2006-08-04 23:28 36352 --ah----- C:\WINDOWS\system32\shmecmse.dll
2006-08-04 23:28 25088 --ah----- C:\WINDOWS\system32\ciaddavc.dll
2006-08-04 23:28 20525 --ah----- C:\WINDOWS\system32\tapidpus.exe
2006-08-04 23:28 ------- d-------- C:\Program Files\HaxFix
2006-08-03 09:06 409417 ---hs---- C:\WINDOWS\system32\ggjlm.bak1
2006-08-03 09:05 573492 ---hs---- C:\WINDOWS\system32\mljgg.dll
2006-08-02 21:13 ------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-08-02 20:52 359808 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2006-08-02 20:43 0 --a------ C:\Documents and Settings\Paul\Application Data\Install.dat
2006-08-02 19:43 ------- d-------- C:\Program Files\Lavasoft
2006-08-02 19:43 ------- d-------- C:\Documents and Settings\Paul\Application Data\Lavasoft
2006-08-02 19:02 5744 --a------ C:\WINDOWS\system32\testtestt.exe
2006-08-02 17:09 5862 --a------ C:\clean.bat
2006-08-02 15:28 37376 --a------ C:\WINDOWS\system32\aspi22588.exe
2006-08-02 15:27 11187 --a------ C:\WINDOWS\system32\clcbt.exe
2006-08-02 15:26 94208 --a------ C:\WINDOWS\system32\pisia32.dll
2006-08-02 15:18 143360 --a------ C:\WINDOWS\ms059333253362006.exe
2006-08-02 14:16 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-08-02 14:13 ------- d--h----- C:\Program Files\BHO Plugin
2006-06-19 14:03 ------- d-------- C:\Documents and Settings\Paul\Application Data\Sun
2006-05-12 02:33 73736 --a------ C:\WINDOWS\system32\_winsys00.dll
2006-05-08 15:23 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"POINTER"="point32.exe"
"DSLSTATEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"
"DSLAGENTEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"
"%FP%Friendly fts.exe"="\"C:\\Program Files\\VoyagerTest\\fts.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"clcbt.exe"="C:\\WINDOWS\\system32\\clcbt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"1c9533f4.exe"="C:\\Documents and Settings\\Paul\\Local Settings\\Application Data\\1c9533f4.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000001

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"CallBack Ware"="{8e29f930-135a-4568-3338-24cbc8cbbfc1}"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2240}"="DCOM Server 2240"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Contents of the 'Scheduled Tasks' folder

Completion time: 06-08-06 9:25:46.23
ComboFix ver 06.08.04 - This logfile is located at C:\ComboFix.txt

ComboFix2.txt
ComboFix.txt

Logfile of HijackThis v1.99.1
Scan saved at 09:29, on 06-08-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\aspi22588.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kazaa Lite\clean.kmd
C:\Documents and Settings\Paul\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [1c9533f4.exe] C:\Documents and Settings\Paul\Local Settings\Application Data\1c9533f4.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{918C79A8-7413-4598-9CA1-C2FB83BBE473}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: shmecmse.dll ciaddavc.dll infoitss.dll lzexkbdu.dll
O21 - SSODL: CallBack Ware - {8e29f930-135a-4568-3338-24cbc8cbbfc1} - C:\WINDOWS\system32\pisia32.dll
O21 - SSODL: DCOM Server 2240 - {2C1CD3D7-86AC-4068-93BC-A02304BB2240} - C:\WINDOWS\system32\2240_28.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi22588.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Thanks for taking the time.
- Hopperonfire
#5 - 08-06-2006, 09:23 AM - tetonbob, Manager, Security Center, TSF Academy; Analyst, Security Team (Join Date: Jan 2005; Location: Transylvania County, North Carolina, USA; Posts: 35,235; OS: 2000 Pro; XP Pro; XP Home)

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

ComboFix was not run from the desktop, and that may have altered its effectiveness.

Quote:
* IMPORTANT !!! Place it on your Desktop.
Quote:
Start Time= 06-08-06 9:20:54.28
Running from: C:\DOCUME~1\Paul\LOCALS~1\Temp\
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.



---------------------------------------------------------------------------------------------

Please submit the following file to Jotti File Scan

C:\WINDOWS\system32\pisia32.dll

At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the path above into the box. Then click "submit".

When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here.

---------------------------------------------------------------------------------------------

Download Ewido Anti-Malware
  • Install Ewido Anti-Malware
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT Ewido anti-spyware. Do Not run a scan just yet, we will shortly.

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe


Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

@echo off
rem Stop the "Microsoft ASPI Manager" service listed as O23 in the HJT log, then unregister it.
sc stop aspi113210
sc delete aspi113210
rem Remove this batch file itself once the service is gone.
del "%~f0"


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.


---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' if they still exist (make sure not to miss any):

R3 - Default URLSearchHook is missing
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: shmecmse.dll ciaddavc.dll infoitss.dll lzexkbdu.dll
O21 - SSODL: CallBack Ware - {8e29f930-135a-4568-3338-24cbc8cbbfc1} - C:\WINDOWS\system32\pisia32.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi22588.exe



---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

---------------------------------------------------------------------------------------------


Delete the following:

C:\WINDOWS\comdlg66.dll
C:\WINDOWS\system32\2240_28.dll
C:\WINDOWS\system32\aspi22588.exe
C:\WINDOWS\system32\mswmmqce.dll
C:\WINDOWS\system32\rsmpmcis.dll
C:\WINDOWS\system32\shmecmse.dll
C:\WINDOWS\system32\ciaddavc.dll
C:\WINDOWS\system32\tapidpus.exe
C:\WINDOWS\system32\ggjlm.bak1
C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\testtestt.exe
C:\WINDOWS\system32\clcbt.exe
C:\WINDOWS\ms059333253362006.exe


Find these via Start>Search:

infoitss.dll
lzexkbdu.dll


---------------------------------------------------------------------------------------------


Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------------------------------------------------------------------------

Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

---------------------------------------------------------------------------------------------

Restart in normal mode.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with logs from:

Ewido
Panda
HJT
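The fix list above works through the same load points by hand: O4 Run values, O20 AppInit_DLLs and Winlogon Notify, O21 SSODL and O23 services. As an added example, not from the original post or from any tool it names: a read-only PowerShell script that enumerates those locations on a live Windows host and flags any target that is missing on disk or not Authenticode-signed. The registry paths are the standard ones; the "signed"/"missing" rules and the helper names are my own assumptions, and the script deletes nothing.

```powershell
# Added example, not code from the original thread or from any tool it names.
# Enumerates the autostart locations HijackThis reports as O4/O20/O21/O23 on
# a live host and flags targets that are missing or not Authenticode-signed.
# Read-only: it deletes nothing. Run from an elevated Windows PowerShell prompt.

function Resolve-ImagePath {
    param([string]$Command)
    # Turn a Run / ImagePath / PathName value into the file it launches.
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { return $Matches[1] }                          # "quoted path" args
    if ($c -match '^(.+?\.(exe|dll|sys|cpl|ocx))(\s|$)') { return $Matches[1] }  # unquoted path, may contain spaces
    return $c
}

function Test-AutostartTarget {
    param([string]$Location, [string]$Name, [string]$Command)
    $path = Resolve-ImagePath $Command
    # Bare names (point32.exe, or a DLL listed in AppInit_DLLs) are found through the
    # loader search path; System32 and the Windows directory cover the usual cases.
    $candidates = @($path)
    if ($path -and -not [IO.Path]::IsPathRooted($path)) {
        $candidates = @("$env:SystemRoot\System32\$path", "$env:SystemRoot\$path")
    }
    $file = $candidates | Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Leaf) } | Select-Object -First 1
    $status = 'FILE MISSING'
    if ($file) {
        $sig = Get-AuthenticodeSignature -FilePath $file
        $status = 'UNSIGNED (' + $sig.Status + ')'
        if ($sig.Status -eq 'Valid') { $status = 'signed: ' + $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{ Location = $Location; Name = $Name; Command = $Command; File = $file; Status = $status }
}

function Get-AutostartFinding {
    # O4: Run keys in both hives
    foreach ($hive in 'HKLM', 'HKCU') {
        $run = Get-Item -LiteralPath "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
        if ($run) {
            foreach ($v in $run.GetValueNames()) {
                Test-AutostartTarget "O4 $hive\..\Run" $v ([string]$run.GetValue($v))
            }
        }
    }
    # O20: AppInit_DLLs (space- or comma-separated DLL list)
    $winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appInit = [string](Get-ItemProperty -LiteralPath $winKey).AppInit_DLLs
    foreach ($dll in ($appInit -split '[\s,]+' | Where-Object { $_ })) {
        Test-AutostartTarget 'O20 AppInit_DLLs' $dll $dll
    }
    # O20: Winlogon Notify packages (XP/2000 only; the key is absent on Vista and later)
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path -LiteralPath $notify) {
        foreach ($sub in Get-ChildItem -LiteralPath $notify) {
            $dll = [string](Get-ItemProperty -LiteralPath $sub.PSPath).DllName
            Test-AutostartTarget 'O20 Winlogon Notify' $sub.PSChildName $dll
        }
    }
    # O21: ShellServiceObjectDelayLoad; each value is a CLSID, resolve its InprocServer32
    $ssodl = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' -ErrorAction SilentlyContinue
    if ($ssodl) {
        foreach ($v in $ssodl.GetValueNames()) {
            $clsid  = [string]$ssodl.GetValue($v)
            $server = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            Test-AutostartTarget 'O21 SSODL' "$v $clsid" ([string]$server)
        }
    }
    # O23: services and their image paths
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        Test-AutostartTarget 'O23 Service' "$($svc.DisplayName) ($($svc.Name))" ([string]$svc.PathName)
    }
}

# Show only what is missing or unsigned; signed entries are listed if you drop the Where-Object.
Get-AutostartFinding |
    Where-Object { $_.Status -notlike 'signed:*' } |
    Sort-Object Location, Name |
    Format-Table Location, Name, File, Status -AutoSize -Wrap
```

Two caveats. "UNSIGNED" is a prompt to look, not a verdict: older third-party software (the BT Voyager and Lexmark components in this log, for instance) is often unsigned. And on 64-bit Windows the 32-bit registry views (Wow6432Node Run keys and CLSIDs) are not walked by this script. Removal itself stays the manual step the post describes: stop and delete the service with sc, fix the entries in HijackThis, and delete the files from Safe Mode, since a DLL loaded by winlogon.exe or injected through AppInit_DLLs is in use during a normal session.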
#6 - 08-07-2006, 04:24 AM - Registered User (Join Date: Aug 2006; Posts: 12; OS: XP)

I did what you said, but it won't let me delete these:
C:\WINDOWS\system32\mswmmqce.dll
C:\WINDOWS\system32\rsmpmcis.dll
C:\WINDOWS\system32\shmecmse.dll
C:\WINDOWS\system32\ciaddavc.dll
C:\WINDOWS\system32\mljgg.dll


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 07:59 06-08-07

+ Scan result:



C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0077838.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0077839.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\FOUND.013\FILE0024.CHK -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0076764.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0076788.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0078864.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0073774.dll -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0078870.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0077836.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0077837.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0079910.DLL -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP230\A0079966.DLL -> Backdoor.Agent.adr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP232\A0081130.exe -> Backdoor.Rbot.ben : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0072734.exe -> Backdoor.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0073734.exe -> Backdoor.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\ymfc27gv.default\Cache\71F545FEd01 -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\FOUND.013\FILE0004.CHK -> Downloader.Agent.hy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0077834.exe -> Downloader.Agent.hy : Cleaned with backup (quarantined).
C:\Program Files\Windows NT\nidyqyd.dll.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\FOUND.013\FILE0029.CHK -> Downloader.Small.ctk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0072754.exe -> Downloader.Small.ctk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0073753.exe -> Downloader.Small.ctk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0073789.exe -> Downloader.Small.ctk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0078866.exe -> Downloader.Small.ctk : Cleaned with backup (quarantined).
C:\Documents and Settings\Paul\Desktop\New Folder\backups\backup-20060802-192659-482.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0076784.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\FOUND.013\FILE0020.CHK -> Downloader.Small.cvs : Cleaned with backup (quarantined).
C:\FOUND.013\FILE0016.CHK -> Downloader.Small.cyb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0078868.exe -> Downloader.Small.cyb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP232\A0081132.exe -> Downloader.Small.cyb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0078859.exe -> Downloader.Small.dgk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0078857.exe -> Downloader.Small.dht : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0078858.exe -> Downloader.Small.dht : Cleaned with backup (quarantined).
C:\FOUND.013\FILE0017.CHK -> Downloader.Small.dic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0072752.exe -> Downloader.Small.dic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0073754.exe -> Downloader.Small.dic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0073787.exe -> Downloader.Small.dic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0077840.exe -> Downloader.Small.dic : Cleaned with backup (quarantined).
C:\FOUND.013\FILE0023.CHK -> Downloader.Small.dkb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0077842.exe -> Downloader.Small.dkb : Cleaned with backup (quarantined).
C:\FOUND.013\FILE0007.CHK -> Downloader.Small.dkt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0072748.exe -> Downloader.Small.dkt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0073749.exe -> Downloader.Small.dkt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0073784.exe -> Downloader.Small.dkt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0078869.exe -> Downloader.Small.dkt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0078860.exe -> Downloader.Tibs.gc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0078863.exe -> Downloader.Tibs.gc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP231\A0080026.exe -> Downloader.Tibs.gc : Cleaned with backup (quarantined).
C:\t.inx -> Downloader.Tibs.gc : Cleaned with backup (quarantined).
C:\FOUND.013\FILE0026.CHK -> Downloader.Tiny.ap : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0072751.exe -> Downloader.Tiny.ap : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0073750.exe -> Downloader.Tiny.ap : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0077843.exe -> Downloader.Tiny.ap : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP232\A0081134.exe -> Downloader.VB.aga : Cleaned with backup (quarantined).
C:\WINDOWS\unin101.exe -> Downloader.VB.tw : Cleaned with backup (quarantined).
C:\FOUND.013\FILE0010.CHK -> Dropper.Agent.asr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0076776.exe -> Dropper.VB.kk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0076795.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0078890.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\Program Files\BHO Plugin\plugin.dll -> Hijacker.Small.ja : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0072742.dll -> Hijacker.Small.ja : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0073771.dll -> Hijacker.Small.ja : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0077844.exe -> Logger.Mxsender.f : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hksrv.dll -> Logger.Mxsender.f : Cleaned with backup (quarantined).
C:\WINDOWS\system32\prsvc.exe -> Logger.Mxsender.f : Cleaned with backup (quarantined).
C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\ymfc27gv.default\Cache\B23E4567d01 -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP230\A0079916.DLL -> Proxy.Agent.df : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP230\snapshot\MFEX-1.DAT -> Proxy.Agent.df : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0073772.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0074768.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0077835.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0077845.exe -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0077852.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0078854.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0078855.DLL -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0078865.EXE -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0078892.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0079889.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0079897.DLL -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0079905.DLL -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP230\A0079923.DLL -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP230\A0079940.DLL -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP230\A0079959.DLL -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP230\A0079971.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP231\A0079984.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP231\A0079990.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP231\A0080008.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP231\A0080062.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP232\A0080077.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP232\A0081071.DLL -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP232\A0081077.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP232\A0081121.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP232\A0081129.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP232\A0081133.exe -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\FOUND.013\FILE0008.CHK -> Proxy.Xorpix.ag : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0072750.exe -> Proxy.Xorpix.ag : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0073748.exe -> Proxy.Xorpix.ag : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0073785.exe -> Proxy.Xorpix.ag : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0078867.exe -> Proxy.Xorpix.ag : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0078872.exe -> Trojan.Dialer.pw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP230\A0079949.DLL -> Trojan.Opnis.b : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0072749.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0072753.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0072755.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0073751.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0073752.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0073755.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0073786.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0073788.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0077841.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0077846.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7393D767-1F47-4FDC-85DC-79E4125CCEE2}\RP229\A0079909.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).


::Report end


The Panda one:


Incident Status Location

Spyware:spyware/media-motor Not disinfected Windows Registry
Spyware:Cookie/Casalemedia Not disinfected C:\FOUND.001\FILE0001.CHK
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20060802-224824.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20060802-224825.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20060802-234839.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20060802-234840.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20060802-234841.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20060802-234842.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20060802-234843.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20060802-234844.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20060802-234845.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20060802-234846.backup
Adware:Adware/DigInk Not disinfected C:\WINDOWS\uni_ehhh.exe
Spyware:Cookie/YieldManager Not disinfected C:\FOUND.005\FILE0266.CHK
Spyware:Cookie/2o7 Not disinfected C:\FOUND.006\FILE0001.CHK
Virus:Trj/RootkitDrop.B Disinfected C:\FOUND.012\FILE0001.CHK
Adware:Adware/SystemDoctor Not disinfected C:\FOUND.013\FILE0000.CHK
Adware:Adware/DollarRevenue Not disinfected C:\FOUND.013\FILE0011.CHK[²ÜÇ\System.dll]
Adware:Adware/DollarRevenue Not disinfected C:\FOUND.013\FILE0014.CHK
Adware:Adware/DollarRevenue Not disinfected C:\FOUND.013\FILE0018.CHK[²ÜÇ\System.dll]
Adware:Adware/DollarRevenue Not disinfected C:\FOUND.013\FILE0018.CHK[²ÜÇ\nsProcess.dll]
Adware:Adware/NewAds Not disinfected C:\FOUND.013\FILE0018.CHK[¦&&\Windows\WinUpdate.exe]
Adware:Adware/DollarRevenue Not disinfected C:\FOUND.013\FILE0018.CHK[¦&&\Windows\WinUpdate.exe][²ÜÇ\System.dll]
Adware:Adware/DollarRevenue Not disinfected C:\FOUND.013\FILE0018.CHK[¦&&\Windows\WinUpdate.exe][²ÜÇ\nsProcess.dll]
Adware:Adware/NewAds Not disinfected C:\FOUND.013\FILE0018.CHK[¦&&\Windows\WinUpdate.exe][²ªÇ]
Adware:Adware/DollarRevenue Not disinfected C:\FOUND.013\FILE0019.CHK[²ÜÇ\System.dll]
Adware:Adware/DollarRevenue Not disinfected C:\FOUND.013\FILE0019.CHK[²ÜÇ\nsProcess.dll]
Adware:Adware/NewAds Not disinfected C:\FOUND.013\FILE0019.CHK[¦&&\Windows\WinUpdate.exe]
Adware:Adware/DollarRevenue Not disinfected C:\FOUND.013\FILE0019.CHK[¦&&\Windows\WinUpdate.exe][²ÜÇ\System.dll]
Adware:Adware/DollarRevenue Not disinfected C:\FOUND.013\FILE0019.CHK[¦&&\Windows\WinUpdate.exe][²ÜÇ\nsProcess.dll]
Adware:Adware/NewAds Not disinfected C:\FOUND.013\FILE0019.CHK[¦&&\Windows\WinUpdate.exe][²ªÇ]
Adware:Adware/DollarRevenue Not disinfected C:\FOUND.013\FILE0027.CHK
Adware:Adware/DollarRevenue Not disinfected C:\FOUND.013\FILE0032.CHK[²ÜÇ\System.dll]
Adware:Adware/DollarRevenue Not disinfected C:\FOUND.013\FILE0032.CHK[²ÜÇ\nsProcess.dll]
Adware:Adware/NewAds Not disinfected C:\FOUND.013\FILE0032.CHK[²ªÇ]
Spyware:Cookie/WUpd Not disinfected C:\FOUND.015\FILE0000.CHK
Spyware:Cookie/DriveCleaner Not disinfected C:\FOUND.015\FILE0004.CHK
Spyware:Cookie/DriveCleaner Not disinfected C:\FOUND.015\FILE0009.CHK
Spyware:Cookie/Searchportal Not disinfected C:\FOUND.015\FILE0019.CHK
Logfile of HijackThis v1.99.1
Scan saved at 11:20, on 06-08-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mswmmqce.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Paul\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [clcbt.exe] C:\WINDOWS\system32\clcbt.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [1c9533f4.exe] C:\Documents and Settings\Paul\Local Settings\Application Data\1c9533f4.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{918C79A8-7413-4598-9CA1-C2FB83BBE473}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: shmecmse.dll ciaddavc.dll
O21 - SSODL: DCOM Server 2240 - {2C1CD3D7-86AC-4068-93BC-A02304BB2240} - C:\WINDOWS\system32\2240_28.dll (file missing)
O21 - SSODL: FvCbll - {0F1A1BF6-A5B0-B15C-1FC6-DBCC512310CD} - C:\WINDOWS\system32\elis.dll (file missing)
O21 - SSODL: hksrv.dll - {9B4B67AA-F230-4602-8344-66104AFB4A25} - hksrv.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Thanks for the excellent advice and help.
Old 08-07-2006, 09:40 AM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,235
OS: 2000 Pro; XP Pro; XP Home


I still need the results from the jotti scan, please. I see I forgot to ask for it in the last post. Instructions in Post #5.


---------------------------------------------------------------------------------------------

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O4 - HKLM\..\Run: [clcbt.exe] C:\WINDOWS\system32\clcbt.exe
O4 - HKCU\..\Run: [1c9533f4.exe] C:\Documents and Settings\Paul\Local Settings\Application Data\1c9533f4.exe
O20 - AppInit_DLLs: shmecmse.dll ciaddavc.dll
O21 - SSODL: DCOM Server 2240 - {2C1CD3D7-86AC-4068-93BC-A02304BB2240} - C:\WINDOWS\system32\2240_28.dll (file missing)
O21 - SSODL: FvCbll - {0F1A1BF6-A5B0-B15C-1FC6-DBCC512310CD} - C:\WINDOWS\system32\elis.dll (file missing)
O21 - SSODL: hksrv.dll - {9B4B67AA-F230-4602-8344-66104AFB4A25} - hksrv.dll (file missing)



---------------------------------------------------------------------------------------------

Download Pocket Killbox and unzip the exe file to your desktop.

Launch KillBox.exe & select the following options:
  • delete on Reboot
  • All files (if available)
Use your mouse to select all the filenames highlighted in blue & then right-click & select Copy
  • C:\WINDOWS\uni_ehhh.exe
    C:\WINDOWS\system32\mswmmqce.dll
    C:\WINDOWS\system32\rsmpmcis.dll
    C:\WINDOWS\system32\shmecmse.dll
    C:\WINDOWS\system32\ciaddavc.dll
    C:\WINDOWS\system32\mljgg.dll
    C:\Documents and Settings\Paul\Local Settings\Application Data\1c9533f4.exe
    C:\WINDOWS\system32\clcbt.exe
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.


---------------------------------------------------------------------------------------------

Once the machine has rebooted, please do this:

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow the express scan to run
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found:
  • If so, click it, then click the next icon right below and select Move incurable, as shown in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


---------------------------------------------------------------------------------------------

I see no evidence of an AntiVirus program on your system. This must be resolved. Here are two very good free Antivirus products which are available: Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan.

---------------------------------------------------

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!


---------------------------------------------------------------------------------------------

Also post a new HijackThis log.

So I need results from:

Jotti scan
DrWeb
SmitfraudFix
HijackThis
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
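An added example, not part of this thread and not a HijackThis or TSF tool: the entry types tetonbob has you fix above (O4 Run keys and Startup folders, O20 AppInit_DLLs, O21 SSODL, O23 services) are the persistence points that matter most in an HJT log, so the Python script below parses those lines out of a saved log, strips quotes and arguments down to the image path, records "(file missing)" orphans, and attaches the heuristics an analyst otherwise applies by eye (AppInit_DLLs loads into every process that uses user32, SSODL loads inside Explorer, bare filenames go through the search order, executables run from Local Settings\Application Data, Run values named after their own file). The sample lines are copied from the log posted above; the flag texts and the heuristics are this example's own assumptions, not HijackThis output, and a flag is a reason to look, not a verdict.

```python
"""Parse HijackThis 1.99-style autostart entries and flag the ones to look at first.
Added example for this thread, not HijackThis code or anything posted by its helpers."""
import re
from dataclasses import dataclass, field
from typing import List

MISSING = "(file missing)"
USER_DATA_DIR = re.compile(r"\\Local Settings\\Application Data\\[^\\]+$", re.IGNORECASE)

@dataclass
class Entry:
    section: str               # HijackThis section code: O4, O20, O21, O23
    location: str              # registry key or label as HijackThis prints it
    name: str                  # value name, DLL name or service display name
    path: str                  # image path with quotes and arguments stripped
    file_missing: bool = False
    flags: List[str] = field(default_factory=list)

def exe_path(cmd: str) -> str:
    """Return the image path from a command line, quoted or not, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.(?:exe|dll|lnk))(?=[\s"]|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def parse_line(line: str) -> List[Entry]:
    m = re.match(r"^(O\d+)\s+-\s+(.*)$", line.strip())
    if not m:
        return []
    sec, body = m.groups()
    missing = MISSING in body
    body = body.replace(MISSING, "").strip()
    out: List[Entry] = []
    if sec == "O4":
        # "HKLM\..\Run: [name] command"  or  "Global Startup: x.lnk = target"
        m4 = re.match(r"^(.*?):\s+\[(.*?)\]\s*(.*)$", body) or re.match(r"^(.*?):\s+(.*?)\s+=\s+(.*)$", body)
        if m4:
            loc, name, cmd = m4.groups()
            out.append(Entry(sec, loc, name, exe_path(cmd), missing))
    elif sec == "O20" and ":" in body:
        # "AppInit_DLLs: a.dll b.dll": every DLL listed becomes its own entry
        for dll in body.split(":", 1)[1].split():
            out.append(Entry(sec, "AppInit_DLLs", dll, dll, missing))
    elif sec == "O21":
        m21 = re.match(r"^SSODL:\s+(.*?)\s+-\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.*)$", body)
        if m21:
            name, clsid, path = m21.groups()
            out.append(Entry(sec, "SSODL " + clsid, name, path.strip(), missing))
    elif sec == "O23":
        # "Service: display name - vendor - image path"
        m23 = re.match(r"^Service:\s+(.*?)\s+-\s+(.*?)\s+-\s+(.*)$", body)
        if m23:
            name, vendor, raw = m23.groups()
            e = Entry(sec, "Service (" + vendor + ")", name, exe_path(raw), missing)
            if missing and '"' in raw:
                # stray quote: HijackThis split a quoted ImagePath with arguments and called the fragment missing
                e.flags.append("'file missing' after a split quoted ImagePath: likely a parsing artefact")
            out.append(e)
    return out

def assess(e: Entry) -> Entry:
    """Attach analyst heuristics (this example's assumptions): starting points, not verdicts."""
    if e.file_missing:
        e.flags.append("target file missing: orphaned autostart entry")
    if e.section == "O20":
        e.flags.append("AppInit_DLLs: loaded into every process that links user32.dll")
    if e.section == "O21":
        e.flags.append("SSODL: loaded by Explorer at logon and runs inside explorer.exe")
    if e.section != "O20" and "\\" not in e.path:
        e.flags.append("bare filename: resolved through the DLL/PATH search order")
    if USER_DATA_DIR.search(e.path):
        e.flags.append("runs straight from the profile's Local Settings\\Application Data")
    if e.section == "O4" and e.name.lower() == e.path.rsplit("\\", 1)[-1].lower():
        e.flags.append("Run value named after its own file, typical of generated names")
    return e

def parse_log(text: str) -> List[Entry]:
    return [assess(e) for line in text.splitlines() for e in parse_line(line)]

def triage(text: str) -> List[Entry]:
    """Flagged entries only, most-flagged first (ties keep log order)."""
    return sorted((e for e in parse_log(text) if e.flags), key=lambda e: -len(e.flags))

# Sample input: lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [clcbt.exe] C:\WINDOWS\system32\clcbt.exe
O4 - HKCU\..\Run: [1c9533f4.exe] C:\Documents and Settings\Paul\Local Settings\Application Data\1c9533f4.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O20 - AppInit_DLLs: shmecmse.dll ciaddavc.dll
O21 - SSODL: DCOM Server 2240 - {2C1CD3D7-86AC-4068-93BC-A02304BB2240} - C:\WINDOWS\system32\2240_28.dll (file missing)
O21 - SSODL: hksrv.dll - {9B4B67AA-F230-4602-8344-66104AFB4A25} - hksrv.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""
if __name__ == "__main__":
    for e in triage(SAMPLE_LOG): print(e.section, e.name, e.path, "|", "; ".join(e.flags))
```

Run it as a script for a ranked list, or import it and call triage() on a pasted log. Note the avast! Mail Scanner service line from the later log: the stray quote left in its path suggests HijackThis 1.99.1 split a quoted ImagePath with arguments, so that particular "(file missing)" is flagged as a probable parsing artefact rather than an infection; check the file by hand before fixing such an entry.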
Old 08-08-2006, 02:17 AM   #8 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 12
OS: xp


Jotti scan:

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Dr.Web:

FILE0011.CHK;C:\FOUND.013;Trojan.DownLoader.10320;Incurable.Moved.;
FILE0018.CHK;C:\FOUND.013;Trojan.DownLoader.9894;Incurable.Moved.;
FILE0019.CHK;C:\FOUND.013;Trojan.DownLoader.9894;Incurable.Moved.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.616;Incurable.Moved.;
FILE0027.CHK;C:\FOUND.013;Tool.ProcessKill;Moved.;
dfcpr.dll;C:\WINDOWS\system32;Probably UPX;Incurable.Moved.;
fwRemoteCfg.dll;C:\Program Files\Common Files\FTL Shared;Probably DLOADER.Trojan;Incurable.Moved.;
FILE0000.CHK;C:\FOUND.013;Trojan.DownLoader.based;Deleted.;

SmitFraudFix v2.81

Scan done at 9:01:42.34, 06-08-08
Run from C:\Documents and Settings\Paul\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Paul\Application Data

C:\Documents and Settings\Paul\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PAUL\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"CallBack Ware"="{8e29f930-135a-4568-3338-24cbc8cbbfc1}"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2240}"="DCOM Server 2240"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
Logfile of HijackThis v1.99.1
Scan saved at 09:15, on 06-08-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Paul\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{918C79A8-7413-4598-9CA1-C2FB83BBE473}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: shmecmse.dll ciaddavc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Thanks again.
Old 08-08-2006, 08:34 AM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,235
OS: 2000 Pro; XP Pro; XP Home


You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
  • This will open the newly created hosts folder on your Desktop.
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.

---------------------------------------------------------------------------------------------

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O20 - AppInit_DLLs: shmecmse.dll ciaddavc.dll


---------------------------------------------------------------------------------------------


Delete the following if they exist:

C:\FOUND.001\FILE0001.CHK
C:\FOUND.005\FILE0266.CHK
C:\FOUND.006\FILE0001.CHK
C:\FOUND.013\FILE0014.CHK
C:\FOUND.013\FILE0032.CHK
C:\FOUND.015\FILE0000.CHK
C:\FOUND.015\FILE0004.CHK
C:\FOUND.015\FILE0009.CHK
C:\FOUND.015\FILE0019.CHK


---------------------------------------------------------------------------------------------

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Once back in normal mode:

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

---------------------------------------------------------------------------------------------

Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Leave the scanning options at default and press "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and post it in your next reply.

---------------------------------------------------------------------------------------------

Run combofix once again, and post its log.

Also post a new HJT log.

---------------------------------------------------------------------------------------------

So, please provide results from:

SmitfraudFix
Online scan
combofix
HJT
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
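The HOSTS redirection the MVPS step above relies on, as an added example that is not code from this thread or from the MVPS project: a Python audit that classifies each HOSTS entry as a loopback block, a redirect elsewhere, or a watch-listed hijack, the check a helper would run on a file after a Qhost detection like the one in the BitDefender report further down. WATCH_SUFFIXES and the sample file are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed watch list (hypothetical names): hostname suffixes of update
# servers for the security tools on the box. A block-list entry for one of
# these is a Qhost-style hijack that cuts the machine off from updates.
WATCH_SUFFIXES = ("example-av.test", "windowsupdate.test")


@dataclass
class HostsAudit:
    blocked: List[str] = field(default_factory=list)                 # sent to loopback / 0.0.0.0
    redirected: List[Tuple[str, str]] = field(default_factory=list)  # (name, address) sent elsewhere
    suspicious: List[str] = field(default_factory=list)              # watch-listed names, any target
    malformed: List[str] = field(default_factory=list)               # lines that do not parse


def parse_hosts(text: str) -> HostsAudit:
    """Classify every name -> address mapping in a HOSTS file."""
    audit = HostsAudit()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            audit.malformed.append(raw.strip())
            continue
        if len(parts) < 2:
            audit.malformed.append(raw.strip())
            continue
        # MVPS-style block entries use 127.0.0.1 (or 0.0.0.0): the name
        # resolves to the local machine and the ad server is never contacted.
        sinkholed = addr.is_loopback or addr.is_unspecified
        for name in parts[1:]:
            name = name.lower()
            if name == "localhost":
                continue  # the loopback entry every HOSTS file carries
            if sinkholed:
                audit.blocked.append(name)
            else:
                audit.redirected.append((name, str(addr)))
            if name.endswith(WATCH_SUFFIXES):
                audit.suspicious.append(name)
    return audit


# Constructed sample, not the real MVPS file.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 ads1.example.test      # typical MVPS block entry
0.0.0.0   ads2.example.test
10.0.0.99 www.example-bank.test  # hijack: a real site sent somewhere else
127.0.0.1 update.example-av.test # hijack: an update server silently blocked
bogus line with no address
"""

if __name__ == "__main__":
    audit = parse_hosts(SAMPLE_HOSTS)
    print(f"{len(audit.blocked)} names sinkholed to loopback")
    for name, addr in audit.redirected:
        print(f"REDIRECTED  {name} -> {addr}")
    for name in audit.suspicious:
        print(f"SUSPICIOUS  {name} (watch-listed host present in HOSTS)")
    for line in audit.malformed:
        print(f"MALFORMED   {line!r}")
```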
Old 08-08-2006, 03:18 PM   #10 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 12
OS: xp



Logfile of HijackThis v1.99.1
Scan saved at 22:12, on 06-08-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Paul\Desktop\New Folder\HijackThis.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{918C79A8-7413-4598-9CA1-C2FB83BBE473}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
8 22:07:26.89
Running from: C:\DOCUME~1\Paul\LOCALS~1\Temp\

((((((((((((((((((((((((((((((( Files Created from 2006-07-08 to 2006-08-08 ))))))))))))))))))))))))))))))))))


2006-08-08 20:19 199,806,976 C:\hiberfil.sys
2006-08-08 09:01 53,248 C:\WINDOWS\system32\Process.exe
2006-08-08 09:01 42,496 C:\WINDOWS\system32\swreg.exe
2006-08-08 09:01 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-08-08 01:04 90,112 C:\WINDOWS\system32\AVASTSS.scr
2006-08-08 01:04 597,504 C:\WINDOWS\system32\aswBoot.exe
2006-08-07 21:46 112,259 C:\WINDOWS\system32\mswmmqce.exe
2006-08-07 17:21 1,176 C:\WINDOWS\system32\ggjlm.ini2
2006-08-07 10:33 73,728 C:\WINDOWS\system32\asuninst.exe
2006-08-07 10:33 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-08-06 21:56 469,997 C:\WINDOWS\system32\ggjlm.bak2
2006-08-04 23:28 90,112 C:\WINDOWS\system32\RegDACL.exe
2006-08-04 23:28 5,862 C:\clean.bat
2006-08-04 23:28 40,960 C:\WINDOWS\system32\swsc.exe
2006-08-04 23:28 4,096 C:\WINDOWS\system32\reboot.exe
2006-08-04 23:28 38,400 C:\WINDOWS\system32\moveex.exe
2006-08-03 09:05 573,492 C:\WINDOWS\system32\mljgg.dll
2006-08-02 15:26 94,208 C:\WINDOWS\system32\pisia32.dll
2006-08-02 14:16 8,464 C:\WINDOWS\system32\sporder.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-08 21:38 469997 ---hs---- C:\WINDOWS\system32\ggjlm.bak2
2006-08-08 01:04 ------- d-------- C:\Program Files\Alwil Software
2006-08-07 21:46 112259 --ah----- C:\WINDOWS\system32\mswmmqce.exe
2006-08-07 18:14 1176 ---hs---- C:\WINDOWS\system32\ggjlm.ini2
2006-08-06 22:38 ------- d-------- C:\Program Files\CleanUp!
2006-08-06 22:29 ------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-04 23:28 ------- d-------- C:\Program Files\HaxFix
2006-08-03 09:05 573492 --------- C:\WINDOWS\system32\mljgg.dll
2006-08-02 21:13 ------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-08-02 20:52 359808 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2006-08-02 19:43 ------- d-------- C:\Program Files\Lavasoft
2006-08-02 19:43 ------- d-------- C:\Documents and Settings\Paul\Application Data\Lavasoft
2006-08-02 17:09 5862 --a------ C:\clean.bat
2006-08-02 15:26 94208 --a------ C:\WINDOWS\system32\pisia32.dll
2006-08-02 14:16 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-08-02 14:13 ------- d--h----- C:\Program Files\BHO Plugin
2006-06-19 14:03 ------- d-------- C:\Documents and Settings\Paul\Application Data\Sun
2006-05-25 01:22 53248 --a------ C:\WINDOWS\bdoscandel.exe
2006-05-12 02:33 73736 --a------ C:\WINDOWS\system32\_winsys00.dll
2006-05-08 15:23 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"POINTER"="point32.exe"
"DSLSTATEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"
"DSLAGENTEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"
"%FP%Friendly fts.exe"="\"C:\\Program Files\\VoyagerTest\\fts.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000001

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"CallBack Ware"="{8e29f930-135a-4568-3338-24cbc8cbbfc1}"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2240}"="DCOM Server 2240"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder

Completion time: 06-08-08 22:09:48.87
ComboFix ver 06.08.04 - This logfile is located at C:\ComboFix.txt

ComboFix2.txt
ComboFix3.txt
ComboFix.txt


online scan

Scan report generated at: Tue, Aug 08, 2006 - 21:59:59
Scan path: A:\;C:\;D:\;E:\;

Statistics
Time: 01:21:04
Files: 173874
Folders: 2408
Boot Sectors: 2
Archives: 1496
Packed Files: 15941

Results
Identified Viruses: 5
Infected Files: 8
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 9

Engines Info
Virus Definitions: 443349
Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 5
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File -> Status
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.060802-2346.txt -> Infected with: Generic.Qhost.6A8C1AED
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.060802-2346.txt -> Disinfection failed
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.060802-2346.txt -> Deleted
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.060802-2352.txt -> Infected with: Generic.Qhost.00EDC811
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.060802-2352.txt -> Disinfection failed
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.060802-2352.txt -> Deleted
C:\Documents and Settings\Paul\DoctorWeb\Quarantine\FILE0011.CHK=>(NSIS o) -> Infected with: Trojan.Downloader.Agent.AOE
C:\Documents and Settings\Paul\DoctorWeb\Quarantine\FILE0011.CHK=>(NSIS o) -> Disinfection failed
C:\Documents and Settings\Paul\DoctorWeb\Quarantine\FILE0011.CHK=>(NSIS o) -> Deleted
C:\Documents and Settings\Paul\DoctorWeb\Quarantine\FILE0011.CHK -> Update failed
C:\Documents and Settings\Paul\DoctorWeb\Quarantine\dfcpr.dll=>(Quarantine-PE) -> Infected with: Trojan.Spy.Mxsender.F
C:\Documents and Settings\Paul\DoctorWeb\Quarantine\dfcpr.dll=>(Quarantine-PE) -> Disinfection failed
C:\Documents and Settings\Paul\DoctorWeb\Quarantine\dfcpr.dll=>(Quarantine-PE) -> Deleted
C:\Program Files\ewido anti-spyware 4.0\Quarantine\filB5144A40.dat=>(gzip) -> Infected with: Trojan.Agent.UV
C:\Program Files\ewido anti-spyware 4.0\Quarantine\filB5144A40.dat=>(gzip) -> Disinfection failed
C:\Program Files\ewido anti-spyware 4.0\Quarantine\filB5144A40.dat=>(gzip) -> Deleted
C:\Program Files\ewido anti-spyware 4.0\Quarantine\filB5144A40.dat -> Update failed
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil2458AC84.dat=>(gzip) -> Infected with: Trojan.Agent.UV
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil2458AC84.dat=>(gzip) -> Disinfection failed
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil2458AC84.dat=>(gzip) -> Deleted
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil2458AC84.dat -> Update failed
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil90461F10.dat=>(gzip) -> Infected with: Trojan.Agent.UV
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil90461F10.dat=>(gzip) -> Disinfection failed
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil90461F10.dat=>(gzip) -> Deleted
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil90461F10.dat -> Update failed
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil0F70D690.dat=>(gzip) -> Infected with: Trojan.Agent.UV
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil0F70D690.dat=>(gzip) -> Disinfection failed
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil0F70D690.dat=>(gzip) -> Deleted
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil0F70D690.dat -> Update failed



SmitFraudFix v2.81

Scan done at 20:09:39.75, 06-08-08
Run from C:\Documents and Settings\Paul\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"CallBack Ware"="{8e29f930-135a-4568-3338-24cbc8cbbfc1}"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2240}"="DCOM Server 2240"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Documents and Settings\Paul\Application Data\Install.dat Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"CallBack Ware"="{8e29f930-135a-4568-3338-24cbc8cbbfc1}"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2240}"="DCOM Server 2240"



»»»»»»»»»»»»»»»»»»»»»»»» End


keep up the good work
Old 08-08-2006, 07:41 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,235
OS: 2000 Pro; XP Pro; XP Home


Thanks....this should take care of the rest of the items remaining....

I have attached a file to this post - paul.zip Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry.

-----------------------------------------------------------------------
  • Double click on HijackThis.exe to run it.
  • Click on Open the Misc Tools section
  • click the button labelled "Delete A File on Reboot..."
  • In the dialogue that shows up, enter the path (type, or copy and paste) of the file in "file name:" field C:\WINDOWS\system32\ggjlm.bak2
  • When you have selected the file, Click the "Open" Button
  • Click No at the next prompt
  • Do that for the following files also.
  • C:\WINDOWS\system32\mswmmqce.exe
  • C:\WINDOWS\system32\ggjlm.ini2
  • C:\WINDOWS\system32\mljgg.dll
  • When you get to the last one, click Yes when HJT asks you to reboot.

-----------------------------------------------------------------------

It's very important for you to move combofix from a temp location. It needs to be placed on the desktop. Once you've placed it on the desktop, please run it once again, and post the log.

-----------------------------------------------------------------------

Also post a new HJT log.

How is your system behaving now please?

Last edited by tetonbob; 09-19-2006 at 01:53 PM.
Old 08-09-2006, 12:26 PM   #12 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 12
OS: xp


I did what you said, but when it came to the HJT bit, I clicked the button Delete on Reboot and HJT just closes.

ComboFix is on my desktop and has always been there :-S Any ideas?

Computer's running okay, no pop-ups or anything.
Old 08-09-2006, 08:29 PM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,235
OS: 2000 Pro; XP Pro; XP Home


Please rename HijackThis.exe to HJT.exe and then see if you can perform the delete on reboot functions.

Please post a new HJT log with the renamed version, regardless of if that works or not.
Old 08-10-2006, 04:41 AM   #14 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 12
OS: xp


Once I renamed it, it did the delete on reboot. Here is the log after the reboot.

Logfile of HijackThis v1.99.1
Scan saved at 11:36, on 06-08-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Paul\Desktop\New Folder\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {4A028D9D-F016-4BDA-9DA9-FBA1B98957C0} - C:\WINDOWS\system32\mljgg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll
O20 - Winlogon Notify: msstkbdd - C:\WINDOWS\system32\msstkbdd.dll (file missing)
O20 - Winlogon Notify: mswmmqce - C:\WINDOWS\system32\mswmmqce.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

thanks
Old 08-10-2006, 08:39 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,235
OS: 2000 Pro; XP Pro; XP Home


Please delete the current version of combofix you have. Also look for a folder C:\sUBs and delete it if found.

You still have an active Vundo infection, and a new bad guy has shown up to the party.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt at the end of this fix.

Launch KillBox.exe & select the following options:
  • delete on Reboot
  • All files (if available)
Use your mouse to select all the filenames highlighted in blue & then right-click & select Copy
  • C:\Documents and Settings\AllUsers\Documents\Settings\artm_new.dll
  • Go to the File menu, and choose Paste from Clipboard
  • Click the RED X button.
  • Click Yes at the Delete on Reboot prompt.
  • Click Yes at the 'Pending Operations prompt'.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\AllUsers\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: msstkbdd - C:\WINDOWS\system32\msstkbdd.dll (file missing)
O20 - Winlogon Notify: mswmmqce - C:\WINDOWS\system32\mswmmqce.dll (file missing)


---------------------------------------------------------------------------------------------

Post back the vundo log and a new HJT log.
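The O20 entries the helper keeps asking to have fixed (AppInit_DLLs in post #9, Winlogon Notify here), as an added example that is not code from this thread or from HijackThis: a Python triage pass over HJT log lines that flags AppInit DLLs, orphaned Notify registrations marked "(file missing)", Notify DLLs living outside System32, and Notify packages that are not part of a stock install. KNOWN_NOTIFY is the Windows XP default set as assumed here, and the sample log is a constructed excerpt built from the entry shapes in this thread.

```python
import re
from typing import List, NamedTuple

# Assumed: the Winlogon\Notify packages a stock Windows XP install registers.
# HijackThis normally hides these; anything else under Notify deserves a look.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
SYSTEM32 = "c:\\windows\\system32\\"

APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")


class Finding(NamedTuple):
    kind: str   # appinit | orphaned-notify | notify-outside-system32 | non-default-notify
    name: str   # DLL name (AppInit) or Notify package name
    line: str   # the log line the finding came from


def triage_o20(log_text: str) -> List[Finding]:
    """Return one Finding per O20 entry a helper would ask to have fixed."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is normally empty on XP; every DLL listed there is
            # loaded into each process that maps user32.dll, a classic
            # persistence spot, so each one is reported.
            for dll in m.group("dlls").split():
                findings.append(Finding("appinit", dll, line))
            continue
        m = NOTIFY_RE.match(line)
        if not m:
            continue
        name, path = m.group("name"), m.group("path")
        if m.group("missing"):
            # The registration survived but the DLL is gone: leftover of a
            # partial removal, still fixed so Winlogon stops looking for it.
            findings.append(Finding("orphaned-notify", name, line))
        elif not path.lower().startswith(SYSTEM32):
            # Legitimate Notify packages live in System32; a DLL under
            # Documents and Settings is the pattern seen in this thread.
            findings.append(Finding("notify-outside-system32", name, line))
        elif name.lower() not in KNOWN_NOTIFY:
            findings.append(Finding("non-default-notify", name, line))
    return findings


# Constructed excerpt that reuses the entry shapes seen in this thread's logs.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O20 - AppInit_DLLs: shmecmse.dll ciaddavc.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll
O20 - Winlogon Notify: msstkbdd - C:\WINDOWS\system32\msstkbdd.dll (file missing)
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
"""

if __name__ == "__main__":
    for f in triage_o20(SAMPLE_LOG):
        print(f"{f.kind:24} {f.name:14} {f.line}")
```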
Old 08-11-2006, 12:31 PM   #16 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 12
OS: xp


I deleted ComboFix and the subs folder.

I ran KillBox and deleted the file you said, but it asked me to reboot. I clicked Yes, then the countdown began, then an error box came up saying "pending file name operations registry has been moved by external process". Then I clicked OK and rebooted anyway.

VundoFix didn't find anything.

Here is the log file from HJT:
Logfile of HijackThis v1.99.1
Scan saved at 19:29, on 06-08-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Paul\Desktop\New Folder\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {94EC983D-583A-4954-96A5-A784511C4093} - C:\WINDOWS\system32\mljgg.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{918C79A8-7413-4598-9CA1-C2FB83BBE473}: NameServer = 205.188.146.145
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
Old 08-12-2006, 09:51 AM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,609
OS: WinXP and Vista


Hello Hopperonfire,

As tetonbob's online time is limited as of late, he has asked me to continue with you.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

**********************************************************

I'm going to have you download combofix again.

Download combofix from one of these locations:
When you click on the link, choose 'Save'. A dialog box will pop up giving you a choice of where to save the file.
  • At the top of the dialog box, you will see 'Save In'
  • Use the small blue arrow to the right of the open field and choose 'Desktop' from the list.
  • Please ensure that 'Desktop' is showing in the open field next to 'Save In'
  • Click 'Save'
  • You should now see combofix.exe on your desktop

-------------------------------------

Close any open browsers

-------------------------------------

Click Start>Run and copy/paste the following text into the run box and click OK:

"%userprofile%\desktop\combofix.exe" /v mljgg

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


-------------------------------------

* Double click on HijackThis.exe to run it.
* Go to Config> Misc Tools
* Click the button labeled "Delete A File on Reboot..."
* In the dialogue that shows up, copy/paste the following into the "file name:" field

C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

*Do not reboot yet.

-------------------------------------

In HijackThis, click the 'Back' button on the bottom right.

Run a scan with HijackThis. 'Check' the following entry:

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

Click 'Fix Checked' and close HijackThis.

-------------------------------------

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

-----------------------------------

Reboot into Normal Mode.

-----------------------------------

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
  • Click on see report. Then click Save report

Please include the following in your next reply:

combofix log
Panda results
New HijackThis log
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
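The O20 and O2 entries being fixed in this thread are load points rather than files that merely happen to exist: a Winlogon Notify DLL is loaded by winlogon.exe at every logon, and the ComboFix Vundo log in this thread pairs mljgg.dll with a reversed-name ggjlm.ini. The script below is an added example, not code from the thread or from HijackThis: it parses the O2/O20/O23 lines of a HijackThis log (sample lines copied from the 08-11-2006 log) and ranks them with exactly those two checks plus a note for "(file missing)" orphans. The path rules, severities and the helper names are this example's own choices, and the system32 listing is a constructed sample taken from the Vundo log.

```python
"""Triage the load-point lines (O2, O20, O23) in a HijackThis log.

Added example, not code from the thread or from HijackThis.  Heuristics:
  * an O20 Winlogon Notify DLL outside system32 is a strong persistence sign;
  * a DLL whose reversed stem exists as an .ini in system32 matches the
    mljgg.dll / ggjlm.ini pairing seen in the Vundo log;
  * "(file missing)" marks an orphaned registry reference.
"""
import ntpath
import re
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"

# Constructed sample: a subset of the lines from the log posted on 08-11-2006
# (raw string, so the backslashes are literal).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {94EC983D-583A-4954-96A5-A784511C4093} - C:\WINDOWS\system32\mljgg.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# Constructed sample: system32 file names taken from the Vundo log in this thread.
SAMPLE_SYSTEM32_FILES = ["MLJGG.DLL", "GGJLM.INI"]

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
# First Windows path (drive letter or %var%) that ends in an executable extension.
PATH_RE = re.compile(r'((?:[A-Za-z]:|%[^%]+%)\\[^"]*?\.(?:dll|exe|sys|ocx))', re.I)


@dataclass
class Finding:
    line: str
    severity: str  # "high", "medium" or "low"
    reason: str


def parse_line(line):
    """Return (section, kind, name, path, file_missing) or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    missing = rest.endswith("(file missing)")
    pm = PATH_RE.search(rest)
    if not pm:
        return None
    name = rest.split(" - ")[0]  # "(no name)", the Notify key, or the service name
    return section, kind, name, pm.group(1), missing


def triage(log_text, system32_files=()):
    """Return a list of Findings for the O2/O20/O23 entries in log_text.

    system32_files is an optional listing of file names in system32 (for
    instance lifted from a ComboFix report) used for the reversed-name check.
    """
    present = {f.lower() for f in system32_files}
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, _kind, name, path, missing = parsed
        lpath = path.lower()
        stem = ntpath.splitext(ntpath.basename(lpath))[0]
        in_system32 = lpath.startswith(SYSTEM32 + "\\")
        vundo_twin = stem[::-1] + ".ini" in present

        if section == "O20" and not in_system32:
            findings.append(Finding(line, "high",
                "Winlogon Notify DLL outside system32; loaded by winlogon.exe at logon"))
        elif section in ("O2", "O20") and vundo_twin:
            findings.append(Finding(line, "high",
                f"{stem}.dll has reversed-name companion {stem[::-1]}.ini (Vundo pattern)"))
        elif section == "O2" and name == "(no name)" and in_system32:
            findings.append(Finding(line, "medium",
                "unnamed BHO in system32; verify the DLL's publisher"))
        if missing:
            findings.append(Finding(line, "low",
                "entry points at a file that no longer exists (orphaned load point)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SAMPLE_SYSTEM32_FILES):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run without the system32 listing, the mljgg.dll BHO only rates "medium"; feeding in the file names from the ComboFix report is what turns it into the Vundo match, which is why the helpers ask for both logs together.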
Old 08-13-2006, 02:35 AM   #18 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 12
OS: xp


(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\SYSTEM32\MLJGG.DLL
C:\WINDOWS\SYSTEM32\GGJLM.INI


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\SYSTEM32\GGJLM.INI

2:45:56.87
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-09 21:38:48 102420 ( A.... ) "C:\WINDOWS\system32\qscfawqe.dll"
2006-08-08 01:04:12 ( .D... ) "C:\Program Files\Alwil Software"
2006-08-07 21:46:56 112259 ( A..H. ) "C:\WINDOWS\system32\mswmmqce.exe"
2006-08-06 22:38:34 ( .D... ) "C:\Program Files\CleanUp!"
2006-08-06 22:29:12 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-08-04 23:28:52 ( .D... ) "C:\Program Files\HaxFix"
2006-08-02 21:13:56 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-08-02 19:43:40 ( .D... ) "C:\Documents and Settings\Paul\Application Data\Lavasoft"
2006-08-02 19:43:10 ( .D... ) "C:\Program Files\Lavasoft"
2006-08-02 17:09:18 5862 ( A.... ) "C:\clean.bat"
2006-08-02 15:26:56 94208 ( A.... ) "C:\WINDOWS\system32\pisia32.dll"
2006-08-02 14:16:48 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-08-02 14:13:26 ( .D.H. ) "C:\Program Files\BHO Plugin"
2006-06-19 14:03:26 ( .D... ) "C:\Documents and Settings\Paul\Application Data\Sun"
2006-05-25 01:22:06 53248 ( A.... ) "C:\WINDOWS\bdoscandel.exe"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-09 21:38 102,420 C:\WINDOWS\system32\qscfawqe.dll
2006-08-08 20:19 199,806,976 C:\hiberfil.sys
2006-08-08 09:01 53,248 C:\WINDOWS\system32\Process.exe
2006-08-08 09:01 42,496 C:\WINDOWS\system32\swreg.exe
2006-08-08 09:01 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-08-08 01:04 90,112 C:\WINDOWS\system32\AVASTSS.scr
2006-08-08 01:04 597,504 C:\WINDOWS\system32\aswBoot.exe
2006-08-07 21:46 112,259 C:\WINDOWS\system32\mswmmqce.exe
2006-08-07 10:33 73,728 C:\WINDOWS\system32\asuninst.exe
2006-08-07 10:33 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-08-04 23:28 90,112 C:\WINDOWS\system32\RegDACL.exe
2006-08-04 23:28 5,862 C:\clean.bat
2006-08-04 23:28 40,960 C:\WINDOWS\system32\swsc.exe
2006-08-04 23:28 4,096 C:\WINDOWS\system32\reboot.exe
2006-08-04 23:28 38,400 C:\WINDOWS\system32\moveex.exe
2006-08-02 15:26 94,208 C:\WINDOWS\system32\pisia32.dll
2006-08-02 14:16 8,464 C:\WINDOWS\system32\sporder.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"POINTER"="point32.exe"
"DSLSTATEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"
"DSLAGENTEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"
"%FP%Friendly fts.exe"="\"C:\\Program Files\\VoyagerTest\\fts.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system



Contents of the 'Scheduled Tasks' folder

Completion time: 06-08-13 2:46:46.87
ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-13.024216.txt



Incident Status Location

Spyware:spyware/media-motor Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Paul\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Paul\Desktop\SmitfraudFix\Process.exe
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Paul\DoctorWeb\Quarantine\FILE0018.CHK[²ÜÇ\nsProcess.dll]
Adware:Adware/NewAds Not disinfected C:\Documents and Settings\Paul\DoctorWeb\Quarantine\FILE0018.CHK[¦&&\Windows\WinUpdate.exe]
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Paul\DoctorWeb\Quarantine\FILE0018.CHK[¦&&\Windows\WinUpdate.exe][²ÜÇ\nsProcess.dll]
Adware:Adware/NewAds Not disinfected C:\Documents and Settings\Paul\DoctorWeb\Quarantine\FILE0018.CHK[¦&&\Windows\WinUpdate.exe][²ªÇ]
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Paul\DoctorWeb\Quarantine\FILE0019.CHK[²ÜÇ\nsProcess.dll]
Adware:Adware/NewAds Not disinfected C:\Documents and Settings\Paul\DoctorWeb\Quarantine\FILE0019.CHK[¦&&\Windows\WinUpdate.exe]
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Paul\DoctorWeb\Quarantine\FILE0019.CHK[¦&&\Windows\WinUpdate.exe][²ÜÇ\nsProcess.dll]
Adware:Adware/NewAds Not disinfected C:\Documents and Settings\Paul\DoctorWeb\Quarantine\FILE0019.CHK[¦&&\Windows\WinUpdate.exe][²ªÇ]
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Paul\DoctorWeb\Quarantine\FILE0027.CHK
Spyware:Cookie/2o7 Not disinfected C:\FOUND.006\FILE0001.CHK
Spyware:Cookie/Reliablestats Not disinfected C:\FOUND.017\FILE0004.CHK
Virus:Trj/Agent.CNM Disinfected C:\!KillBox\ciaddavc.dll
Adware:Adware/DigInk Not disinfected C:\!KillBox\uni_ehhh.exe
Virus:Trj/Agent.CNM Disinfected C:\!KillBox\ciaddavc.dll( 2)
Adware:Adware/DigInk Not disinfected C:\!KillBox\uni_ehhh.exe( 6)
Virus:Trj/Agent.CNM Disinfected C:\!KillBox\ciaddavc.dll( 8)
Adware:Adware/DigInk Not disinfected C:\!KillBox\uni_ehhh.exe( 12)
Virus:Trj/Agent.CNM Disinfected C:\!KillBox\ciaddavc.dll( 14)
Adware:Adware/DigInk Not disinfected C:\!KillBox\uni_ehhh.exe( 18)
Virus:Trj/Agent.CNM Disinfected C:\!KillBox\ciaddavc.dll( 20)
Adware:Adware/DigInk Not disinfected C:\!KillBox\uni_ehhh.exe( 24)

Logfile of HijackThis v1.99.1
Scan saved at 09:34, on 06-08-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Paul\Desktop\New Folder\HJT.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {39DD5C57-3453-4C4D-846F-B82EB515E1F5} - C:\WINDOWS\system32\mljgg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{918C79A8-7413-4598-9CA1-C2FB83BBE473}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


thanks for the help
Old 08-13-2006, 09:30 AM   #19 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,609
OS: WinXP and Vista


Hello Hopperonfire,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

*********************************************************

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login on your usual account. Make sure to close any open browsers.

-----------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entry:

O2 - BHO: (no name) - {39DD5C57-3453-4C4D-846F-B82EB515E1F5} - C:\WINDOWS\system32\mljgg.dll (file missing)


Click 'Fix Checked' and close HijackThis.

-----------------------------------

Delete the following Files

C:\WINDOWS\system32\qscfawqe.dll
C:\WINDOWS\system32\mswmmqce.exe
C:\WINDOWS\system32\pisia32.dll


-----------------------------------

Navigate to, and empty the Dr Web Quarantine folder:

C:\Documents and Settings\Paul\DoctorWeb\Quarantine <--Leave the folder intact, just empty/delete its contents.

-----------------------------------

Reboot into Normal Mode.

-----------------------------------

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

-------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


-------------------------------------

Please provide the following in your next reply:

Kaspersky results
combofix log
New HijackThis log


How is your system behaving now, please?
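The three files listed for deletion above were picked out of the ComboFix Find3M report because they were recently created executables in system32, one of them (mswmmqce.exe) with the hidden attribute set, and the next ComboFix report is what confirms they are gone. The script below is an added example, not part of the thread or of ComboFix: it parses Find3M lines, flags hidden executables under system32, and diffs a before and an after listing to verify that every requested deletion actually happened. The sample listings are constructed subsets of the two 08-13-2006 reports in this thread, and the function names and attribute rules are this example's own.

```python
"""Diff two ComboFix Find3M listings and flag hidden executables in system32.

Added example, not code from the thread or from ComboFix.  The Find3M line
format parsed here is the one shown in the posted reports:
    2006-08-07 21:46:56 112259 ( A..H. ) "C:\\WINDOWS\\system32\\mswmmqce.exe"
The five-character attribute field is read as A=archive, D=directory,
H=hidden (this example's reading of the posted output).
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: subset of the report posted before the deletions.
BEFORE = r'''
2006-08-09 21:38:48 102420 ( A.... ) "C:\WINDOWS\system32\qscfawqe.dll"
2006-08-08 01:04:12 ( .D... ) "C:\Program Files\Alwil Software"
2006-08-07 21:46:56 112259 ( A..H. ) "C:\WINDOWS\system32\mswmmqce.exe"
2006-08-02 15:26:56 94208 ( A.... ) "C:\WINDOWS\system32\pisia32.dll"
2006-08-02 14:16:48 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-08-02 14:13:26 ( .D.H. ) "C:\Program Files\BHO Plugin"
'''

# Constructed sample: subset of the report posted after the cleanup.
AFTER = r'''
2006-08-08 01:04:12 ( .D... ) "C:\Program Files\Alwil Software"
2006-08-02 14:16:48 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-08-02 14:13:26 ( .D.H. ) "C:\Program Files\BHO Plugin"
'''

# The paths the helper asked to have deleted.
REQUESTED_DELETIONS = [
    r"C:\WINDOWS\system32\qscfawqe.dll",
    r"C:\WINDOWS\system32\mswmmqce.exe",
    r"C:\WINDOWS\system32\pisia32.dll",
]

# timestamp, optional size (absent for directories), attribute field, quoted path
FIND3M_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)?\s*\( ([A-Z.]{5}) \) "(.*)"$'
)
EXEC_EXT = {".dll", ".exe", ".sys", ".ocx", ".scr"}


@dataclass
class Entry:
    path: str
    timestamp: str
    size: Optional[int]
    attrs: str

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_find3m(text):
    """Map lower-cased path -> Entry for every Find3M line in text."""
    entries = {}
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        entries[path.lower()] = Entry(path, ts, int(size) if size else None, attrs)
    return entries


def diff_listings(before, after):
    """Return (removed, added) as sorted lists of original-case paths."""
    removed = sorted(before[p].path for p in before.keys() - after.keys())
    added = sorted(after[p].path for p in after.keys() - before.keys())
    return removed, added


def verify_deleted(after, requested):
    """Paths from `requested` that still appear in the after listing."""
    return [p for p in requested if p.lower() in after]


def hidden_executables(entries, root=r"c:\windows\system32"):
    """Hidden, non-directory files with an executable extension under root."""
    out = []
    for key, e in entries.items():
        ext = ntpath.splitext(key)[1]
        if e.hidden and not e.is_dir and ext in EXEC_EXT and key.startswith(root + "\\"):
            out.append(e.path)
    return sorted(out)


if __name__ == "__main__":
    before, after = parse_find3m(BEFORE), parse_find3m(AFTER)
    print("hidden executables before:", hidden_executables(before))
    removed, added = diff_listings(before, after)
    print("removed:", removed, "\nadded:", added)
    print("still present:", verify_deleted(after, REQUESTED_DELETIONS))
```

An empty "still present" list and an empty "added" list are the two results to look for: the first confirms the requested deletions took, the second that nothing dropped back into place after the reboot.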
Old 08-13-2006, 02:58 PM   #20 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 12
OS: xp


Start Time= 06-08-13 21:48:57.78
Running from: C:\Documents and Settings\Paul\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-08 01:04:12 ( .D... ) "C:\Program Files\Alwil Software"
2006-08-06 22:38:34 ( .D... ) "C:\Program Files\CleanUp!"
2006-08-06 22:29:12 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-08-04 23:28:52 ( .D... ) "C:\Program Files\HaxFix"
2006-08-02 21:13:56 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-08-02 19:43:40 ( .D... ) "C:\Documents and Settings\Paul\Application Data\Lavasoft"
2006-08-02 19:43:10 ( .D... ) "C:\Program Files\Lavasoft"
2006-08-02 17:09:18 5862 ( A.... ) "C:\clean.bat"
2006-08-02 14:16:48 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-08-02 14:13:26 ( .D.H. ) "C:\Program Files\BHO Plugin"
2006-06-19 14:03:26 ( .D... ) "C:\Documents and Settings\Paul\Application Data\Sun"
2006-05-25 01:22:06 53248 ( A.... ) "C:\WINDOWS\bdoscandel.exe"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-13 19:18 199,806,976 C:\hiberfil.sys
2006-08-08 09:01 53,248 C:\WINDOWS\system32\Process.exe
2006-08-08 09:01 42,496 C:\WINDOWS\system32\swreg.exe
2006-08-08 09:01 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-08-08 01:04 90,112 C:\WINDOWS\system32\AVASTSS.scr
2006-08-08 01:04 597,504 C:\WINDOWS\system32\aswBoot.exe
2006-08-07 10:33 73,728 C:\WINDOWS\system32\asuninst.exe
2006-08-07 10:33 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-08-04 23:28 90,112 C:\WINDOWS\system32\RegDACL.exe
2006-08-04 23:28 5,862 C:\clean.bat
2006-08-04 23:28 40,960 C:\WINDOWS\system32\swsc.exe
2006-08-04 23:28 4,096 C:\WINDOWS\system32\reboot.exe
2006-08-04 23:28 38,400 C:\WINDOWS\system32\moveex.exe
2006-08-02 14:16 8,464 C:\WINDOWS\system32\sporder.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"POINTER"="point32.exe"
"DSLSTATEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"
"DSLAGENTEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"
"%FP%Friendly fts.exe"="\"C:\\Program Files\\VoyagerTest\\fts.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system



Contents of the 'Scheduled Tasks' folder

Completion time: 06-08-13 21:49:39.30
ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-13.024216.txt
ComboFix.2006-08-13.214857.txt

6-08-13 21:46
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 13/08/2006
Kaspersky Anti-Virus database records: 201905
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 28108
Number of viruses found 1
Number of infected objects 0 / 0
Number of suspicious objects 2
Duration of the scan process 01:20:58

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_610.dat Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos8.zip/MTE2ODI6ODoxNg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos8.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Paul\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Paul\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Paul\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\AOL\ACS\UK\forms.fdb Object is locked skipped
C:\Program Files\Common Files\AOL\ACS\UK\static Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 21:57, on 06-08-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Paul\Desktop\New Folder\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{918C79A8-7413-4598-9CA1-C2FB83BBE473}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Computer is still running quite slow.
Copyright 2001 - 2009, Tech Support Forum