sonictime

Help with diskcleaner/vundo/winantivirus/winfixer

10 posts in this topic

Yesterday my computer became infected with a virus or spyware called Winfixer, diskcleaner, Vundo, and WinFixer. While I'm on the Internet, tons of popups and ads appear, such as www.winantivirus.com, and try to force the computer to download them. I scanned with Norton Internet Security (found several trojans and deleted them), Ad-Aware (finds Spylocked, tracking cookies, and several trojans), VundoFix (no results), and Windows Defender (found several of the aforementioned items) but they seem to be coming back when I restart and the WinFixer is never resolved. Any help would be GREATLY appreciated! Thank you.

 

Here's the HijackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 9:12:28 PM, on 4/20/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe

C:\Documents and Settings\Owner\Desktop\Shortcuts\Hijack This\HijackThis.exe

C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"

O4 - HKLM\..\Run: [sNM] C:\Documents and Settings\Owner\Desktop\SpyNoMore\SNM.exe /startup

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe"

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.sxload.net (HKLM)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174791508343

O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{5DCAE18F-7684-438F-810E-FA23D4721E57}: NameServer = 66.38.0.240,66.38.0.241

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - C:\Documents and Settings\Owner\Desktop\docs\wrapper.exe" -s "C:\Documents and Settings\Owner\Desktop\docs\Wrapper.conf (file missing)

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

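Since this thread turns on reading such logs by hand, here is an added example (my own code, not part of this post and not anything HijackThis, SmitfraudFix or ComboFix ships) that applies the checks a helper applies when reading the log above: an unnamed O2 BHO whose DLL sits directly in system32, an O15 Trusted Zone host nobody added on purpose, O17 resolvers to confirm against the ISP, "(file missing)" orphans, and O4 autostarts launched from user-writable paths. It also compares a SecurityProviders registry value of the kind ComboFix prints later in this thread against the Windows XP default list. The sample lines are copied from the logs in this thread (the O2 lines come from the second HijackThis log); the severity labels, the XP_SECURITY_PROVIDERS default list and the TRUSTED_ZONE_ALLOW set are assumptions of this example, and the heuristics are triage aids, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis 1.99.1 logs
# posted in this thread. Not the full log.
SAMPLE_LOG = r"""
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [sNM] C:\Documents and Settings\Owner\Desktop\SpyNoMore\SNM.exe /startup
O15 - Trusted Zone: *.sxload.net (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DCAE18F-7684-438F-810E-FA23D4721E57}: NameServer = 66.38.0.240,66.38.0.241
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\kejjduid.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
"""

# A Windows path ending in a loadable module; directory names may contain spaces.
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\"\r\n]+\\)*[^\\"\r\n]*?\.(?:dll|exe|sys|scr)\b', re.I)
ENTRY_RE = re.compile(r'^(O\d+|R\d) - (.*)$')

# Assumption for this example: Trusted Zone hosts an administrator added on purpose.
TRUSTED_ZONE_ALLOW = {"*.windowsupdate.com"}

# Assumption for this example: the Windows XP default of
# HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders. Compare against a
# known-clean machine of the same build before trusting this list.
XP_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}


@dataclass
class Finding:
    section: str
    severity: str   # "high" or "review"
    reason: str
    line: str


def _path(body):
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def _user_writable(path):
    p = path.lower()
    return "\\documents and settings\\" in p or "\\temp\\" in p


def _in_system32(path):
    return "\\system32\\" in path.lower()


def classify(line):
    """Return a Finding for one HijackThis line, or None when nothing stands out."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    sec, body = m.groups()
    path = _path(body)
    missing = "(file missing)" in body

    if sec == "O2" and "(no name)" in body and path and _in_system32(path):
        # The pattern seen in this thread: an unnamed BHO backed by a DLL dropped
        # straight into system32. The CLSID entry and the DLL both have to go.
        why = "unnamed BHO loading a DLL from system32"
        if missing:
            why += "; file already gone, orphaned registry entry"
        return Finding(sec, "high", why, line)
    if sec == "O15":
        host = body.split("Trusted Zone:")[-1].split("(")[0].strip()
        if host not in TRUSTED_ZONE_ALLOW:
            return Finding(sec, "high", f"unrecognised host {host} in IE Trusted Zone "
                           "(runs with reduced security settings)", line)
        return None
    if sec == "O17":
        # Resolver hijacks look exactly like a normal DHCP lease, so only report.
        ns = body.split("NameServer =")[-1].strip()
        return Finding(sec, "review", f"resolvers {ns}: confirm they belong to the ISP", line)
    if missing:
        return Finding(sec, "review", "loader points to a missing file; stale entry, safe to remove", line)
    if sec == "O4" and path and _user_writable(path):
        return Finding(sec, "review", "autostart from a user-writable path", line)
    return None


def triage(log_text):
    """Run every line through classify() and keep the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]


def extra_security_providers(reg_value):
    """Names in a SecurityProviders string that are not part of the XP default.
    Extra DLLs here are loaded alongside the legitimate security packages, which
    is why an entry of this kind survives ordinary process kills."""
    names = {n.strip().lower() for n in reg_value.split(",") if n.strip()}
    return sorted(names - XP_SECURITY_PROVIDERS)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    # Value as printed by ComboFix later in this thread.
    print(extra_security_providers("msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"))
```

The O17 check deliberately reports rather than judges: a resolver hijack is indistinguishable from a legitimate lease without knowing which addresses the ISP hands out, so that line always needs a human. The SecurityProviders comparison is the one check here that catches a persistence spot HijackThis 1.99.1 does not list at all.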

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hi and welcome

 

Please right-click on HJT and select Rename.

Rename it to sonictime.exe, Juliet.exe, ABC123.exe, anything really, because the infection is hiding.

 

 

Please download SmitfraudFix (by S!Ri)

Extract the content (a folder named SmitfraudFix) to your Desktop.

 

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

Please copy/paste the content of that report into your next reply.

 

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

 

 

 

 

Download ComboFix from Here or Here to your Desktop.

  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

 

 

 

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6u1
  • Scroll to Java Runtime Environment (JRE) 6u1 and click on the download button
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Go to Start > Control Panel and double-click on Add/Remove Programs.
  • Search in the list for all previously installed versions of Java (J2SE Runtime Environment...). It should have the Java icon next to it.
  • Select it and click Remove.
  • Close any programs you may have running - especially your web browser.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

 

In your next reply I need:

SmitfraudFix log

ComboFix log

New HJT log

Comments on how things are running now


Thank you for replying Juliet! I downloaded the new Java software, but when I went to uninstall the old one I noticed it was 117.00MB whereas the new download was just 13.1MB. Is this okay before I uninstall the old one?

Note that when ComboFix was scanning, my Norton Internet Security detected trojan.vundo and it was submitted at 4/23/2007 8:51:02 PM. IE seems to be running faster now and I haven't noticed any popups just yet...

 

Here's the SmitfraudFix log:

 

 

SmitFraudFix v2.171

 

Scan done at 20:23:13.92, Mon 04/23/2007

Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Process

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\cmd.exe

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{b292ec9f-a074-4115-8342-1f459702d8d2}"="characterizing"

 

[HKEY_CLASSES_ROOT\CLSID\{b292ec9f-a074-4115-8342-1f459702d8d2}\InProcServer32]

@="C:\WINDOWS\system32\fyxkaah.dll"

 

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b292ec9f-a074-4115-8342-1f459702d8d2}\InProcServer32]

@="C:\WINDOWS\system32\fyxkaah.dll"

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport

DNS Server Search Order: 66.38.0.240

DNS Server Search Order: 66.38.0.241

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5DCAE18F-7684-438F-810E-FA23D4721E57}: NameServer=66.38.0.240,66.38.0.241

HKLM\SYSTEM\CS1\Services\Tcpip\..\{5DCAE18F-7684-438F-810E-FA23D4721E57}: NameServer=66.38.0.240,66.38.0.241

HKLM\SYSTEM\CS3\Services\Tcpip\..\{5DCAE18F-7684-438F-810E-FA23D4721E57}: NameServer=66.38.0.240,66.38.0.241

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

 

 

 

The ComboFix log:

 

 

 

"Owner" - 07-04-23 20:29:48 Service Pack 2

ComboFix 07-04-24.2V - Running from: "C:\Documents and Settings\Owner\Desktop\"

 

 

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\gebca.dll

C:\WINDOWS\system32\geedc.dll

C:\WINDOWS\system32\acbeg.ini

C:\WINDOWS\system32\cdeeg.ini

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe

C:\WINDOWS\system32\drivers\inetx26.img

 

 

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\nm

-------\LEGACY_NM

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-03-23 to 2007-04-23 ))))))))))))))))))))))))))))))))))

 

 

2007-04-22 14:16 1,387,495 ---hs---- C:\WINDOWS\system32\jlnmp.ini2

2007-04-21 22:17 1,382,042 ---hs---- C:\WINDOWS\system32\jlnmp.bak2

2007-04-20 21:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2007-04-20 20:08 1,372,110 ---hs---- C:\WINDOWS\system32\jlnmp.bak1

2007-04-20 20:06 281,172 --ahs---- C:\WINDOWS\system32\pmnlj.dll.vir

2007-04-20 19:26 <DIR> d-------- C:\VundoFix Backups

2007-04-20 16:40 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft

2007-04-20 16:38 <DIR> d-------- C:\Program Files\Lavasoft

2007-04-20 16:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-04-19 21:38 26,694 --a------ C:\WINDOWS\system32\ddcdedd.dll

2007-04-15 13:54 <DIR> d-------- C:\Program Files\Norton Internet Security

2007-04-15 12:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Symantec Temporary Files

2007-04-13 16:13 <DIR> d-------- C:\Program Files\Planetwide Games

2007-04-13 08:18 <DIR> d-------- C:\Program Files\DellSupport

2007-04-07 05:22 322,872 --a------ C:\DOCUME~1\Owner\APPLIC~1\privprotect.exe

2007-04-02 10:37 <DIR> d-------- C:\Program Files\stages

2007-04-02 10:37 <DIR> d-------- C:\Program Files\sound

2007-04-02 10:37 <DIR> d-------- C:\Program Files\font

2007-04-02 10:37 <DIR> d-------- C:\Program Files\docs

2007-04-02 10:37 <DIR> d-------- C:\Program Files\data

2007-04-02 10:37 <DIR> d-------- C:\Program Files\chars

2007-03-24 22:51 2,966 --a------ C:\WINDOWS\system32\tmp.reg

2007-03-24 22:42 <DIR> d-------- C:\WINDOWS\pss

2007-03-24 22:39 127,208 --a------ C:\WINDOWS\system32\mucltui.dll

2007-03-24 20:16 <DIR> d-------- C:\Program Files\Windows Defender

2007-03-24 12:44 53,248 --a------ C:\WINDOWS\system32\Process.exe

2007-03-24 12:44 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-03-24 12:44 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2007-03-24 11:54 1,152 --a------ C:\WINDOWS\system32\windrv.sys

2007-03-24 11:54 <DIR> d-------- C:\Program Files\Common Files\Download Manager

2007-03-24 04:06 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2007-04-22 21:10 -------- d--h----- C:\DOCUME~1\Owner\APPLIC~1\gtek

2007-04-20 11:33 -------- d-------- C:\Program Files\goldpocket

2007-04-15 13:59 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll

2007-04-15 13:59 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2007-04-15 13:59 -------- d-------- C:\Program Files\symantec

2007-04-14 07:46 -------- d--h----- C:\Program Files\installshield installation information

2007-04-12 14:21 -------- d-------- C:\Program Files\up

2007-03-31 07:45 737280 --a------ C:\WINDOWS\iun6002.exe

2007-03-26 12:57 56200 --a------ C:\WINDOWS\sonic2k6data_2.dat

2007-03-17 08:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll

2007-03-16 07:46 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\ultra

2007-03-15 21:18 -------- d-------- C:\Program Files\effect3d studio

2007-03-12 20:23 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\viewpoint

2007-03-08 10:36 577536 --a------ C:\WINDOWS\system32\user32.dll

2007-03-08 10:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll

2007-03-08 10:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll

2007-03-08 08:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys

2007-03-05 12:50 796672 --a------ C:\WINDOWS\gpinstall.exe

2007-03-05 12:50 -------- d-------- C:\Program Files\tilesetmaker

2007-02-25 12:10 5376 --a-s---- C:\WINDOWS\system32\drivers\dsunidrv.sys

2007-02-23 14:12 1185361 --a------ C:\WINDOWS\system32\sexy babes v2.scr

2007-02-22 17:21 8192 --ahs---- C:\Program Files\thumbs.db

2007-02-08 16:05 433664 --a------ C:\WINDOWS\system32\ss2uinst.exe

2007-02-05 15:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll

2007-02-01 21:14 6656 --ahs---- C:\Program Files\Common Files\thumbs.db

2007-01-30 06:57 90 --a------ C:\WINDOWS\lvdat.dat

2007-01-30 06:50 39 --a------ C:\WINDOWS\gbdat.dat

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

{1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINDOWS\system32\kejjduid.dll [x]

{1E8A6170-7264-4D0F-BEAE-D42A53123C75} C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll

{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll

{660E3F03-1450-41FF-98C6-664FFA718363} C:\WINDOWS\system32\gebyx.dll [x]

{9394EDE7-C8B5-483E-8773-474BF36AF6E4} C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"

"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"

"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"

"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""

"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"

"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"

"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"

"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"

"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"

"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"

"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"

"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"

"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"Lexmark 4200 Series"="\"C:\\Program Files\\Lexmark 4200 Series\\lxbmbmgr.exe\""

"SNM"="C:\\Documents and Settings\\Owner\\Desktop\\SpyNoMore\\SNM.exe /startup"

"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"DellSupport"="\"C:\\Program Files\\DellSupport\\DSAgnt.exe\" /startup"

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoCDBurning"=dword:00000000

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{b292ec9f-a074-4115-8342-1f459702d8d2}"="characterizing"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages REG_MULTI_SZ msv1_0\0\0

Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0

Notification Packages REG_MULTI_SZ scecli\0\0

 

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

HTTPFilter REG_MULTI_SZ HTTPFilter\0\0

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0

Usnsvc REG_MULTI_SZ usnsvc\0\0

WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

 

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_DSPROCT

 

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\MP Scheduled Scan.job

C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Owner.job

C:\WINDOWS\tasks\Symantec NetDetect.job

 

********************************************************************

 

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-04-23 20:49:13

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

********************************************************************

 

Completion time: 07-04-23 20:52:47

C:\ComboFix-quarantined-files.txt ... 07-04-23 20:52

 

 

 

And the new HijackThis log: (I renamed it to sonictime.exe as you instructed.)

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 9:37:03 PM, on 4/23/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

C:\Documents and Settings\Owner\Desktop\Shortcuts\Hijack This\sonictime.exe.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\kejjduid.dll (file missing)

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: (no name) - {660E3F03-1450-41FF-98C6-664FFA718363} - C:\WINDOWS\system32\gebyx.dll (file missing)

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"

O4 - HKLM\..\Run: [sNM] C:\Documents and Settings\Owner\Desktop\SpyNoMore\SNM.exe /startup

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174791508343

O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{5DCAE18F-7684-438F-810E-FA23D4721E57}: NameServer = 66.38.0.240,66.38.0.241

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - C:\Documents and Settings\Owner\Desktop\docs\wrapper.exe" -s "C:\Documents and Settings\Owner\Desktop\docs\Wrapper.conf (file missing)

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

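As an added example, not something posted in this thread and not part of HijackThis itself: a small Python script that reads log lines like the ones above and pulls out the entries a helper reviews first. The sample lines are copied from the log above; the rule that flags a page setting that is neither a URL nor a full path is this example's own heuristic. Everything it reports is a cue for a human to look at, not a verdict (Spybot's SDHelper BHO is also unnamed, so it shows up in the list too, and was rightly left alone).

```python
"""Triage helper for HijackThis-style logs.

Added example, not part of the forum thread or of HijackThis.  It parses the
R0/O2/O4/O17/O23 lines and groups the things a helper looks at first: entries
whose file is missing, unnamed BHOs, page settings that are not URLs, and the
DNS servers recorded in O17.  The "odd page value" rule is this example's own
heuristic, not a HijackThis feature."""
import re
from dataclasses import dataclass
from typing import Dict, List

LINE_RE = re.compile(r"^(?P<kind>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
BHO_RE = re.compile(
    r"^BHO:\s+(?P<name>.*?)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<path>.*)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
URL_PREFIXES = ("http://", "https://", "about:", "res://", "file://")

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\kejjduid.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {660E3F03-1450-41FF-98C6-664FFA718363} - C:\WINDOWS\system32\gebyx.dll (file missing)
O4 - HKLM\..\Run: [sNM] C:\Documents and Settings\Owner\Desktop\SpyNoMore\SNM.exe /startup
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DCAE18F-7684-438F-810E-FA23D4721E57}: NameServer = 66.38.0.240,66.38.0.241
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
"""


@dataclass
class Entry:
    kind: str   # HijackThis section code: "R0", "O2", "O17", ...
    body: str   # everything after the "O2 - " prefix


def parse_hjt(text: str) -> List[Entry]:
    """Keep only lines carrying a section code; the process list, the log
    header and blank lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def _page_value_is_normal(value: str) -> bool:
    """Heuristic (this example's assumption): a start/local page should be a
    URL or a full drive path; anything else, e.g. '\\blank.htm', gets listed."""
    v = value.strip().lower()
    return v.startswith(URL_PREFIXES) or bool(ABS_PATH_RE.match(v))


def triage(text: str) -> Dict[str, List[str]]:
    """Group the entries a helper would review first.  Every item is a cue
    for a human to check, not a verdict."""
    report: Dict[str, List[str]] = {
        "file_missing": [], "unnamed_bho": [], "odd_page_value": [], "nameservers": []}
    for e in parse_hjt(text):
        if "(file missing)" in e.body:
            report["file_missing"].append(f"{e.kind} - {e.body}")
        if e.kind == "O2":
            m = BHO_RE.match(e.body)
            if m and m.group("name") == "(no name)":
                report["unnamed_bho"].append(m.group("clsid"))
        elif e.kind in ("R0", "R1"):
            key, _, value = e.body.partition(" = ")
            if value and not _page_value_is_normal(value):
                report["odd_page_value"].append(f"{key.rsplit(',', 1)[-1]} = {value}")
        elif e.kind == "O17":
            _, _, servers = e.body.partition("NameServer = ")
            report["nameservers"].extend(s.strip() for s in servers.split(",") if s.strip())
    return report


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

Run it over a full saved log and it prints the four groups; the two BHOs with "(file missing)" and the "\blank.htm" local page are exactly the three entries the helper asks to have fixed in the next reply, while the DNS servers in O17 are listed so they can be compared with the ones the ISP hands out (SmitfraudFix's DNS section shows the same pair).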

Welcome back

I downloaded the new Java software, but when I went to uninstall the old one I noticed it was 117.00MB whereas the new download was just 13.1MB. Is this okay before I uninstall the old one?

Yes, uninstall the old one then install the new.

Note that when ComboFix was scanning, my Norton Internet Security detected trojan.vundo and was submitted at 4/23/2007 8:51:02 PM. IE seems to be running faster now and I haven't noticed any popups just yet...
We tempted Nortons to finally jump in and do its job.....that slow poke!

Glad IE is acting right and the pop ups have stopped.

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.

After all of the fixes are complete it is very important that you enable Real-time Protection again.

Open HJT, click scan only, and place a check by these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\kejjduid.dll (file missing)
O2 - BHO: (no name) - {660E3F03-1450-41FF-98C6-664FFA718363} - C:\WINDOWS\system32\gebyx.dll (file missing)

Close all windows and browsers except HJT and click Fix checked.

Go to the Start menu, and click on Control Panel. Choose Add/Remove Programs and remove any of the following that are listed:

  • ClickSpring
  • Cowabanga by OIN
  • ipwindows / ipwins
  • MediaTickets
  • MediaTickets by OIN
  • OIN
  • Outer Info Network
  • PurityScan
  • PurityScan by OIN
  • Snowball Wars by OIN
  • TizzleTalk
  • TizzleTalk by OIN
  • Yazzle by OIN
  • Yazzle ActiveX by OIN
  • Yazzle Cowabanga by OIN
  • Yazzle Kobe Balls! By OIN
  • Yazzle Picster by OIN
  • Yazzle Snowball Wars by OIN
  • Yazzle Sudoku by OIN
  • Zolero Translator
  • (Anything else with the word "OIN" or "Outer Info Network" or "Yazzle" in them)

If not listed, download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

Tutorial for the uninstaller if needed:
http://www.outerinfo.com/howto.html

If found, delete this folder:
C:\Program Files\PurityScan

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following:

  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd.

Select option #2 - Clean by typing 2 and pressing "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and pressing "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and pressing "Enter".

The report can also be found at the root of the system drive, usually at C:\rapport.txt.

Warning: running option #2 on a non-infected computer will remove your Desktop background.

Clean out your Temporary Internet Files. Proceed like this:

  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab, then click the Reset Web Settings button. Click Apply, then OK.
  • Click OK.

Next go to Control Panel, click Display > Desktop > Customize Desktop > Web. Now uncheck everything and delete, if present:

  • "Security Info"
  • "Warning Message"
  • "Security Desktop"
  • "Warning Homepage"
  • "Desktop Uninstall"

Also make sure the 'Lock desktop items' box is unticked. Click OK, then click Apply, then OK.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.

Select option #3 - Delete Trusted zone by typing 3 and pressing Enter.

Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the programme and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer; click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please go to at least two of the below sites to scan the following file:

  • jotti.org
  • virustotal
  • http://www.kaspersky.com/scanforvirus.html

Click on Browse, and upload the following file for analysis:

C:\WINDOWS\iun6002.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

One more scan

Download AVG Anti-Spyware 7.5 from Here and save that file to your desktop.

  • Once you have downloaded AVG Anti-Spyware, locate the icon on your desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware 7.5 and update the definition files.
  • On the main screen select the "Update" icon, then select the "Update Now" link.
  • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  • Once the update has completed, select the Scanner icon at the top of the screen, then select the Settings tab.
  • Once in the Settings screen, click on "Recommended Actions" and then select "Quarantine". <-- VERY IMPORTANT
  • Under "Reports":
    Select "Automatically generate report after every scan"
    Un-select "Only if threats were found"

Close AVG Anti-Spyware 7.5. Do not run a scan yet.

Reboot your computer into Safe Mode. Tap the F8 key just before Windows starts to load and select Safe Mode from the menu.

Important: do not open any other windows or programs while AVG is scanning, as it may interfere with the scanning process.

  • Launch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete Scan".
  • AVG will now begin the scanning process; be patient, this may take a little time to complete.

Once the scan is complete do the following:

  • If you have any infections you will be prompted; then select "Apply all".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you have saved the file; this is important.)
  • Close AVG Anti-Spyware 7.5 and reboot your system back into Normal Mode.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner, or you may purchase a license to use the full version.

In your next reply I need:

  • Smitfraud C:\rapport.txt
  • C:\vundofix.txt
  • Requested file scan from Virus Total...Jotti...
  • AVG A/S log
  • New HJT log
  • Comments on how things are running now


Sorry it took me a while to get back to you. Everything seems to be working properly now. I really have appreciated all your help. Here are the things you asked for:

Vundofix reported it found nothing and left no log in C:.

Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:03:09 PM, on 4/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Windows NT\Accessories\wordpad.exe

C:\Documents and Settings\Owner\Desktop\Shortcuts\Hijack This\sonictime.exe.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo.com/

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"

O4 - HKLM\..\Run: [sNM] C:\Documents and Settings\Owner\Desktop\SpyNoMore\SNM.exe /startup

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174791508343

O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{5DCAE18F-7684-438F-810E-FA23D4721E57}: NameServer = 66.38.0.240,66.38.0.241

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - C:\Documents and Settings\Owner\Desktop\docs\wrapper.exe" -s "C:\Documents and Settings\Owner\Desktop\docs\Wrapper.conf (file missing)

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

This is the scan of C:\WINDOWS\iun6002.exe from jotti.org:

Scan taken on 25 Apr 2007 20:36:23 (GMT)

A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

Here's the scan of C:\WINDOWS\iun6002.exe from http://www.kaspersky.com/scanforvirus.html:

Statistics:
Known viruses: 302284
Updated: 25-04-2007
File size (Kb): 720
Virus bodies: 0
Files: 1
Warnings: 0
Archives: 0
Suspicious: 0

Here's the log from AVG Anti-Spyware 7.5:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:46:39 PM 4/25/2007

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03 -> Adware.Generic : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP433\A0132707.dll -> Adware.WebRebates ok : Cleaned.

::Report end

And lastly, here's the SmitfraudFix rapport:

SmitFraudFix v2.171

 

Scan done at 17:50:47.84, Wed 04/25/2007

Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{b292ec9f-a074-4115-8342-1f459702d8d2}"="characterizing"

 

[HKEY_CLASSES_ROOT\CLSID\{b292ec9f-a074-4115-8342-1f459702d8d2}\InProcServer32]

@="C:\WINDOWS\system32\fyxkaah.dll"

 

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b292ec9f-a074-4115-8342-1f459702d8d2}\InProcServer32]

@="C:\WINDOWS\system32\fyxkaah.dll"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

127.0.0.1 localhost

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\Program Files\Video AX Object\ Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport

DNS Server Search Order: 66.38.0.240

DNS Server Search Order: 66.38.0.241

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5DCAE18F-7684-438F-810E-FA23D4721E57}: NameServer=66.38.0.240,66.38.0.241

HKLM\SYSTEM\CS1\Services\Tcpip\..\{5DCAE18F-7684-438F-810E-FA23D4721E57}: NameServer=66.38.0.240,66.38.0.241

HKLM\SYSTEM\CS3\Services\Tcpip\..\{5DCAE18F-7684-438F-810E-FA23D4721E57}: NameServer=66.38.0.240,66.38.0.241

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End


Welcome back

Everything seems to be working properly now

Good news, good job!

Is there an older version of Java still in your Add/Remove Programs list?

Java\j2re1.4.2_03

If you can find that, it needs to go.

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.

After all of the fixes are complete it is very important that you enable Real-time Protection again.

Using Windows Explorer, search for and delete these files/folders and tools:

  • C:\Vundofix backups <- folder
  • Smitfraud log
  • ComboFix log
  • C:\Qoobox <- folder

Open Notepad and copy/paste the text in the quote box below (don't forget to copy and paste REGEDIT4):

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=-

Save this as fix.reg, choosing "Save as type: All Files". Double-click fix.reg and allow it to merge into the registry.

If there are no more issues or problems, you're good to go!

Below I have included a number of recommendations to protect your computer in order to prevent future malware infections.

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

Install and update SpywareBlaster. It protects against bad ActiveX, browser hijackers, and dialers, which are some of the fastest-growing threats on the Internet today.
Tutorial

IE-SPYAD puts over 5000 sites in your Restricted zone so you will be protected when you visit innocent-looking sites that aren't actually innocent at all.
Tutorial

Install and update Spybot - Search & Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.
Tutorial
Run on a regular basis

Install and update Ad-Aware SE Personal. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.
Tutorial
Run on a regular basis

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released. Run them regularly too, as this can prevent a great deal of spyware hassle.

Please take the time to read this article with suggestions and information on 'Safe Computing Practices':
So how did I get infected in the first place?

Another valuable article to read: Dealing with Unwanted Spyware and Parasites

Read through the information found here to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

And if you want to improve speed/system performance after malware removal, take a look at:
http://users.telenet.be/bluepatchy/miekiem...owcomputer.html

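An added example, not code from the thread, showing what that fix.reg actually does: a small Python model of the REGEDIT4 syntax applied to an in-memory copy of the Winlogon key. The starting contents are constructed for the example (the Shell and Userinit values are the usual XP defaults; the empty "System" value is the one SmitfraudFix listed under Winlogon.System in the report above). It shows that `"system"=-` deletes the value rather than setting it, that nothing else in the key is touched, and that the match is case-insensitive, which is why the lowercase "system" in the fix removes the "System" value the report showed.

```python
"""Tiny interpreter for the REGEDIT4 .reg syntax used by the fix.reg above.

Added example, not part of the forum thread.  The registry is modelled as a
dict of key path -> {value name: string data}; only REG_SZ values, value
deletion ("name"=-), key creation ([path]) and key deletion ([-path]) are
modelled.  Key paths and value names compare case-insensitively, as they do
in the real registry.  The starting contents in sample_registry() are
constructed for this example."""
import re
from typing import Dict, List, Optional

RegKey = Dict[str, str]        # value name -> string data
Registry = Dict[str, RegKey]   # key path -> values

KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"[^"]*")=(?P<data>.*)$')

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# The fix.reg text exactly as posted in the thread.
FIX_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=-
"""


def sample_registry() -> Registry:
    """Constructed pre-fix state: two normal Winlogon values plus the empty
    "System" value that SmitfraudFix reported under Winlogon.System."""
    return {WINLOGON: {"Shell": "Explorer.exe",
                       "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
                       "System": ""}}


def _find(mapping: Dict[str, object], wanted: str) -> Optional[str]:
    """Return the stored spelling of a key or value name, matched case-insensitively."""
    low = wanted.lower()
    for k in mapping:
        if k.lower() == low:
            return k
    return None


def apply_reg(registry: Registry, reg_text: str) -> List[str]:
    """Apply a REGEDIT4 text to the model and return a list of the actions taken."""
    lines = [ln.strip() for ln in reg_text.splitlines()]
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("expected a REGEDIT4 header")
    actions: List[str] = []
    current: Optional[str] = None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            path = km.group("path")
            existing = _find(registry, path)
            if km.group("minus"):                 # [-HKEY...] deletes the whole key
                if existing is not None:
                    del registry[existing]
                actions.append(f"delete key {path}")
                current = None
            else:                                  # [HKEY...] opens it, creating if absent
                current = existing or path
                registry.setdefault(current, {})
                actions.append(f"open key {current}")
            continue
        vm = VALUE_RE.match(line)
        if not vm or current is None:
            raise ValueError(f"unsupported line: {line!r}")
        name = vm.group("name").strip('"')        # "@" is the key's default value
        data = vm.group("data")
        values = registry[current]
        existing = _find(values, name)
        if data == "-":                            # "name"=- deletes the value
            if existing is not None:
                del values[existing]
                actions.append(f"delete value {existing}")
            else:
                actions.append(f"delete value {name} (already absent)")
        elif len(data) >= 2 and data[0] == data[-1] == '"':   # "name"="string"
            values[existing or name] = data[1:-1].replace("\\\\", "\\")
            actions.append(f"set value {existing or name}")
        else:
            raise ValueError(f"only REG_SZ data and deletion are modelled: {line!r}")
    return actions


def winlogon_system_present(registry: Registry) -> bool:
    """True while a 'System' value (any case, any data) still exists under Winlogon."""
    key = _find(registry, WINLOGON)
    return key is not None and _find(registry[key], "System") is not None


if __name__ == "__main__":
    reg = sample_registry()
    for action in apply_reg(reg, FIX_REG):
        print(action)
    print("System value still present:", winlogon_system_present(reg))
```

The real regedit does the same two things for that file: open the Winlogon key and remove the value named "system", leaving Shell, Userinit and the rest alone. Running the fix twice is harmless; the second time there is simply nothing to delete.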

Thanks again for your effective and professional assistance Juliet! I removed the other Java program and considered the prevention and precautionary methods you listed. I was just wondering, what does the fix.reg do for the registry? Also, when I was arranging my icons in the tray I right-clicked it, chose Properties, then Customize on the Taskbar tab and in the Past Items section it has items like Spylocked, NoAdware, your computer is infected (many times), DrverCleanerFree, and more listed. Are these "past item" objects something I need to be fixing or is it normal for it to say that as an aftermath of a previous infection? Sorry about so many questions... thanks for the help!


Welcome back

Thanks again for your effective and professional assistance Juliet
You're very welcome.

Also, when I was arranging my icons in the tray I right-clicked it, chose Properties, then Customize on the Taskbar tab and in the Past Items section it has items like Spylocked, NoAdware, your computer is infected (many times), DrverCleanerFree, and more listed. Are these "past item" objects something I need to be fixing or is it normal for it to say that as an aftermath of a previous infection? Sorry about so many questions... thanks for the help!
It's really nothing to worry about, but we can fix this.

Notification Area - Remove Past Icons
http://www.kellys-korner-xp.com/xp_tweaks.htm

Read the directions on that page and download the reg fix; you'll find a link to a fix "Remove Past Items From the Notification Area (Line 53)".

Follow these instructions after you run the fix:

"Once done, open Task Manager, click the Processes tab, click Explorer.exe, and then click End Process. In Task Manager, click File, click New Task, type explorer, and then click OK."

Let me know if other issues remain.


Glad we could help. :)

 

Since this issue appears resolved ... this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
