SystemDoctor2006 & SmitFraud

Adrnshw6 · 09-Jun-2007, 01:50 PM #1

Hi, I was googling around looking for a way to delete SystemDoctor2006 and Smithfraud from my PC, and came upon this thread. It looks as though the OPs problems were solved, so I will be following those steps. I just completed the first step and here is my Combofix log:

"Adrian Shaw" - 2007-06-09 12:37:29 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Adrian Shaw\Desktop\virusstuff\"

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\bvlksyij.dll
C:\WINDOWS\system32\scckoevp.dll
C:\WINDOWS\system32\uwkhquro.dll
C:\WINDOWS\system32\ppqss.bak1
C:\WINDOWS\system32\ppqss.bak2
C:\WINDOWS\system32\ppqss.ini
C:\WINDOWS\system32\ppqss.tmp
C:\WINDOWS\system32\ppqss.bak1
C:\WINDOWS\system32\ppqss.bak2
C:\WINDOWS\system32\ppqss.ini
C:\WINDOWS\system32\ssqpp.dll
C:\WINDOWS\system32\byxurom.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\ADRIAN~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\T6G9ZXXP\www.broadcaster.com
C:\DOCUME~1\ADRIAN~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\T6G9ZXXP\www.broadcaster.com\played_list.sol
C:\DOCUME~1\ADRIAN~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\T6G9ZXXP\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\ADRIAN~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\ADRIAN~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\install.log
C:\WINDOWS\system32\drivers\sfsync02.sys

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_SFSYNC02
-------\NPF
-------\sfsync02

((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))

2007-06-09 12:38 0 --a------ C:\WINDOWS\system32\sfsync02.dll
2007-06-08 06:49 58,420 --a------ C:\WINDOWS\system32\tkknlgjo.dll
2007-06-07 07:01 55,316 --a------ C:\WINDOWS\system32\pubktjuh.dll
2007-06-07 06:49 131,124 --a------ C:\WINDOWS\system32\kpfwcfqi.dll
2007-06-06 06:56 131,124 --a------ C:\WINDOWS\system32\gpglgpni.dll
2007-06-06 06:35 14,868 --a------ C:\WINDOWS\system32\ygpmcvox.exe
2007-06-06 06:35 10,752 --a------ C:\WINDOWS\system32\j6211032.dll
2007-06-05 06:39 2,580 --a------ C:\WINDOWS\system32\grtpljfo.exe
2007-06-05 06:36 131,124 --a------ C:\WINDOWS\system32\efndrnva.dll
2007-06-03 21:32 <DIR> d-------- C:\Program Files\Cyberathlete Amateur League
2007-06-02 23:07 2,580 --a------ C:\WINDOWS\system32\ikcoxsve.exe
2007-06-02 00:49 <DIR> d-------- C:\Program Files\World In Conflict - Closed MP Beta
2007-06-01 23:07 2,580 --a------ C:\WINDOWS\system32\tvntntsr.exe
2007-05-30 22:52 <DIR> d-------- C:\DOCUME~1\ADRIAN~1\APPLIC~1\Help
2007-05-30 17:37 <DIR> d-------- C:\Program Files\ZyX
2007-05-30 06:49 <DIR> d-------- C:\progam files
2007-05-27 01:22 <DIR> d-------- C:\BFU
2007-05-27 01:20 1,468 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-27 01:19 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-27 01:19 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-27 01:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-26 16:21 967 --a------ C:\WINDOWS\ScUnin.pif
2007-05-26 16:21 94,208 --a------ C:\WINDOWS\ScUnin.exe
2007-05-26 16:21 35,382 --a------ C:\WINDOWS\scunin.dat
2007-05-26 16:21 <DIR> d-------- C:\Program Files\Starcraft
2007-05-24 21:06 530 --a------ C:\WINDOWS\eReg.dat
2007-05-24 20:44 <DIR> d-------- C:\Program Files\EA GAMES
2007-05-22 14:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-19 05:20 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-05-16 21:43 <DIR> d-------- C:\VundoFix Backups
2007-05-14 21:56 <DIR> d-------- C:\Program Files\Tor
2007-05-12 12:23 <DIR> d-------- C:\Program Files\Trillian Pro
2007-05-11 07:07 <DIR> d-------- C:\DOCUME~1\ADRIAN~1\APPLIC~1\Aim
2007-05-11 07:06 <DIR> d-------- C:\Program Files\AIM95

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2038-03-05 19:30:03 -------- d-----w C:\Program Files\Winamp
2007-06-09 16:31:51 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-06-09 15:50:15 -------- d-----w C:\DOCUME~1\ADRIAN~1\APPLIC~1\Xfire
2007-06-09 15:49:53 -------- d-s---w C:\Program Files\Xfire
2007-06-08 22:15:34 -------- d-----w C:\DOCUME~1\ADRIAN~1\APPLIC~1\Azureus
2007-06-08 22:15:33 -------- d-----w C:\Program Files\PeerGuardian2
2007-06-08 19:25:31 22,584 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-06-08 19:25:25 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-06-08 16:14:23 -------- d-----w C:\Program Files\Steam
2007-06-07 18:44:19 -------- d-----w C:\DOCUME~1\ADRIAN~1\APPLIC~1\OpenOffice.org2
2007-06-07 00:22:01 -------- d-----w C:\DOCUME~1\ADRIAN~1\APPLIC~1\dvdcss
2007-06-06 01:53:21 -------- d-----w C:\DOCUME~1\ADRIAN~1\APPLIC~1\LimeWire
2007-06-02 04:57:00 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-06-02 04:49:54 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-31 22:38:31 -------- d-----w C:\Program Files\mIRC
2007-05-30 18:54:16 -------- d-----w C:\DOCUME~1\ADRIAN~1\APPLIC~1\Creative
2007-05-29 23:20:08 1,324 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-05-28 05:30:27 -------- d-----w C:\Program Files\Project64 1.6
2007-05-28 05:29:57 -------- d-----w C:\Program Files\InterActual
2007-05-28 05:29:20 -------- d-----w C:\Program Files\Sony Ericsson
2007-05-25 11:09:36 -------- d-----w C:\Program Files\Folding@Home
2007-05-24 23:19:34 -------- d-----w C:\Program Files\Blaze Media Pro
2007-05-24 21:14:49 -------- d-----w C:\Program Files\MyWay
2007-05-18 02:51:01 -------- d-----w C:\Program Files\Movie Joiner
2007-05-17 20:07:25 -------- d-----w C:\Program Files\DivX
2007-05-10 18:35:43 -------- d-----w C:\Program Files\Joost
2007-05-08 01:20:10 -------- d-----w C:\DOCUME~1\ADRIAN~1\APPLIC~1\Joost
2007-05-08 00:24:24 -------- d-----w C:\Program Files\Call of Duty
2007-05-01 00:12:50 -------- d-----w C:\Program Files\Orb Networks
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-30 00:46:45 -------- d-----w C:\Program Files\CCP
2007-04-26 18:51:38 -------- d-----w C:\Program Files\Opera
2007-04-23 00:52:04 8,704 ----a-w C:\WINDOWS\system32\drivers\ggsemc.sys
2007-04-23 00:12:58 -------- d-----w C:\Program Files\Folding@Home2
2007-04-20 00:45:56 -------- d-----w C:\Program Files\Atari
2007-04-17 04:44:18 -------- d-----w C:\Program Files\TVUPlayer
2007-04-15 17:57:44 -------- d--h--w C:\DOCUME~1\ADRIAN~1\APPLIC~1\Move Networks
2007-04-11 03:50:04 -------- d-----w C:\DOCUME~1\ADRIAN~1\APPLIC~1\Skype
2007-04-02 23:52:44 63,040 ----a-w C:\WINDOWS\system32\PnkBstrA.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects]
{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}=C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL [2006-10-31 02:55]
{60BF5EE3-0105-4858-AD98-17C19F86B042}=C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll [2007-01-15 22:06]
{906DC9BE-E962-443B-BCF3-B602F5212EA9}=C:\WINDOWS\system32\jkkll.dll []
{bf00e119-21a3-4fd1-b178-3b8537e75c92}=C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll [2007-02-15 20:25]
{D75D14C6-7C56-493F-AD5E-FB035AB2C49c}=C:\WINDOWS\system32\rbgsrpia.dll []
{E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\system32\tkknlgjo.dll [2007-06-08 06:49]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="NvMCTray.dll" [2006-08-11 21:43 C:\WINDOWS\system32\nvmctray.dll]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 06:48]
"razer"="C:\Program Files\Razer\Copperhead\razerhid.exe" [2005-11-25 11:53]
"Copperhead"="C:\Program Files\Razer\Copperhead\razerhid.exe" [2005-11-25 11:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fraps"="C:\FRAPS\FRAPS.EXE" [2005-08-15 09:12]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"Orb"="C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" [2007-04-06 20:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"combofix"=C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
"!CleanupNetMeetingDispDriver"="C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjkhge]
ljjkhge.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]
winrkq32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Adrian Shaw^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Adrian Shaw\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Adrian Shaw^Start Menu^Programs^Startup^GigaTribe.lnk]
path=C:\Documents and Settings\Adrian Shaw\Start Menu\Programs\Startup\GigaTribe.lnk
backup=C:\WINDOWS\pss\GigaTribe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Adrian Shaw^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\Adrian Shaw\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
"C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]
rundll32.exe "C:\WINDOWS\system32\efndrnva.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
"C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
"C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
"C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j6211032]
rundll32 C:\WINDOWS\system32\j6211032.dll sook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F 310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\D]
AutoRun\command- D:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{85cf697c-6612-11db-aa13-00121769b42d}]
AutoRun\command- L:\gt.exe
open\command- L:\gt.exe

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 12:42:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-09 12:43:13 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-09 12:43

--- E O F ---

And here is my Hijack This log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:45:49 PM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\FRAPS\FRAPS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Adrian Shaw\Desktop\HiJackThis_v2.exe
C:\Program Files\Winamp\winamp.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O2 - BHO: (no name) - {906DC9BE-E962-443B-BCF3-B602F5212EA9} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: (no name) - {D75D14C6-7C56-493F-AD5E-FB035AB2C49c} - C:\WINDOWS\system32\rbgsrpia.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\tkknlgjo.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [Copperhead] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1161920617140
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{42320AAC-8765-412C-BB05-7DA2FBE975F0}: NameServer = 68.87.66.196,68.87.64.196
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ljjkhge - ljjkhge.dll (file missing)
O20 - Winlogon Notify: winrkq32 - winrkq32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FAH@C:+Documents and Settings+Adrian Shaw+Desktop+FAH504-Console.exe - Unknown owner - C:\Documents and Settings\Adrian Shaw\Desktop\FAH504-Console.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 7585 bytes

I read somewhere that these malware install and duplicate themsleves differently on different machines, so I can't follow the directions in the other thread exactly, so, what should I do next?
Thanks.

cybertech · 11-Jun-2007, 12:42 PM #2

Hi, Welcome to TSG!!

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Download and scan with SUPERAntiSpyware Free for Home Users

Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
Under "Configuration and Preferences", click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen.
Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive.
On the right, under "Complete Scan", choose Perform Complete Scan.
Click "Next" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
Make sure everything has a checkmark next to it and click "Next".
A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
If asked if you want to reboot, click "Yes".
To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
Click Close to exit the program.

Tag Cloud
access acer asus bios bsod computer crash desktop driver drivers error ethernet excel freeze gaming hard drive hardware hdmi internet laptop malware memory modem monitor motherboard mouse network printer problem ram registry repair router slow software sound trojan ubuntu 11.10 uninstall usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!