  1. jtgoffe

    jtgoffe Thread Starter

    Joined:
    Jun 11, 2005
    Messages:
    45
    Downloaded many viruses; used AVG to take care of most of them, and Spy Sweeper found some but I couldn't get them cleaned because I don't have a subscription. I don't have quite as many popups as before, but still get the box at the bottom w/ a system alert for [email protected]. Here is my HijackThis log and my log from SmitFraudFix (noticed someone had the same problem):

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:26:14 PM, on 4/12/2008
    Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\flciijjq.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\NetProject\scit.exe
    C:\Documents and Settings\All Users\Application Data\openahmf\cdwbgdqd.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\Program Files\NetProject\scm.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Jeremy & Tracy\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O1 - Hosts: 66.98.148.65 auto.search.msn.com
    O1 - Hosts: 66.98.148.65 auto.search.msn.es
    O2 - BHO: (no name) - {7c109800-a5d5-438f-9640-18d17e168b88} - C:\Program Files\NetProject\sbmdl.dll
    O2 - BHO: (no name) - {8e5b5250-12f0-4088-9792-8d001c929379} - C:\WINDOWS\system32\jkkIAQIc.dll (file missing)
    O2 - BHO: (no name) - {a8eeb996-62aa-4e48-995d-eaddcac47476} - C:\WINDOWS\system32\jkkjGVlm.dll (file missing)
    O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: vnbptxlf - {2765DD3A-7AB1-4813-9612-C14A5981728A} - C:\WINDOWS\vnbptxlf.dll (file missing)
    O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll (file missing)
    O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [38597dec] "rundll32.exe" "C:\WINDOWS\system32\lqhgfwfm.dll",b
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Weather] "C:\Program Files\AWS\WeatherBug\Weather.exe" 1
    O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] "C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" -s
    O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
    O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
    O4 - HKLM\..\Policies\Explorer\Run: [1L7lh2WGvJ] C:\Documents and Settings\All Users\Application Data\openahmf\cdwbgdqd.exe
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {9034a523-d068-4be8-a284-9df278be776e} - http://www.ieservicegate.com/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034a523-d068-4be8-a284-9df278be776e} - http://www.ieservicegate.com/redirect.php (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15035/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3C8F70DC-E623-4A4C-9F62-612CAD476879}: NameServer = 85.255.114.83,85.255.112.113
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9E6B299D-03AF-4C23-8680-43DDF76DD1EE}: NameServer = 85.255.114.83,85.255.112.113
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FEFB4A80-4435-4B3D-8D5F-CBBC3626F41A}: NameServer = 85.255.114.83,85.255.112.113
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.83 85.255.112.113
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3C8F70DC-E623-4A4C-9F62-612CAD476879}: NameServer = 85.255.114.83,85.255.112.113
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.83 85.255.112.113
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3C8F70DC-E623-4A4C-9F62-612CAD476879}: NameServer = 85.255.114.83,85.255.112.113
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.83 85.255.112.113
    O20 - Winlogon Notify: jkkjGVlm - jkkjGVlm.dll (file missing)
    O21 - SSODL: mgsvflkw - {BF32818D-CBD6-4E21-8AE2-2135347B6EE6} - C:\WINDOWS\mgsvflkw.dll (file missing)
    O21 - SSODL: qdnkewfa - {2DE020EF-05A8-496B-B79D-AE8D882ADACB} - C:\WINDOWS\qdnkewfa.dll (file missing)
    O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
    O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - C:\WINDOWS\system32\rkvdr.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: AVG7 Alert Manager Server (avg7alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (avg7updsvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (avgems) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\flciijjq.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Plug and Play (RPC) (plugplayrpc) - Unknown owner - C:\WINDOWS\winsysxe.exe (file missing)
    O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Webroot Spy Sweeper Engine (webrootspysweeperservice) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 12609 bytes




    SmitFraudFix v2.312

    Scan done at 16:39:28.89, Sat 04/12/2008
    Run from
    C:\Documents and Settings\Jeremy & Tracy\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\flciijjq.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\NetProject\scit.exe
    C:\Documents and Settings\All Users\Application Data\openahmf\cdwbgdqd.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\Program Files\NetProject\scm.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\215651\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles






    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JEREMY~1\FAVORI~1

    C:\DOCUME~1\JEREMY~1\FAVORI~1\Online Security Test.url FOUND !
    C:\DOCUME~1\JEREMY~1\FAVORI~1\Error Cleaner.url FOUND !
    C:\DOCUME~1\JEREMY~1\FAVORI~1\Privacy Protector.url FOUND !
    C:\DOCUME~1\JEREMY~1\FAVORI~1\Spyware?Malware Protection.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    C:\Program Files\akl\ FOUND !
    C:\Program Files\Helper\ FOUND !
    C:\Program Files\NetProject\ FOUND !
    C:\Program Files\VirusHeat 4.3\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri
    +--------------------------------------------------+
    [!] Suspicious: cndr32a.dll
    BHO: FLW Viewer - {2B53C730-8A79-4E13-A35F-3E41CA13E12F}
    CLSID: {2B53C730-8A79-4E13-A35F-3E41CA13E12F}
    AppID: {2B53C730-8A79-4E13-A35F-3E41CA13E12F}
    AppID: cndr32a.dll
    Classes: cndr32a.Video
    TypeLib: {74D46BBA-5638-473A-83B6-97E7804A7411}
    Interface: {48D78BE5-CFB9-4B66-9AC4-96D4CF21DE06}


    »»»»»»»»»»»»»»»»»»»»»»»» VACFix
    !!!Attention, following keys are not inevitably infected!!!

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{C5AF49A2-94F3-42BD-F434-2604812C897D}"="jhsf8d984jief8dsfus98jkefn"

    [HKEY_CLASSES_ROOT\CLSID\{C5AF49A2-94F3-42BD-F434-2604812C897D}\InProcServer32]
    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C5AF49A2-94F3-42BD-F434-2604812C897D}\InProcServer32]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{65bbf06c-ea06-4818-92a3-f3550d0e1004}"="asparagine"

    [HKEY_CLASSES_ROOT\CLSID\{65bbf06c-ea06-4818-92a3-f3550d0e1004}\InProcServer32]
    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{65bbf06c-ea06-4818-92a3-f3550d0e1004}\InProcServer32]


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

    Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
    DNS Server Search Order: 85.255.114.83
    DNS Server Search Order: 85.255.112.113

    Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

    Description: Dell TrueMobile 1180 Wireless USB Adapter - Packet Scheduler Miniport
    DNS Server Search Order: 85.255.114.83
    DNS Server Search Order: 85.255.112.113

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C8F70DC-E623-4A4C-9F62-612CAD476879}: DhcpNameServer=192.168.2.1 207.191.192.130 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.10 209.253.113.2 209.253.113.2
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C8F70DC-E623-4A4C-9F62-612CAD476879}: NameServer=85.255.114.83,85.255.112.113
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{9E6B299D-03AF-4C23-8680-43DDF76DD1EE}: DhcpNameServer=85.255.114.83,85.255.112.113
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{9E6B299D-03AF-4C23-8680-43DDF76DD1EE}: NameServer=85.255.114.83,85.255.112.113
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{AA431C8B-2E41-4D78-A6DA-3EB08367960A}: DhcpNameServer=85.255.114.83,85.255.112.113
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{FEFB4A80-4435-4B3D-8D5F-CBBC3626F41A}: NameServer=85.255.114.83,85.255.112.113
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{3C8F70DC-E623-4A4C-9F62-612CAD476879}: DhcpNameServer=192.168.2.1 207.191.192.130 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.10 209.253.113.2 209.253.113.2
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{3C8F70DC-E623-4A4C-9F62-612CAD476879}: NameServer=85.255.114.83,85.255.112.113
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{9E6B299D-03AF-4C23-8680-43DDF76DD1EE}: DhcpNameServer=85.255.114.83,85.255.112.113
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{9E6B299D-03AF-4C23-8680-43DDF76DD1EE}: NameServer=85.255.114.83,85.255.112.113
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{AA431C8B-2E41-4D78-A6DA-3EB08367960A}: DhcpNameServer=85.255.114.83,85.255.112.113
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{FEFB4A80-4435-4B3D-8D5F-CBBC3626F41A}: NameServer=85.255.114.83,85.255.112.113
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{3C8F70DC-E623-4A4C-9F62-612CAD476879}: DhcpNameServer=192.168.2.1 207.191.192.130 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.10 209.253.113.2 209.253.113.2
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{3C8F70DC-E623-4A4C-9F62-612CAD476879}: NameServer=85.255.114.83,85.255.112.113
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{9E6B299D-03AF-4C23-8680-43DDF76DD1EE}: DhcpNameServer=85.255.114.83,85.255.112.113
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{9E6B299D-03AF-4C23-8680-43DDF76DD1EE}: NameServer=85.255.114.83,85.255.112.113
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{AA431C8B-2E41-4D78-A6DA-3EB08367960A}: DhcpNameServer=85.255.114.83,85.255.112.113
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{FEFB4A80-4435-4B3D-8D5F-CBBC3626F41A}: NameServer=85.255.114.83,85.255.112.113
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 207.191.192.130 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.10 209.253.113.2 209.253.113.2
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.114.83 85.255.112.113
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 207.191.192.130 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.10 209.253.113.2 209.253.113.2
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.114.83 85.255.112.113
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 207.191.192.130 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.10 209.253.113.2 209.253.113.2
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.114.83 85.255.112.113


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
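    As an added example (not from the thread, and not part of HijackThis, SmitFraudFix or any other tool named here), a small Python triage script run over entry lines copied from the HijackThis log above. It flags the O17 name servers in the 85.255.x.x range that SmitFraudFix reports as a DNS hijack, the O1 hosts override, the Policies\Explorer\Run autoruns, the random-hex Run value, the "Unknown owner" service and the "(file missing)" leftovers; the severity labels, regexes and the sample block are my own constructs.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: entry lines copied from the HijackThis log in the post above,
# plus a known-good NVIDIA service line so that a clean entry is present too.
SAMPLE_HJT_LOG = r"""
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O2 - BHO: (no name) - {8e5b5250-12f0-4088-9792-8d001c929379} - C:\WINDOWS\system32\jkkIAQIc.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [38597dec] "rundll32.exe" "C:\WINDOWS\system32\lqhgfwfm.dll",b
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C8F70DC-E623-4A4C-9F62-612CAD476879}: NameServer = 85.255.114.83,85.255.112.113
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.83 85.255.112.113
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\flciijjq.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# SmitFraudFix's own output on this page reports 85.255.x.x as a DNS hijack;
# the range below is taken from that report, not from any external feed.
HIJACK_DNS_RANGES = [ipaddress.ip_network("85.255.0.0/16")]

SECTION_RE = re.compile(r"^(R\d|O\d{1,2})\s+-\s+(.*)$")      # "O17 - <body>"
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")            # dotted quads
HEX_RUN_NAME_RE = re.compile(r"\[[0-9a-f]{8}\]")               # e.g. [38597dec]


def parse_hjt(text):
    """Yield (section, body) for every HijackThis entry line, skipping headers."""
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def dns_servers_in(body):
    """Return the IP addresses found in an O17 body; malformed quads are skipped."""
    servers = []
    for ip in IP_RE.findall(body):
        try:
            servers.append(ipaddress.ip_address(ip))
        except ValueError:
            continue
    return servers


def hijacked_dns_servers(text):
    """Sorted, de-duplicated O17 name servers that fall inside the hijack range."""
    hits = set()
    for section, body in parse_hjt(text):
        if section != "O17":
            continue
        for addr in dns_servers_in(body):
            if any(addr in net for net in HIJACK_DNS_RANGES):
                hits.add(str(addr))
    return sorted(hits)


def triage(text):
    """Return (severity, section, reason, body) for every entry worth a second look."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O17":
            bad = [str(a) for a in dns_servers_in(body)
                   if any(a in net for net in HIJACK_DNS_RANGES)]
            if bad:
                findings.append(("high", section, "name server in hijack range: " + ", ".join(bad), body))
        elif section == "O1":
            findings.append(("high", section, "hosts file override of a vendor domain", body))
        elif section == "O7":
            findings.append(("medium", section, "policy restriction on the user (regedit disabled)", body))
        elif section == "O4" and r"Policies\Explorer\Run" in body:
            findings.append(("high", section, "autorun under Policies\\Explorer\\Run, rarely used by legitimate software", body))
        elif section == "O4" and HEX_RUN_NAME_RE.search(body):
            findings.append(("high", section, "Run value with a random hex name", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(("medium", section, "service with no vendor string", body))
        elif "(file missing)" in body:
            findings.append(("low", section, "registry entry points at a file that no longer exists", body))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 5, 'medium': 2, 'low': 1}."""
    return dict(Counter(sev for sev, _, _, _ in findings))


if __name__ == "__main__":
    for sev, section, reason, body in triage(SAMPLE_HJT_LOG):
        print(f"[{sev:6}] {section:4} {reason}\n         {body}")
    print("hijacked DNS servers:", hijacked_dns_servers(SAMPLE_HJT_LOG))
    print(summarize(triage(SAMPLE_HJT_LOG)))
```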
     
  2. km2357

    km2357

    Joined:
    Aug 9, 2007
    Messages:
    686
    Hello and welcome to Tech Support Guy.

    My name is km2357 and I will be helping you to remove any infection(s) that you may have.

    I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

    If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

    Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

    Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


    I will be back as soon as possible with your first instructions!
     
  3. jtgoffe

    jtgoffe Thread Starter

    Joined:
    Jun 11, 2005
    Messages:
    45
    Wow, I'm impressed! I didn't know it was quite like this at this forum site. One-on-one service, I'm excited to get started! BTW, I'm also getting the error message popup about spyware.cyberlog-x...if that means anything to you.
     
  4. km2357

    km2357

    Joined:
    Aug 9, 2007
    Messages:
    686
    Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.

    Step # 1: Remove one of your Anti Virus programs.

    You are operating your computer with multiple Anti Virus programs running in memory at once:

    AVG 7

    Norton


    Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

    Please remove one of them.


    Step # 2: Download and Run FixWareout
    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://download.bleepingcomputer.com/lonny/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    At the end of the fix, you may need to restart your computer again.

    Now let's check some settings on your system.

    In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
    Press OK twice to get out of the properties screen and reboot if it asks.
    That option might not be available on some systems.


    Post the contents of the logfile C:\fixwareout\report.txt


    Step # 3: Boot into Safe Mode

    You can go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.


    Step # 4 Run SmitFraudFix

    Once in Safe Mode, double-click on SmitfraudFix.exe
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non-infected computer will remove your Desktop background.

    The rest of the steps will be done in Normal Mode.

    Step # 5 Download CCleaner

    Download CCleaner from here to clean temp files from your computer.
    • Double click on the ccsetup.exe file to start the installation of the program.
    • Select your language and click OK, then next.
    • Read the license agreement and click I Agree.
    • Click next to use the default install location.
    • Under Install Options, choose all the default settings except I would recommend that you unclick/untick install the Yahoo! Toolbar, unless you want it. You can also Uncheck the 'Automatically check for updates' box.
    • Click Install then finish to complete installation.

    Step # 6 Retrieve the Installed Programs List from CCleaner

    Open CCleaner if it's not already running.
    In the Left Pane, click Tools
    Verify that Uninstall is highlighted in color, or click on it.
    In the lower Right, click Save to Text File.
    Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
    You can leave the filename as install.txt
    Click Save
    Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.


    In your next post/reply, I need to see the following:

    1. FixWareOut Report
    2. SmitFraudFix Report
    3. CCleaner Uninstall List
    4. A fresh HijackThis Log after FixWareOut and SmitFraudFix have been run.

    Use multiple posts if you can't fit everything into one post.
     
  5. jtgoffe

    jtgoffe Thread Starter

    Joined:
    Jun 11, 2005
    Messages:
    45
    So far I have uninstalled AVG, and I already had the "obtain DNS automatically" option checked; here is the log for runfixit, and I will work on the other steps now:

    Username "Jeremy & Tracy" - 04/12/2008 18:08:38 [Fixwareout edited 9/01/2007]

    ~~~~~ Prerun check

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    "nameserver"="85.255.114.83 85.255.112.113" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3C8F70DC-E623-4A4C-9F62-612CAD476879}
    "nameserver"="85.255.114.83,85.255.112.113" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9E6B299D-03AF-4C23-8680-43DDF76DD1EE}
    "nameserver"="85.255.114.83,85.255.112.113" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{FEFB4A80-4435-4B3D-8D5F-CBBC3626F41A}
    "nameserver"="85.255.114.83,85.255.112.113" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9E6B299D-03AF-4C23-8680-43DDF76DD1EE}
    "DhcpNameServer"="85.255.114.83,85.255.112.113" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{AA431C8B-2E41-4D78-A6DA-3EB08367960A}
    "DhcpNameServer"="85.255.114.83,85.255.112.113" <Value cleared.

    Successfully flushed the DNS Resolver Cache.


    System was rebooted successfully.

    ~~~~~ Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "System"=""
    ....
    ....
    ~~~~~ Misc files.
    ....
    ~~~~~ Checking for older varients.
    ....

    ~~~~~ Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PRONoMgr.exe"="\"C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe\""
    "NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
    "nwiz"="\"nwiz.exe\" /install"
    "NvMediaCenter"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
    "P17Helper"="Rundll32 P17.dll,P17Helper"
    "CTSysVol"="\"C:\\Program Files\\Creative\\SBAudigy\\Surround Mixer\\CTSysVol.exe\" /r"
    "UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
    "REGSHAVE"="\"C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE\" /AUTORUN"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
    "RegistryMechanic"=""
    "SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "Weather"="\"C:\\Program Files\\AWS\\WeatherBug\\Weather.exe\" 1"
    "Uniblue SpeedUpMyPC"="C:\\Program Files\\Uniblue\\SpeedUpMyPC 3\\SpeedUpMyPC.exe -s"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it...
    ~~~~~ End report ~~~~~
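The two resolvers cleared above, 85.255.114.83 and 85.255.112.113, sit in the 85.255.112.0/20 block that is publicly documented as the rogue-DNS range of the DNSChanger family; a machine pointed at them has every name lookup answered by the attacker, which is why the hosts file and the resolver cache get reset together with the registry values. The script below is an added example, not FixWareout or SmitFraudFix code and not from anyone in this thread. It reads the two resolver line shapes that appear in this thread's logs (the quoted `"nameserver"="a,b"` form and the `HKLM\...: DhcpNameServer=a b c` form) and flags any server that is not on a trusted list. The trusted list (the router 192.168.2.1 plus the ISP resolvers that the later SmitFraudFix log shows DHCP handing out) and the sample lines are constructed for the example.

```python
"""Audit the DNS resolver values that FixWareout / SmitFraudFix print.

Added example, not part of the thread or of either tool.  It parses the two
line shapes seen in the logs and flags any resolver that is not trusted,
calling out the 85.255.112.0/20 block explicitly.
"""
import ipaddress
import re

# Constructed sample: the line shapes are copied from the logs in this thread.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{FEFB4A80-4435-4B3D-8D5F-CBBC3626F41A}
"nameserver"="85.255.114.83,85.255.112.113" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9E6B299D-03AF-4C23-8680-43DDF76DD1EE}
"DhcpNameServer"="85.255.114.83,85.255.112.113" <Value cleared.
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C8F70DC-E623-4A4C-9F62-612CAD476879}: DhcpNameServer=192.168.2.1 207.191.192.130 209.253.113.18
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 207.191.192.130
"""

# Assumption: the resolvers this LAN should be using (the router and the ISP
# resolvers that DHCP hands out in the later, clean SmitFraudFix log).
TRUSTED_RESOLVERS = {
    ipaddress.ip_address(a)
    for a in ("192.168.2.1", "207.191.192.130",
              "209.253.113.18", "209.253.113.10", "209.253.113.2")
}

# Publicly documented rogue-resolver range of the DNSChanger family; both
# servers written into this machine's registry fall inside it.
ROGUE_NETWORKS = [ipaddress.ip_network("85.255.112.0/20")]

# Matches  "nameserver"="a,b"  as well as  DhcpNameServer=a b c
_VALUE_RE = re.compile(r'(?i)(DhcpNameServer|NameServer)"?\s*=\s*"?([^"<]*)')


def parse_resolvers(text):
    """Yield (registry_key, ip_string) for every resolver literal in the log."""
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            current_key = line          # bare key path: the next value line is its
            continue
        m = _VALUE_RE.search(line)
        if not m:
            continue
        # "HKLM\...: DhcpNameServer=..." carries its own key before ': '.
        key = line.split(": ", 1)[0] if ": " in line else current_key
        for token in re.split(r"[,\s]+", m.group(2).strip()):
            try:
                ipaddress.ip_address(token)
            except ValueError:
                continue                # not an IP literal
            yield key, token


def classify(ip_str):
    """Return 'rogue', 'trusted' or 'unknown' for one resolver address."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in ROGUE_NETWORKS):
        return "rogue"
    if ip in TRUSTED_RESOLVERS:
        return "trusted"
    return "unknown"


def audit_resolvers(text):
    """Return [(key, ip, verdict)] for every resolver that is not trusted."""
    findings = []
    for key, ip in parse_resolvers(text):
        verdict = classify(ip)
        if verdict != "trusted":
            findings.append((key, ip, verdict))
    return findings


if __name__ == "__main__":
    for key, ip, verdict in audit_resolvers(SAMPLE_LOG):
        print(f"{verdict:8} {ip:16} {key}")
```

Run against the sample, the script reports only the four rogue occurrences (two per hijacked interface key) and stays silent on the DHCP-assigned ISP resolvers. An "unknown" verdict is not a conviction; it means the address is not on the list you maintain, so check who owns it before clearing it.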
     
  6. jtgoffe (Thread Starter)

    My desktop background is now missing; I guess that's a good sign? I'll now work on CCleaner. Here are the SmitFraud and HJT logs; I should be done with CCleaner by the time you finish reading this:

    SmitFraudFix v2.312

    Scan done at 18:20:33.40, Sat 04/12/2008
    Run from
    C:\Documents and Settings\Jeremy & Tracy\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{C5AF49A2-94F3-42BD-F434-2604812C897D}"="jhsf8d984jief8dsfus98jkefn"

    [HKEY_CLASSES_ROOT\CLSID\{C5AF49A2-94F3-42BD-F434-2604812C897D}\InProcServer32]
    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C5AF49A2-94F3-42BD-F434-2604812C897D}\InProcServer32]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{65bbf06c-ea06-4818-92a3-f3550d0e1004}"="asparagine"

    [HKEY_CLASSES_ROOT\CLSID\{65bbf06c-ea06-4818-92a3-f3550d0e1004}\InProcServer32]
    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{65bbf06c-ea06-4818-92a3-f3550d0e1004}\InProcServer32]

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» VACFix

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\215651\ Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
    C:\DOCUME~1\JEREMY~1\FAVORI~1\Online Security Test.url Deleted
    C:\DOCUME~1\JEREMY~1\FAVORI~1\Error Cleaner.url Deleted
    C:\DOCUME~1\JEREMY~1\FAVORI~1\Privacy Protector.url Deleted
    C:\DOCUME~1\JEREMY~1\FAVORI~1\Spyware?Malware Protection.url Deleted
    C:\Program Files\akl\ Deleted
    C:\Program Files\Helper\ Deleted
    C:\Program Files\NetProject\ Deleted
    C:\Program Files\VirusHeat 4.3\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri
    C:\WINDOWS\cndr32a.dll deleted.


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C8F70DC-E623-4A4C-9F62-612CAD476879}: DhcpNameServer=192.168.2.1 207.191.192.130 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.10 209.253.113.2 209.253.113.2
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{3C8F70DC-E623-4A4C-9F62-612CAD476879}: DhcpNameServer=192.168.2.1 207.191.192.130 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.10 209.253.113.2 209.253.113.2
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{3C8F70DC-E623-4A4C-9F62-612CAD476879}: DhcpNameServer=192.168.2.1 207.191.192.130 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.10 209.253.113.2 209.253.113.2
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 207.191.192.130 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.10 209.253.113.2 209.253.113.2
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 207.191.192.130 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.10 209.253.113.2 209.253.113.2
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 207.191.192.130 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.18 209.253.113.10 209.253.113.2 209.253.113.10 209.253.113.2 209.253.113.2


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{C5AF49A2-94F3-42BD-F434-2604812C897D}"="jhsf8d984jief8dsfus98jkefn"

    [HKEY_CLASSES_ROOT\CLSID\{C5AF49A2-94F3-42BD-F434-2604812C897D}\InProcServer32]
    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C5AF49A2-94F3-42BD-F434-2604812C897D}\InProcServer32]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{65bbf06c-ea06-4818-92a3-f3550d0e1004}"="asparagine"

    [HKEY_CLASSES_ROOT\CLSID\{65bbf06c-ea06-4818-92a3-f3550d0e1004}\InProcServer32]
    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{65bbf06c-ea06-4818-92a3-f3550d0e1004}\InProcServer32]


    »»»»»»»»»»»»»»»»»»»»»»»» End

    Hijack this log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:30:18 PM, on 4/12/2008
    Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\flciijjq.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Documents and Settings\Jeremy & Tracy\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {8e5b5250-12f0-4088-9792-8d001c929379} - (no file)
    O2 - BHO: (no name) - {a8eeb996-62aa-4e48-995d-eaddcac47476} - (no file)
    O2 - BHO: (no name) - {c5af49a2-94f3-42bd-f434-2604812c897d} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: vnbptxlf - {2765DD3A-7AB1-4813-9612-C14A5981728A} - (no file)
    O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Weather] "C:\Program Files\AWS\WeatherBug\Weather.exe" 1
    O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] "C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" -s
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15035/CTPID.cab
    O20 - Winlogon Notify: jkkjGVlm - jkkjGVlm.dll (file missing)
    O21 - SSODL: mgsvflkw - {BF32818D-CBD6-4E21-8AE2-2135347B6EE6} - (no file)
    O21 - SSODL: qdnkewfa - {2DE020EF-05A8-496B-B79D-AE8D882ADACB} - (no file)
    O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
    O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - (no file)
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\flciijjq.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Plug and Play (RPC) (plugplayrpc) - Unknown owner - C:\WINDOWS\winsysxe.exe (file missing)
    O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Webroot Spy Sweeper Engine (webrootspysweeperservice) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 9819 bytes
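In the HijackThis log above, the lines that matter share a few shapes: O2, O3, O20, O21 and O22 entries ending in "(no file)" or "(file missing)" are registrations whose DLL has already been deleted (the Winlogon Notify and SharedTaskScheduler hooks are left-over persistence points that should still be removed), while among the O23 services the suspect ones have "Unknown owner", a binary sitting directly in C:\WINDOWS, or a display name borrowed from a built-in service ("Task Scheduler (Schedule)" and "Plug and Play (RPC)" pointing at spools.exe and winsysxe.exe). The script below is an added example, not HijackThis code and not from the helper in this thread; it applies those checks to pasted log text. The built-in-name list, the %windir%-root heuristic and the sample lines are assumptions constructed for the example, and "Unknown owner" on its own is a prompt to look rather than a verdict, which the Symantec Core LC line in the sample illustrates.

```python
"""Triage a pasted HijackThis log for the entry shapes worth a second look.

Added example, not HijackThis code and not from this thread's helpers.  It
reads O-lines as text and applies the checks a reviewer applies by eye.
"""
import re

# Constructed sample: lines copied in shape from the HijackThis log above,
# with a few legitimate entries kept so the checks have something to pass.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {8e5b5250-12f0-4088-9792-8d001c929379} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: vnbptxlf - {2765DD3A-7AB1-4813-9612-C14A5981728A} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O20 - Winlogon Notify: jkkjGVlm - jkkjGVlm.dll (file missing)
O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\flciijjq.exe
O23 - Service: Plug and Play (RPC) (plugplayrpc) - Unknown owner - C:\WINDOWS\winsysxe.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
"""

_OLINE_RE = re.compile(r"^(O\d+) - (.*)$")
_ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Assumption: display names of built-in services that the malware in this
# thread borrows; the genuine ones run inside svchost.exe or services.exe on XP.
_BUILTIN_PREFIXES = ("task scheduler", "plug and play")
_SERVICE_HOSTS = ("svchost.exe", "services.exe")
# Heuristic (assumption): a service binary sitting directly in %windir%
# rather than in a subdirectory is unusual for legitimate software.
_WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")


def _check_service(body):
    """Reasons for one O23 body of the form 'display - vendor - path[ (file missing)]'."""
    parts = body.split(" - ", 2)
    if len(parts) != 3:
        return []
    display, vendor, path = (p.strip() for p in parts)
    path = path.replace("(file missing)", "").strip().lower()
    reasons = []
    if vendor.lower() == "unknown owner":
        reasons.append("unknown-owner")      # no vendor string: a prompt, not a verdict
    if _WINDIR_ROOT_RE.match(path):
        reasons.append("windir-root")
    if (display.lower().startswith(_BUILTIN_PREFIXES)
            and not path.endswith(_SERVICE_HOSTS)):
        reasons.append("mimics-builtin")     # built-in name, wrong host binary
    return reasons


def triage_hjt(text):
    """Return [(section, line, reasons)] for every O-line that trips a check."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _OLINE_RE.match(line)
        if not m:
            continue
        section, rest = m.group(1), m.group(2)
        reasons = []
        if any(marker in rest for marker in _ORPHAN_MARKERS):
            reasons.append("orphan")         # registration outlives its DLL/EXE
        if section == "O23" and rest.startswith("Service: "):
            reasons.extend(_check_service(rest[len("Service: "):]))
        if reasons:
            findings.append((section, line, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for section, line, reasons in triage_hjt(SAMPLE_HJT):
        print(f"{section:4} {', '.join(reasons):40} {line}")
```

On the sample this flags the orphaned BHO, toolbar, Winlogon Notify and SharedTaskScheduler entries, the MSSysInterv service (unknown vendor, binary in the Windows root), and the two services impersonating Task Scheduler and Plug and Play; the Apple service and the UpdReg run key pass. The Symantec Core LC line is reported only for its missing vendor string, which is the false-positive case to keep in mind when reading the output.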
     
  7. jtgoffe (Thread Starter)

    Adobe Acrobat 5.0
    Adobe Acrobat 8 Professional - English, Français, Deutsch
    Adobe Acrobat 8.1.2 Professional
    Adobe Flash Player ActiveX
    AIM 6
    AppCore
    Apple Mobile Device Support
    Apple Software Update
    Azureus Vuze
    Baseball Mogul 2008
    BCM V.92 56K Modem
    ccCommon
    CCleaner (remove only)
    Compatibility Pack for the 2007 Office system
    Component Framework
    Creative MediaSource 5
    Creative Software AutoUpdate
    Creative System Information
    Dell Driver Reset Tool
    DELL TrueMobile 1180 Wireless USB
    DivX Codec
    DivX Converter
    DivX Web Player
    doljp1024wp
    enchantedsk
    fantasysky2005
    FUJIFILM USB Driver
    HijackThis 2.0.2
    Image Resizer Powertoy for Windows XP
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet
    iTunes
    Java(TM) 6 Update 4
    Java(TM) 6 Update 5
    LimeWire PRO 4.17.5
    LiveUpdate (Symantec Corporation)
    Microsoft .NET Framework 2.0
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office Professional Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft XML Parser
    moonlight22
    Mozilla Firefox (2.0.0.12)
    MSN
    Nero 8
    Norton AntiVirus
    Norton AntiVirus (Symantec Corporation)
    Norton AntiVirus Help
    Norton Protection Center
    NVIDIA Drivers
    oceanb1024wp
    Pdf995 (installed by TaxCut)
    PdfEdit995 (installed by TaxCut)
    PowerISO
    QuickTime
    Registry Mechanic 7.0
    sleahdwp
    Sound Blaster Audigy
    soundsea1024wp
    SPBBC 32bit
    Spy Sweeper
    Symantec Real Time Storage Protection Component
    SymNet
    TaxCut Iowa 2007
    TaxCut Premium + State + Efile 2007
    Uniblue SpeedUpMyPC 3
    Update for Windows XP (KB942763)
    VCRedistSetup
    Viewpoint Media Player
    vistamagic
    WeatherBug
    WebFldrs XP
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 11
    WinRAR archiver
    Yahoo! Browser Services
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Messenger
     
  8. jtgoffe (Thread Starter)

    Not getting popups, the system seems to be running slightly faster, and there's no small popup with the trojan-spy.win32 message either.
     
  9. km2357

    What was your desktop background before I had you run SmitFraudFix's option #2?




    Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.



    IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    LimeWire PRO 4.17.5

    I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

    Also available here.

    My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


    Step # 1: Download and Install SDFix
    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)


    Step # 2: Boot into Safe Mode

    You can go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.


    Step # 3: Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log .
     
  10. jtgoffe (Thread Starter)

    A few questions for you: What is the below file? Who wrote these programs assisting in this process? Why don't antivirus programs work in this instance? I didn't have them installed when I got the virus, but the AV programs weren't finding all these!

    SDFix: Version 1.170
    Run by Jeremy

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :

    Name:
    zeqbqwp

    Path:
    \??\C:\WINDOWS\zeqbqwp.sys

    zeqbqwp - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File
    Restoring Default HomePage Value
    Restoring Default Desktop Components Value
    Restoring Default Schedule Service Path

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
    C:\945388~1 - Deleted
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\install.dat - Deleted
    C:\smp.bat - Deleted
    C:\WINDOWS\iTunesMusic.exe - Deleted
    C:\WINDOWS\Web\def.htm - Deleted
    C:\WINDOWS\zeqbqwp.sys - Deleted


    Could Not Remove C:\WINDOWS\system32smp



    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-13 10:54:49
    Windows 5.1.2600 Service Pack 3, v.3264 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "C:\\Program Files\\Dell TrueMobile 2300\\ControlUtility.exe"="C:\\Program Files\\Dell TrueMobile 2300\\ControlUtility.exe:*:Enabled:ControlUtility"
    "C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
    "C:\\Documents and Settings\\Jeremy & Tracy\\Local Settings\\Temp\\~os7F7.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Jeremy & Tracy\\Local Settings\\Temp\\~os7F7.tmp\\ossproxy.exe:*:Enabled:eek:ssproxy.exe"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup"
    "C:\\Program Files\\AWS\\WeatherBug\\Weather.exe"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe:*:Enabled:WeatherBug"
    "C:\\WINDOWS\\system32\\pzpzgq.exe"="C:\\WINDOWS\\system32\\pzpzgq.exe:*:Disabled:pzpzgq"
    "c:\\windows\\system32\\qnrb5.exe"="c:\\windows\\system32\\qnrb5.exe:*:Enabled:qnrb5"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"

    Remaining Files :

    C:\WINDOWS\system32smp Found

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Sun 23 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Wed 8 Aug 2007 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
    Wed 8 Aug 2007 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
    Sun 9 Mar 2008 5,632 A..H. --- "C:\Program Files\Sports Mogul\Baseball Mogul 2008\Encyclopedia\Thumbs.db.bak"
    Wed 23 May 2007 483,328 A..H. --- "C:\Program Files\Sports Mogul\Baseball Mogul 2008\Skins\SportsMogul\News\PBP\Thumbs.db.bak"

    Finished!
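The "Authorized Application Key Export" in the SDFix report is the Windows Firewall exception list: every program in it is allowed to accept inbound connections, and the rule stays behind after the program that created it is gone. Three entries in this export are the kind malware writes for itself: pzpzgq.exe and qnrb5.exe, random names in system32 with no vendor, and ossproxy.exe running out of a Temp folder, which is not where an installed program lives. The script below is an added example, not SDFix code and not from this thread's helpers. It parses the .reg-style export and flags exceptions that run from Temp or that sit in system32 without being on a short known list. The known list, the %windir% expansion and the sample lines are constructed assumptions; the sample writes the resource-string names in the @xpsp3res.dll form the registry actually stores.

```python
"""Audit the Windows Firewall AuthorizedApplications export that SDFix prints.

Added example, not SDFix code.  The list holds the programs the XP firewall
lets accept inbound connections; malware adds itself so the rule survives
removal of the process that created it.
"""
import re

# Constructed sample in the shape of the export above.  Each value is
# "<path>:<scope>:<Enabled|Disabled>:<display name>".
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Documents and Settings\\Jeremy & Tracy\\Local Settings\\Temp\\~os7F7.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Jeremy & Tracy\\Local Settings\\Temp\\~os7F7.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\pzpzgq.exe"="C:\\WINDOWS\\system32\\pzpzgq.exe:*:Disabled:pzpzgq"
"c:\\windows\\system32\\qnrb5.exe"="c:\\windows\\system32\\qnrb5.exe:*:Enabled:qnrb5"
"""

_ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]+)"$')

# Assumption: the only system32 binaries expected to hold an exception on
# this box; anything else in that directory is worth a look.
KNOWN_SYSTEM32 = {"sessmgr.exe"}


def parse_entries(text):
    """Yield (path, scope, state, display_name) from a .reg-style export."""
    for raw in text.splitlines():
        m = _ENTRY_RE.match(raw.strip())
        if not m:
            continue
        value = m.group("value").replace("\\\\", "\\")   # undo .reg escaping
        # The path itself contains a ':' (drive letter), so split from the right.
        parts = value.rsplit(":", 3)
        if len(parts) != 4:
            continue
        path, scope, state, name = parts
        yield path, scope, state, name


def audit_entries(text):
    """Return [(path, state, reasons)] for every exception that trips a check."""
    findings = []
    for path, _scope, state, _name in parse_entries(text):
        # Assumption: XP default install location for %windir%.
        low = path.lower().replace("%windir%", r"c:\windows")
        folder, _, basename = low.rpartition("\\")
        reasons = []
        if "\\temp\\" in low:
            reasons.append("runs-from-temp")
        if folder.endswith("\\system32") and basename not in KNOWN_SYSTEM32:
            reasons.append("unexpected-system32-binary")
        if reasons:
            # A Disabled rule is still reported: its existence is the indicator.
            findings.append((path, state, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for path, state, reasons in audit_entries(SAMPLE_EXPORT):
        print(f"{state:9} {', '.join(reasons):28} {path}")
```

Against the sample the audit reports ossproxy.exe (Temp), pzpzgq.exe and qnrb5.exe (system32, not on the known list) and leaves xpnetdiag, sessmgr, Azureus and iTunes alone. The pzpzgq rule is marked Disabled and is still reported on purpose: the rule's presence, not its state, is what says something wrote it.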
     
  11. km2357

    If by "the below file" you mean SDFix, it is a specialized program used to detect and delete malware/spyware from someone's computer. AndyManchesta wrote, developed, and continues to update SDFix. AntiVirus programs often don't work in a lot of instances because these files aren't in their databases. The malware files are often sent to AV companies to be included in future databases, but it can take time for those files to be added to the AV company's database.

    I need to see a fresh HiJackThis Log before we can continue. :)
     
  12. jtgoffe (Thread Starter)

    Thank you so much for helping me through this! It's greatly appreciated. Here is the HJT log below, let me know if there's more to do!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:09:42 PM, on 4/13/2008
    Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\flciijjq.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\wiaacmgr.exe
    C:\Documents and Settings\Jeremy & Tracy\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {8e5b5250-12f0-4088-9792-8d001c929379} - (no file)
    O2 - BHO: (no name) - {a8eeb996-62aa-4e48-995d-eaddcac47476} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: vnbptxlf - {2765DD3A-7AB1-4813-9612-C14A5981728A} - (no file)
    O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] "C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" -s
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15035/CTPID.cab
    O20 - Winlogon Notify: jkkjGVlm - jkkjGVlm.dll (file missing)
    O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - (no file)
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\flciijjq.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Plug and Play (RPC) (plugplayrpc) - Unknown owner - C:\WINDOWS\winsysxe.exe (file missing)
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Webroot Spy Sweeper Engine (webrootspysweeperservice) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 9243 bytes
     
  13. km2357

    km2357

    Joined:
    Aug 9, 2007
    Messages:
    686
    Ignore this message, double post.
     
  14. km2357

    km2357

    Joined:
    Aug 9, 2007
    Messages:
    686
    Step # 1: Download and run ERUNT
    • You will be downloading ERUNT, a registry backup tool.
    • For version with the Installer:
      Use the setup program to install ERUNT on your computer
    • For the zipped version:
      Unzip all the files into a folder of your choice.
    Click Erunt.exe to back up your registry to the folder of your choice.

    Note: to restore your registry, go to the folder and start ERDNT.exe

    Open Notepad!
    Copy and Paste everything from the Quote box into Notepad:

    Make sure there are NO blank lines before REGEDIT4
    Make sure there IS one blank line at the end of the file.

    Go to File > Save As
    Save File name as Fix.reg
    Change Save as Type to All Files and save the file to your desktop.

    Close Notepad, and double-click Fix.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK. Reboot the computer.


    Step # 2: Stop some processes with Task Manager
    Press Control+Alt+Del to enter the Task Manager.
    Click on the Processes tab and end the following processes (if present):

    flciijjq.exe

    Exit the Task Manager when finished.


    Step # 3: Remove Hijackthis Entries

    • Run HijackThis
    • Click on the Scan button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {8e5b5250-12f0-4088-9792-8d001c929379} - (no file)

      O2 - BHO: (no name) - {a8eeb996-62aa-4e48-995d-eaddcac47476} - (no file)

      O3 - Toolbar: vnbptxlf - {2765DD3A-7AB1-4813-9612-C14A5981728A} - (no file)

      O20 - Winlogon Notify: jkkjGVlm - jkkjGVlm.dll (file missing)

      O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - (no file)

      O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\flciijjq.exe

      O23 - Service: Plug and Play (RPC) (plugplayrpc) - Unknown owner - C:\WINDOWS\winsysxe.exe (file missing)

    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.


    Step # 4: Run Batchfile
    Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the codebox to Notepad. Save it as "All Files" and name it delbadservice.bat. Please save it on your desktop.

    Code:
    sc stop MSSysInterv1
    sc delete MSSysInterv1
    sc stop plugplayrpc
    sc delete plugplayrpc

    Double click delbadservice.bat. A window will open and close. This is normal.


    Step # 5: Deleting Files/Folders

    I need you to use Windows Explorer to delete the files I have marked in red (if found):

    C:\WINDOWS\system32\pzpzgq.exe
    C:\windows\system32\qnrb5.exe
    C:\WINDOWS\flciijjq.exe
    C:\WINDOWS\winsysxe.exe


    Step # 6: Run CCleaner

    CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!

    • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
    • Then select the items you wish to clean up.
    • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies
      • Clean all the entries in the Windows Explorer section
      • Clean all entries in the System section
      • Clean all entries in the Advanced section
      • Clean any others that you choose
    • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it
      • Clean all in the Opera section if you use it
      • Clean Sun Java in the Internet Section
      • Clean any others that you choose
    • Click the Run Cleaner button.
    • A pop up box will appear advising this process will permanently delete files from your system.
    • Click OK and it will scan and clean your system.
    • Click exit when done.
    • If it asks you to reboot at the end, click NO

    Step # 7: Download and Run Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location.
    • You can also access the log by doing the following:
      • Click on the Malwarebytes' Anti-Malware icon to launch the program.
      • Click on the Logs tab.
      • Click on the log at the bottom of those listed to highlight it.
      • Click Open.



    In your next reply/post, I need to see the following:

    1. The MalwareBytes' Log
    2. A fresh HiJackThis Log
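The following Python script is an added example (not code from the thread, from km2357, or from HijackThis) that applies the same triage rules the helper used in Steps 3 and 4 to raw HijackThis lines: any entry that ends in "(no file)" or "(file missing)" is an orphaned registration to be fixed with HijackThis, and an O23 service with "Unknown owner" whose binary sits directly in the Windows directory (an assumption made for this example, chosen because that is where both bad services in the log lived) is flagged as well. For every flagged O23 entry it emits the `sc stop` / `sc delete` lines keyed on the service's internal name, the part in parentheses, which is what `sc` needs rather than the display name. The sample lines are copied from the log posted above, including benign services so the rules can be seen not firing.

```python
"""Triage HijackThis log lines the way the helper in this thread did.

Added example, not part of the original thread. Two rules are applied:
  1. a line ending in "(no file)" / "(file missing)" is an orphaned
     registration (BHO, toolbar, Winlogon notify, task, service);
  2. an O23 service with "Unknown owner" whose binary lives directly in
     the Windows directory (assumption for this example) is suspicious.
For flagged O23 entries the `sc stop` / `sc delete` lines of Step 4 are
generated from the *service name* in parentheses, not the display name.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lines copied from the HijackThis log posted in this thread (plus a few
# of its benign entries) and embedded here as test input.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {8e5b5250-12f0-4088-9792-8d001c929379} - (no file)
O3 - Toolbar: vnbptxlf - {2765DD3A-7AB1-4813-9612-C14A5981728A} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: jkkjGVlm - jkkjGVlm.dll (file missing)
O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\flciijjq.exe
O23 - Service: Plug and Play (RPC) (plugplayrpc) - Unknown owner - C:\WINDOWS\winsysxe.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O23_PREFIX = "O23 - Service: "
FILE_MISSING = " (file missing)"
# Binary directly under <drive>:\WINDOWS\ with no subfolder (heuristic, see above).
WINDOWS_ROOT = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)
# "<display> (<service name>)"; the last parenthesised group is the service name.
SERVICE_RE = re.compile(r"^(?P<display>.*?)\s*\((?P<name>[^()]*)\)$")


@dataclass
class Finding:
    line: str
    reason: str
    service_name: Optional[str] = None  # set only for O23 entries


def parse_service(line: str) -> Tuple[str, str, str, str, bool]:
    """Split an O23 line into (display, service_name, owner, path, file_missing)."""
    body = line[len(O23_PREFIX):]
    display_part, owner, path = body.split(" - ", 2)
    file_missing = path.endswith(FILE_MISSING)
    if file_missing:
        path = path[: -len(FILE_MISSING)]
    m = SERVICE_RE.match(display_part)
    if m:
        display, name = m.group("display"), m.group("name")
    else:
        display = name = display_part  # no short name shown: both are the same
    return display, name, owner, path, file_missing


def triage(log_text: str) -> List[Finding]:
    """Return the entries the helper would tell the poster to fix."""
    findings: List[Finding] = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        is_service = line.startswith(O23_PREFIX)
        if line.endswith("(no file)") or line.endswith("(file missing)"):
            name = parse_service(line)[1] if is_service else None
            findings.append(Finding(line, "points at a file that no longer exists", name))
            continue
        if is_service:
            _, name, owner, path, _ = parse_service(line)
            if owner == "Unknown owner" and WINDOWS_ROOT.match(path):
                findings.append(Finding(line, "unknown-owner service in Windows directory", name))
    return findings


def sc_commands(findings: List[Finding]) -> List[str]:
    """Build the Step 4 batch file lines for every flagged service."""
    cmds: List[str] = []
    for f in findings:
        if f.service_name:
            cmds.append(f"sc stop {f.service_name}")
            cmds.append(f"sc delete {f.service_name}")
    return cmds


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.reason}] {f.line}")
    print("\n".join(sc_commands(found)))
```

Run on the sample, the script flags the same seven-minus-one items the helper listed in Step 3 (the second BHO is not in the sample) and reproduces the four `sc` lines of delbadservice.bat exactly, while leaving the Symantec "Unknown owner" service alone because its binary is under Program Files, not the Windows root.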
     
  15. jtgoffe

    jtgoffe Thread Starter

    Joined:
    Jun 11, 2005
    Messages:
    45
    What was flciijjq.exe ?

    I wasn't able to find C:\WINDOWS\system32\pzpzgq.exe and C:\WINDOWS\winsysxe.exe, was there a reason why?

    Am I able to use the MalwareBytes program whenever I feel the need (like CCleaner?) or is it strictly to be used in these circumstances?

    I will send the logs tomorrow...
     
Short URL to this thread: https://techguy.org/703089