Post #6, Nov 14 2006, 11:21 PM
Member (Group: Members; Posts: 46; Joined: 12-November 06; Member No.: 95,168)
Kyle Eichin - 06-11-14 17:15:08.29 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Kyle Eichin\My Documents"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\system32\isnotify.exe
C:\WINDOWS\system32\issearch.exe
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\ixt0.dll
C:\Program Files\Safety Bar
C:\Program Files\winupdates
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{3CFB2313-0AE9-1033-0126-040218200001}
C:\Program Files\Common Files\{BCFB2313-0AE9-1033-0126-040218200001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\SEMBLY~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1\n?tepad.exe
C:\QooBox\Purity\Program Files\SEMBLY~1\msconfig.exe
C:\QooBox\Purity\Program Files\SEMBLY~1\??sembly
C:\QooBox\Purity\WINDOWS\CURITY~1

((((((((((((((((((((((((((((((( Files Created from 2006-10-14 to 2006-11-14 ))))))))))))))))))))))))))))))))))

2006-11-13 16:08 699,661 ---hs---- C:\WINDOWS\system32\cccdd.ini2
2006-11-11 20:22 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-10 00:23 110,612 --a--c--- C:\WINDOWS\system32\ctqwfxhs.exe
2006-11-10 00:22 764,241 ---hs---- C:\WINDOWS\system32\cccdd.bak2
2006-11-05 19:02 110,612 --a------ C:\WINDOWS\system32\ivxiulii.exe
2006-11-05 19:01 752,271 ---hs---- C:\WINDOWS\system32\cccdd.bak1
2006-11-05 18:59 692,276 ---hs---- C:\WINDOWS\system32\ddccc.dll
2006-11-05 18:44 106,496 --a------ C:\WINDOWS\system32\impgsje.dll
2006-11-05 18:40 2 --a------ C:\WINDOWS\system32\wtssvit.exe
2006-11-05 18:38 94,208 --a------ C:\WINDOWS\system32\ugugpqj.dll
2006-11-05 18:38 72,704 --a------ C:\WINDOWS\system32\lexjpbc.dll
2006-11-05 18:37 59,392 --a------ C:\WINDOWS\system32\drvsot.dll
2006-11-05 18:37 40,973 ---hs---- C:\WINDOWS\system32\ddcbyxx.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-11-14 19:01 -------- d-a------ C:\Program Files\Common Files
2006-11-13 16:06 -------- d-------- C:\Program Files\VSAdd-in
2006-11-11 21:32 -------- d-------- C:\Program Files\VirusBursters
2006-11-11 20:20 -------- d-------- C:\Program Files\Grisoft
2006-11-11 12:03 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-05 19:04 -------- d-------- C:\Documents and Settings\Kyle Eichin\Application Data\SearchToolbarCorp
2006-11-05 18:39 -------- d-------- C:\Documents and Settings\Kyle Eichin\Application Data\Google
2006-10-29 13:26 -------- d-------- C:\Program Files\Google
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-03 22:18 126 --a------ C:\Documents and Settings\Kyle Eichin\Application Data\iScrobbler.ini
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Osus"="\"C:\\PROGRA~1\\SEMBLY~1\\msconfig.exe\" -vt yazb"
"Abnlfa"="C:\\Program Files\\Common Files\\F?nts\\n?tepad.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TPSMain"="TPSMain.exe"
"TPP Auto Loader"="C:\\WINDOWS\\tppaldr.exe"
"TouchED"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"00THotkey"="C:\\WINDOWS\\System32\\00THotkey.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"TFNF5"="TFNF5.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvsot.dll,startup"
"ugugpqj.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\ugugpqj.dll,wwhrmed"
"VirusBursters"="C:\\Program Files\\VirusBursters\\virusbursters.exe /h"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
  00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{d7bdd42a-7e69-4bb8-aac3-d76ff65a3aa3}"="archenteric"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{6809e580-a3a7-11d1-9a00-00a0c945b006}"="GoBack Shell Extension"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"issearch.exe"="issearch.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"archenteric"="{d7bdd42a-7e69-4bb8-aac3-d76ff65a3aa3}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlig32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-14 20:13:59.89
C:\ComboFix.txt ... 06-11-14 20:13
Post #7, Nov 15 2006, 06:05 PM
Malware Expert (Group: HJT Team; Posts: 10,301; Joined: 23-December 04; From: Pickerington, Ohio; Member No.: 7,762)
You've got some troublemakers still showing up in your log.
Please download VundoFix.exe to your desktop.
Also post a new hijackthis log.

--------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
[ Start Here ] [ Adaware 2008 ] [ Spybot ] [ AVG Antivirus ] [ Superantispyware ] [ MalwareBytes ] [ Spyware Blaster ] [ Windows Update ] [ How to install Windows XP Recovery Console ]
Post #8, Nov 15 2006, 11:30 PM
Member (Group: Members; Posts: 46; Joined: 12-November 06; Member No.: 95,168)
I ran Spybot early this morning and Found 110 errors. Is it OK to fix?
Never mind, I'll just run VundoFix, post the logs, etc. I can always run it again later. I'm interested to know the answer, though.
Post #9, Nov 16 2006, 05:18 PM
Malware Expert (Group: HJT Team; Posts: 10,301; Joined: 23-December 04; From: Pickerington, Ohio; Member No.: 7,762)
It won't hurt to let Spybot fix whatever it found, but Spybot alone won't be able to clean you up.
Post #10, Nov 17 2006, 05:40 AM
Member (Group: Members; Posts: 46; Joined: 12-November 06; Member No.: 95,168)
I'm ecstatic to report that after 29 hours of running VundoFix, Windows felt compelled to restart upon completion of an automatic update. I suppose I'll start over (edit: as soon as it finishes a second round of updates).
This post has been edited by Keichin: Nov 17 2006, 06:12 AM
Post #11, Nov 17 2006, 09:09 AM
Malware Expert (Group: HJT Team; Posts: 10,301; Joined: 23-December 04; From: Pickerington, Ohio; Member No.: 7,762)
Oh no. Vundofix shouldn't take anywhere near that long. Check to see if it created a log here - C:\vundofix.txt
If so, post it in your next reply. Also post a new hijackthis log. We'll work around Vundofix if it's not getting it done for us.
Post #12, Nov 18 2006, 12:10 AM
Member (Group: Members; Posts: 46; Joined: 12-November 06; Member No.: 95,168)
Not a problem. It seems like cleaning house with spybot freed up some system resources. VundoFix is done.

VundoFix V6.2.8

Checking Java version...

Java version is 1.5.0.2
Java version is 1.5.0.6

Scan started at 12:00:11 AM 11/16/2006

Listing files found while scanning....

VundoFix V6.2.8

Checking Java version...

Java version is 1.5.0.2
Java version is 1.5.0.6

Scan started at 5:59:14 PM 11/17/2006

Listing files found while scanning....

C:\WINDOWS\system32\lexjpbc.dll
C:\WINDOWS\system32\ugugpqj.dll
C:\WINDOWS\system32\ddccc.dll
C:\WINDOWS\system32\cccdd.ini
C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\cccdd.bak2
C:\WINDOWS\system32\cccdd.ini2
C:\WINDOWS\system32\cccdd.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\lexjpbc.dll
C:\WINDOWS\system32\lexjpbc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ugugpqj.dll
C:\WINDOWS\system32\ugugpqj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddccc.dll
C:\WINDOWS\system32\ddccc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cccdd.ini
C:\WINDOWS\system32\cccdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\cccdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cccdd.bak2
C:\WINDOWS\system32\cccdd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cccdd.ini2
C:\WINDOWS\system32\cccdd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cccdd.tmp
C:\WINDOWS\system32\cccdd.tmp Has been deleted!

Performing Repairs to the registry.
Done!
And the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:42:27 PM, on 11/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\AliasWavefront Shared\Licensing\etc\lmgrd.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Common Files\AliasWavefront Shared\Licensing\etc\sgiawd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SIMPLEREMOTE\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Intuit\DatabaseServer\QBPOSDBService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Intuit\DatabaseServer\QBDBMgrN.exe
C:\Program Files\Common Files\Intuit\DatabaseServer\QBDBMgrN.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\VirusBursters\virusbursters.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\KYLEEI~1\APPLIC~1\SCURIT~1\winspool.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\WINDOWS\system32\TWarnMsg.exe
C:\Documents and Settings\Kyle Eichin\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {ACEE7CED-CC50-EEDC-7C03-C889195E64EE} - C:\WINDOWS\system32\gkmyx.dll (file missing)
R3 - URLSearchHook: (no name) - {ADBE25BE-C97E-908F-7870-C3891028319D} - C:\WINDOWS\system32\bavpq.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {03464E23-3F17-177C-65CB-0B56358620B3} - C:\WINDOWS\system32\lexjpbc.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1808648B-3102-4293-8AD3-06AF71D3321B} - (no file)
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {AA1A3D49-8E8D-822C-DDDA-D928EA0733C8} - C:\WINDOWS\system32\jxcki.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {ACEE7CED-CC50-EEDC-7C03-C889195E64EE} - C:\WINDOWS\system32\gkmyx.dll (file missing)
O2 - BHO: (no name) - {ADBE25BE-C97E-908F-7870-C3891028319D} - C:\WINDOWS\system32\bavpq.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C6B4D2B6-1D76-446A-B99D-D8550C9C419A} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\kvcixrby.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsot.dll,startup
O4 - HKLM\..\Run: [ugugpqj.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ugugpqj.dll,wwhrmed
O4 - HKLM\..\Run: [VirusBursters] C:\Program Files\VirusBursters\virusbursters.exe /h
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Osus] "C:\DOCUME~1\KYLEEI~1\APPLIC~1\SCURIT~1\winspool.exe" -vt ndrv
O4 - HKCU\..\Run: [Abnlfa] C:\Program Files\Common Files\F?nts\n?tepad.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0020.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://gemas.webex.com/client/v_mywebex-t2...bex/ieatgpc.cab
O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\system32\QBPOSProtocol.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winlig32 - winlig32.dll (file missing)
O21 - SSODL: archenteric - {d7bdd42a-7e69-4bb8-aac3-d76ff65a3aa3} - C:\WINDOWS\system32\impgsje.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: FLEXlm License Manager - Macrovision Corporation - C:\Program Files\Common Files\AliasWavefront Shared\Licensing\etc\lmgrd.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: QBPOS Database Manager (QBPOSDBServices) - Intuit Inc. - C:\Program Files\Common Files\Intuit\DatabaseServer\QBPOSDBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Thanks for all the help. I'm truly excited we've been able to come this far!! I'm in the process of starting a Panda ActiveScan. I'll let you know how it goes.
Post #13, Nov 18 2006, 09:43 AM
Malware Expert (Group: HJT Team; Posts: 10,301; Joined: 23-December 04; From: Pickerington, Ohio; Member No.: 7,762)
We are definitely making progress, but from the looks of your log we're not quite done yet.
Run Hijackthis again, click scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {ACEE7CED-CC50-EEDC-7C03-C889195E64EE} - C:\WINDOWS\system32\gkmyx.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {03464E23-3F17-177C-65CB-0B56358620B3} - C:\WINDOWS\system32\lexjpbc.dll (file missing)
O2 - BHO: (no name) - {1808648B-3102-4293-8AD3-06AF71D3321B} - (no file)
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {AA1A3D49-8E8D-822C-DDDA-D928EA0733C8} - C:\WINDOWS\system32\jxcki.dll (file missing)
O2 - BHO: (no name) - {ACEE7CED-CC50-EEDC-7C03-C889195E64EE} - C:\WINDOWS\system32\gkmyx.dll (file missing)
O2 - BHO: (no name) - {C6B4D2B6-1D76-446A-B99D-D8550C9C419A} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\kvcixrby.dll (file missing)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [ugugpqj.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ugugpqj.dll,wwhrmed
O4 - HKLM\..\Run: [VirusBursters] C:\Program Files\VirusBursters\virusbursters.exe /h
O4 - HKCU\..\Run: [Osus] "C:\DOCUME~1\KYLEEI~1\APPLIC~1\SCURIT~1\winspool.exe" -vt ndrv
O4 - HKCU\..\Run: [Abnlfa] C:\Program Files\Common Files\F?nts\n?tepad.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0020.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://gemas.webex.com/client/v_mywebex-t2...bex/ieatgpc.cab
O20 - Winlogon Notify: winlig32 - winlig32.dll (file missing)

Reboot your computer.

Download SmitfraudFix (by S!Ri) to your Desktop.
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.
Please post that log.
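The fix list above was assembled by hand from the HijackThis output. As an added example (not code from the thread, from HijackThis or from the helper), the Python below runs a triage pass over HijackThis entries using the three indicators visible in that list: load points whose file is missing, an executable started from the user's Application Data folder, and a path that HijackThis prints with '?' in it. The function names, the dataclass and the heuristics are the example's own assumptions; the sample lines are copied from the log posted earlier in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not code from the thread or from HijackThis: a triage pass
# over HijackThis log lines that applies the same indicators the helper used
# when building the "Fix Checked" list. The heuristics are this example's own
# assumptions, not a rule set from any tool.

# Sample lines, copied from the HijackThis log posted earlier in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {03464E23-3F17-177C-65CB-0B56358620B3} - C:\WINDOWS\system32\lexjpbc.dll (file missing)
O2 - BHO: (no name) - {1808648B-3102-4293-8AD3-06AF71D3321B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKCU\..\Run: [Osus] "C:\DOCUME~1\KYLEEI~1\APPLIC~1\SCURIT~1\winspool.exe" -vt ndrv
O4 - HKCU\..\Run: [Abnlfa] C:\Program Files\Common Files\F?nts\n?tepad.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: winlig32 - winlig32.dll (file missing)
"""

# "R0 - ..." / "O23 - ..." entry prefix; header and process lines do not match.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# A Windows path (drive letter + backslash) containing '?'. HijackThis prints
# '?' for characters it cannot display, which is how look-alike folder names
# such as "F?nts" show up. Requiring a drive path keeps URL query strings out.
ODD_PATH_RE = re.compile(r"[A-Za-z]:\\.*\?")
# An executable started from the user's Application Data folder (short or long name).
APPDATA_EXE_RE = re.compile(r"\\(?:APPLIC~1|Application Data)\\.*\.exe", re.IGNORECASE)


@dataclass
class HjtEntry:
    section: str                                    # e.g. "O2", "O4", "O20"
    detail: str                                     # text after "O2 - "
    reasons: List[str] = field(default_factory=list)


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Return an entry for 'R0 - ...' / 'O4 - ...' lines, None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return HjtEntry(section=m.group(1), detail=m.group(2))


def assess(entry: HjtEntry) -> HjtEntry:
    """Attach a reason for every indicator that applies; no reasons means leave it alone."""
    d = entry.detail
    if "(file missing)" in d or "(no file)" in d:
        entry.reasons.append("load point references a file that no longer exists")
    if ODD_PATH_RE.search(d):
        entry.reasons.append("path contains a character HijackThis could not display")
    if APPDATA_EXE_RE.search(d):
        entry.reasons.append("executable launched from the user's Application Data folder")
    return entry


def triage(log_text: str) -> List[HjtEntry]:
    """Parse a whole log and return only the entries matching at least one indicator."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is not None and assess(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section} - {e.detail}")
        for r in e.reasons:
            print(f"    -> {r}")
```

Entries the script leaves unflagged (the Adobe and Google BHOs, the Toshiba Run key, the Microsoft DPF) still need a human look; the indicators only reproduce the obvious part of the helper's review.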
Post #14, Nov 18 2006, 11:03 PM
Member (Group: Members; Posts: 46; Joined: 12-November 06; Member No.: 95,168)
Fixed the HijackThis issues without problem.
Here's the SmitFraudFix log:

SmitFraudFix v2.122

Scan done at 22:25:10.95, Sat 11/18/2006
Run from C:\Documents and Settings\Kyle Eichin\My Documents\smitfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\impgsje.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kyle Eichin

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kyle Eichin\Application Data

C:\Documents and Settings\Kyle Eichin\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusBursters 6.2.lnk FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\KYLEEI~1\STARTM~1\VirusBursters 6.2.lnk FOUND !
C:\DOCUME~1\KYLEEI~1\STARTM~1\Programs\VirusBursters FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\KYLEEI~1\FAVORI~1

C:\DOCUME~1\KYLEEI~1\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\VirusBursters\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{d7bdd42a-7e69-4bb8-aac3-d76ff65a3aa3}"="archenteric"

[HKEY_CLASSES_ROOT\CLSID\{d7bdd42a-7e69-4bb8-aac3-d76ff65a3aa3}\InProcServer32]
@="C:\WINDOWS\system32\impgsje.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{d7bdd42a-7e69-4bb8-aac3-d76ff65a3aa3}\InProcServer32]
@="C:\WINDOWS\system32\impgsje.dll"

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Thanks!
Post #15, Nov 19 2006, 11:56 AM
Malware Expert (Group: HJT Team; Posts: 10,301; Joined: 23-December 04; From: Pickerington, Ohio; Member No.: 7,762)
Ok, now let's clean it up.
Please print out or copy these instructions/tutorial to Notepad as the internet will not be available to you at certain points of the removal process (while in Safe Mode). Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

1. Reboot your computer in Safe Mode.
6. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
8. Run SmitfraudFix.
Post #16, Nov 19 2006, 09:17 PM
Member (Group: Members; Posts: 46; Joined: 12-November 06; Member No.: 95,168)
Is there a problem with me cleaning my temporary internet files in normal mode? I'm in safe mode right now and all it does is open a skewed ghost of a window.
Post #17, Nov 20 2006, 07:51 PM
Malware Expert (Group: HJT Team; Posts: 10,301; Joined: 23-December 04; From: Pickerington, Ohio; Member No.: 7,762)
It's generally more successful in safe mode, but if that step is a problem right now just skip it. We'll come back and clean up temp files later.