My Task Manager Button Is Greyed Out And I Have Spam Ads Popping Up For Spyware Downloads.


4 replies to this topic

#1 rickbigdog


Posted 07 March 2008 - 04:12 PM

I am getting constant pop-ups requesting that I download spyware-fixing software. Also, the Task Manager button is greyed out, but the window does load with Ctrl-Alt-Delete. I have run an anti-spyware scan and an anti-virus scan (AVG free version). I was recommended to run ComboFix and post the log here. The log is posted below. I cannot seem to get rid of this bug. I have run VundoFix without result. I hope you can assist using this log and/or offer further help. My thanks.

ComboFix 08-03-03.15 - Rick Holsten (Dad) 2008-03-05 17:52:07.2 - FAT32x86 MINIMAL
Running from: C:\Documents and Settings\Rick Holsten (Dad)\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section not completed

((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 )))))))))))))))))))))))))))))))
.

2008-03-05 17:39 . 2008-03-05 17:39 <DIR> d-------- C:\Program Files\p2pnetworks
2008-03-03 21:02 . 2008-03-03 21:02 <DIR> d-------- C:\Program Files\amsys
2008-03-03 21:02 . 2008-03-03 21:03 32,000 --a------ C:\WINDOWS\kvnab.dll
2008-03-03 21:02 . 2008-03-03 21:02 28,928 --a------ C:\WINDOWS\wbeInst$.exe
2008-03-03 21:02 . 2008-03-03 21:02 24,832 --a------ C:\WINDOWS\kvnab$.exe
2008-03-03 21:02 . 2008-03-03 21:02 18,688 --a------ C:\WINDOWS\kvnab.exe
2008-03-03 21:02 . 2008-03-03 21:02 11,264 --a------ C:\WINDOWS\7search.dll
2008-03-03 20:26 . 2008-03-03 20:26 31,744 --a------ C:\WINDOWS\xadbrk.dll
2008-03-03 20:26 . 2008-03-03 21:01 31,488 --a------ C:\WINDOWS\pbsysie.dll
2008-03-03 20:26 . 2008-03-03 20:26 25,344 --a------ C:\WINDOWS\kkcomp.dll
2008-03-03 20:26 . 2008-03-03 20:26 24,576 --a------ C:\WINDOWS\wbeCheck.exe
2008-03-03 20:26 . 2008-03-03 20:26 23,552 --a------ C:\WINDOWS\liqad.dll
2008-03-03 20:26 . 2008-03-03 20:26 19,968 --a------ C:\WINDOWS\liqui.dll
2008-03-03 20:25 . 2008-03-03 20:26 <DIR> d-------- C:\Program Files\3721
2008-03-03 20:23 . 2008-03-03 20:24 <DIR> d-------- C:\Program Files\Accoona
2008-03-02 09:15 . 2008-03-02 09:15 <DIR> d-------- C:\Program Files\e-zshopper
2008-03-02 09:14 . 2008-03-02 09:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\acespy
2008-03-02 09:14 . 2008-03-02 09:14 <DIR> d-------- C:\Program Files\akl
2008-03-02 09:12 . 2008-03-05 17:52 1,856 --a------ C:\WINDOWS\default.htm
2008-03-02 09:04 . 2008-03-02 09:04 3,802,742 --a------ C:\WINDOWS\kbbB2O04Fy.exe
2008-03-02 09:03 . 2008-03-02 09:03 <DIR> d-------- C:\WINDOWS\PerfInfo
2008-03-02 09:03 . 2008-03-02 09:03 <DIR> d-------- C:\WINDOWS\gdhlodju
2008-03-02 09:03 . 2008-03-02 09:03 194,048 --a------ C:\WINDOWS\xmfexubk.dll
2008-03-02 09:03 . 2008-03-02 09:03 89,105 --a------ C:\WINDOWS\czirmdur.exe
2008-03-02 09:03 . 2008-03-02 09:03 45,568 --a------ C:\WINDOWS\letchqpc.exe
2008-03-02 09:03 . 2008-03-02 09:03 4 --a------ C:\WINDOWS\SYSTEM32\winfrun32.bin
2008-03-02 09:02 . 2008-03-02 09:02 89,099 --a------ C:\WINDOWS\SYSTEM32\mgmrwmrv.exe
2008-03-01 10:56 . 2008-03-01 10:56 278,793 --a------ C:\WINDOWS\SYSTEM32\000070.exe
2008-02-26 20:35 . 2008-02-26 20:35 <DIR> d-------- C:\Program Files\QdrPack
2008-02-23 07:41 . 2008-02-23 07:42 <DIR> d-------- C:\Program Files\QdrModule
2008-02-23 07:41 . 2008-02-23 07:41 <DIR> d-------- C:\Program Files\QdrDrive
2008-02-23 07:41 . 2008-02-23 07:41 <DIR> d-------- C:\Program Files\ISM
2008-02-23 07:41 . 2008-02-23 07:41 41,724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-02-23 07:41 . 2008-02-23 07:41 401 --a------ C:\WINDOWS\SYSTEM32\L84EC.tmp
2008-02-23 07:40 . 2008-02-23 07:41 278,793 --a------ C:\WINDOWS\SYSTEM32\LE642.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 14:14 8,960 ----a-w C:\WINDOWS\xxxvideo.exe
2008-01-27 16:16 --------- d-----w C:\Documents and Settings\Rick Holsten (Dad)\Application Data\Grisoft
2008-01-27 13:33 276,883 --sha-w C:\WINDOWS\SYSTEM32\vycdd.ini2
2008-01-27 13:21 --------- d-----w C:\Documents and Settings\Rick Holsten (Dad)\Application Data\AVG7
2008-01-27 13:18 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
2008-01-27 13:18 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg7
2008-01-09 19:54 512 ----a-w C:\ScanSectorLog.dat
2004-12-06 04:15 27,592 ----a-w C:\Documents and Settings\default\Application Data\GDIPFONTCACHEV1.DAT
2001-10-16 19:44 726,306 ----a-w C:\Program Files\DivX4FullInstaller.exe
2001-08-31 03:38 740 ----a-w C:\Program Files\INSTALL.LOG
2001-08-14 22:43 10,236,296 ----a-w C:\Program Files\rp500enu.exe
2000-06-20 21:37 271 --sh--w C:\Program Files\desktop.ini
2000-06-20 21:37 23,357 ---h--w C:\Program Files\folder.htt
2007-05-05 17:22 526,357 --sha-w C:\WINDOWS\SYSTEM32\nmnpo.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1646CEDC-75F1-4F90-A4E9-44AD678EC6C3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D23C2C4-861B-4E10-8D55-89DE3F47E617}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5605D75C-F7CE-4393-9994-7DB250AE2E1B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2A9795-B130-4622-B036-BDCAD28602DC}]
2007-11-12 11:50 397312 --a------ C:\Program Files\Cool\Cool.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6FEF3FFF-301C-48AC-8A6D-6A206E587D67}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82E5E2FF-9260-4d88-B0C6-7CC358C5D418}]
2008-02-22 08:51 172032 --a------ C:\Program Files\QdrDrive\QdrDrive11.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9b62c709-3def-4372-bc5e-6a2bd8ea1e39}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bb936323-19fa-4521-ba29-eca6a121bc78}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QdrModule13"="C:\Program Files\QdrModule\QdrModule13.exe" [2008-02-22 12:37 372736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark 2200 Series"="C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe" [2004-02-13 09:08 57344]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-27 08:18 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MSNPluginSrvcs"="p6.exe" []
"MDN"="MDNS.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsRegKey%update"="ethernet32m.exe" []
"MDN"="MDNS.exe" []
"MSNPluginSrvcs"="p6.exe" []
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-27 08:18 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"kbbB2O04Fy"= rundll32.exe "C:\WINDOWS\xmfexubk.dll",DllCleanServer

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zip"= {ab5f9e6d-f08c-40dc-b075-dbb73d7ed289} - C:\WINDOWS\Installer\{ab5f9e6d-f08c-40dc-b075-dbb73d7ed289}\zip.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrwq32]
winrwq32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwgz32]
winwgz32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvtus]
wvuvtus.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\ddcyv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
C:\Program Files\Internet Optimizer\optimize.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 2200 Series]
--a------ 2004-02-13 09:08 57344 C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MDN]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2002-03-05 11:20 1462544 C:\PROGRA~1\MESSEN~1\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSNPluginSrvcs]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-12-25 13:26 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salm]
c:\temp\salm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartUp Organizer]
C:\Program Files\StartUp Organizer\so.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
--a------ 2001-08-23 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\voror]
C:\WINDOWS\voror.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SCardClnt"=2 (0x2)
"LexBceS"=3 (0x3)
"Compaq_RBA"=3 (0x3)
"WZCSVC"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyAgent"="c:\Program Files\Microsoft Money\System\Money Express.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ScanRegistry"=C:\WINDOWS\scanregw.exe /autorun
"PCHealth"=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
"CPQEASYACC"=C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
"EACLEAN"=C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"CpqBootPerfDb"=C:\Cpqs\Scom\CpqBootPerfDb.exe
"CPQINET"=c:\compaq\CPQInet\CpqInet.exe
"3e121659"=rundll32.exe "C:\WINDOWS\System32\qoyrtaep.dll",b
"fmvuxkrc"=rundll32.exe "C:\Program Files\jitspupq\lejcralq.dll",Init
"io43mvuiw4kj"=C:\WINDOWS\io43mvuiw4kj.exe
"otwrahkr"=regsvr32 /u "C:\Documents and Settings\All Users\Application Data\otwrahkr.dll"
"wpwzuliv"=regsvr32 /u "C:\Documents and Settings\All Users\Application Data\wpwzuliv.dll"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Hidserv"=Hidserv.exe run
"WCOLOREAL"=C:\Program Files\COMPAQ\COLOREAL\COLOREAL.EXE
"Digital Dashboard"=C:\Program Files\Compaq\Digital Dashboard\CPQMLDET.exe
"BCMDMMSG"=BCMDMMSG.exe
"LexStart"=Lexstart.exe
"LexmarkPrinTray"=PrinTray.exe
"Dimension4"=C:\PROGRAM FILES\DIMENSION\D4.EXE
"vptray"=C:\Program Files\Norton AntiVirus\vptray.exe
"MMTray"=C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
"CMESys"="C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"LimeShop"=wjview /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"Compaq_RBA"=C:\PROGRAM FILES\COMPAQ\COMPAQ MESSAGE SCREENER\BIN\COMPAQ-RBA.EXE

S2 DomainService;DomainService;C:\WINDOWS\System32\pfnqhahx.exe []
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\System32\DRIVERS\WG11TND5.sys [2005-09-05 11:21]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;C:\WINDOWS\System32\Drivers\BRGSp50.sys [2005-06-08 18:44]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\DNINDIS5.SYS [2003-07-24 12:10]
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\System32\DRIVERS\FA312nd5.sys [2001-08-17 12:12]
S3 viz2000;Visioneer USB Kernel V2.0;C:\WINDOWS\System32\DRIVERS\usbscan.sys [2001-08-17 13:53]
S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\System32\DRIVERS\zd1211Bu.sys [2005-10-28 11:38]
S4 SCardClnt;Smart Card Client;C:\WINDOWS\System32\SCardClnt.exe []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 17:52:50
Windows 5.1.2600 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-05 17:54:28
ComboFix-quarantined-files.txt 2008-03-05 22:54:22
ComboFix2.txt 2007-12-22 03:04:16
.
2007-09-13 19:25:37 --- E O F ---


Can someone help and diagnose????????
Rick H.


#2 SifuMike

    malware expert


Posted 07 March 2008 - 05:51 PM

Hello rickbigdog

Was recommended to run combofix and post log here.



Who recommended that you run ComboFix?
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


You ran ComboFix incorrectly by not installing Recovery Console :thumbsup:




NOTE: If you have downloaded SmitfraudFix previously please delete that version and download it again! Also delete C:\rapport.txt

Please download SmitfraudFix

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of the SmitfraudFix report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Edited by SifuMike, 07 March 2008 - 05:56 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 rickbigdog

  • Topic Starter


Posted 14 March 2008 - 03:35 PM

Thank you SiFuMike
My pop ups have stopped with the Smitfraud fix.
I ran HijackThis and am listing the log file below as you requested. I cannot load the Recovery Console. Here is the file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:27 PM, on 3/11/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\lexbces.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QdrModule\QdrModule13.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Rick Holsten (Dad)\Desktop\Utilities\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirec...C01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://portal.mailaka.net/"); (C:\Program Files\Netscape\Users\jholsten\prefs.js)
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {1646CEDC-75F1-4F90-A4E9-44AD678EC6C3} - (no file)
O2 - BHO: (no name) - {1D23C2C4-861B-4E10-8D55-89DE3F47E617} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {5605D75C-F7CE-4393-9994-7DB250AE2E1B} - \
O2 - BHO: CoolBHO - {5C2A9795-B130-4622-B036-BDCAD28602DC} - C:\Program Files\Cool\Cool.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {6FEF3FFF-301C-48AC-8A6D-6A206E587D67} - \
O2 - BHO: BndAero6 IE Helper - {82E5E2FF-9260-4d88-B0C6-7CC358C5D418} - C:\Program Files\QdrDrive\QdrDrive11.dll
O2 - BHO: {93e1ae8d-b2a6-e5cb-2734-fed3907c26b9} - {9b62c709-3def-4372-bc5e-6a2bd8ea1e39} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [MSNPluginSrvcs] p6.exe
O4 - HKLM\..\RunServices: [MDN] MDNS.exe
O4 - HKCU\..\Run: [QdrModule13] "C:\Program Files\QdrModule\QdrModule13.exe"
O4 - HKLM\..\Policies\Explorer\Run: [kbbB2O04Fy] rundll32.exe "C:\WINDOWS\xmfexubk.dll",DllCleanServer
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [WindowsRegKey%update] ethernet32m.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WindowsRegKey%update] ethernet32m.exe (User 'Default user')
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = usa.dce.usps.gov,usps.gov
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = usa.dce.usps.gov,usps.gov
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = usa.dce.usps.gov,usps.gov
O20 - Winlogon Notify: winrwq32 - winrwq32.dll (file missing)
O20 - Winlogon Notify: winwgz32 - winwgz32.dll (file missing)
O20 - Winlogon Notify: wvuvtus - wvuvtus.dll (file missing)
O21 - SSODL: zip - {ab5f9e6d-f08c-40dc-b075-dbb73d7ed289} - C:\WINDOWS\Installer\{ab5f9e6d-f08c-40dc-b075-dbb73d7ed289}\zip.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\pfnqhahx.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\System32\lexbces.exe

--
End of file - 7345 bytes


thank you in advance for your help......... it has been a big help so far!!!!!!!
Rick H.
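The HijackThis log above is the kind of output the helpers in this forum triage by hand. As an added example (not code from this thread, from HijackThis or from SmitfraudFix), here is a small Python pass over a few lines copied from that log that flags the entry types which turned out to be the infection: the extra UserInit executable, bare-filename autoruns, a rundll32 autorun under Policies\Explorer\Run, orphaned BHOs, Winlogon Notify and SSODL entries whose DLL is missing, and an unknown-owner service. The regexes and the "suspicious" rules are my own heuristics, not anything HijackThis itself applies.

```python
"""Heuristic triage of HijackThis v2 log lines (added example, not HijackThis code)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log posted in this thread, plus three
# known-good entries (Yahoo toolbar, AVG, Lexmark service) that must not be flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [MSNPluginSrvcs] p6.exe
O4 - HKLM\..\Policies\Explorer\Run: [kbbB2O04Fy] rundll32.exe "C:\WINDOWS\xmfexubk.dll",DllCleanServer
O4 - HKUS\S-1-5-18\..\Run: [WindowsRegKey%update] ethernet32m.exe (User 'SYSTEM')
O20 - Winlogon Notify: winrwq32 - winrwq32.dll (file missing)
O21 - SSODL: zip - {ab5f9e6d-f08c-40dc-b075-dbb73d7ed289} - C:\WINDOWS\Installer\{ab5f9e6d-f08c-40dc-b075-dbb73d7ed289}\zip.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\pfnqhahx.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\System32\lexbces.exe
"""

# My own patterns for the HijackThis line shapes used below (heuristic, not official).
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the heuristic fired
    line: str      # the offending log line


def first_token(cmd: str) -> str:
    """Return the program part of a command line, honouring a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def triage(log_text: str) -> list[Finding]:
    """Flag the entry types that turned out to be the infection in this thread."""
    findings: list[Finding] = []
    for line in (raw.strip() for raw in log_text.strip().splitlines()):
        if line.startswith("F2 - REG:system.ini: UserInit="):
            # Only userinit.exe belongs here; every extra value runs at each logon.
            values = [v for v in line.split("UserInit=", 1)[1].split(",") if v]
            for v in values:
                if not v.lower().endswith("\\userinit.exe"):
                    findings.append(Finding("F2", f"extra UserInit executable {v}", line))
        elif line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(Finding("O2", "orphaned BHO registration (no file)", line))
        elif m := O4_RE.match(line):
            prog = first_token(m.group("cmd"))
            reasons = []
            if "\\" not in prog:
                reasons.append(f"bare filename {prog!r} resolved via the search path")
            if "rundll32" in prog.lower():
                reasons.append("rundll32 loading a DLL at startup")
            if "policies" in m.group("hive").lower():
                reasons.append("autostart under Policies\\Explorer\\Run")
            if reasons:
                findings.append(Finding("O4", "; ".join(reasons), line))
        elif m := O20_RE.match(line):
            dll = m.group("dll")
            if "(file missing)" in dll or "\\" not in dll:
                findings.append(Finding("O20", "Winlogon Notify DLL missing or pathless", line))
        elif line.startswith("O21 - SSODL:") and "(file missing)" in line:
            findings.append(Finding("O21", "ShellServiceObjectDelayLoad DLL missing", line))
        elif m := O23_RE.match(line):
            # "Unknown owner" also fires for benign unsigned services, so these
            # findings need manual review rather than automatic removal.
            if m.group("owner") == "Unknown owner" or "(file missing)" in m.group("path"):
                findings.append(Finding("O23", "service with unknown owner or missing binary", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HijackThis section."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The known-good Yahoo, AVG and Lexmark lines pass through untouched, while the eight lines that the helpers would have asked about are each returned with the reason they were flagged.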

#4 SifuMike


    malware expert


Posted 14 March 2008 - 03:57 PM

Hi Rick,

My pop ups have stopped with the Smitfraud fix.


That is great news. :thumbsup: But your computer is still infected.

I ran Hijakthis and listing the log file below as you requested. Cannot load Recovery console


Please post the SmitfraudFix report. You can find it at C:\rapport

Why can't you load the Recovery Console?

Is this a company or business computer?

#5 SifuMike


    malware expert


Posted 20 March 2008 - 08:13 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



