Smitfraud-c.toolbar888


  • This topic is locked
9 replies to this topic

#1 mnyquist


  • Members
  • 19 posts
  • Gender:Male
  • Location:Marquette, MI

Posted 12 June 2007 - 12:21 AM

First, let me say that this website has been a godsend for me, and usually I can find any help I need just by trolling around, but this time I'm stumped.

Spybot S&D keeps showing me that I have smitfraud-C.Toolbar888. When I tell it to clear the selections, or whatever, it says that it deletes it, but I keep getting pop-ups, and when I run Spybot again, it's back. I've tried running S!Ri's SmitfraudFix, and it also says that it fixes the problem, but it still comes back!

Here's my Hijack log:




Logfile of HijackThis v1.99.1
Scan saved at 1:01:04 AM, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\LiveProtect\LiveProtect.exe
C:\Documents and Settings\All Users\Application Data\gbgdotoh.exe
C:\WINDOWS\TEMP\1151843.exe
C:\WINDOWS\smgr.exe
C:\Program Files\AIM Lite\aimlite.exe
C:\PROGRA~1\RACLE~1\mmc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\?asks\w?nword.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\God\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {0662f783-bec2-409d-bb3d-5e748376dab6} - C:\WINDOWS\system32\ypnytjr.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\tuvwwxv.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C50E426E-DEA9-DA20-DF0D-8CADDD9272E7} - C:\WINDOWS\system32\cahwmkay.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\kfgxexyx.dll (file missing)
O2 - BHO: (no name) - {EA3DE5F2-BEFE-4024-86F8-721C2A2076E4} - C:\WINDOWS\system32\mlljk.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [LiveProtect] "C:\Program Files\LiveProtect\LiveProtect.exe" -h
O4 - HKLM\..\Run: [gbgdotoh.exe] C:\Documents and Settings\All Users\Application Data\gbgdotoh.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\1151843.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [laim] "C:\Program Files\AIM Lite\aimlite.exe" -autorun
O4 - HKCU\..\Run: [Osrm] "C:\PROGRA~1\RACLE~1\mmc.exe" -vt yazb
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


----


Thanks in advance!



#2 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 12 June 2007 - 05:06 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum mnyquist :thumbsup:

First please delete:
C:\Documents and Settings\God\Desktop\HijackThis.exe

Now download and install Hijackthis.
This is a self-extracting version which will automatically install HJT to C:\Program Files\Hijackthis by default.
A desktop shortcut can be created during install under 'Select Additional Tasks'.

****************************

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.exe
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:

C:\WINDOWS\SYSTEM32\winmxw32.dll

Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot, select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

****************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

****************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


****************************

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option 1 "Search" by typing 1 and pressing "Enter"; a text file will appear, which lists infected files (if present).
Please copy and paste the content of that report into your next reply.

*IMPORTANT:*
Do NOT run any other options until you are asked to do so!

Also post a new Hijackthis log please.
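The reply above works through the posted log by hand (KillBox for C:\WINDOWS\SYSTEM32\winmxw32.dll, then VundoFix and ComboFix). As an added example that is not part of this thread and not one of the tools RichieUK names, the Python script below parses HijackThis v1.99.1 loading-point lines and applies the kind of red-flag checks a log reader applies by eye; the sample log is an excerpt of the log posted in #1, while the known-good Winlogon Notify set and the list of system32-only binaries are assumptions to adapt to your own baseline.

```python
"""Triage heuristics for HijackThis v1.99.1 loading-point lines (added example, not a thread tool).

SAMPLE_LOG is an excerpt of the log posted in #1; SYSTEM32_ONLY and KNOWN_NOTIFY_DLLS are assumptions."""

from __future__ import annotations

import re
from dataclasses import dataclass

# Every loading point reads "O4 - HKLM\..\Run: <rest>" -> (section, kind, rest)
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.+?): (.*)$")
CLSID_RE = re.compile(r"^(?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.*)$")  # O2/O3/O9
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<path>.*)$")                      # O4
NOTIFY_RE = re.compile(r"^(?P<name>\S+) - (?P<path>.*)$")                         # O20
SERVICE_RE = re.compile(r"^(?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")      # O23
# Vundo-style file names: 5-8 random lowercase letters dropped into system32
RANDOM_DLL_RE = re.compile(r"\\[a-z]{5,8}\.dll$")
SUB_RES = {"O2": CLSID_RE, "O3": CLSID_RE, "O9": CLSID_RE, "O4": RUN_RE,
           "O20": NOTIFY_RE, "O23": SERVICE_RE}

# Binaries that belong in %SystemRoot%\system32; the same file name elsewhere (the
# log's "Osrm" entry runs mmc.exe from PROGRA~1\RACLE~1) is a masquerade candidate.
SYSTEM32_ONLY = {"mmc.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "smss.exe"}
# Winlogon Notify DLLs accepted as known-good here (WgaLogon.dll is Windows Genuine
# Advantage); any other DLL loading inside winlogon.exe is reported for review.
KNOWN_NOTIFY_DLLS = {"wgalogon.dll"}

@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: list[str]

def _image_path(path: str) -> str:
    """Strip surrounding quotes, command-line switches and the '(file missing)' suffix."""
    m = re.match(r'^"?(.*?\.(?:exe|dll))', path, re.IGNORECASE)
    return m.group(1) if m else path.strip().strip('"')

def parse_entries(log_text: str):
    """Yield (section, kind, name, path) per loading-point line; skip headers/processes."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, kind, rest = m.groups()
        sub_re = SUB_RES.get(section)
        sub = sub_re.match(rest) if sub_re else None
        if sub:
            yield section, kind, sub.group("name"), sub.group("path")
        else:
            yield section, kind, "", rest

def suspicious_reasons(section: str, name: str, path: str) -> list[str]:
    """Return the red flags raised by one entry (empty list means nothing to report)."""
    reasons: list[str] = []
    image = _image_path(path)
    fname = image.rsplit("\\", 1)[-1].lower()
    parent = image[: len(image) - len(fname)].lower()
    if "(file missing)" in path.lower():
        reasons.append("points at a missing file (orphan left behind by a partial removal)")
    if "\\windows\\temp\\" in parent:
        reasons.append("executable launched from the Windows TEMP folder")
    if "\\all users\\application data\\" in parent and fname.endswith(".exe"):
        reasons.append("executable launched directly from All Users\\Application Data")
    if fname in SYSTEM32_ONLY and not parent.endswith("\\system32\\"):
        reasons.append(f"{fname} outside system32 (possible masquerade of a Windows binary)")
    if section == "O2" and name == "(no name)" and "\\system32\\" in parent and RANDOM_DLL_RE.search(image):
        reasons.append("unnamed BHO loading a random-looking DLL from system32 (Vundo pattern)")
    if section == "O20" and fname not in KNOWN_NOTIFY_DLLS:
        reasons.append("Winlogon Notify DLL not in the known-good set (loads inside winlogon.exe)")
    return reasons

def triage(log_text: str) -> list[Finding]:
    """Run the heuristics over a whole log and keep only the entries with findings."""
    return [Finding(s, n, p, r) for s, _kind, n, p in parse_entries(log_text)
            if (r := suspicious_reasons(s, n, p))]

# Excerpt of the HijackThis log posted in #1 of this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0662f783-bec2-409d-bb3d-5e748376dab6} - C:\WINDOWS\system32\ypnytjr.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\tuvwwxv.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gbgdotoh.exe] C:\Documents and Settings\All Users\Application Data\gbgdotoh.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\1151843.exe
O4 - HKCU\..\Run: [Osrm] "C:\PROGRA~1\RACLE~1\mmc.exe" -vt yazb
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.name}] {f.path}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Entries such as the bare "[smgr] smgr.exe" Run value carry no directory at all and pass these checks; resolving which copy actually runs still needs the process list or the on-disk search.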

#3 mnyquist

  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Location:Marquette, MI

Posted 12 June 2007 - 11:35 PM

Ok, here it goes:

HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 12:28:49 AM, on 6/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\LiveProtect\LiveProtect.exe
C:\Documents and Settings\All Users\Application Data\gbgdotoh.exe
C:\Program Files\AIM Lite\aimlite.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\God\Desktop\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {0662f783-bec2-409d-bb3d-5e748376dab6} - C:\WINDOWS\system32\ypnytjr.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A6185BA-B0CB-499F-9BE1-E3C3ABD4A76F} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C50E426E-DEA9-DA20-DF0D-8CADDD9272E7} - C:\WINDOWS\system32\cahwmkay.dll
O2 - BHO: (no name) - {EA3DE5F2-BEFE-4024-86F8-721C2A2076E4} - C:\WINDOWS\system32\mlljk.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [LiveProtect] "C:\Program Files\LiveProtect\LiveProtect.exe" -h
O4 - HKLM\..\Run: [gbgdotoh.exe] C:\Documents and Settings\All Users\Application Data\gbgdotoh.exe
O4 - HKLM\..\Run: [laim] "C:\Program Files\AIM Lite\aimlite.exe" -autorun
O4 - HKCU\..\Run: [Osrm] "C:\PROGRA~1\RACLE~1\mmc.exe" -vt yazb
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

----

Here's the VundoFix.txt report:


VundoFix V6.5.0

Checking Java version...

Scan started at 7:15:38 PM 6/11/2007

Listing files found while scanning....

C:\windows\system32\awtqpmj.dll
C:\windows\system32\ddcyvtu.dll
C:\windows\system32\faomdkuq.ini
C:\windows\system32\iifdedc.dll
C:\windows\system32\kfgxexyx.dll
C:\windows\system32\khfcdca.dll
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.ini
C:\windows\system32\ljjgdcd.dll
C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\qukdmoaf.dll
C:\windows\system32\vcunlquc.exe

Beginning removal...

Attempting to delete C:\windows\system32\awtqpmj.dll
C:\windows\system32\awtqpmj.dll Has been deleted!

Attempting to delete C:\windows\system32\ddcyvtu.dll
C:\windows\system32\ddcyvtu.dll Has been deleted!

Attempting to delete C:\windows\system32\faomdkuq.ini
C:\windows\system32\faomdkuq.ini Has been deleted!

Attempting to delete C:\windows\system32\iifdedc.dll
C:\windows\system32\iifdedc.dll Has been deleted!

Attempting to delete C:\windows\system32\kfgxexyx.dll
C:\windows\system32\kfgxexyx.dll Has been deleted!

Attempting to delete C:\windows\system32\khfcdca.dll
C:\windows\system32\khfcdca.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\kjllm.ini
C:\WINDOWS\system32\kjllm.ini Has been deleted!

Attempting to delete C:\windows\system32\ljjgdcd.dll
C:\windows\system32\ljjgdcd.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\mlljk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qukdmoaf.dll
C:\WINDOWS\system32\qukdmoaf.dll Has been deleted!

Attempting to delete C:\windows\system32\vcunlquc.exe
C:\windows\system32\vcunlquc.exe Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\ljjgdcd.dll
C:\windows\system32\ljjgdcd.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.0

Checking Java version...

Scan started at 7:36:16 PM 6/11/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.0

Checking Java version...

Scan started at 8:50:21 PM 6/11/2007

Listing files found while scanning....

C:\windows\system32\tuvwwxv.dll

Beginning removal...

Attempting to delete C:\windows\system32\tuvwwxv.dll
C:\windows\system32\tuvwwxv.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.0

Checking Java version...

Scan started at 12:44:23 AM 6/12/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.0

Checking Java version...

Scan started at 1:40:35 AM 6/12/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtss.dll
C:\WINDOWS\system32\sstwa.bak1
C:\WINDOWS\system32\sstwa.ini
C:\WINDOWS\system32\sstwa.tmp
C:\windows\system32\xxyxyaa.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\sstwa.bak1
C:\WINDOWS\system32\sstwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\sstwa.ini
C:\WINDOWS\system32\sstwa.ini Has been deleted!

Attempting to delete C:\windows\system32\xxyxyaa.dll
C:\windows\system32\xxyxyaa.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.0

Checking Java version...

Scan started at 11:39:25 PM 6/12/2007

Listing files found while scanning....


VundoFix V6.5.0

Checking Java version...

Scan started at 11:47:23 PM 6/12/2007

Listing files found while scanning....

C:\windows\system32\cdeeg.bak1
C:\WINDOWS\system32\cdeeg.ini
C:\windows\system32\gebxvwu.dll
C:\WINDOWS\system32\geedc.dll

Beginning removal...

Attempting to delete C:\windows\system32\cdeeg.bak1
C:\windows\system32\cdeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini Has been deleted!

Attempting to delete C:\windows\system32\gebxvwu.dll
C:\windows\system32\gebxvwu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\geedc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\geedc.dll Has been deleted!

Performing Repairs to the registry.
Done!

-----


Here's ComboFix:

ComboFix 07-06-13.3 - C:\Documents and Settings\God\Desktop\ComboFix.exe
"God" - 2007-06-13 0:03:39 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\mnminqun.dll
C:\WINDOWS\system32\nuqnimnm.ini
C:\WINDOWS\system32\ppqss.bak1
C:\WINDOWS\system32\ppqss.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\asks~1
C:\Program Files\asks~1\w?nword.exe
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\racle~1
C:\Program Files\racle~1\mmc.exe
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\WINDOWS\avp.exe
C:\WINDOWS\smgr.exe
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T3\am67.exe
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T4\amst5.exe
C:\WINDOWS\system32\winsys64.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))


2007-06-13 00:03 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-12 23:45 <DIR> d-------- C:\!KillBox
2007-06-12 13:07 93,696 --a------ C:\WINDOWS\system32\drvtop.dll
2007-06-12 02:04 263,220 --a------ C:\WINDOWS\system32\ssqpp.dll.vir
2007-06-12 01:59 33,302 --a------ C:\WINDOWS\system32\tuvvvwv.dll.vir
2007-06-11 19:15 <DIR> d-------- C:\VundoFix Backups
2007-06-11 17:23 3,418 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-11 17:16 <DIR> d-------- C:\WINDOWS\pss
2007-06-11 16:15 60,928 --a------ C:\WINDOWS\system32\cahwmkay.dll
2007-06-11 16:15 2 --a------ C:\WINDOWS\system32\wapiisv.exe
2007-06-11 01:42 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-06-11 01:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-11 00:49 28,160 --a------ C:\WINDOWS\system32\sysmon32.exe
2007-06-11 00:48 56,832 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\gbgdotoh.exe
2007-06-11 00:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-10 23:54 754,808 --a------ C:\WINDOWS\system32\LiveProtectSetup.exe
2007-06-10 23:54 <DIR> d-------- C:\Program Files\LiveProtect
2007-06-10 23:44 48,128 --a------ C:\bsgvjmep.exe
2007-06-10 23:43 1,536 --a------ C:\wyjgsa.exe
2007-06-10 23:31 <DIR> d-------- C:\DOCUME~1\God\APPLIC~1\Leadertech
2007-06-10 23:18 <DIR> d-------- C:\NeverwinterNights
2007-06-10 14:48 172,544 --a------ C:\WINDOWS\system32\ypnytjr.dll
2007-06-10 14:48 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-10 14:48 <DIR> d-------- C:\WINDOWS\system32\T7QaSQ
2007-06-10 14:48 <DIR> d-------- C:\WINDOWS\system32\T7
2007-06-10 14:48 <DIR> d-------- C:\WINDOWS\system32\T6
2007-06-10 14:48 <DIR> d-------- C:\Temp\x2b
2007-06-10 14:48 <DIR> d-------- C:\Temp
2007-06-10 14:45 <DIR> d-------- C:\DOCUME~1\God\APPLIC~1\WinRAR
2007-06-10 04:48 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-06-10 04:47 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-06-10 04:46 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-06-10 04:46 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-06-10 04:23 1,286 --a------ C:\WINDOWS\mozver.dat
2007-06-10 04:01 <DIR> d-------- C:\Program Files\Steam
2007-06-10 03:55 <DIR> d-------- C:\Program Files\VideoLAN
2007-06-10 03:55 <DIR> d-------- C:\DOCUME~1\God\APPLIC~1\vlc
2007-06-10 03:00 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-06-10 03:00 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-06-10 00:49 <DIR> d-------- C:\Program Files\THQ
2007-06-10 00:27 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-10 00:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-10 00:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-09 23:15 <DIR> d-------- C:\Program Files\Microsoft Games
2007-06-09 22:56 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-06-09 19:57 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-06-09 19:55 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-06-09 19:55 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-06-09 19:55 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-06-09 19:55 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-06-09 19:55 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-06-09 19:55 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-06-09 19:55 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-06-09 19:55 <DIR> d-------- C:\Program Files\Ahead
2007-06-09 19:47 205,312 -ra------ C:\WINDOWS\patchw32.dll
2007-06-09 19:46 205,312 -ra------ C:\WINDOWS\pw32a.dll
2007-06-09 19:46 <DIR> d-------- C:\Program Files\SymNetDrv
2007-06-09 19:31 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-06-09 19:31 4,608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-06-09 19:31 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-06-09 19:31 <DIR> d-------- C:\Program Files\Symantec
2007-06-09 19:31 <DIR> d-------- C:\Program Files\Norton SystemWorks
2007-06-09 19:31 <DIR> d-------- C:\DOCUME~1\God\APPLIC~1\Symantec
2007-06-09 19:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-06-09 19:30 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-06-09 19:04 <DIR> d-------- C:\Program Files\Azureus
2007-06-09 18:42 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-06-09 18:40 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-09 18:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-06-09 18:39 <DIR> d-------- C:\DOCUME~1\God\APPLIC~1\Azureus
2007-06-09 18:24 <DIR> d-------- C:\DOCUME~1\God\APPLIC~1\Apple Computer
2007-06-09 18:23 <DIR> d-------- C:\Program Files\QuickTime
2007-06-09 18:23 <DIR> d-------- C:\Program Files\iTunes
2007-06-09 18:23 <DIR> d-------- C:\Program Files\iPod
2007-06-09 18:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-06-09 18:17 <DIR> d-------- C:\DOCUME~1\God\APPLIC~1\uTorrent
2007-06-09 17:41 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-06-09 17:41 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-06-09 17:41 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-06-09 15:57 <DIR> d--hs---- C:\RECYCLER
2007-06-09 15:56 <DIR> d-------- C:\Program Files\AIM Lite
2007-06-09 15:56 <DIR> d-------- C:\DOCUME~1\God\APPLIC~1\LAIM
2007-06-09 15:56 <DIR> d-------- C:\DOCUME~1\God\APPLIC~1\acccore
2007-06-09 15:55 0 --a------ C:\WINDOWS\nsreg.dat
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-11 05:50:30 -------- d-----w C:\Program Files\Messenger
2007-06-11 03:22:36 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-03-28 22:41:32 517,848 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-03-28 22:41:28 132,824 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 16:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0662f783-bec2-409d-bb3d-5e748376dab6}=C:\WINDOWS\system32\ypnytjr.dll [2007-06-10 14:48]
{4A6185BA-B0CB-499F-9BE1-E3C3ABD4A76F}=C:\WINDOWS\system32\geedc.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll [2005-01-10 12:20]
{C50E426E-DEA9-DA20-DF0D-8CADDD9272E7}=C:\WINDOWS\system32\cahwmkay.dll [2007-05-21 09:59]
{EA3DE5F2-BEFE-4024-86F8-721C2A2076E4}=C:\WINDOWS\system32\mlljk.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-06 15:44 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 22:04 C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 22:43 C:\WINDOWS\Alcmtr.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 10:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
"@"="" []
"Norton Ghost 9.0"="C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe" [2004-11-22 17:20]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-06-09 19:46]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"LiveProtect"="C:\Program Files\LiveProtect\LiveProtect.exe" [2007-06-10 08:05]
"gbgdotoh.exe"="C:\Documents and Settings\All Users\Application Data\gbgdotoh.exe" [2007-06-11 00:48]
"laim"="C:\Program Files\AIM Lite\aimlite.exe" [2007-06-07 13:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Osrm"="C:\PROGRA~1\RACLE~1\mmc.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmxw32]
winmxw32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
NtmlSvc


Contents of the 'Scheduled Tasks' folder
2007-06-09 23:41:08 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - God.job
2007-06-09 23:32:19 C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
2007-06-13 04:00:00 C:\WINDOWS\tasks\Symantec Drmc.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-13 00:15:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-13 0:16:39 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-13 00:16

--- E O F ---


-----

And the Smitfraud report:

SmitFraudFix v2.195

Scan done at 0:27:18.68, Wed 06/13/2007
Run from C:\Documents and Settings\God\Desktop\Malware cleanup\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

Description: Attansic L1 Gigabit Ethernet 10/100/1000Base-T Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{AA51CCEA-EDFE-4365-A3CA-89965748B9BE}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AA51CCEA-EDFE-4365-A3CA-89965748B9BE}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AA51CCEA-EDFE-4365-A3CA-89965748B9BE}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


----



Thanks again!

Edited by mnyquist, 12 June 2007 - 11:36 PM.


#4 RichieUK

  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 13 June 2007 - 01:37 AM

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: ComboFix-Do.txt to your desktop.

File::
C:\WINDOWS\system32\drvtop.dll
C:\WINDOWS\system32\ssqpp.dll.vir
C:\WINDOWS\system32\tuvvvwv.dll.vir
C:\WINDOWS\system32\cahwmkay.dll
C:\WINDOWS\system32\sysmon32.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\gbgdotoh.exe
C:\WINDOWS\system32\LiveProtectSetup.exe
C:\bsgvjmep.exe
C:\wyjgsa.exe
C:\WINDOWS\system32\ypnytjr.dll

Folder::
C:\Program Files\LiveProtect
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\T7QaSQ
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\T6
C:\Temp\x2b

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0662f783-bec2-409d-bb3d-5e748376dab6}=-
{4A6185BA-B0CB-499F-9BE1-E3C3ABD4A76F}=-
{C50E426E-DEA9-DA20-DF0D-8CADDD9272E7}=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LiveProtect"=-
"gbgdotoh.exe"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Osrm"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmxw32]

Now drag then drop the ComboFix-Do.txt file onto ComboFix.exe as you see in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

#5 mnyquist

  • Topic Starter
  • Members
  • 19 posts
  • Gender: Male
  • Location: Marquette, MI

Posted 13 June 2007 - 11:04 PM

*My post was deleted, so here it is again.*

ComboFix log:
ComboFix 07-06-13.3 - C:\Documents and Settings\God\Desktop\ComboFix.exe
"God" - 2007-06-13 12:30:27 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\God\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\bsgvjmep.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\gbgdotoh.exe
C:\Program Files\LiveProtect
C:\Program Files\LiveProtect\config.ini
C:\Program Files\LiveProtect\LiveProtect.exe
C:\Program Files\LiveProtect\SR.ini
C:\Program Files\LiveProtect\uninstall.exe
C:\Program Files\LiveProtect\VDB.DAT
C:\Program Files\LiveProtect\VDB2.DAT
C:\Program Files\LiveProtect\VDB3.DAT
C:\Program Files\LiveProtect\VDB4.DAT
C:\Program Files\LiveProtect\VDB5.DAT
C:\Temp\x2b
C:\Temp\x2b\tmpZTF.log
C:\WINDOWS\system32\cahwmkay.dll
C:\WINDOWS\system32\drvtop.dll
C:\WINDOWS\system32\LiveProtectSetup.exe
C:\WINDOWS\system32\ssqpp.dll.vir
C:\WINDOWS\system32\sysmon32.exe
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T6\amwr.exe
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\T7QaSQ
C:\WINDOWS\system32\T7QaSQ\T7QaSQ1086.exe
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\tuvvvwv.dll.vir
C:\WINDOWS\system32\ypnytjr.dll
C:\wyjgsa.exe


((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))


2007-06-13 02:06 <DIR> d-------- C:\Program Files\directx
2007-06-13 00:03 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-12 23:45 <DIR> d-------- C:\!KillBox
2007-06-11 19:15 <DIR> d-------- C:\VundoFix Backups
2007-06-11 17:23 3,034 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-11 17:16 <DIR> d-------- C:\WINDOWS\pss
2007-06-11 16:15 2 --a------ C:\WINDOWS\system32\wapiisv.exe
2007-06-11 01:42 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-06-11 01:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-11 00:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-10 23:31 <DIR> d-------- C:\DOCUME~1\God\APPLIC~1\Leadertech
2007-06-10 23:18 <DIR> d-------- C:\NeverwinterNights
2007-06-10 14:48 <DIR> d-------- C:\Temp
2007-06-10 14:45 <DIR> d-------- C:\DOCUME~1\God\APPLIC~1\WinRAR
2007-06-10 04:48 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-06-10 04:47 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-06-10 04:46 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-06-10 04:46 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-06-10 04:23 1,286 --a------ C:\WINDOWS\mozver.dat
2007-06-10 04:01 <DIR> d-------- C:\Program Files\Steam
2007-06-10 03:55 <DIR> d-------- C:\Program Files\VideoLAN
2007-06-10 03:55 <DIR> d-------- C:\DOCUME~1\God\APPLIC~1\vlc
2007-06-10 03:00 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-06-10 03:00 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-06-10 00:49 <DIR> d-------- C:\Program Files\THQ
2007-06-10 00:27 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-10 00:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-10 00:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-09 23:15 <DIR> d-------- C:\Program Files\Microsoft Games
2007-06-09 22:56 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-06-09 19:57 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-06-09 19:55 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-06-09 19:55 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-06-09 19:55 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-06-09 19:55 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-06-09 19:55 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-06-09 19:55 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-06-09 19:55 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-06-09 19:55 <DIR> d-------- C:\Program Files\Ahead
2007-06-09 19:47 205,312 -ra------ C:\WINDOWS\patchw32.dll
2007-06-09 19:46 205,312 -ra------ C:\WINDOWS\pw32a.dll
2007-06-09 19:46 <DIR> d-------- C:\Program Files\SymNetDrv
2007-06-09 19:31 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-06-09 19:31 4,608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-06-09 19:31 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-06-09 19:31 <DIR> d-------- C:\Program Files\Symantec
2007-06-09 19:31 <DIR> d-------- C:\Program Files\Norton SystemWorks
2007-06-09 19:31 <DIR> d-------- C:\DOCUME~1\God\APPLIC~1\Symantec
2007-06-09 19:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-06-09 19:30 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-06-09 19:04 <DIR> d-------- C:\Program Files\Azureus
2007-06-09 18:42 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-06-09 18:40 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-09 18:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-06-09 18:39 <DIR> d-------- C:\DOCUME~1\God\APPLIC~1\Azureus
2007-06-09 18:24 <DIR> d-------- C:\DOCUME~1\God\APPLIC~1\Apple Computer
2007-06-09 18:23 <DIR> d-------- C:\Program Files\QuickTime
2007-06-09 18:23 <DIR> d-------- C:\Program Files\iTunes
2007-06-09 18:23 <DIR> d-------- C:\Program Files\iPod
2007-06-09 18:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-06-09 18:17 <DIR> d-------- C:\DOCUME~1\God\APPLIC~1\uTorrent
2007-06-09 17:41 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-06-09 17:41 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-06-09 17:41 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-06-09 15:57 <DIR> d--hs---- C:\RECYCLER
2007-06-09 15:56 <DIR> d-------- C:\Program Files\AIM Lite
2007-06-09 15:56 <DIR> d-------- C:\DOCUME~1\God\APPLIC~1\LAIM
2007-06-09 15:56 <DIR> d-------- C:\DOCUME~1\God\APPLIC~1\acccore
2007-06-09 15:55 0 --a------ C:\WINDOWS\nsreg.dat
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-11 05:50:30 -------- d-----w C:\Program Files\Messenger
2007-06-11 03:22:36 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-03-28 22:41:32 517,848 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-03-28 22:41:28 132,824 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 16:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0662f783-bec2-409d-bb3d-5e748376dab6}=C:\WINDOWS\system32\ypnytjr.dll []
{4A6185BA-B0CB-499F-9BE1-E3C3ABD4A76F}=C:\WINDOWS\system32\geedc.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll [2005-01-10 12:20]
{C50E426E-DEA9-DA20-DF0D-8CADDD9272E7}=C:\WINDOWS\system32\cahwmkay.dll []
{EA3DE5F2-BEFE-4024-86F8-721C2A2076E4}=C:\WINDOWS\system32\mlljk.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-06 15:44 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 22:04 C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 22:43 C:\WINDOWS\Alcmtr.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 10:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
"@"="" []
"Norton Ghost 9.0"="C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe" [2004-11-22 17:20]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-06-09 19:46]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"laim"="C:\Program Files\AIM Lite\aimlite.exe" [2007-06-07 13:11]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
NtmlSvc


Contents of the 'Scheduled Tasks' folder
2007-06-09 23:41:08 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - God.job
2007-06-09 23:32:19 C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
2007-06-13 04:00:00 C:\WINDOWS\tasks\Symantec Drmc.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-13 12:31:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-13 12:31:19
C:\ComboFix-quarantined-files.txt ... 2007-06-13 12:31
C:\ComboFix2.txt ... 2007-06-13 00:16

--- E O F ---


New HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:33:08 PM, on 6/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\gbgdotoh.exe
C:\Program Files\AIM Lite\aimlite.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\God\Desktop\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {0662f783-bec2-409d-bb3d-5e748376dab6} - C:\WINDOWS\system32\ypnytjr.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A6185BA-B0CB-499F-9BE1-E3C3ABD4A76F} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C50E426E-DEA9-DA20-DF0D-8CADDD9272E7} - C:\WINDOWS\system32\cahwmkay.dll (file missing)
O2 - BHO: (no name) - {EA3DE5F2-BEFE-4024-86F8-721C2A2076E4} - C:\WINDOWS\system32\mlljk.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [laim] "C:\Program Files\AIM Lite\aimlite.exe" -autorun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#6 RichieUK

  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 14 June 2007 - 03:20 AM

*My post was deleted, so here it is again.*

Sorry about that, the site had problems with the new server.

***************************

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.exe
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:

C:\Documents and Settings\All Users\Application Data\gbgdotoh.exe

Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot, select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

***************************

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit the program.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {0662f783-bec2-409d-bb3d-5e748376dab6} - C:\WINDOWS\system32\ypnytjr.dll (file missing)
O2 - BHO: (no name) - {4A6185BA-B0CB-499F-9BE1-E3C3ABD4A76F} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {C50E426E-DEA9-DA20-DF0D-8CADDD9272E7} - C:\WINDOWS\system32\cahwmkay.dll (file missing)
O2 - BHO: (no name) - {EA3DE5F2-BEFE-4024-86F8-721C2A2076E4} - C:\WINDOWS\system32\mlljk.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Exit Hijackthis.

Now launch SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log, and let me know how your pc is running now.

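As an added example (not code from this thread, from HijackThis or from ComboFix), here is the triage the helper did by hand in posts #4 and #6 written as a script: it reads HijackThis O2/O4 lines, flags the orphaned BHOs and the out-of-place Run entries, and drafts the File::/Registry:: sections in the CFScript layout shown in post #4. The sample log lines are constructed from entries in this thread's logs, and the Run-path rules are my own review heuristics, not anything HijackThis itself applies.

```python
"""Triage HijackThis 1.99 log lines and draft a ComboFix CFScript.

Added example for this thread; not code from the original posts, from
HijackThis or from ComboFix. It applies the reasoning the helper used:
an O2 BHO whose DLL is '(file missing)' is an orphaned loading point left
behind after the file was removed, and an O4 Run entry that starts from a
drive root, straight out of an 'Application Data' folder, or uses a Windows
binary name from outside the Windows directory is out of place. The rules
are heuristics to support a manual review, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
# Windows binaries that should only ever be launched from under the Windows directory (my list).
SYSTEM_BINARY_NAMES = {"mmc.exe", "svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|com|scr|bat|cmd|dll))"?(?:\s|$)', re.IGNORECASE)

# Constructed sample, assembled from the kinds of lines in this thread's HijackThis/ComboFix logs.
SAMPLE_HJT_LOG = r'''
O2 - BHO: (no name) - {0662f783-bec2-409d-bb3d-5e748376dab6} - C:\WINDOWS\system32\ypnytjr.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gbgdotoh.exe] C:\Documents and Settings\All Users\Application Data\gbgdotoh.exe
O4 - HKCU\..\Run: [Osrm] C:\PROGRA~1\RACLE~1\mmc.exe
'''


@dataclass
class Finding:
    kind: str    # "O2" or "O4"
    reason: str
    key: str     # registry key holding the loading point
    value: str   # CLSID or Run value name to delete
    path: str    # file the loading point referenced


def executable_of(cmd: str) -> str:
    """Pull the executable out of a Run command, dropping quotes and arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def run_entry_reason(path: str) -> Optional[str]:
    """Return why a Run executable looks out of place, or None if it does not."""
    p = path.lower()
    if re.fullmatch(r"[a-z]:\\[^\\]+", p):
        return "executable sits directly in a drive root"
    if re.search(r"\\application data\\[^\\]+$", p):
        return "executable sits directly in an Application Data folder"
    if p.rsplit("\\", 1)[-1] in SYSTEM_BINARY_NAMES and "\\windows\\" not in p:
        return "Windows binary name launched from outside the Windows directory"
    return None


def find_suspicious(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            # '(no name)' alone is not enough: Spybot's SDHelper.dll also reports no name.
            if m.group("missing"):
                findings.append(Finding("O2", "BHO DLL is missing (orphaned loading point)",
                                        BHO_KEY, m.group("clsid"), m.group("path")))
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            reason = run_entry_reason(exe)
            if reason:
                findings.append(Finding("O4", reason, RUN_KEYS[m.group("hive")], m.group("value"), exe))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Render findings in the File::/Registry:: layout ComboFix reads from a CFScript."""
    files = [f.path for f in findings if f.kind == "O4"]
    by_key: Dict[str, List[str]] = {}
    for f in findings:
        entry = f"{f.value}=-" if f.kind == "O2" else f'"{f.value}"=-'
        by_key.setdefault(f.key, []).append(entry)
    lines: List[str] = []
    if files:
        lines += ["File::", *files, ""]
    lines.append("Registry::")
    for key, entries in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(entries)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_HJT_LOG):
        print(f"{f.kind}: {f.value} -> {f.path}  [{f.reason}]")
    print(build_cfscript(find_suspicious(SAMPLE_HJT_LOG)))
```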

#7 mnyquist

  • Topic Starter
  • Members
  • 19 posts
  • Gender: Male
  • Location: Marquette, MI

Posted 14 June 2007 - 01:02 PM

SuperAntiSpyware log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/14/2007 at 01:54 PM

Application Version : 3.8.1002

Core Rules Database Version : 3242
Trace Rules Database Version: 1253

Scan type : Complete Scan
Total Scan Time : 00:21:34

Memory items scanned : 545
Memory threats detected : 0
Registry items scanned : 5237
Registry threats detected : 9
File items scanned : 34878
File threats detected : 83

Adware.Tracking Cookie
C:\Documents and Settings\God\Cookies\god@serving-sys[1].txt
C:\Documents and Settings\God\Cookies\god@1071716676[1].txt
C:\Documents and Settings\God\Cookies\god@lynxtrack[1].txt
C:\Documents and Settings\God\Cookies\god@revsci[1].txt
C:\Documents and Settings\God\Cookies\god@e-2dj6wfligicjgap.stats.esomniture[1].txt
C:\Documents and Settings\God\Cookies\god@2o7[2].txt
C:\Documents and Settings\God\Cookies\god@bs.serving-sys[1].txt
C:\Documents and Settings\God\Cookies\god@ads.addynamix[3].txt
C:\Documents and Settings\God\Cookies\god@cpvfeed[2].txt
C:\Documents and Settings\God\Cookies\god@rotator.dex.adjuggler[2].txt
C:\Documents and Settings\God\Cookies\god@hc2.humanclick[2].txt
C:\Documents and Settings\God\Cookies\god@mediaplex[1].txt
C:\Documents and Settings\God\Cookies\god@emarketmakers[2].txt
C:\Documents and Settings\God\Cookies\god@dynamicsitestats[1].txt
C:\Documents and Settings\God\Cookies\god@findwhat[1].txt
C:\Documents and Settings\God\Cookies\god@tacoda[1].txt
C:\Documents and Settings\God\Cookies\god@klik.klikadvertising[1].txt
C:\Documents and Settings\God\Cookies\god@tribalfusion[3].txt
C:\Documents and Settings\God\Cookies\god@atdmt[2].txt
C:\Documents and Settings\God\Cookies\god@bizrate[1].txt
C:\Documents and Settings\God\Cookies\god@ad.firstadsolution[2].txt
C:\Documents and Settings\God\Cookies\god@www.jackpotmadness[1].txt
C:\Documents and Settings\God\Cookies\god@h.starware[1].txt
C:\Documents and Settings\God\Cookies\god@thunderbolt.adjuggler[1].txt
C:\Documents and Settings\God\Cookies\god@exitexchange[2].txt
C:\Documents and Settings\God\Cookies\god@count.exitexchange[2].txt
C:\Documents and Settings\God\Cookies\god@paypal.112.2o7[1].txt
C:\Documents and Settings\God\Cookies\god@cgi-bin[3].txt
C:\Documents and Settings\God\Cookies\god@mediatraffic[3].txt
C:\Documents and Settings\God\Cookies\god@buycom.122.2o7[1].txt
C:\Documents and Settings\God\Cookies\god@realmedia[1].txt
C:\Documents and Settings\God\Cookies\god@specificclick[2].txt
C:\Documents and Settings\God\Cookies\god@questionmarket[2].txt
C:\Documents and Settings\God\Cookies\god@84883897[2].txt
C:\Documents and Settings\God\Cookies\god@epilot[1].txt
C:\Documents and Settings\God\Cookies\god@1062204950[1].txt
C:\Documents and Settings\God\Cookies\god@expclicks[2].txt
C:\Documents and Settings\God\Cookies\god@electronicarts.112.2o7[1].txt
C:\Documents and Settings\God\Cookies\god@heavycom.122.2o7[1].txt
C:\Documents and Settings\God\Cookies\god@adserver[2].txt
C:\Documents and Settings\God\Cookies\god@pointandshop.112.2o7[1].txt
C:\Documents and Settings\God\Cookies\god@perf.overture[1].txt
C:\Documents and Settings\God\Cookies\god@1072725410[1].txt
C:\Documents and Settings\God\Cookies\god@pagead[1].txt
C:\Documents and Settings\God\Cookies\god@1072543070[1].txt
C:\Documents and Settings\God\Cookies\god@pro-market[1].txt
C:\Documents and Settings\God\Cookies\god@trafficmp[2].txt
C:\Documents and Settings\God\Cookies\god@edge.ru4[2].txt
C:\Documents and Settings\God\Cookies\god@adecn[1].txt
C:\Documents and Settings\God\Cookies\god@overture[3].txt
C:\Documents and Settings\God\Cookies\god@indiads[1].txt
C:\Documents and Settings\God\Cookies\god@e-2dj6wjliqhcjslo.stats.esomniture[2].txt
C:\Documents and Settings\God\Cookies\god@2o7[1].txt
C:\Documents and Settings\God\Cookies\god@ads.addynamix[2].txt
C:\Documents and Settings\God\Cookies\god@adserver[1].txt
C:\Documents and Settings\God\Cookies\god@azjmp[2].txt
C:\Documents and Settings\God\Cookies\god@doubleclick[1].txt
C:\Documents and Settings\God\Cookies\god@e-2dj6wfmygjdjahp.stats.esomniture[2].txt
C:\Documents and Settings\God\Cookies\god@e-2dj6wjlowpd5oeo.stats.esomniture[2].txt
C:\Documents and Settings\God\Cookies\god@lynxtrack[2].txt
C:\Documents and Settings\God\Cookies\god@mediatraffic[1].txt
C:\Documents and Settings\God\Cookies\god@overture[1].txt
C:\Documents and Settings\God\Cookies\god@tribalfusion[2].txt

Adware.ClickSpring/Outer Info Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion
C:\Documents and Settings\God\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\God\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\God\Start Menu\Programs\Outerinfo

Trojan.Downloader-FatB
C:\!KILLBOX\WINMXW32.DLL

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1162OINADMIN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1162OINUNINSTALLER.EXE.VIR
C:\WINDOWS\PREFETCH\YAZZLE1162OINADMIN.EXE-04B49B8B.PF

Adware.ClickSpring-Variant
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\RACLE~1\MMC.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{56D04FC9-7CCA-472A-A780-94874F3E638A}\RP27\A0006676.EXE

Trojan.Downloader-DRVSAM
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRVTOP.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{56D04FC9-7CCA-472A-A780-94874F3E638A}\RP29\A0007820.DLL

Trojan.ZQuest-Installer
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\T3\AM67.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{56D04FC9-7CCA-472A-A780-94874F3E638A}\RP27\A0006678.EXE

Trojan.Downloader-Gen/Inst2
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\T6\AMWR.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{56D04FC9-7CCA-472A-A780-94874F3E638A}\RP25\A0003727.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{56D04FC9-7CCA-472A-A780-94874F3E638A}\RP29\A0007819.EXE

Trojan.Downloader-SpyTool
C:\SYSTEM VOLUME INFORMATION\_RESTORE{56D04FC9-7CCA-472A-A780-94874F3E638A}\RP26\A0004247.DLL

Trojan.Downloader-SVCHost/Fake
C:\SYSTEM VOLUME INFORMATION\_RESTORE{56D04FC9-7CCA-472A-A780-94874F3E638A}\RP26\A0004333.EXE

Trojan.Rootkit-TnCore/Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{56D04FC9-7CCA-472A-A780-94874F3E638A}\RP27\A0006677.EXE

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\WAPIISV.EXE



new hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 2:01:40 PM, on 6/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AIM Lite\aimlite.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\God\Desktop\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [laim] "C:\Program Files\AIM Lite\aimlite.exe" -autorun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

-----



My computer is running superbly now, all thanks to you guys!
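The detection list in the post above is worth reading by location rather than by name: a path under C:\QooBox\Quarantine (the .VIR suffix), under C:\!KillBox, or inside a System Volume Information\_RESTORE{...} folder is a copy that ComboFix, KillBox or System Restore has already taken out of play, and a .PF entry under WINDOWS\PREFETCH is only a loader trace. The one path in the list that sits outside all of those is C:\WINDOWS\SYSTEM32\WAPIISV.EXE. As an added example, not from the thread or from any of the tools it names, the following Windows PowerShell snippet parses a list in that same "detection name, then paths, blank line" format and classifies each path; the sample text is constructed from a few of the entries above.

```powershell
# Added example (not the thread's own output): triage a scan-result list by
# where each path lives. Quarantine, restore-point and prefetch hits are inert
# copies; anything else was a live file and deserves a closer look.
# $scanText is constructed from a subset of the detections pasted in the post.
$scanText = @'
Trojan.Downloader-FatB
C:\!KILLBOX\WINMXW32.DLL

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1162OINADMIN.EXE.VIR
C:\WINDOWS\PREFETCH\YAZZLE1162OINADMIN.EXE-04B49B8B.PF

Trojan.Downloader-DRVSAM
C:\SYSTEM VOLUME INFORMATION\_RESTORE{56D04FC9-7CCA-472A-A780-94874F3E638A}\RP29\A0007820.DLL

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\WAPIISV.EXE
'@

function Get-PathClass {
    # Map a path to the kind of place it was found in.
    # 'switch -Regex' is case-insensitive by default, so drive/case differences don't matter.
    param([string]$Path)
    switch -Regex ($Path) {
        '^[A-Z]:\\QOOBOX\\QUARANTINE\\'                  { return 'quarantine (ComboFix)' }
        '^[A-Z]:\\!KILLBOX\\'                              { return 'quarantine (KillBox)' }
        '^[A-Z]:\\SYSTEM VOLUME INFORMATION\\_RESTORE'     { return 'restore point' }
        '^[A-Z]:\\WINDOWS\\PREFETCH\\.*\.PF$'              { return 'prefetch trace' }
        default                                            { return 'LIVE FILE' }
    }
}

function ConvertFrom-ScanList {
    # Each block is: detection name on the first line, one path per following
    # line, terminated by a blank line. Emits one object per path.
    param([string]$Text)
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -eq '') { $current = $null; continue }
        if ($null -eq $current) { $current = $line; continue }   # detection name
        [pscustomobject]@{
            Detection = $current
            Path      = $line
            Location  = Get-PathClass $line
        }
    }
}

$hits = ConvertFrom-ScanList $scanText
$hits | Sort-Object Location | Format-Table -AutoSize

"`nPaths that were live on disk (confirm these are gone):"
$hits | Where-Object Location -eq 'LIVE FILE' |
    ForEach-Object { "  $($_.Detection) -> $($_.Path)" }
```

Run against the constructed sample, the final section lists only the Trojan.Unknown Origin entry under System32; the other hits all resolve to a quarantine, restore-point or prefetch location, which is exactly why the follow-up post asks for the tool folders to be deleted and the old restore points purged.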

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:03 PM

Posted 14 June 2007 - 03:12 PM

Your log is clean :thumbsup:
If all's ok, please do the following:

Find and delete:
KillBox
VundoFix.exe
Combofix
SmitfraudFix

C:\VundoFix Backups
C:\!KillBox
C:\QooBox

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
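The three steps in the post above (delete the removal tools and their working folders, create a fresh restore point, then discard every older restore point so the infected copies sitting in System Volume Information go with them) can be scripted. The block below is an added example, not RichieUK's instructions or any of the tools' own code. It assumes a Vista-or-later machine with Windows PowerShell run elevated, where restore points are VSS shadow copies (the thread's XP box predates both PowerShell and that arrangement), and it assumes the tools were saved to the Desktop under the filenames KillBox.exe, ComboFix.exe and SmitfraudFix.exe; only VundoFix.exe is named as a file in the post.

```powershell
# Added example (not the thread's own instructions). Scripted equivalent of the
# manual cleanup: remove tools and folders named in the post, create a restore
# point, purge all older restore points. Run from an elevated Windows PowerShell.
$desktop = [Environment]::GetFolderPath('Desktop')   # assumption: tools saved here

# 1. Remove the removal tools and their working folders.
#    Filenames other than VundoFix.exe are assumed; the folders are from the post.
$tools   = 'KillBox.exe', 'VundoFix.exe', 'ComboFix.exe', 'SmitfraudFix.exe'
$folders = 'C:\VundoFix Backups', 'C:\!KillBox', 'C:\QooBox'

foreach ($t in $tools) {
    $p = Join-Path $desktop $t
    if (Test-Path -LiteralPath $p) {
        Remove-Item -LiteralPath $p -Force
        "removed $p"
    }
}
foreach ($f in $folders) {
    if (Test-Path -LiteralPath $f) {
        # -LiteralPath matters here: '!' and spaces are fine, but wildcards
        # in a path would otherwise be expanded.
        Remove-Item -LiteralPath $f -Recurse -Force
        "removed $f"
    }
}

# 2. Create a fresh restore point; the date and time are recorded automatically.
Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType MODIFY_SETTINGS

# 3. Delete all but the most recent restore point. Disk Cleanup's "More Options"
#    button does the same thing through the GUI. Each '/oldest' call removes the
#    oldest shadow copy, so repeating it (count - 1) times keeps only the newest.
$count = @((vssadmin list shadows /for=C:) | Select-String -Pattern 'Shadow Copy ID:').Count
"restore points on C: before cleanup: $count"
for ($i = 1; $i -lt $count; $i++) {
    vssadmin delete shadows /for=C: /oldest /quiet
}
"restore points on C: after cleanup: $(@((vssadmin list shadows /for=C:) | Select-String -Pattern 'Shadow Copy ID:').Count)"
```

Two practical notes: the deletion loop is written with `/oldest` rather than by parsing shadow-copy IDs so that it does not depend on the order in which vssadmin prints them, and on Windows 8 and later Checkpoint-Computer silently refuses to create a second restore point within 24 hours of the previous one, so check with `Get-ComputerRestorePoint` that the new point actually exists before purging the older ones.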

#9 mnyquist

mnyquist
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Marquette, MI
  • Local time:11:03 AM

Posted 14 June 2007 - 05:31 PM

Will do. Thank you so much!

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:03 PM

Posted 14 June 2007 - 06:26 PM

You're welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.