Help with HijackThis. Trojans galore!

Logfile of HijackThis v1.99.1
Scan saved at 2:05:43 AM, on 10/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Homicide\Desktop\Virus Protectors\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neoseeker.com/forums/index.php?fn=browse_forum&f=118
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neoseeker.com/forums/index.php?fn=browse_forum&f=118
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - C:\Program Files\PornMag Pass\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [VirusBurster] C:\Program Files\VirusBurster\virusburster.exe /h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: hydrodictyon - {b166be07-30a4-4d38-b781-44528a630706} - C:\WINDOWS\System32\gqagksr.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



Please help me out... sadly, this is my third time trying to get help. Maybe I should learn how to fix my own computer and help other people out too... hmmm
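An added example, not part of the original post or of HijackThis itself: a small Python triage script for a HijackThis 1.99 log like the one above. It maps each section prefix to the autostart location it represents (O4 is the Run keys and Startup folders, O21 is ShellServiceObjectDelayLoad, a DLL that explorer.exe loads at every logon) and ranks the entries a person should look at first: SSODL loaders, "(file missing)" leftovers, and DLLs with random-looking names at IE/shell extension points. The vowel-ratio name heuristic and the flag weights are my assumptions, not anything HijackThis does; the sample input is a handful of lines copied from the log above.

```python
"""Triage a HijackThis 1.99 log.

Added example for this thread, not code from HijackThis, SmitfraudFix or the
posters. It parses the R/F/O lines into entries and ranks the ones worth a
human's first look: O21 (SSODL) loaders, "(file missing)" leftovers, and
DLLs with random-looking names at browser/shell extension points."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# What each section prefix means; unlisted sections are still parsed, just unlabelled.
SECTION_MEANING = {
    "R0": "IE start/search page (HKCU/HKLM ...\\Internet Explorer\\Main)",
    "F2": "system.ini mapping (UserInit/Shell)",
    "O2": "Browser Helper Object, loaded into every IE process",
    "O3": "IE toolbar DLL",
    "O4": "autorun: Run registry keys or Startup folders",
    "O9": "IE extra button / Tools menu item",
    "O18": "URL protocol handler",
    "O21": "ShellServiceObjectDelayLoad (SSODL): DLL explorer.exe loads at every logon",
    "O23": "NT service",
}

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
ABS_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl|vbs|scr)', re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.IGNORECASE)
VOWELS = set("aeiouy")
# Extension points where smitfraud-family droppers plant randomly named DLLs (assumption).
NAME_CHECK_SECTIONS = {"O2", "O3", "O21"}
FLAG_WEIGHT = {"ssodl": 3, "file_missing": 2, "random_name": 2}


@dataclass
class Entry:
    section: str
    body: str
    target: str               # absolute path when present, else the raw command
    clsid: Optional[str]
    flags: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(FLAG_WEIGHT[f] for f in self.flags)

    @property
    def meaning(self) -> str:
        return SECTION_MEANING.get(self.section, "unlabelled section")


def looks_random(path: str) -> bool:
    """Crude heuristic (my assumption, not a HijackThis rule): a file stem of 7+
    letters with under 20% vowels, e.g. gqagksr. Abbreviated vendor names such
    as SNDSrvc would trip it too, which is why it is only applied to DLL
    extension points and never used on its own as a verdict."""
    stem = re.sub(r"\.[^.]+$", "", path.rsplit("\\", 1)[-1])
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 7:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.20


def parse_hjt(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # header, process list, blank lines
        section, body = m.group("section"), m.group("body")
        pm = ABS_PATH_RE.search(body)
        # O4 lines such as "[Cmaudio] RunDll32 cmicnfg.cpl,..." carry a relative command.
        target = pm.group(0) if pm else (body.split("] ", 1)[1] if "] " in body else "")
        cm = CLSID_RE.search(body)
        e = Entry(section, body, target, cm.group(0).lower() if cm else None)
        if "(file missing)" in body:
            e.flags.append("file_missing")
        if section == "O21":
            e.flags.append("ssodl")
        if section in NAME_CHECK_SECTIONS and looks_random(target):
            e.flags.append("random_name")
        entries.append(e)
    return entries


def triage(text: str) -> List[Entry]:
    """Flagged entries, most suspicious first (stable sort keeps log order on ties)."""
    return sorted((e for e in parse_hjt(text) if e.flags), key=lambda e: -e.score)


# Sample input: lines copied from the log posted above, trimmed to a few entries.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neoseeker.com/forums/index.php?fn=browse_forum&f=118
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - C:\Program Files\PornMag Pass\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VirusBurster] C:\Program Files\VirusBurster\virusburster.exe /h
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: hydrodictyon - {b166be07-30a4-4d38-b781-44528a630706} - C:\WINDOWS\System32\gqagksr.dll
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e.score}] {e.section} {','.join(e.flags):24} {e.target}  <- {e.meaning}")
```

Run against the sample, it puts the hydrodictyon/gqagksr.dll SSODL entry first, the dead PornMag Pass toolbar and the dead msnim handler next, and leaves the Java and Symantec entries unflagged. A flag is a reason to look, not a verdict: an SSODL entry pointing at a vendor DLL is normal, and the vowel heuristic is deliberately confined to the O2/O3/O21 DLL slots because abbreviated vendor names would otherwise trip it.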

Comments

  • rpggamergirl (South Australia)
    edited October 2006
    Hi,
    What's showing in your logfile is a smitfraud infection!

    Let's get the SmitfraudFix log first to check if it also detects a rootkit.

    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
  • edited October 2006
    SmitFraudFix v2.61

    Scan done at 10:43:51.75, Tue 10/03/2006
    Run from C:\Documents and Settings\Homicide\Desktop\Virus Protectors\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Homicide\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Homicide\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{b166be07-30a4-4d38-b781-44528a630706}"="hydrodictyon"

    [HKEY_CLASSES_ROOT\CLSID\{b166be07-30a4-4d38-b781-44528a630706}\InProcServer32]
    @="C:\WINDOWS\System32\gqagksr.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b166be07-30a4-4d38-b781-44528a630706}\InProcServer32]
    @="C:\WINDOWS\System32\gqagksr.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End




    Thanks for the help, you rock!
  • edited October 2006
    So... what do I do now? Delete them?
  • rpggamergirl (South Australia)
    edited October 2006
    Homicide,
    You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt



    rpckgod1308,
    Can you please make a New Topic? I will help you in your own topic.
    Just follow what homicide did which is Smitfraudfix option 1.

    You also have purityscan.
    Please go to your Add/Remove programs and uninstall any apps by OIN
    If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller.
    http://www.outerinfo.com/OiUninstaller.exe
  • edited October 2006
    SmitFraudFix v2.61

    Scan done at 11:39:48.31, Fri 10/06/2006
    Run from C:\Documents and Settings\Homicide\Desktop\Virus Protectors\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{b166be07-30a4-4d38-b781-44528a630706}"="hydrodictyon"

    [HKEY_CLASSES_ROOT\CLSID\{b166be07-30a4-4d38-b781-44528a630706}\InProcServer32]
    @="C:\WINDOWS\System32\gqagksr.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b166be07-30a4-4d38-b781-44528a630706}\InProcServer32]
    @="C:\WINDOWS\System32\gqagksr.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{b166be07-30a4-4d38-b781-44528a630706}"="hydrodictyon"

    [HKEY_CLASSES_ROOT\CLSID\{b166be07-30a4-4d38-b781-44528a630706}\InProcServer32]
    @="C:\WINDOWS\System32\gqagksr.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b166be07-30a4-4d38-b781-44528a630706}\InProcServer32]
    @="C:\WINDOWS\System32\gqagksr.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» End



    Well, I still have massive problems. I get this message that says "Critical System Error" and displays a message saying, basically, that my computer is infected, and it downloaded a virus buster program automatically. Well, let me know what's next.
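An added example, not part of the thread or of SmitfraudFix: the report above lists the same SharedTaskScheduler CLSID and the same InProcServer32 DLL under both "Before SmitFraudFix" and "After SmitFraudFix", even though the tool printed "Registry Cleaning done." The Python below parses a SmitfraudFix report into its »»» sections, resolves each SharedTaskScheduler CLSID to the DLL it loads, and diffs before against after, so "did the fix take?" is answered from the report itself instead of assumed. The sample input is the posted report with the empty sections dropped; the section titles it keys on are the ones the report uses.

```python
"""Verify a SmitfraudFix run instead of trusting "Registry Cleaning done."

Added example for this thread, not part of SmitfraudFix or the posts. It
parses the report's »»» sections, pairs each SharedTaskScheduler CLSID with the
InProcServer32 DLL it resolves to, and diffs the "Before" and "After" sections.
Anything still present after the fix is what to chase next."""
import re
from typing import Dict, List, Set, Tuple

SECTION_RE = re.compile(r"^»+\s*(?P<title>.+?)\s*$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))="(?P<data>.*)"$')
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)

Loader = Tuple[str, str]          # (clsid, DLL path the CLSID resolves to)


def parse_sections(report: str) -> Dict[str, List[str]]:
    """Split the report into {section title: non-empty lines}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("title")
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def shared_task_loaders(lines: List[str]) -> Set[Loader]:
    """From a SrchSTS dump: every CLSID registered under SharedTaskScheduler,
    paired with the DLL its CLSID\\InProcServer32 default value points at."""
    registered: Set[str] = set()
    servers: Dict[str, str] = {}
    key = ""
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue                      # banner text such as "SrchSTS.exe by S!Ri"
        if key.lower().endswith("\\sharedtaskscheduler") and vm.group("name"):
            registered.add(vm.group("name").lower())
        elif key.lower().endswith("\\inprocserver32") and vm.group("default"):
            cm = CLSID_RE.search(key)
            if cm:
                servers[cm.group(0).lower()] = vm.group("data")
    return {(c, servers.get(c, "<no InProcServer32 found>")) for c in registered}


def verify_fix(report: str) -> dict:
    """Diff SharedTaskScheduler loaders before and after the fix.

    SmitfraudFix's own banner says these keys "are not inevitably infected", so
    still_present is a list to confirm by hand (DLL path, signer, file age),
    not a verdict. In the posted run it is the hydrodictyon/gqagksr.dll pair."""
    s = parse_sections(report)
    before = shared_task_loaders(s.get("Before SmitFraudFix", []))
    after = shared_task_loaders(s.get("After SmitFraudFix", []))
    return {
        "removed": before - after,
        "still_present": before & after,
        "new": after - before,
        "registry_cleaning_ran": "Registry Cleaning done." in s.get("Registry Cleaning", []),
    }


# Sample input: the safe-mode report posted above, with its empty sections dropped.
SAMPLE_REPORT = r"""
SmitFraudFix v2.61
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b166be07-30a4-4d38-b781-44528a630706}"="hydrodictyon"

[HKEY_CLASSES_ROOT\CLSID\{b166be07-30a4-4d38-b781-44528a630706}\InProcServer32]
@="C:\WINDOWS\System32\gqagksr.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b166be07-30a4-4d38-b781-44528a630706}"="hydrodictyon"

[HKEY_CLASSES_ROOT\CLSID\{b166be07-30a4-4d38-b781-44528a630706}\InProcServer32]
@="C:\WINDOWS\System32\gqagksr.dll"

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

if __name__ == "__main__":
    result = verify_fix(SAMPLE_REPORT)
    for state in ("removed", "still_present", "new"):
        for clsid, dll in sorted(result[state]):
            print(f"{state:14} {clsid} -> {dll}")
```

On the posted report the "removed" set is empty and "still_present" holds exactly the hydrodictyon CLSID resolving to C:\WINDOWS\System32\gqagksr.dll, which is the evidence behind the helper's next step of removing that O21 entry by hand. A CLSID that survives a fix with no InProcServer32 at all is also worth knowing about: it is an orphaned registration, harmless to the shell but a sign that only half of a cleanup ran.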
  • rpggamergirl (South Australia)
    edited October 2006
    I don't understand why SmitfraudFix failed in this case.
    You did run it in Safe Mode, and it was option 2, right? This is the very first time that SmitfraudFix has failed on me.

    Option 2 in Safe Mode was the fix, not option 1.
    So I take it that it was option 2, in Safe Mode, and it failed.

    Try smitRem.
    Download smitRem.exe ©noahdfear, and save the file to your desktop.
    Double-click on the file to extract it to its own folder on the desktop.

    Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right-click on the Panda ActiveScan link and select "Copy Shortcut", then right-click on your desktop and select "Paste Shortcut"; or in Firefox, right-click the link, select "Save Link As" and save it to your desktop).

    Please download the trial version of ewido anti-malware here:
    http://www.ewido.net/en/download/

    Please read Ewido Setup Instructions
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.

    If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
    Ad-Aware SE Setup
    Don't run it yet!

    Next, please reboot your computer in SafeMode by doing the following:
    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.
    Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:
    ===================================================

    O4 - HKLM\..\Run: [VirusBurster] C:\Program Files\VirusBurster\virusburster.exe /h
    O21 - SSODL: hydrodictyon - {b166be07-30a4-4d38-b781-44528a630706} - C:\WINDOWS\System32\gqagksr.dll

    ===================================================

    Close HiJackThis.

    Open the smitRem folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.

    The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


    Open Ad-aware and do a full scan. Remove all it finds.


    Launch ewido anti-spyware by double-clicking the icon on your desktop.
    1. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    2. ewido will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    3. If you have any infections you will be prompted; then select "Apply all actions"
    4. Next select the "Reports" icon at the top.
    5. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).

    Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

    Reboot back into Windows and click the Panda ActiveScan shortcut.
    • Once you are on the Panda site click the Scan your PC button.
    • A new window will open...click the Check Now button.
      • Enter your Country
      • Enter your State/Province
      • Enter your e-mail address and click send
      • Select either Home User or Company
      • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When the download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
    Let us know if any problems persist.
  • edited October 2006
    Incident Status Location

    Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Homicide\Local Settings\Temporary Internet Files\Ssk.log
    Potentially unwanted tool:application/mywebsearch Not disinfected hkey_local_machine\software\MyGlobalSearch
    Virus:Trj/PayClicker.EC Not disinfected C:\!KillBox\Eim03.exe[²íÇ]
    Adware:Adware/DigInk Not disinfected C:\!KillBox\Setup90.exe
    Spyware:Spyware/7r7t Not disinfected C:\!KillBox\srvefkmvml.exe
    Adware:Adware/DigInk Not disinfected C:\!KillBox\srvfspvpxq.exe
    Spyware:Spyware/7r7t Not disinfected C:\!KillBox\srvgwedegf.exe
    Adware:Adware/DigInk Not disinfected C:\!KillBox\sys031590963208.exe
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies-1.txt[.belnk.com/]
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt[.hitbox.com/]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt[.doubleclick.net/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt[.realmedia.com/]
    Spyware:Cookie/VirusBurst Not disinfected C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt[www.virusburst.com/]
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt[.xiti.com/]
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Homicide\Cookies\homicide@atwola[2].txt
    Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Homicide\Cookies\homicide@banner[1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Homicide\Cookies\homicide@belnk[1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Homicide\Cookies\homicide@dist.belnk[2].txt
    Spyware:Cookie/Diglnk Not disinfected C:\Documents and Settings\Homicide\Cookies\homicide@mbop[1].txt
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Homicide\Desktop\smitRem\smitRem\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Homicide\Desktop\smitRem.exe[smitRem/Process.exe]
    Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Homicide\Desktop\Virus Protectors\kill2me.zip[Kill2Me.exe]
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Homicide\Desktop\Virus Protectors\l2mfix\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Homicide\Desktop\Virus Protectors\SmitfraudFix\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Homicide\Desktop\Virus Protectors\SmitfraudFix.zip[SmitfraudFix/Process.exe]
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Homicide\Local Settings\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\Cache\3EFBEAA3d01[smitRem/Process.exe]
    Potentially unwanted tool:Application/VirusBurst Not disinfected C:\Program Files\VirusBurster\uninst.exe
    Potentially unwanted tool:Application/VirusBurst Not disinfected C:\Program Files\VirusBurster\VirusBurster.exe
    Adware:Adware/CommAd Not disinfected C:\WINDOWS\SG9taWNpZGU\m36QuqhDt3o.vbs
    Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe


    _____________________________

    ewido anti-malware - Scan report

    + Created on: 2:26:40 PM, 10/7/2006
    + Report-Checksum: E0CA60B8

    + Scan result:

    :mozilla.24:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.25:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.26:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.27:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.28:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.29:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.30:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.31:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.32:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.33:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.34:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.35:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.36:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.37:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.40:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.43:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.44:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.47:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.48:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.49:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.63:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.64:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.66:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.67:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.68:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.69:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.70:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.71:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.72:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.79:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.80:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.81:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.83:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.84:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
    :mozilla.85:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.86:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.87:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.88:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.89:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.90:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.91:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.92:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.99:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.100:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.101:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.102:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.103:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.104:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.105:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.106:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.107:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.108:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.109:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.110:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.111:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.112:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.113:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.114:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.115:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.116:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.117:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.148:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
    :mozilla.149:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.150:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.151:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.152:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.153:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.156:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup
    :mozilla.157:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup
    :mozilla.158:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup
    :mozilla.168:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.169:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.170:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.171:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
    :mozilla.172:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
    :mozilla.173:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
    :mozilla.174:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
    :mozilla.178:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.179:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.180:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.181:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.185:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.186:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.187:C:\Documents and Settings\Homicide\Application Data\Mozilla\Firefox\Profiles\2oxgcyo9.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup


    ::Report End

    _______________________________


    Logfile of HijackThis v1.99.1
    Scan saved at 7:04:43 PM, on 10/7/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Homicide\Desktop\Virus Protectors\HijackThis.exe

    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    _________________________


    smitRem © log file
    version 3.2

    by noahdfear


    Microsoft Windows XP [Version 5.1.2600]
    "IE"="6.0000"
    The current date is: Sat 10/07/2006
    The current time is: 12:31:34.84

    Running from
    C:\Documents and Settings\Homicide\Desktop\smitRem\smitRem

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Pre-run SharedTask Export

    (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
    Copyright(C) 2006 BleepingComputer.com

    Registry Pseudo-Format Mode (Not a valid reg file):

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{b166be07-30a4-4d38-b781-44528a630706}"="hydrodictyon"

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Appinitdll check ........ Thank you Grinler!

    dumphive.exe (C)2000-2004 Markus Stephany
    REGEDIT4

    [Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    checking for ShudderLTD key

    ShudderLTD key not present!

    checking for PSGuard.com key


    PSGuard.com key not present!


    checking for WinHound.com key


    WinHound.com key not present!


    checking for drsmartload2 key


    drsmartload2 key not present!

    spyaxe uninstaller NOT present
    Winhound uninstaller NOT present
    SpywareStrike uninstaller NOT present
    AlfaCleaner uninstaller NOT present
    SpyFalcon uninstaller NOT present
    SpywareQuake uninstaller NOT present
    SpywareSheriff uninstaller NOT present
    Trust Cleaner uninstaller NOT present
    SpyHeal uninstaller NOT present
    VirusBurst uninstaller NOT present
    BraveSentry uninstaller NOT present

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Existing Pre-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~

    Online Security Guide.url
    Security Troubleshooting.url


    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~

    gqagksr.dll
    amcompat.tlb
    nscompat.tlb


    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 700 'explorer.exe'
    Killing PID 700 'explorer.exe'

    Starting registry repairs

    Registry repairs complete

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    SharedTask Export after registry fix


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Deleting files

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Remaining Post-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~


    ~~~ Wininet.dll ~~~

    CLEAN! :)

    _________________________

    I hope this is everything you wanted.
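HijackThis only lists the entries; reading them is done by eye. The following is an added example for this thread, not HijackThis code and not part of any post here. It parses the R/F/O lines of a log like the one above, pulls out the file each entry loads, and flags the three things a helper checks first: the target is reported "(file missing)", the target lives outside the usual program directories, or an O4 autostart entry names its target without an absolute path, so it is resolved at logon through PATH or an environment variable. The sample log is constructed: five lines modelled on the log above plus one hypothetical HKCU entry (`svchelper.exe`, invented for the example); the trusted-directory list assumes C: is the system drive.

```python
"""Triage of HijackThis 1.99 log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Where an XP box normally loads autostart code from (assumption: C: is the system drive).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# "O4 - HKLM\..\Run: [name] command"  ->  section "O4", rest "HKLM\..\Run: [name] command"
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+)\s+-\s+(?P<rest>.*)$")
# First absolute path with a loadable extension, quoted or bare.
PATH_RE = re.compile(
    r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl|ocx|sys|bat|vbs|scr))"?',
    re.IGNORECASE,
)


@dataclass
class Entry:
    section: str           # "O4", "O23", ...
    text: str              # everything after "O4 - "
    path: Optional[str]    # first absolute path found, if any
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for blank, header and process-list lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    pm = PATH_RE.search(rest)
    entry = Entry(section, rest, pm.group("path") if pm else None)

    if "(file missing)" in rest.lower():
        # Registry still points at a file that is gone: leftover of an uninstall,
        # or of a cleanup that deleted the file but not the key.
        entry.flags.append("file-missing")
    if entry.path is not None and not entry.path.lower().startswith(TRUSTED_PREFIXES):
        entry.flags.append("outside-trusted-dirs")
    if section == "O4" and entry.path is None:
        # "[VTTimer] VTTimer.exe" or "RunDll32 cmicnfg.cpl,..." are resolved through
        # PATH at logon; a same-named file earlier on PATH would win.
        entry.flags.append("no-absolute-path")
    return entry


def parse_log(log_text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e is not None]


def triage(log_text: str) -> List[Entry]:
    """Only the entries that carry at least one flag, in log order."""
    return [e for e in parse_log(log_text) if e.flags]


# Constructed sample: the first five entries are modelled on the log in this thread;
# the last one is hypothetical and shows what a user-profile autostart looks like.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O4 - HKCU\..\Run: [svchelper] C:\Documents and Settings\User\Application Data\svchelper.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:4} {','.join(e.flags):22} {e.text}")
```

A flag is a reason to look, not a verdict: the Cmaudio line is a normal sound-card applet that happens to load a .cpl by bare name, and the msnim line is a dead protocol handler left behind by Messenger. The point of the script is to shrink a long log to the handful of lines worth checking by hand.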
  • rpggamergirl South Australia
    edited October 2006
    How's the pc going?

    I don't see any malware in your hijackthis log.



    Download this file - combofix.exe
    http://download.bleepingcomputer.com/sUBs/combofix.exe
    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  • edited October 2006
    Hey, sorry it took so long. My computer restarted and then it just kind of stopped working. I lost all my bookmarks and my internet wouldn't work for more than 35 minutes at a time. It still is being stupid like that, and now when my computer restarts it says that it was restarted wrong or something and said that the settings were erased and I need to re-configure them by pressing F8, or I can continue working by pressing F1, but it won't do anything if I press F8 so I'm stuck with F1. Anyway, here is that log you were asking for.




    Homicide - 06-10-15 10:47:56.95 Service Pack 1
    ComboFix 06.10.14.1 - Running from: "C:\Documents and Settings\Homicide\Desktop"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\Common Files\misc002
    C:\WINDOWS\system32\crunner


    ((((((((((((((((((((((((((((((( Files Created from 2006-07-31 to 2006-08-31 ))))))))))))))))))))))))))))))))))


    2006-08-31 12:30 146 --a C:\WINDOWS\file.bat


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-31 23:33 d C:\Program Files\Java
    2006-08-31 23:27 d C:\Program Files\Common Files\Java
    2006-08-31 13:04 d C:\Program Files\Yahoo!
    2006-08-31 13:01 d--h C:\Program Files\WindowsUpdate
    2006-08-31 12:14 d C:\Program Files\illiminable
    2006-08-14 12:43 36528 C:\WINDOWS\system32\drivers\PxHelp20.sys
    2006-08-14 12:43 115880 C:\WINDOWS\system32\pxinsi64.exe
    2006-08-14 12:43 114856 C:\WINDOWS\system32\pxcpyi64.exe
    2006-08-06 21:39 338 --a C:\Documents and Settings\Homicide\Application Data\internaldb1942.dat
    2006-08-02 17:40 d C:\Program Files\Sierra On-Line
    2006-08-02 13:24 d C:\Program Files\Symantec
    2006-08-02 13:22 13046 --a C:\Documents and Settings\Homicide\Application Data\internaldb5436.dat
    2006-08-02 13:22 122880 --a C:\Documents and Settings\Homicide\Application Data\internaldb4827.dat
    2006-08-02 13:22 0 --a C:\Documents and Settings\Homicide\Application Data\internaldb4604.dat
    2006-07-17 15:09 0 --a C:\Documents and Settings\Homicide\Application Data\internaldb153.dat
    2006-07-07 21:22 d C:\Documents and Settings\Homicide\Application Data\Real
    2006-07-07 21:00 d C:\Program Files\Common Files\xing shared
    2006-07-07 20:59 d C:\Program Files\Common Files\Real
    2006-07-07 20:54 d C:\Program Files\Real
    2006-06-28 21:17 43520 --a C:\WINDOWS\system32\CmdLineExt03.dll
    2006-06-28 21:15 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
    2006-06-28 21:15 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
    2006-06-28 21:15 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
    2006-06-28 04:15 23 --a C:\Documents and Settings\Homicide\Application Data\inifile41.ini
    2006-06-28 04:15 0 --a C:\Documents and Settings\Homicide\Application Data\internaldb3902.dat
    2006-06-28 04:15 0 --a C:\Documents and Settings\Homicide\Application Data\internaldb2391.dat
    2006-06-28 04:15 0 --a C:\Documents and Settings\Homicide\Application Data\internaldb1538.dat
    2006-06-22 15:24 857 --a C:\Documents and Settings\Homicide\Application Data\AdobeDLM.log
    2006-06-22 15:24 0 --a C:\Documents and Settings\Homicide\Application Data\dm.ini


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
    "BluetoothAuthenticationAgent"="rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent"
    "VTTimer"="VTTimer.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
    "KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
    65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
    "AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoActiveDesktopChanges"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001
    "DisableTaskMgr"=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "NoActiveDesktop"=dword:00000000
    "NoSaveSettings"=dword:00000000
    "ClassicShell"=dword:00000000
    "NoThemesTab"=dword:00000000
    "ForceActiveDesktopOn"=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "NoDispAppearancePage"=dword:00000000
    "NoColorChoice"=dword:00000000
    "NoSizeChoice"=dword:00000000
    "NoDispBackgroundPage"=dword:00000000
    "NoDispScrSavPage"=dword:00000000
    "NoDispCPL"=dword:00000000
    "NoVisualStyleChoice"=dword:00000000
    "NoDispSettingsPage"=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000000

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\actx1]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"=""
    "hkey"="HKCU"
    "command"=""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="aim"
    "hkey"="HKCU"
    "command"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iTunesHelper"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MsnMsgr]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msnmsgr"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="jusched"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Symantec NetDriver Monitor]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SNDMon"
    "hkey"="HKLM"
    "command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\themonitor]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"=""
    "hkey"="HKCU"
    "command"=""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\XoftSpy]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="XoftSpy"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\XoftSpy\\XoftSpy.exe -s"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="YAHOOM~1"
    "hkey"="HKCU"
    "command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
    "inimapping"="0"



    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: Sun 10/15/2006 10:49:02.76
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt







    Should I just put in my restore disk and let it restore my settings or something or does that not work in this instance.
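The ComboFix "Reg Loading Points" section is a REGEDIT4-style export, so a REG_EXPAND_SZ value such as KernelFaultCheck appears as a hex(2) byte list wrapped over two lines rather than as the plain text HijackThis prints in its O4 line. The following is an added example for this thread, not ComboFix code: a reader that rejoins the wrapped lines, decodes the three value encodings regedit uses ("...", dword: and hex(N):), and lists every command under a Run key with %VAR% expanded. The sample export is constructed from the entries above; the SystemRoot value (C:\WINDOWS) is an assumption, since the log does not print it.

```python
"""Reader for the regedit-style "Reg Loading Points" section ComboFix prints.

Added example for this thread, not ComboFix's own code.
"""
import re
from typing import Any, Dict, List, Tuple

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-f]+)\))?:(?P<bytes>.*)$", re.IGNORECASE)
ENV_RE = re.compile(r"%([^%]+)%")


def join_continuations(text: str) -> List[str]:
    """A trailing backslash means regedit wrapped a long value onto the next line."""
    lines: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        lines.append(line)
    if pending:
        lines.append(pending)
    return lines


def unescape_reg_string(s: str) -> str:
    # Inside "..." regedit puts a backslash before every backslash and double quote.
    out: List[str] = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def decode_data(data: str, utf16: bool = False) -> Any:
    """utf16=False is the REGEDIT4 layout (one byte per character) the tools in this
    thread write; a "Windows Registry Editor Version 5.00" export needs utf16=True."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = HEX_RE.match(data)
    if m:
        raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b.strip())
        reg_type = int(m.group("type") or "3", 16)        # bare "hex:" is REG_BINARY
        if reg_type in (1, 2, 7):                          # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ
            text = raw.decode("utf-16-le" if utf16 else "cp1252")
            parts = [p for p in text.split("\x00") if p]   # drop the terminating NULs
            return parts if reg_type == 7 else "".join(parts)
        return raw
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return unescape_reg_string(data[1:-1])
    return data


def parse_loading_points(text: str, utf16: bool = False) -> Dict[str, Dict[str, Any]]:
    """Map key path -> {value name: decoded data}; note and blank lines are skipped."""
    reg: Dict[str, Dict[str, Any]] = {}
    current = None
    for line in join_continuations(text):
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            reg.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            reg[current][vm.group("name")] = decode_data(vm.group("data"), utf16)
    return reg


def expand_env(command: str, env: Dict[str, str]) -> str:
    """Expand %VAR% as the loader does for REG_EXPAND_SZ data; names are case-insensitive."""
    lookup = {k.upper(): v for k, v in env.items()}
    return ENV_RE.sub(lambda m: lookup.get(m.group(1).upper(), m.group(0)), command)


def autostart_commands(reg: Dict[str, Dict[str, Any]], env: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(key, value name, expanded command) for every string value under a Run key."""
    found = []
    for key, values in reg.items():
        if key.lower().endswith("\\run"):
            for name, data in values.items():
                if isinstance(data, str):
                    found.append((key, name, expand_env(data, env)))
    return found


# Constructed sample, modelled on the Reg Loading Points section in this thread.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
  65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"""

ASSUMED_ENV = {"SystemRoot": "C:\\WINDOWS"}   # assumed; the log does not print it

if __name__ == "__main__":
    for key, name, cmd in autostart_commands(parse_loading_points(SAMPLE_EXPORT), ASSUMED_ENV):
        print(f"{key}\n    {name} = {cmd}")
```

Run as-is, the KernelFaultCheck bytes decode to the same `%systemroot%\system32\dumprep 0 -k` that HijackThis shows in its O4 line above, and the empty policies\explorer\run key comes back as an empty dict rather than being lost, which is the check you want when the point of reading the export is to confirm that nothing is hiding in a policy Run key.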
  • rpggamergirl South Australia
    edited October 2006
    Hi,
    Sorry I wasn't able to come here either.

    What Panda and Ewido found were files that were either already in quarantine or cookies, and also files belonging to smitfraud.

    Adware:Adware/CommAd Not disinfected C:\WINDOWS\SG9taWNpZGU\m36QuqhDt3o.vbs

    C:\WINDOWS\SG9taWNpZGU <-- delete this folder.


    You could try rolling back if you have system restore points still, rolling back as to a date before you were infected. You would have to install any programs or drivers that you installed after that chosen restore point.


    Or you could try and run more scanners:
    1. Download and install DrWebCureit:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    to your desktop.
    Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
    It will first make a quick scan of your system; let it clean what it finds, and when it says "done":
    Click on the green screwdriver.
    Actions Tab: Adware, Dialers, Riskware, Hacktools; use the dropdown menu and select Delete.
    Click on the drive(s) you want to scan. A red dot will mark the selected drive(s). Then hit the green arrow in the lower right corner. It will now scan your drive(s); say yes to all.

    After the scan, in the Dr.Web CureIt menu on top, click file and choose save report list
    Save the report to your desktop. The report will be called DrWeb.csv
    Close Dr.Web Cureit.
    Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
    After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


    2. Download and install Superantispyware
    http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
    Load Superantispyware and click the check for updates button.
    Once the update is finished, close SuperAntispyware again, we'll perform the scan later in safe mode

    * Start Superantispyware.
    Click the scan your computer button.
    Check Perform Complete Scan and then next.
    Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
    Make sure that they all have a check next to them and press next.
    Click finish and you will be taken back to the main interface.
    Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.


    3. Download the GUI version of BlackLight, and save it to your desktop.
    https://europe.f-secure.com/blacklight/try.shtml
    Doubleclick blbeta.exe, accept the agreement, click scan > next.

    You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.