BIG Problem[duplicate]

Unknown
edited January 2007 in Spyware & Virus Removal
Hi, I am new here and hope someone can help me . . . A few nights ago when I got on my computer, I went to IE and up popped http:c:///secure32.html in my address bar. My IE stopped working and another screen popped up saying that spyware was detected, and warning, warning, warning! I ran all the the Ad-Aware and virus programs, but I was not able to run the hijack program....my computer wouldn't let it download. A message pops up and says missing http 404-file not found. The warning screens are still popping up and everytime I go to IE, the address bar will automatically go to secure32.html......I tried to go to internet options and I really don't think it did any good, but I am not an expert at this and I need some help. I follow directions good, so if anyone can please help my computer, I would appreciate it!!

Thanks for any help you can give

Log file
BitDefender Online Scanner - Real Time Virus Report



Generated at: Mon, Jan 01, 2007 - 22:37:35






Scan Info



Scanned Files
365261

Infected Files
41








Virus Detected



Trojan.Agent.ACL
1

Generic.Malware.Sdld!.3A1F1FCC
6

Trojan.Clicker.Js.Linker.H
1

Dropped:Generic.Malware.Sdld.CE615A98
8

Trojan.Dropper.Small.AUC
3

DeepScan:Generic.Malware.Ssp!.9E60ADE1
1

Trojan.Spy.Sheriff.C
8

Trojan.Klone.H
1

DeepScan:Generic.Malware.SM!HYd@mmignprng.0D71A98C
2

Trojan.Spy.Goldun.CK
3

BehavesLike:Trojan.Downloader
3

Trojan.Dropper.Proxy.Wopla.B
1

Trojan.Downloader.BKK
3
«1

Comments

  • fish04
    edited January 2007
    Hi, I am new here and hope someone can help me . . . A few nights ago when I got on my computer, I went to IE and up popped http:c:///secure32.html in my address bar. My IE stopped working and another screen popped up saying that spyware was detected, and warning, warning, warning! I ran all the the Ad-Aware and virus programs, but I was not able to run the hijack program....my computer wouldn't let it download. A message pops up and says missing http 404-file not found. The warning screens are still popping up and everytime I go to IE, the address bar will automatically go to secure32.html......I tried to go to internet options and I really don't think it did any good, but I am not an expert at this and I need some help. I follow directions good, so if anyone can please help my computer, I would appreciate it!!

    Thanks for any help you can give

    Log file
    BitDefender Online Scanner - Real Time Virus Report



    Generated at: Mon, Jan 01, 2007 - 22:37:35






    Scan Info



    Scanned Files
    365261

    Infected Files
    41








    Virus Detected



    Trojan.Agent.ACL
    1

    Generic.Malware.Sdld!.3A1F1FCC
    6

    Trojan.Clicker.Js.Linker.H
    1

    Dropped:Generic.Malware.Sdld.CE615A98
    8

    Trojan.Dropper.Small.AUC
    3

    DeepScan:Generic.Malware.Ssp!.9E60ADE1
    1

    Trojan.Spy.Sheriff.C
    8

    Trojan.Klone.H
    1

    DeepScan:Generic.Malware.SM!HYd@mmignprng.0D71A98C
    2

    Trojan.Spy.Goldun.CK
    3

    BehavesLike:Trojan.Downloader
    3

    Trojan.Dropper.Proxy.Wopla.B
    1

    Trojan.Downloader.BKK
    3
  • PterocarpousPterocarpous Rosie the Riveter Lives On in CA, USA! New
    edited January 2007
    Your system is indeed infected. But you knew that already, right? :wink:

    I see you do have I'net access albiet compromised. That's a good thing.

    The likely reason you cannot download HijackThis is because your "HOST" file has been modified by spyware. It's blocking known sites where HijackThis and other anti-malware software can be downloaded from.

    Do you have access to another computer? If so, please, download HJT ( http://www.tomcoyote.org/hjt/) onto the system that is (hopefully) not infected.

    While you are at it, download ATF-Cleaner by Atribune ( http://www.atribune.org/ccount/click.php?id=1 ) to your desktop as well. Burn both these files to CD and scooch over to the sick computer w/ the CD. Copy the files onto the desktop of the sick computer.

    Now, reboot the computer into SAFE MODE. (Restart the computer as you normally would. Hit the F8 key while it is restarting. Choose SAFE MODE WITHOUT NETWORKING at the boot menu.)
    Credit where credit is due!....The following instructions are excerpts of a post provided by Rahina Rescue at this thread http://www.short-media.com/forum/showthread.php?t=53103 (Rahina Rescue is one of our experts specializing in Malware removal.) Please, read and follow these instructions (as Rahina Rescue is busy stamping out malware fires)

    Run ATF Cleaner. Click on MAIN and Choose SELECT ALL
    Click the EMPTY SELECTED button.

    If you use Mozilla Firefox browser, click FIREFOX at the top and choose: SELECT ALL

    Click the EMPTY SELECTED button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser Click OPERA at the top and choose: SELECT ALL
    Click the EMPTY SELECTED button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click EXIT on the MAIN menu to close the program.

    Now, reboot to NORMAL MODE



    See if you can navigate to this site for an online AV scan.
    http://www.kaspersky.com/downloads/kws/kavwebscan.html

    When you are prompted to install an ActiveX component from Kaspersky, Click YES.

    The program will launch and then begin downloading the latest definition files
    When the files finish downloading click on NEXT
    Now click on SCAN SETTINGS
    In SCAN SETTING, make sure that the following are selected:
    Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)

    Scan Options:
    Scan Archives
    Scan Mail Bases

    Click OK

    Now under select a target to scan:
    Select MY COMPUTER
    This program will start and scan your system.
    Online scan can take a long time to complete and the time is impacted by the speed of your internet connection. Be patient and let it run. It is best not to do anything else while the scan is running. This will help it to complete faster.
    When the scan has completed, it will display whether your system has been infected or not.
    Click on the SAVE AS TEXT button:
    Save the file to your desktop or another folder where you can locate it later.
    Attach this file to your next message.

    Please Post your HJT Log & your Kaspersky Report here.
  • fish04
    edited January 2007
    I think I can on my laptop at work tomorrow. So after I do that, then just post that file log?
  • PterocarpousPterocarpous Rosie the Riveter Lives On in CA, USA! New
    edited January 2007
    fish04 wrote:
    I think I can on my laptop at work tomorrow. So after I do that, then just post that file log?

    Right. Both log files, please.

    Please, download the following programs and burn them to CD:

    Lavasoft Adaware Personal Edition (freeware)
    http://www.lavasoft.de/products/ad-aware_se_personal.php

    Spybot Search & Destroy (freeware)
    http://www.safer-networking.org/en/download/index.html

    BHO Demon (freeware)
    http://www.majorgeeks.com/download3550.html

    HijackThis (freeware)
    http://www.tomcoyote.org/hjt/

    ATF-Cleaner by Atribune (freeware)
    http://www.atribune.org/ccount/click.php?id=1

    Comodo Firewall & Comodo Antivirus (freeware)
    http://www.comodogroup.com/

    ---

    For a more robust Antivirus than freeware AV software:
    NOD32 Antivirus ($39.00/year)
    http://www.eset.com/
  • TroganTrogan London, UK
    edited January 2007
    Hi fish04! :)

    Download HijackThis from another link...

    Click here to download HJTsetup.exe. Save it to your Desktop!
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    • Copy and paste the log here
    DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

    I need to see another log from HijackThis.
    • Run Hijackthis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button.
    • Save the file to your desktop, with the default name of uninstall_list
    • Copy & Paste the entire contents of that file in your in your next post.

    Please post the requested logs back here. :)
  • TroganTrogan London, UK
    edited January 2007
    fish04, for future reference, please DO NOT start multiple threads. I have merged the two threads you created together.

    Once you post the logs requested above, I will start to help you.
  • fish04
    edited January 2007
    I downloaded all to my desktop and ran everything except the Kapersky (It still would not let me run it. Here is a copy of the hijack log:

    HIJack LOG

    Logfile of HijackThis v1.99.1
    Scan saved at 9:42:04 PM, on 1/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRserv.exe
    C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
    C:\Program Files\Lexmark 2400 Series\ezprint.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\lxcrcoms.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.charter.com/welcome/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: 205.238.40.51 www.winmx.com err.winmx.com
    O1 - Hosts: 205.238.40.2 test3201.winmx.com test3205.winmx.com
    O1 - Hosts: 205.238.40.2 test3202.winmx.com test3206.winmx.com
    O1 - Hosts: 205.238.40.1 test3203.winmx.com test3207.winmx.com
    O1 - Hosts: 82.43.224.20 test3204.winmx.com test3208.winmx.com
    O1 - Hosts: 205.238.40.2 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
    O1 - Hosts: 82.43.224.20 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
    O1 - Hosts: 82.43.224.20 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
    O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
    O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
    O4 - HKLM\..\Run: [LXCRCATS] rundll32 \3\LXCRtime.dll,_RunDLLEntry@16
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [TaskManager] C:\WINDOWS\TaskMgr.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167712780578
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167552923015
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.7sultans.com/7sultans/FlashAX.cab
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LXCRCustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe
    O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe



    I also tried several times to save the file uninstall programs from hijack, but eveytime I clicked on save file, the program would just quit.

    Sorry for the multiple threads....I have never done this before and was trying to edit mine, guess I messed it up...sorry.
  • danball1976danball1976 Wichita Falls, TX
    edited January 2007
    Go ahead and delete the entries marked as (file missing).

    Also, delete all of the lines with winmx in them, and the secure32.html as well. (the little checkbox next to the entries in HiJackThis deletes them once you click "Fix Checked")
  • fish04
    edited January 2007
    okay I checked and deleted all requested files. restarted computer and went to IE...it did not go to the secure32 thing, yay! thank you so much !! What next?

    I did get an error message on start up:
    [ RUNDLL error loading \3\LXCRtime.dll Specified module could not be found ]
  • danball1976danball1976 Wichita Falls, TX
    edited January 2007
    Ok, if it isn't found, go ahead and delete the entry:
    O4 - HKLM\..\Run: [LXCRCATS] rundll32 \3\LXCRtime.dll,_RunDLLEntry@16
  • fish04
    edited January 2007
    okay, I deleted it and here it the new log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:55:22 PM, on 1/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRserv.exe
    C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
    C:\Program Files\Lexmark 2400 Series\ezprint.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\lxcrcoms.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.charter.com/welcome/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
    O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
    O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [TaskManager] C:\WINDOWS\TaskMgr.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167712780578
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167552923015
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.7sultans.com/7sultans/FlashAX.cab
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LXCRCustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe
    O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe



    Still getting the pop ups about "your computer may be infected, click here to download...."
  • danball1976danball1976 Wichita Falls, TX
    edited January 2007
    I'm not sure what this is for:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

    This you can probably delete
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

    By the way, there is a new version of Acrobat Reader, ver. 8 and Java is now on version 6.
    Download Java 6: http://java.sun.com/javase/downloads/index.jsp

    Make sure you uninstall your old Java 5 update 10 before installing Java 6. For some reason they don't uninstall the old version before installing the new one.

    Are you getting those popups at websites, or when IE is closed. Everyone gets those annoying popup ads at lots of websites. They are intended to scar you.
  • fish04
    edited January 2007
    Should I delete that first one youre not sure about also?
  • danball1976danball1976 Wichita Falls, TX
    edited January 2007
    I don't know. Better wait for prectorperus to come in and tell you. I was only telling you the obvious ones.
  • TroganTrogan London, UK
    edited January 2007
    Dan, removing entries with "File Missing" is wrong. HijackThis has a bug that shows this. "File Missing" is only true for O2 and O3 entries.

    Fish04, please do the following...

    I need to see another log from HijackThis.
    • Run Hijackthis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button.
    • Save the file to your desktop, with the default name of uninstall_list
    • Copy & Paste the entire contents of that file in your in your next post.
    ________________________

    Download SmitfraudFix (by S!Ri) to your Desktop.
    http://siri.urz.free.fr/Fix/SmitfraudFix.zip
    Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press Enter
    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

    IMPORTANT: Do NOT run any other options until you are asked to do so!
    ________________________

    Please post the following...
    1. Uninstall list
    2. Contents of C:\rapport.txt
  • danball1976danball1976 Wichita Falls, TX
    edited January 2007
    I ran smithfraudfix on my computer, it only took 10 seconds and I guess nothing bad was found.
  • fish04
    edited January 2007
    Here is rapport:
    SmitFraudFix v2.132

    Scan done at 0:11:49.96, Thu 01/04/2007
    Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

    pe386 detected, use a Rootkit scanner

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    Will be right back, going to try to run the other one from Hijack...it wouldn't run before.
  • fish04
    edited January 2007
    Hijack will not let me save the list. I can do everything except when I click save list, the program just disappears and I have to go back into it. Any way around that?
  • TroganTrogan London, UK
    edited January 2007
    We need to tackle another infection first

    Please do the following...

    1. Locate HijackThis here...
    C:\Program Files\Hijackthis\HijackThis.exe
    ...Right-click and select Rename. Change the name to Scanner.exe

    2. Download RustBFix from one of the following locations...

    http://www.uploads.ejvindh.net/rustbfix.exe

    http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe

    ...and save it to your desktop.

    Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log in your next reply

    3. We need to scan a file:
    • Go to VirusTotal
    • Copy and paste the following file path into the Search Box at the top of the page:
        C:\WINDOWS\TaskMgr.exe
      [*]Click on the Send button
      [*]Save a copy of the results and post them in your next reply.
      4. Please post the following...

      1) RustBFix logs
      2) Scan report
      3) New HijackThis (Scanner) log
    • fish04
      edited January 2007
      scan report as follows:
      Antivirus Version Update Result
      AntiVir 7.3.0.21 01.04.2007 no virus found
      Authentium 4.93.8 12.30.2006 no virus found
      Avast 4.7.892.0 12.30.2006 no virus found
      AVG 386 01.04.2007 no virus found
      BitDefender 7.2 01.05.2007 no virus found
      CAT-QuickHeal 8.00 01.03.2007 no virus found
      ClamAV devel-20060426 01.05.2007 no virus found
      DrWeb 4.33 01.04.2007 no virus found
      eSafe 7.0.14.0 01.04.2007 no virus found
      eTrust-InoculateIT 23.73.105 01.05.2007 no virus found
      eTrust-Vet 30.3.3303 01.05.2007 no virus found
      Ewido 4.0 01.04.2007 no virus found
      Fortinet 2.82.0.0 01.04.2007 no virus found
      F-Prot 3.16f 01.04.2007 no virus found
      F-Prot4 4.2.1.29 01.03.2007 no virus found
      Ikarus T3.1.0.27 01.04.2007 no virus found
      Kaspersky 4.0.2.24 01.05.2007 no virus found
      McAfee 4932 01.04.2007 no virus found
      Microsoft 1.1904 01.04.2007 no virus found
      NOD32v2 1957 01.04.2007 no virus found
      Norman 5.80.02 12.31.2007 no virus found
      Panda 9.0.0.4 01.04.2007 no virus found
      Prevx1 V2 01.05.2007 no virus found
      Sophos 4.13.0 01.04.2007 no virus found
      Sunbelt 2.2.907.0 12.18.2006 no virus found
      TheHacker 6.0.3.142 01.04.2007 no virus found
      UNA 1.83 01.04.2007 no virus found
      VBA32 3.11.1 01.04.2007 no virus found

      Rust 8 Fix Log:
      Logfile of The Avenger version 1, by Swandog46
      Running from registry key:
      \Registry\Machine\System\CurrentControlSet\Services\djldsobl

      *******************


      Fatal error: integrity of Services key failed verification check! Security may be fatally compromised. Exiting immediately.

      Could not open script file! Status: 0xc0000034 Abort!

      Hijack would not run when I renamed it scanner.exe (I must be doing something wrong there), so I changed it back to Hijack and ran it. Here's the log:
      Logfile of HijackThis v1.99.1
      Scan saved at 8:03:18 PM, on 1/4/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.5730.0011)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Ahead\InCD\InCDsrv.exe
      C:\WINDOWS\system32\LEXBCES.EXE
      C:\WINDOWS\system32\LEXPPS.EXE
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
      C:\Program Files\Alwil Software\Avast4\ashServ.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRserv.exe
      C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\hkcmd.exe
      C:\Program Files\Support.com\bin\tgcmd.exe
      C:\WINDOWS\BCMSMMSG.exe
      C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
      C:\Program Files\Ahead\InCD\InCD.exe
      C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
      C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
      C:\Program Files\iTunes\iTunesHelper.exe
      C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
      C:\Program Files\Lexmark 2400 Series\ezprint.exe
      C:\Program Files\Java\jre1.6.0\bin\jusched.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
      C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
      C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
      C:\Program Files\WinZip\WZQKPICK.EXE
      C:\Program Files\iPod\bin\iPodService.exe
      C:\WINDOWS\system32\lxcrcoms.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Hijackthis\HijackThis.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.charter.com/welcome/
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
      O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
      O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
      O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
      O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
      O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
      O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
      O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
      O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
      O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
      O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
      O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\orxpcvap.dll",setvm
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
      O4 - HKCU\..\Run: [TaskManager] C:\WINDOWS\TaskMgr.exe
      O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
      O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
      O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
      O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
      O11 - Options group: [INTERNATIONAL] International*
      O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
      O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167712780578
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167552923015
      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
      O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
      O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
      O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.7sultans.com/7sultans/FlashAX.cab
      O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
      O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
      O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
      O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
      O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
      O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
      O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
      O23 - Service: LXCRCustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe
      O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
      O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
      O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


      Thanks again for your help! I do appreciate it.
    • fish04
      edited January 2007
      Tried to run the Rust 8 again, here is what came up:
      ************************* Rustock.b-fix -- By ejvindh *************************
      Thu 01/04/2007 20:12:45.31

      Rustock.b-driver on the system: NONE!

      Rustock.b-ADS attached to the System32-folder:
      :lzx32.sys 69550
      Total size: 69550 bytes.
      Attempting to remove ADS...
      system32: deleted 69550 bytes in 1 streams.

      Looking for Rustock.b-files in the System32-folder:
      system32\lzx32.sys FOUND!
      attempting to delete lzx32.sys from system32-folder


      ******************* Post-run Status of system *******************

      Rustock.b-driver on the system: NONE!

      Rustock.b-ADS attached to the System32-folder:
      No System32-ADS found.

      Looking for Rustock.b-files in the System32-folder:
      No Rustock.b-files found in system32


      ******************************* End of Logfile ********************************
    • TroganTrogan London, UK
      edited January 2007
      Thanks for the logs. Since HijackThis won't rename, lets try this:

      Please download VundoFix.exe to your desktop.
      • Double-click VundoFix.exe to run it.
      • Click the Scan for Vundo button.
      • Once it's done scanning, click the Remove Vundo button.
      • You will receive a prompt asking if you want to remove the files, click YES
      • Once you click yes, your desktop will go blank as it starts removing Vundo.
      • When completed, it will prompt that it will reboot your computer, click OK.
      • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
      Note: It is possible that VundoFix encountered a file it could not remove.
      In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
    • fish04
      edited January 2007
      Vundo Log:
      VundoFix V6.2.13

      Checking Java version...

      Java version is 1.5.0.6

      Java version is 1.5.0.7

      Scan started at 10:42:28 PM 1/5/2007

      Listing files found while scanning....

      C:\WINDOWS\system32\winrkp32.dll
      C:\WINDOWS\system32\pmnll.dll
      C:\WINDOWS\system32\pmnll.dll
      C:\WINDOWS\system32\pmnll.dll
      C:\WINDOWS\system32\llnmp.ini
      C:\WINDOWS\system32\llnmp.bak1
      C:\WINDOWS\system32\llnmp.bak2
      C:\WINDOWS\system32\llnmp.ini2
      C:\WINDOWS\system32\llnmp.tmp
      C:\WINDOWS\system32\llnmp.ini
      C:\WINDOWS\system32\llnmp.bak1
      C:\WINDOWS\system32\llnmp.bak2
      C:\WINDOWS\system32\llnmp.ini2
      C:\WINDOWS\system32\llnmp.tmp
      C:\WINDOWS\system32\llnmp.ini
      C:\WINDOWS\system32\llnmp.bak1
      C:\WINDOWS\system32\llnmp.bak2
      C:\WINDOWS\system32\llnmp.ini2
      C:\WINDOWS\system32\llnmp.tmp

      Beginning removal...

      Attempting to delete C:\WINDOWS\system32\winrkp32.dll
      C:\WINDOWS\system32\winrkp32.dll Has been deleted!

      Attempting to delete C:\WINDOWS\system32\pmnll.dll
      C:\WINDOWS\system32\pmnll.dll Has been deleted!

      Attempting to delete C:\WINDOWS\system32\llnmp.ini
      C:\WINDOWS\system32\llnmp.ini Has been deleted!

      Attempting to delete C:\WINDOWS\system32\llnmp.bak1
      C:\WINDOWS\system32\llnmp.bak1 Has been deleted!

      Attempting to delete C:\WINDOWS\system32\llnmp.bak2
      C:\WINDOWS\system32\llnmp.bak2 Has been deleted!

      Attempting to delete C:\WINDOWS\system32\llnmp.ini2
      C:\WINDOWS\system32\llnmp.ini2 Has been deleted!

      Attempting to delete C:\WINDOWS\system32\llnmp.tmp
      C:\WINDOWS\system32\llnmp.tmp Has been deleted!

      Performing Repairs to the registry.
      Done!


      Hijackthis log:
      Logfile of HijackThis v1.99.1
      Scan saved at 10:53:12 PM, on 1/5/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.5730.0011)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Ahead\InCD\InCDsrv.exe
      C:\WINDOWS\system32\LEXBCES.EXE
      C:\WINDOWS\system32\LEXPPS.EXE
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
      C:\Program Files\Alwil Software\Avast4\ashServ.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
      C:\WINDOWS\csrss.exe
      C:\WINDOWS\system32\hkcmd.exe
      C:\Program Files\Support.com\bin\tgcmd.exe
      C:\WINDOWS\BCMSMMSG.exe
      C:\Program Files\Ahead\InCD\InCD.exe
      C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
      C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
      C:\Program Files\iTunes\iTunesHelper.exe
      C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
      C:\Program Files\Lexmark 2400 Series\ezprint.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Java\jre1.6.0\bin\jusched.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
      C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
      C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
      C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
      C:\Program Files\WinZip\WZQKPICK.EXE
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\WINDOWS\system32\lxcrcoms.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Hijackthis\HijackThis.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.charter.com/welcome/
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
      O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\iiyhdxbr.dll
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
      O2 - BHO: (no name) - {AEC3AEB5-57E2-4020-8625-0E273149322A} - C:\WINDOWS\system32\pmnll.dll (file missing)
      O2 - BHO: (no name) - {E672B410-3580-435F-AD90-63D158E2F29C} - C:\WINDOWS\system32\urqonmn.dll
      O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
      O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
      O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
      O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
      O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
      O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
      O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
      O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
      O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
      O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
      O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
      O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\orxpcvap.dll",setvm
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
      O4 - HKCU\..\Run: [TaskManager] C:\WINDOWS\TaskMgr.exe
      O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
      O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
      O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
      O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
      O11 - Options group: [INTERNATIONAL] International*
      O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
      O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167712780578
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167552923015
      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
      O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
      O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
      O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.7sultans.com/7sultans/FlashAX.cab
      O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
      O20 - Winlogon Notify: urqonmn - C:\WINDOWS\SYSTEM32\urqonmn.dll
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
      O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
      O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
      O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
      O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
      O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
      O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
      O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
      O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
      O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    • TroganTrogan London, UK
      edited January 2007
      Your HijackThis log is showing a file that I do not like the look of, but I'd like to get it scanned.

      1.
      • Go to VirusTotal
      • Copy and paste the following file path into the Search Box at the top of the page:
      • C:\WINDOWS\csrss.exe
      • Click on the Send button
      • Please post the results in your next reply.
      2. Locate this file...
      C:\WINDOWS\TaskMgr.exe
      ...Right-click and Select Properties. Go to the Version tab (if there is one) and tell me who the company is.


      Please post the info for 1 and 2 back here.
    • fish04
      edited January 2007
      Company is Microsoft Corporation

      I followed instructions for VirusTotal and clicked scan, but I did not receive any results, am I missing a step?
    • TroganTrogan London, UK
      edited January 2007
      Strange...I don't think you missed a step:

      Could you scan that file here
      http://virusscan.jotti.org/

      Thanks!
    • fish04
      edited January 2007
      You are great! Here are the results:
      Scan taken on 06 Jan 2007 22:34:29 (GMT)
      AntiVir Found HEUR/Malware
      ArcaVir Found nothing
      Avast Found nothing
      AVG Antivirus Found nothing
      BitDefender Found nothing
      ClamAV Found nothing
      Dr.Web Found nothing
      F-Prot Antivirus Found unknown virus (probable variant)
      F-Secure Anti-Virus Found nothing
      Fortinet Found nothing
      Kaspersky Anti-Virus Found nothing
      NOD32 Found probably a variant of Win32/PSW.LdPinch.BIE (probable variant)
      Norman Virus Control Found nothing
      VirusBuster Found nothing
      VBA32 Found MalwareScope.Trojan-PSW.Pinch.1
    • TroganTrogan London, UK
      edited January 2007
      Thanks for the results.

      Please do the following...

      1. Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
      This program is for XP and Windows 2000 only!

      Double-click ATF Cleaner.exe to open it.

      Under Main select the following:
        Windows Temp
        Current User Temp
        All Users Temp
        Temporary Internet Files
        Prefetch
        Java Cache        *The other boxes are optional*
        Then click the Empty Selected button.

        Click Exit on the Main menu to close the program.

        2. You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!

        Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
        http://www.ewido.net/en/download/
        • Install AVG Anti-Spyware by double clicking the installer.
        • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
        • On the main screen under Your Computer's security.
          • Click on Change state next to Resident shield. It should now change to inactive.
          • Click on Change state next to Automatic updates. It should now change to inactive.
          • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
          • Wait until you see the Update succesfull message.
        • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
        • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
        If you are having problems with the updater, you can use this link to manually update ewido.
        AVG Anti-Spyware manual updates.
        Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

        Reboot your computer in Safe Mode.
        • If the computer is running, shut down Windows, and then turn off the power.
        • Wait 30 seconds, and then turn the computer on.
        • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
        • Ensure that the Safe Mode option is selected.
        • Press Enter. The computer then begins to start in Safe mode.
        • Login on your usual account.
        3. Make sure you can view hidden files and folders:
        • Click Start.
        • Open My Computer.
        • Select the Tools menu and click Folder Options.
        • Select the View Tab.
        • Under the Hidden files and folders heading select Show hidden files and folders.
        • Uncheck the Hide protected operating system files (recommended) option.
        • Click Yes to confirm.
        • Click OK.
        4. Find and delete the following File:

        C:\WINDOWS\csrss.exe <-- This file

        5. Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
        • Click on Scanner on the toolbar.
        • Click on the Settings tab.
          • Under How to act?
            • Click on Recommended Action and choose Quarantine from the popup menu.
          • Under How to scan?
            • All checkboxes should be ticked.
          • Under Possibly unwanted software:
            • All checkboxes should be ticked.
          • Under Reports:
            • Select Automatically generate report after every scan and uncheck Only if threats were found.
          • Under What to scan?
            • Select Scan every file.
        • Click on the Scan tab.
        • Click on Complete System Scan to start the scan process.
        • Let the program scan the machine.
        • When the scan has finished, follow the instructions below.
          IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
          • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
          • At the bottom of the window click on the Apply all Actions button. (3)
            scanavgjk2.jpg
        • When done, click the Save Scan Report button. (4)
          • Click the Save Report as button.
          • Save the report to your Desktop.
        • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes
        . Reboot back into Normal Mode

        6. Download this file to your Desktop - combofix.exe
        Double click combofix.exe & follow the prompts.
        When finished, it shall produce a log for you. Post that log in your next reply

        Note:
        Do not mouseclick combofix's window whilst it's running. That may cause it to stall

        7. Please post the following...

        1) AVG anti-spyware log
        2) ComboFix log
        3) New HijackThis log
      • fish04
        edited January 2007
        I have done everything, but now I can't get IE to come up (posting now from laptop..) When I click on IE it says: "iexplore.exe - Unable to locate component...This application has failed to start because msvcrl.dll was not found. Re-installing the application may fix this problem" ....

        I tried to reinstall Office 2000 (I don't have the Office 2003 with me tonight), but IE would still not start and the same message came up again. So, I can't get on the internet from that computer.... I can save the file logs on my jump drive and load them from my laptop if you think that would work...?
      • TroganTrogan London, UK
        edited January 2007
        That is not a good sign! :(

        If you could post the logs from another computer, that would be good.
      This discussion has been closed.