Spyware Help

Hello, just recently I have been getting pop-ups.

Here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:48:51 PM, on 7/27/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\qwerty12.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\srqmqcs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\srqmqcsA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\windows\system32\mmdsregk.exe
C:\WINDOWS\System32\qwinnndt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kalef\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\System32\tydjlyeo.dll
O2 - BHO: (no name) - {DE59DB64-6889-4645-AEDE-CD5991FAB634} - C:\WINDOWS\System32\gebya.dll
O2 - BHO: (no name) - {FFDB5299-AB15-4477-AEC0-D8C22AFB745E} - C:\WINDOWS\System32\gebya.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [srqmqcsA] C:\WINDOWS\srqmqcsA.exe
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\TISKY009.exe SKY009
O4 - HKLM\..\Run: [{94-42-2B-B6-ZN}] c:\windows\system32\mmdsregk.exe SKY009
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\qwinnndt.exe SKY009
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\System32\ouyilyml.dll",sitypnow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-21-408939405-2699939882-557728558-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-408939405-2699939882-557728558-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Amair')
O4 - S-1-5-21-408939405-2699939882-557728558-1007 Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe (User 'Amair')
O4 - S-1-5-21-408939405-2699939882-557728558-1007 Startup: Think-Adz.lnk = C:\WINDOWS\system32\qwinnndt.exe (User 'Amair')
O4 - S-1-5-21-408939405-2699939882-557728558-1007 User Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe (User 'Amair')
O4 - S-1-5-21-408939405-2699939882-557728558-1007 User Startup: Think-Adz.lnk = C:\WINDOWS\system32\qwinnndt.exe (User 'Amair')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\qwinnndt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: gebya - C:\WINDOWS\System32\gebya.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: adirondack - {547aaa89-7e6b-42b4-b112-a64955f86a2a} - C:\WINDOWS\System32\zpuwriz.dll
O23 - Service: DomainService - - C:\WINDOWS\System32\qwerty12.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\srqmqcs.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Viewpoint\projyd.html

--
End of file - 5224 bytes

Comments

  • TroganTrogan London, UK
    edited July 2007
    Hi Bigboi8899,

    You have an unpatched copy of Windows, and on top of that NO Anti-Virus or Firewall protection at all. All of this is the reason why your computer is heavily infected, and your computer will continue to become infected until you take action to secure and update your system.

    The first step is to download and install Microsoft Service Pack 1a immediately. Once you have updated, run HijackThis and post a new scan.
  • edited July 2007
    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 9:40:29 PM, on 7/27/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\qwerty12.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\srqmqcs.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINDOWS\srqmqcsA.exe
    c:\windows\system32\mmdsregk.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM6\aim6.exe
    C:\WINDOWS\System32\qwinnndt.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Kalef\Desktop\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\System32\tydjlyeo.dll
    O2 - BHO: (no name) - {DFD6122B-F891-41CC-AF5F-A1CE2C1A1633} - C:\WINDOWS\System32\gebya.dll
    O2 - BHO: (no name) - {FFDB5299-AB15-4477-AEC0-D8C22AFB745E} - C:\WINDOWS\System32\gebya.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [srqmqcsA] C:\WINDOWS\srqmqcsA.exe
    O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\TISKY009.exe SKY009
    O4 - HKLM\..\Run: [{94-42-2B-B6-ZN}] c:\windows\system32\mmdsregk.exe SKY009
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\qwinnndt.exe SKY009
    O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\System32\ouyilyml.dll",sitypnow
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\qwinnndt.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
    O20 - Winlogon Notify: gebya - C:\WINDOWS\System32\gebya.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: adirondack - {547aaa89-7e6b-42b4-b112-a64955f86a2a} - C:\WINDOWS\System32\zpuwriz.dll
    O23 - Service: DomainService - - C:\WINDOWS\System32\qwerty12.exe
    O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\srqmqcs.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\Viewpoint\projyd.html

    --
    End of file - 4464 bytes
  • TroganTrogan London, UK
    edited July 2007
    Good job! You have a lot of malware, so it will take a few rounds to clean everything.

    You need to install one Anti-Virus and Firewall program from the following list - They are Free!

    Firewall
    Comodo << I recommend this
    Zone Alarm
    Sunbelt Kerio PF
    Outpost Firewall

    Anti-Virus
    AVG Free Edition << I recommend this
    AntiVir
    avast! 4 Home Edition

    Run a Full System Scan with your Anti-Virus program, and let it remove whatever it finds.

    Once that is done, do the following...

    1. You're using an older version of HijackThis. Please uninstall this version from Add/Remove Programs, and then follow the instructions below:

    Download HJTInstall.exe to your Desktop.
    • Doubleclick HJTInstall.exe to install it.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis .
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch Hijackthis.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Copy/Paste the log to your next reply please.
    • Don't use the Analyse This button, its findings are dangerous if misinterpreted.
    • Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
    2. Download this file to your Desktop - combofix.exe
    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    3. Please post the following...

    ComboFix log
    New HijackThis log
  • edited July 2007
    I have downloaded a firewall and an anti-virus program. Here is the HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:55:34 AM, on 7/28/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Opera\Opera.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\System32\tydjlyeo.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
    O22 - SharedTaskScheduler: adirondack - {547aaa89-7e6b-42b4-b112-a64955f86a2a} - C:\WINDOWS\System32\zpuwriz.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\Viewpoint\projyd.html

    --
    End of file - 4242 bytes

    and my ComboFix log:

    "Kalef" - 2007-07-28 9:44:22 - ComboFix 07-07-23.6 - Service Pack 1 NTFS


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\llnmp.ini
    C:\WINDOWS\system32\aybeg.bak1
    C:\WINDOWS\system32\aybeg.bak2
    C:\WINDOWS\system32\aybeg.ini
    C:\WINDOWS\system32\aybeg.ini2
    C:\WINDOWS\system32\aybeg.tmp
    C:\WINDOWS\system32\aybeg.bak1
    C:\WINDOWS\system32\aybeg.bak2
    C:\WINDOWS\system32\aybeg.ini
    C:\WINDOWS\system32\aybeg.ini2
    C:\WINDOWS\system32\aybeg.tmp
    C:\WINDOWS\system32\gebya.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
    C:\DOCUME~1\Kalef\APPLIC~1.\winantispyware 2007
    C:\DOCUME~1\Kalef\APPLIC~1.\winantispyware 2007 free
    C:\DOCUME~1\Kalef\APPLIC~1.\winantispyware 2007 free\DownloadUWAS7.url
    C:\DOCUME~1\Kalef\APPLIC~1.\winantispyware 2007\Logs\update.log
    C:\DOCUME~1\Sheldon\APPLIC~1\WinAntiSpyware 2007
    C:\DOCUME~1\Sheldon\APPLIC~1\WinAntiSpyware 2007\Logs\update.log
    C:\Documents and Settings\Kalef.\err.log
    C:\Program Files\Common Files\winantispyware 2007
    C:\Program Files\Common Files\winantispyware 2007\err.log
    C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
    C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
    C:\Program Files\video activex access
    C:\Program Files\video activex access\iesbpl.dll
    C:\Program Files\video activex access\iesbunst.exe
    C:\Program Files\video activex access\imsmn.exe
    C:\Program Files\video activex access\imsunst.exe
    C:\Program Files\video activex access\ot.ico
    C:\Program Files\video activex access\ts.ico
    C:\Program Files\video activex access\uninst.exe
    C:\Program Files\Viewpoint\projyd.html
    C:\temp\tn3
    C:\WINDOWS\DOWNLO~1.\xpreload.ocx
    C:\WINDOWS\DOWNLO~1\UWA7P_0001_N91M0809NetInstaller.exe
    C:\WINDOWS\rau001978.exe
    C:\WINDOWS\retadpu572.exe
    C:\WINDOWS\system32\b02FdUe
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\drivers\fopn.sys
    C:\WINDOWS\system32\dwdsregt.exe
    C:\WINDOWS\system32\G1
    C:\WINDOWS\system32\G1\kmhp83122.exe
    C:\WINDOWS\system32\G3
    C:\WINDOWS\system32\G3\wr725.exe
    C:\WINDOWS\system32\G5
    C:\WINDOWS\system32\G5\tns2.exe
    C:\WINDOWS\system32\G7
    C:\WINDOWS\system32\mmdsregk.exe
    C:\WINDOWS\system32\msnav32.ax
    C:\WINDOWS\system32\win
    C:\WINDOWS\system32\winpfz32.sys
    C:\WINDOWS\system32\zxdnt3d.cfg
    C:\WINDOWS\TISKY009.exe
    C:\WINDOWS\wr.txt


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    \LEGACY_CORE
    \LEGACY_DOMAINSERVICE
    \LEGACY_FOPN
    \LEGACY_NET_AGENT
    \LEGACY_WINDOWS_OVERLAY_COMPONENTS
    \core
    \DomainService
    \Net Agent
    \Windows Overlay Components


    ((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-28 )))))))))))))))))))))))))))))))


    2007-07-28 09:43 51,200 --a C:\WINDOWS\nircmd.exe
    2007-07-28 09:40 <DIR> d C:\Program Files\Trend Micro
    2007-07-28 08:37 126,016 --a C:\WINDOWS\system32\muqhrpwq.dll
    2007-07-28 08:34 66,112 --a C:\WINDOWS\system32\gfvsjrac.exe
    2007-07-28 08:31 <DIR> d C:\DOCUME~1\Kalef\APPLIC~1\Comodo
    2007-07-28 08:31 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-07-28 08:29 <DIR> d C:\Program Files\Comodo
    2007-07-28 08:25 66,112 --a C:\WINDOWS\system32\rndcuvjp.exe
    2007-07-27 21:39 66,112 --a C:\WINDOWS\system32\gyvnlvad.exe
    2007-07-27 21:36 <DIR> d C:\WINDOWS\Prefetch
    2007-07-27 21:24 <DIR> d C:\WINDOWS\ServicePackFiles
    2007-07-27 21:24 <DIR> d C:\WINDOWS\ehome
    2007-07-27 20:59 9,856 --a C:\WINDOWS\system32\drivers\tunmp.sys
    2007-07-27 20:59 9,216 --a C:\WINDOWS\system32\wuauserv.dll
    2007-07-27 20:59 88,064 --a C:\WINDOWS\system32\tscfgwmi.dll
    2007-07-27 20:59 86,528 --a C:\WINDOWS\system32\wlnotify.dll
    2007-07-27 20:59 86,016 --a C:\WINDOWS\system32\xactsrv.dll
    2007-07-27 20:59 82,944 --a C:\WINDOWS\system32\smlogsvc.exe
    2007-07-27 20:59 81,920 --a C:\WINDOWS\system32\trkwks.dll
    2007-07-27 20:59 77,824 --a C:\WINDOWS\system32\wmpstub.exe
    2007-07-27 20:59 71,168 --a C:\WINDOWS\system32\telnet.exe
    2007-07-27 20:59 71,168 --a C:\WINDOWS\system32\storprop.dll
    2007-07-27 20:59 674,816 --a C:\WINDOWS\system32\sxs.dll
    2007-07-27 20:59 667,648 --a C:\WINDOWS\system32\ss3dfo.scr
    2007-07-27 20:59 66,560 --a C:\WINDOWS\system32\spoolss.dll
    2007-07-27 20:59 66,048 --a C:\WINDOWS\system32\sigverif.exe
    2007-07-27 20:59 638,976 --a C:\WINDOWS\system32\sstext3d.scr
    2007-07-27 20:59 63,488 --a C:\WINDOWS\system32\srclient.dll
    2007-07-27 20:59 62,976 --a C:\WINDOWS\system32\shgina.dll
    2007-07-27 20:59 61,952 --a C:\WINDOWS\system32\webclnt.dll
    2007-07-27 20:59 61,952 --a C:\WINDOWS\system32\sti.dll
    2007-07-27 20:59 60,416 --a C:\WINDOWS\system32\wextract.exe
    2007-07-27 20:59 60,416 --a C:\WINDOWS\system32\shimeng.dll
    2007-07-27 20:59 569,344 --a C:\WINDOWS\system32\sspipes.scr
    2007-07-27 20:59 56,832 --a C:\WINDOWS\system32\wzcdlg.dll
    2007-07-27 20:59 534,016 --a C:\WINDOWS\system32\spider.exe
    2007-07-27 20:59 51,200 --a C:\WINDOWS\system32\wmerrenu.dll
    2007-07-27 20:59 5,504 --a C:\WINDOWS\system32\drivers\smbali.sys
    2007-07-27 20:59 49,664 --a C:\WINDOWS\system32\vfwwdm32.dll
    2007-07-27 20:59 48,640 --a C:\WINDOWS\system32\vdmredir.dll
    2007-07-27 20:59 48,128 --a C:\WINDOWS\system32\winsta.dll
    2007-07-27 20:59 479,261 --a C:\WINDOWS\system32\vbscript.dll
    2007-07-27 20:59 47,616 --a C:\WINDOWS\system32\utilman.exe
    2007-07-27 20:59 446,464 --a C:\WINDOWS\system32\wmvdmoe.dll
    2007-07-27 20:59 43,008 --a C:\WINDOWS\system32\ssdpsrv.dll
    2007-07-27 20:59 420,864 --a C:\WINDOWS\system32\shimgvw.dll
    2007-07-27 20:59 409,088 --a C:\WINDOWS\system32\vssapi.dll
    2007-07-27 20:59 40,960 --a C:\WINDOWS\system32\tscupgrd.exe
    2007-07-27 20:59 385,024 --a C:\WINDOWS\system32\sqlsrv32.dll
    2007-07-27 20:59 384,000 --a C:\WINDOWS\system32\themeui.dll
    2007-07-27 20:59 38,912 --a C:\WINDOWS\system32\wsnmp32.dll
    2007-07-27 20:59 364,544 --a C:\WINDOWS\system32\ssflwbox.scr
    2007-07-27 20:59 339,456 --a C:\WINDOWS\system32\usp10.dll
    2007-07-27 20:59 334,848 --a C:\WINDOWS\system32\smlogcfg.dll
    2007-07-27 20:59 33,280 --a C:\WINDOWS\system32\shmgrate.exe
    2007-07-27 20:59 32,256 --a C:\WINDOWS\system32\umandlg.dll
    2007-07-27 20:59 316,416 --a C:\WINDOWS\system32\zipfldr.dll
    2007-07-27 20:59 311,327 --a C:\WINDOWS\system32\wmv8dmod.dll
    2007-07-27 20:59 296,448 --a C:\WINDOWS\system32\wmstream.dll
    2007-07-27 20:59 27,136 --a C:\WINDOWS\system32\ssdpapi.dll
    2007-07-27 20:59 266,752 --a C:\WINDOWS\winhlp32.exe
    2007-07-27 20:59 264,704 --a C:\WINDOWS\system32\wzcsvc.dll
    2007-07-27 20:59 251,904 --a C:\WINDOWS\system32\strmdll.dll
    2007-07-27 20:59 247,808 --a C:\WINDOWS\system32\wow32.dll
    2007-07-27 20:59 24,064 --a C:\WINDOWS\system32\skeys.exe
    2007-07-27 20:59 233,984 --a C:\WINDOWS\system32\tapisrv.dll
    2007-07-27 20:59 231,424 --a C:\WINDOWS\system32\upnpui.dll
    2007-07-27 20:59 23,552 --a C:\WINDOWS\system32\wzcsapi.dll
    2007-07-27 20:59 226,304 --a C:\WINDOWS\system32\srrstr.dll
    2007-07-27 20:59 22,528 --a C:\WINDOWS\system32\slayerxp.dll
    2007-07-27 20:59 22,528 --a C:\WINDOWS\system32\shfolder.dll
    2007-07-27 20:59 22,016 --a C:\WINDOWS\system32\udhisapi.dll
    2007-07-27 20:59 203,264 --a C:\WINDOWS\system32\uxtheme.dll
    2007-07-27 20:59 200,192 --a C:\WINDOWS\system32\termsrv.dll
    2007-07-27 20:59 19,456 --a C:\WINDOWS\system32\ssmarque.scr
    2007-07-27 20:59 189,440 --a C:\WINDOWS\system32\wuaueng.dll
    2007-07-27 20:59 18,944 --a C:\WINDOWS\system32\ssbezier.scr
    2007-07-27 20:59 172,664 --a C:\WINDOWS\system32\xenroll.dll
    2007-07-27 20:59 171,520 --a C:\WINDOWS\system32\winmm.dll
    2007-07-27 20:59 17,408 --a C:\WINDOWS\system32\wtsapi32.dll
    2007-07-27 20:59 17,408 --a C:\WINDOWS\system32\ssmyst.scr
    2007-07-27 20:59 168,448 --a C:\WINDOWS\system32\wldap32.dll
    2007-07-27 20:59 165,376 --a C:\WINDOWS\system32\w32time.dll
    2007-07-27 20:59 165,376 --a C:\WINDOWS\system32\tapi32.dll
    2007-07-27 20:59 164,864 --a C:\WINDOWS\system32\upnphost.dll
    2007-07-27 20:59 16,896 --a C:\WINDOWS\system32\snmpapi.dll
    2007-07-27 20:59 16,384 --a C:\WINDOWS\system32\watchdog.sys
    2007-07-27 20:59 16,384 --a C:\WINDOWS\system32\ups.exe
    2007-07-27 20:59 158,720 --a C:\WINDOWS\system32\srsvc.dll
    2007-07-27 20:59 139,776 --a C:\WINDOWS\system32\wuauclt.exe
    2007-07-27 20:59 130,560 --a C:\WINDOWS\system32\sti_ci.dll
    2007-07-27 20:59 13,312 --a C:\WINDOWS\system32\wship6.dll
    2007-07-27 20:59 13,312 --a C:\WINDOWS\system32\ssstars.scr
    2007-07-27 20:59 128,512 --a C:\WINDOWS\system32\taskmgr.exe
    2007-07-27 20:59 124,928 --a C:\WINDOWS\system32\webvw.dll
    2007-07-27 20:59 120,320 --a C:\WINDOWS\system32\upnp.dll
    2007-07-27 20:59 119,808 --a C:\WINDOWS\system32\wiadss.dll
    2007-07-27 20:59 118,784 --a C:\WINDOWS\system32\wmsdmoe.dll
    2007-07-27 20:59 117,760 --a C:\WINDOWS\system32\stobject.dll
    2007-07-27 20:59 11,776 --a C:\WINDOWS\system32\sigtab.dll


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))



    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}]
    2007-07-27 12:21 69184 --a
    C:\WINDOWS\System32\tydjlyeo.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\System32\WinNB58.dll [ ]

    [-HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]
    [HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-19 22:43]
    "LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 17:54]
    "LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 18:32]
    "LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 18:31]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-07-28 08:29]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-28 08:39]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 06:41]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\Program Files\Viewpoint\projyd.html
    FriendlyName=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{547aaa89-7e6b-42b4-b112-a64955f86a2a}"= C:\WINDOWS\System32\zpuwriz.dll [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{3964D8D6-86D0-493A-B460-A805B5401114}"= C:\WINDOWS\System32\ljjjkig.dll [2007-07-26 23:08 31254]

    R0 Inspect;Comodo Network Engine;C:\WINDOWS\System32\DRIVERS\inspect.sys
    R0 Vmodem;XP Vmodem;C:\WINDOWS\System32\DRIVERS\vmodem.sys
    R0 Vpctcom;XP Vpctcom;C:\WINDOWS\System32\DRIVERS\vpctcom.sys
    R0 Vvoice;XP Vvoice;C:\WINDOWS\System32\DRIVERS\vvoice.sys
    R1 CmdMon;Comodo Application Engine;C:\WINDOWS\System32\DRIVERS\cmdmon.sys
    R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
    R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\System32\DRIVERS\e100b325.sys
    R3 LVBulk;LVBulk Service;C:\WINDOWS\System32\DRIVERS\LVBulk.sys
    R3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);C:\WINDOWS\System32\DRIVERS\LV551AV.sys
    R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\System32\DRIVERS\ptserlp.sys
    S3 ApiMon;ApiMon;\??\C:\WINDOWS\System32\drivers\ApiMon.sys

    *Newly Created Service* - ALG
    *Newly Created Service* - IPNAT

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-28 09:51:42
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-28 9:53:45 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-28 09:53

    --- E O F ---
  • TroganTrogan London, UK
    edited July 2007
    Hi Bigboi8899! Good job.

    I need to see another log from HijackThis.
    • Run Hijackthis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button.
    • Save the file to your desktop, with the default name of uninstall_list
    • Copy & Paste the entire contents of that file in your next post.
  • edited July 2007
    Adobe Flash Player Plugin
    AIM 6
    AVG 7.5
    COMODO Firewall Pro
    HijackThis 2.0.0
    home box office Screen Saver
    Java(TM) 6 Update 2
    Logitech ImageStudio
    Macromedia Flash Player 8
    Messenger Service
    Mirar
    Mozilla Firefox (2.0.0.5)
    Opera 9.22
    RealPlayer
    Video AX Object 2.07
    VideoLAN VLC media player 0.8.6c
    Viewpoint Media Player
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Overlay Components
    Windows XP Service Pack 1a
    WinRAR archiver
  • TroganTrogan London, UK
    edited July 2007
    Hi,

    Please do the following...

    1. Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:

    Windows Overlay Components

    2. Open Notepad (Start > Run > type: Notepad > OK)
    Copy (Ctrl+C) and paste (Ctrl+V) the following text in the Quote Box to Notepad.
    @echo off
    sc stop "DomainService"
    sc delete "DomainService"
    sc stop "Net Agent"
    sc delete "Net Agent"
    sc stop "Windows Overlay Components"
    sc delete "Windows Overlay Components"
    exit
    Go to File > Save
    Save File name as "FixServices.bat" (including the Quotes). Please save it on your desktop.
    Double click FixServices.bat on your Desktop. A window will open and close. This is normal.

    3. Download SmitfraudFix (by S!Ri) to your Desktop.
    http://siri.urz.free.fr/Fix/SmitfraudFix.zip
    Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press Enter
    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

    IMPORTANT: Do NOT run any other options until you are asked to do so!

    4. Post the SmitfraudFix report back here.
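    The FixServices.bat above stops and deletes three services blind. As an added example (not code from this thread or from S!Ri/Trogan), the script below first records each named service's state, start mode and executable path to a log on the Desktop, then performs the same stop and delete through WMI so the return codes are visible. It assumes Windows PowerShell in an Administrator session; the service names are the ones listed in the batch file.

    ```powershell
    # Added example: audit, then remove, the services named in FixServices.bat.
    # Assumes Windows PowerShell (1.0+) running as Administrator.
    $names = @('DomainService', 'Net Agent', 'Windows Overlay Components')
    $log   = Join-Path ([Environment]::GetFolderPath('Desktop')) 'FixServices-audit.txt'

    function Note([string]$msg) {
        # Echo to the console and keep a copy in the audit log for the helper.
        Write-Host $msg
        Add-Content -Path $log -Value $msg
    }

    foreach ($name in $names) {
        # Win32_Service exposes PathName (the binary the service runs), which
        # Get-Service does not; single quotes are doubled for the WQL filter.
        $filter = "Name='{0}'" -f ($name -replace "'", "''")
        $svc = Get-WmiObject -Class Win32_Service -Filter $filter
        if (-not $svc) {
            Note ("{0}: not present" -f $name)
            continue
        }

        # Record what is about to be removed before touching it.
        Note ("{0}: State={1} StartMode={2} Path={3}" -f `
            $svc.Name, $svc.State, $svc.StartMode, $svc.PathName)

        # Same two actions as 'sc stop' and 'sc delete', with results checked.
        if ($svc.State -ne 'Stopped') {
            $rc = $svc.StopService()
            Note ("  StopService returned {0} (0 = success)" -f $rc.ReturnValue)
        }
        $rc = $svc.Delete()
        Note ("  Delete returned {0} (0 = success)" -f $rc.ReturnValue)
    }
    ```

    A non-zero return code from StopService or Delete is worth posting along with the log, since it usually means the service is protected by another running component that still needs removing.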
  • edited July 2007
    SmitFraudFix v2.207

    Scan done at 10:37:45.42, Mon 07/30/2007
    Run from C:\Documents and Settings\Kalef\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Opera\Opera.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\System32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kalef


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kalef\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Kalef\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="C:\\Program Files\\Viewpoint\\projyd.html"
    "SubscribedURL"=""
    "FriendlyName"=""

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"

    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{547aaa89-7e6b-42b4-b112-a64955f86a2a}"="adirondack"

    [HKEY_CLASSES_ROOT\CLSID\{547aaa89-7e6b-42b4-b112-a64955f86a2a}\InProcServer32]
    @="C:\WINDOWS\System32\zpuwriz.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{547aaa89-7e6b-42b4-b112-a64955f86a2a}\InProcServer32]
    @="C:\WINDOWS\System32\zpuwriz.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Intel(R) PRO/100 VM Network Connection - Packet Scheduler Miniport
    DNS Server Search Order: 68.105.28.12
    DNS Server Search Order: 68.105.29.12
    DNS Server Search Order: 68.105.28.11

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{18595CEF-4433-4B31-BA27-611D3032299B}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{18595CEF-4433-4B31-BA27-611D3032299B}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{18595CEF-4433-4B31-BA27-611D3032299B}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
  • Trogan London, UK
    edited July 2007
    Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

    Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
    ______________________________

    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    ______________________________

    Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
    Select option #2 - Clean by typing 2 and press Enter.
    Wait for the tool to complete and disk cleanup to finish.
    You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
    The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

    The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
    ______________________________

    Navigate to C:\Windows\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Clean out your Temporary Internet files. Proceed like this:
    • Quit Internet Explorer and quit any instances of Windows Explorer.
    • Click Start, click Control Panel, and then double-click Internet Options.
    • On the General tab, click Delete Files under Temporary Internet Files.
    • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
    • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
    • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
    • Click OK.
    Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

    Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
    ______________________________

    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Do not automatically generate reports.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot in Normal Mode.
    ______________________________

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #3 - Delete Trusted zone by typing 3 and press Enter.
    Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

    Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
    ______________________________

    Please post:
    1. c:\rapport.txt
    2. AVG Anti-Spyware log
    3. A new HijackThis log
    You may need several replies to post the requested logs, otherwise they might get cut off.