Computing.Net > Forums > Security and Virus > System Alert Popups etc...


System Alert Popups etc...


Name: Myrrdin
Date: November 6, 2007 at 21:29:07 Pacific
OS: Windows Xp service pack 2
CPU/Ram: Celeron (R), 512 MB of RAM
Product: dell
Comment:

Please help. I have no idea how to fix my computer. Recently I've started to receive these system alert pop-ups that appear near the clock on the lower right side of the desktop, and a little yellow triangle with an ! appears next to the time. Also, about every 2 min about 3 pop-ups appear saying I need to download some antivirus software. I have run Spybot, BitDefender, ComboFix, Dr.Web CureIt, and SDFix.




Response Number 1
Name: jabuck
Date: November 7, 2007 at 04:01:12 Pacific
Reply:

Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop.

!!!! Only run option #1, as running the other options on an uninfected computer will damage the desktop. !!!!


Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Please download and install the latest version of HijackThis v2.0.2:

Download the HijackThis Installer from this link: HijackThis

1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



Response Number 2
Name: Myrrdin
Date: November 7, 2007 at 10:49:46 Pacific
Reply:

OK, here are the SmitfraudFix and HijackThis logs.

SmitFraudFix v2.250

Scan done at 13:42:00.68, 2007-11-07
Run from C:\Documents and Settings\Owner\Local Settings\temp\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sockspy.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.15.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{B3D9744B-A62D-4AAA-846D-8806C14A9045}: DhcpNameServer=192.168.15.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B3D9744B-A62D-4AAA-846D-8806C14A9045}: DhcpNameServer=192.168.15.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B3D9744B-A62D-4AAA-846D-8806C14A9045}: DhcpNameServer=192.168.15.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.15.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.15.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.15.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:46, on 2007-11-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {68c6f595-7d96-2fb8-03d4-5c9593487b03} - {30b78439-59c5-4d30-8bf2-69d7595f6c86} - C:\WINDOWS\system32\kxrgyytx.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6d866211-621e-4ea0-87dc-129f1cf34ed8} - C:\WINDOWS\system32\epojgfu.dll (file missing)
O2 - BHO: 0 - {7098793B-FC9F-45F7-9AA6-C662F599E32B} - C:\Program Files\MSN Gaming Zone\lagubikab332.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\qtzikieg.dll
O2 - BHO: (no name) - {BCC73622-F72D-4277-803C-D65565A0947F} - C:\WINDOWS\system32\nnnkigh.dll
O2 - BHO: (no name) - {E4E375CA-DB09-4623-8EDE-90F8CB6AB79B} - C:\Program Files\Online Services\hotehyj83122.dll (file missing)
O2 - BHO: (no name) - {ED5D513E-0D23-445B-B6FC-B66812BE01BC} - C:\Program Files\Online Services\hotehyj4444.dll (file missing)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\qtzikieg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [{47-7A-A0-01-ZN}] C:\Documents and Settings\DJ\Local Settings\Temp\TIP2D002.exe P2D002
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [c4f47aae] rundll32.exe "C:\WINDOWS\system32\yfrcwnhy.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PaSystem] "C:\Program Files\pasystem\pasystem.exe"
O4 - HKUS\S-1-5-21-1214440339-1303643608-682003330-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'nikki')
O4 - HKUS\S-1-5-21-1214440339-1303643608-682003330-1005\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'nikki')
O4 - HKUS\S-1-5-21-1214440339-1303643608-682003330-1005\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp (User 'nikki')
O4 - HKUS\S-1-5-21-1214440339-1303643608-682003330-1005\..\Run: [PaSystem] "C:\Program Files\pasystem\pasystem.exe" (User 'nikki')
O4 - HKUS\S-1-5-21-1214440339-1303643608-682003330-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'nikki')
O4 - HKUS\S-1-5-21-1214440339-1303643608-682003330-1005\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'nikki')
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySp...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O20 - Winlogon Notify: nksjmctd - C:\WINDOWS\
O20 - Winlogon Notify: nnnkigh - C:\WINDOWS\SYSTEM32\nnnkigh.dll
O20 - Winlogon Notify: qtzikieg - C:\WINDOWS\SYSTEM32\qtzikieg.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8221 bytes
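The HijackThis log above can be triaged mechanically rather than by eye. The following Python is an added example, not part of this thread or of HijackThis itself; it parses a constructed subset of the O2/O3/O4/O20 lines quoted from the log and flags the patterns a helper looks for: registrations whose file is gone, autoruns started from a Temp folder, rundll32 loading a DLL, and one module hooked into several load points (qtzikieg.dll as BHO, toolbar and Winlogon notify).

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the O2/O3/O4/O20 lines from the HijackThis log
# posted above, embedded here so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {68c6f595-7d96-2fb8-03d4-5c9593487b03} - {30b78439-59c5-4d30-8bf2-69d7595f6c86} - C:\WINDOWS\system32\kxrgyytx.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\qtzikieg.dll
O2 - BHO: (no name) - {BCC73622-F72D-4277-803C-D65565A0947F} - C:\WINDOWS\system32\nnnkigh.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\qtzikieg.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [{47-7A-A0-01-ZN}] C:\Documents and Settings\DJ\Local Settings\Temp\TIP2D002.exe P2D002
O4 - HKLM\..\Run: [c4f47aae] rundll32.exe "C:\WINDOWS\system32\yfrcwnhy.dll",b
O20 - Winlogon Notify: nnnkigh - C:\WINDOWS\SYSTEM32\nnnkigh.dll
O20 - Winlogon Notify: qtzikieg - C:\WINDOWS\SYSTEM32\qtzikieg.dll
"""

# "O2 - BHO: ..." -> section code and the rest of the entry.
SECTION_RE = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")
# First absolute Windows path ending in .dll or .exe anywhere in the entry.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:dll|exe))', re.IGNORECASE)
# Autorun locations installed software has no reason to start from.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\windows\\temp\\")


def parse_line(line):
    """Split one HijackThis entry into its section, text and referenced file."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    pm = PATH_RE.search(rest)
    path = pm.group(1) if pm else None
    return {
        "section": section,
        "text": rest,
        "path": path,
        # Case-folded key so system32 and SYSTEM32 count as the same module.
        "module": path.lower() if path else None,
        "missing": "(file missing)" in rest,
    }


def analyse(log_text):
    """Return (finding, where, what) tuples for entries that deserve a second look."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    locations = defaultdict(set)
    for e in entries:
        # A registration whose DLL is gone is a leftover of something removed or
        # renamed; the registry key itself still needs cleaning.
        if e["missing"]:
            findings.append(("orphaned", e["section"], e["path"]))
            continue
        if e["section"] == "O4" and e["module"]:
            # Legitimately installed software does not autostart from Temp.
            if any(marker in e["module"] for marker in TEMP_MARKERS):
                findings.append(("temp-autorun", "O4", e["path"]))
            # rundll32 loading a DLL by export name puts the real payload
            # behind a trusted Microsoft binary in the process list.
            if "rundll32" in e["text"].lower() and e["module"].endswith(".dll"):
                findings.append(("rundll32-dll", "O4", e["path"]))
        if e["module"]:
            locations[e["module"]].add(e["section"])
    # One module hooked into several load points (BHO + toolbar + Winlogon
    # notify) is redundancy a benign browser add-on has no reason to build.
    for module, sections in sorted(locations.items()):
        if len(sections) >= 2:
            findings.append(("multi-hook", "+".join(sorted(sections)), module))
    return findings


if __name__ == "__main__":
    for kind, where, what in analyse(SAMPLE_LOG):
        print(f"{kind:14} {where:12} {what}")
```

The heuristics only rank entries for review; the helper still decides what to fix, exactly as jabuck's "Do NOT have HijackThis fix anything yet" warns.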




Response Number 3
Name: Intel 80486 (by meisinscotland)
Date: November 7, 2007 at 14:34:04 Pacific
Reply:

Yep, that's smitfraud. Work your magic Jabuck, and welcome back! Not seen you for a while.

    
 


Response Number 4
Name: jabuck
Date: November 7, 2007 at 14:53:07 Pacific
Reply:

Temporarily disable any of the following anti-spyware realtime protection programs that you may have (see Disable Realtime Protection), or the fixes will not work. Be sure to turn your anti-spyware programs back on once the computer is clean.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Once in Safe Mode, open the "SmitfraudFix" folder again and double-click "smitfraudfix.cmd"
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing "Y" and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if "wininet.dll" is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing "Y" and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the log it produces.

Your java is out of date and can be exploited.

Download the latest version of Java from http://java.sun.com/javase/downloads/index.jsp

Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".

Click the "Download" button to the right.

Check the box that says: "Accept License Agreement". The page will refresh.

Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Close any programs you may have running - especially your web browser.

Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.

Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-1_6_3-windowsi586-p.exe to install the newest version.

And then post a new Hijack This log please.



Response Number 5
Name: Myrrdin
Date: November 7, 2007 at 21:11:58 Pacific
Reply:

OK, here are the new logs.


SmitFraudFix v2.250

Scan done at 23:27:03.40, 2007-11-07
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{B3D9744B-A62D-4AAA-846D-8806C14A9045}: DhcpNameServer=192.168.15.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B3D9744B-A62D-4AAA-846D-8806C14A9045}: DhcpNameServer=192.168.15.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B3D9744B-A62D-4AAA-846D-8806C14A9045}: DhcpNameServer=192.168.15.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.15.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.15.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.15.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


ComboFix 07-11-01.1** - Owner 2007-11-07 23:37:23.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.226 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Owner\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\qtzikieg.dllbox
.
---- Previous Run -------
.
C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Owner\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\nksjmctd.dllbox
C:\WINDOWS\system32\qrutv.bak1
C:\WINDOWS\system32\qrutv.bak2
C:\WINDOWS\system32\qrutv.ini
C:\WINDOWS\system32\qrutv.ini2
C:\WINDOWS\system32\qtzikieg.dllbox
C:\WINDOWS\system32\vturq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NET_AGENT
-------\cmdService
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-07 13:46 <DIR> d----c--- C:\Program Files\Trend Micro
2007-11-07 00:09 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-07 00:09 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-07 00:09 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-07 00:09 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-07 00:09 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-06 13:30 71,232 --a------ C:\WINDOWS\system32\xqccayhh.exe
2007-11-06 13:28 145,984 --a------ C:\WINDOWS\system32\qtzikieg.dll
2007-11-06 13:27 145,984 --a------ C:\WINDOWS\system32\sxynfpcv.dll
2007-11-06 01:55 <DIR> d-------- C:\Documents and Settings\Owner\DoctorWeb
2007-11-06 01:42 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-06 00:34 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-05 22:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Bitdefender
2007-11-05 22:21 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\BitDefender
2007-11-05 20:56 83,008 --a------ C:\WINDOWS\system32\mclvklmj.dll
2007-11-05 20:44 340,032 --a------ C:\WINDOWS\system32\nlnicnjd.dll
2007-11-05 20:44 340,032 --ah----- C:\WINDOWS\system32\nksjmctd.dll
2007-11-05 19:31 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-11-05 19:27 <DIR> d----c--- C:\Program Files\BitDefender
2007-11-05 19:21 <DIR> d----c--- C:\Program Files\Common Files\BitDefender
2007-11-05 19:02 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-05 18:59 35,328 --a------ C:\WINDOWS\system32\nnnkigh.dll
2007-11-05 18:59 786 --a--c--- C:\4039.bat
2007-11-05 18:59 0 --a--c--- C:\z.dat
2007-11-05 18:58 <DIR> d-------- C:\WINDOWS\system32\Mz18r
2007-11-05 18:58 <DIR> d----c--- C:\Temp\mZOr
2007-11-05 18:58 <DIR> d----c--- C:\Temp
2007-11-05 18:55 <DIR> d-------- C:\Documents and Settings\Owner\Shared
2007-11-05 18:55 <DIR> d-------- C:\Documents and Settings\Owner\Incomplete
2007-11-05 18:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2007-11-05 17:50 <DIR> d----c--- C:\Program Files\Enigma Software Group
2007-10-23 23:54 <DIR> d----c--- C:\Program Files\CCP
2007-10-22 23:45 <DIR> d----c--- C:\Program Files\Microsoft Games
2007-10-22 22:27 <DIR> d----c--- C:\Program Files\Freeciv-2.0.9-gtk2
2007-10-21 22:26 <DIR> d----c--- C:\Program Files\GameTap
2007-10-21 22:26 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\GameTap
2007-10-18 12:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Legends of pirates
2007-10-10 02:01 <DIR> d----c--- C:\99a0f02497cbf1daf58b

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 04:27 3,092 ----a-w C:\WINDOWS\system32\tmp.reg
2007-11-06 04:42 --------- dc----w C:\Program Files\psdriver
2007-11-06 00:19 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-04 19:11 --------- dc----w C:\Program Files\Doras Carnival 2 At the Boardwalk
2007-10-30 21:00 79,875 ----a-w C:\WINDOWS\system32\adssite-remove.exe
2007-10-29 20:59 --------- dc----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-10-23 03:46 --------- dc----w C:\Program Files\LimeWire
2007-10-04 16:04 --------- dc----w C:\Program Files\Lit and LA
2007-10-04 16:03 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2007-10-03 16:35 110 -c--a-w C:\Documents and Settings\All Users\Application Data\MostFunGameId.bin
2007-10-02 22:03 --------- dc----w C:\Program Files\MostFun
2007-10-02 22:03 --------- dc----w C:\Documents and Settings\All Users\Application Data\MostFun
2007-09-29 14:51 --------- dc----w C:\Program Files\Microsoft Silverlight
2007-09-27 02:31 --------- dc----w C:\Program Files\WildGames
2007-09-27 02:31 --------- dc----w C:\Documents and Settings\All Users\Application Data\WildTangent
2007-09-26 02:31 --------- dc----w C:\Program Files\7-Zip
2007-09-26 01:54 --------- dc----w C:\Program Files\Kotor Tool
2007-09-25 16:01 87,824 ----a-w C:\WINDOWS\system32\drivers\bdfndisf.sys
2007-09-19 16:12 --------- dc----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-09-19 00:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\ForgottenRiddles
2007-09-18 16:33 --------- dc----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-09-16 20:58 40,315 ----a-w C:\WINDOWS\system32\gzmrot-uninst.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-20 17:58 75,264 ----a-w C:\WINDOWS\system32\ninjaext.dll
2007-08-15 21:25 9,298,004 -c--a-w C:\Documents and Settings.zip
2007-08-15 18:24 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-06_ 1.21.11.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-03 23:46:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.exe
+ 2007-11-06 06:42:34 4,210,688 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-11-06 06:42:35 122,880 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-11-03 23:46:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.exe
+ 2007-11-06 06:42:32 4,210,688 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2007-11-06 06:42:32 122,880 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2006-11-29 22:21:29 370,688 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2006-01-09 14:36:06 40,960 ----a-w C:\WINDOWS\system32\swsc.exe
- 2006-12-01 10:20:32 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2006-12-01 10:20:34 79,360 ----a-w C:\WINDOWS\system32\swxcacls.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30b78439-59c5-4d30-8bf2-69d7595f6c86}]
C:\WINDOWS\system32\kxrgyytx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6d866211-621e-4ea0-87dc-129f1cf34ed8}]
C:\WINDOWS\system32\epojgfu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7098793B-FC9F-45F7-9AA6-C662F599E32B}]
C:\Program Files\MSN Gaming Zone\lagubikab332.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-06 13:28 145984 --a------ C:\WINDOWS\system32\qtzikieg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC73622-F72D-4277-803C-D65565A0947F}]
2007-11-05 18:59 35328 --a------ C:\WINDOWS\system32\nnnkigh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4E375CA-DB09-4623-8EDE-90F8CB6AB79B}]
C:\Program Files\Online Services\hotehyj83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED5D513E-0D23-445B-B6FC-B66812BE01BC}]
C:\Program Files\Online Services\hotehyj4444.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{381FFDE8-2394-4f90-B10D-FC6124A40F8C}"= C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll [2007-10-02 11:38 91432]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\qtzikieg.dll [2007-11-06 13:28 145984]

[HKEY_CLASSES_ROOT\CLSID\{381FFDE8-2394-4f90-B10D-FC6124A40F8C}]
[HKEY_CLASSES_ROOT\BitDefender Toolbar]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\qtzikieg.dll [2007-11-06 13:28 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 05:23]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 17:22]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 17:19]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-11 00:10]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.exe" [2004-06-16 01:17]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-11 21:37]
"{47-7A-A0-01-ZN}"="C:\Documents and Settings\DJ\Local Settings\Temp\TIP2D002.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-08-27 15:24]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]
"c4f47aae"="C:\WINDOWS\system32\yfrcwnhy.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"PaSystem"="C:\Program Files\pasystem\pasystem.exe" []
"Aim6"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk.disabled [2007-08-13 12:22:05]
Adobe Reader Speed Launch.lnk.disabled [2007-03-05 05:02:57]
HPAiODevice(hp officejet v series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe [2002-04-25 21:43:32]
Kodak EasyShare software.lnk.disabled [2006-11-15 07:46:29]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 04:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BCC73622-F72D-4277-803C-D65565A0947F}"= C:\WINDOWS\system32\nnnkigh.dll [2007-11-05 18:59 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nksjmctd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkigh]
nnnkigh.dll 2007-11-05 18:59 35328 C:\WINDOWS\system32\nnnkigh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qtzikieg]
qtzikieg.dll 2007-11-06 13:28 145984 C:\WINDOWS\system32\qtzikieg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geede.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe"
"win32060943-99061"=C:\WINDOWS\win32060943-99061.exe
"tgcmd"=C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
"sys030610943-99"=C:\WINDOWS\sys030610943-99.exe
"Persistence"=C:\WINDOWS\system32\igfxpers.exe
"ms060943-99061"=C:\WINDOWS\ms060943-99061.exe


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan

.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 16:53:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 23:45:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-07 23:48:15 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-06 01:24
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:35 AM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {68c6f595-7d96-2fb8-03d4-5c9593487b03} - {30b78439-59c5-4d30-8bf2-69d7595f6c86} - C:\WINDOWS\system32\kxrgyytx.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6d866211-621e-4ea0-87dc-129f1cf34ed8} - C:\WINDOWS\system32\epojgfu.dll (file missing)
O2 - BHO: 0 - {7098793B-FC9F-45F7-9AA6-C662F599E32B} - C:\Program Files\MSN Gaming Zone\lagubikab332.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\qtzikieg.dll
O2 - BHO: (no name) - {BCC73622-F72D-4277-803C-D65565A0947F} - C:\WINDOWS\system32\nnnkigh.dll
O2 - BHO: (no name) - {E4E375CA-DB09-4623-8EDE-90F8CB6AB79B} - C:\Program Files\Online Services\hotehyj83122.dll (file missing)
O2 - BHO: (no name) - {ED5D513E-0D23-445B-B6FC-B66812BE01BC} - C:\Program Files\Online Services\hotehyj4444.dll (file missing)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\qtzikieg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [{47-7A-A0-01-ZN}] C:\Documents and Settings\DJ\Local Settings\Temp\TIP2D002.exe P2D002
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [c4f47aae] rundll32.exe "C:\WINDOWS\system32\yfrcwnhy.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PaSystem] "C:\Program Files\pasystem\pasystem.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySp...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O20 - Winlogon Notify: nksjmctd - C:\WINDOWS\
O20 - Winlogon Notify: nnnkigh - C:\WINDOWS\SYSTEM32\nnnkigh.dll
O20 - Winlogon Notify: qtzikieg - C:\WINDOWS\SYSTEM32\qtzikieg.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 7396 bytes


0


Response Number 6
Name: jabuck
Date: November 8, 2007 at 05:22:03 Pacific
Reply:

Please go to start > control panel > add/remove programs and uninstall this program:

LimeWire

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Owner\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\nksjmctd.dllbox
C:\WINDOWS\system32\qrutv.bak1
C:\WINDOWS\system32\qrutv.bak2
C:\WINDOWS\system32\qrutv.ini
C:\WINDOWS\system32\qrutv.ini2
C:\WINDOWS\system32\vturq.dll
C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\qtzikieg.dllbox
C:\WINDOWS\system32\qtzikieg.dll
C:\WINDOWS\system32\xqccayhh.exe
C:\WINDOWS\system32\sxynfpcv.dll
C:\WINDOWS\system32\mclvklmj.dll
C:\WINDOWS\system32\nlnicnjd.dll
C:\WINDOWS\system32\nksjmctd.dll
C:\WINDOWS\system32\nnnkigh.dll
C:\WINDOWS\system32\nksjmctd.dll
C:\WINDOWS\system32\yfrcwnhy.dll
C:\Program Files\pasystem\pasystem.exe
C:\4039.bat
C:\z.dat

Folder::
C:\WINDOWS\system32\Mz18r
C:\Temp\mZOr
C:\Program Files\pasystem

Drivers::
nksjmctd
nnnkigh
qtzikieg

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30b78439-59c5-4d30-8bf2-69d7595f6c86}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6d866211-621e-4ea0-87dc-129f1cf34ed8}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7098793B-FC9F-45F7-9AA6-C662F599E32B}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC73622-F72D-4277-803C-D65565A0947F}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4E375CA-DB09-4623-8EDE-90F8CB6AB79B}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED5D513E-0D23-445B-B6FC-B66812BE01BC}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nksjmctd]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkigh]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qtzikieg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BCC73622-F72D-4277-803C-D65565A0947F}"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"win32060943-99061"=-
"sys030610943-99"=-
"ms060943-99061"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto-start, click "run".

Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items if found and press "fix checked".

O2 - BHO: {68c6f595-7d96-2fb8-03d4-5c9593487b03} - {30b78439-59c5-4d30-8bf2-69d7595f6c86} - C:\WINDOWS\system32\kxrgyytx.dll (file missing)

O2 - BHO: (no name) - {6d866211-621e-4ea0-87dc-129f1cf34ed8} - C:\WINDOWS\system32\epojgfu.dll (file missing)

O2 - BHO: 0 - {7098793B-FC9F-45F7-9AA6-C662F599E32B} - C:\Program Files\MSN Gaming Zone\lagubikab332.dll (file missing)

O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\qtzikieg.dll

O2 - BHO: (no name) - {BCC73622-F72D-4277-803C-D65565A0947F} - C:\WINDOWS\system32\nnnkigh.dll

O2 - BHO: (no name) - {E4E375CA-DB09-4623-8EDE-90F8CB6AB79B} - C:\Program Files\Online Services\hotehyj83122.dll (file missing)

O2 - BHO: (no name) - {ED5D513E-0D23-445B-B6FC-B66812BE01BC} - C:\Program Files\Online Services\hotehyj4444.dll (file missing)

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\qtzikieg.dll

O4 - HKLM\..\Run: [{47-7A-A0-01-ZN}] C:\Documents and Settings\DJ\Local Settings\Temp\TIP2D002.exe P2D002

O4 - HKLM\..\Run: [c4f47aae] rundll32.exe "C:\WINDOWS\system32\yfrcwnhy.dll",b

O4 - HKCU\..\Run: [PaSystem] "C:\Program Files\pasystem\pasystem.exe"

O20 - Winlogon Notify: nksjmctd - C:\WINDOWS\

O20 - Winlogon Notify: nnnkigh - C:\WINDOWS\SYSTEM32\nnnkigh.dll

O20 - Winlogon Notify: qtzikieg - C:\WINDOWS\SYSTEM32\qtzikieg.dll

Exit Hijack This.

Please download ATF-Cleaner to your desktop from this link:
http://www.atribune.org/content/view/19/2/ (we will need it later in Safe Mode).

Next, please reboot your computer in Safe Mode by doing the following:

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Run ATF-Cleaner from Safe Mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All.
Click the Empty Selected button.

Post a new Combofix log and a new Hijack This log please.


0
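The O2/O3/O4/O20 entries jabuck singles out above follow a few recognizable patterns, and they can be screened mechanically before a person looks at the log. The following is an added example written for this thread; it is not code from the thread, from the helper, or from Trend Micro's HijackThis. It assumes a short allowlist of Windows XP Winlogon Notify handlers (treat that list as an assumption and build your own from a clean machine) and uses sample lines copied from the HijackThis log posted above, with a few benign entries kept so the filter has something to leave alone.

```python
"""Triage of HijackThis log entries (added example, not HijackThis code).

Screens the O2/O3/O4/O20 lines of a HijackThis log for the patterns that
were fixed in this thread: BHOs whose DLL is missing or that are unnamed
and load from system32, IE toolbars shipped in system32, Run entries that
start from a Temp folder or via rundll32, and Winlogon Notify handlers
that are not part of the XP baseline.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, plus benign entries (Adobe, Spybot, BitDefender, AntiVir).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {68c6f595-7d96-2fb8-03d4-5c9593487b03} - {30b78439-59c5-4d30-8bf2-69d7595f6c86} - C:\WINDOWS\system32\kxrgyytx.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\qtzikieg.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\qtzikieg.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [{47-7A-A0-01-ZN}] C:\Documents and Settings\DJ\Local Settings\Temp\TIP2D002.exe P2D002
O4 - HKLM\..\Run: [c4f47aae] rundll32.exe "C:\WINDOWS\system32\yfrcwnhy.dll",b
O20 - Winlogon Notify: nksjmctd - C:\WINDOWS\
O20 - Winlogon Notify: nnnkigh - C:\WINDOWS\SYSTEM32\nnnkigh.dll
"""

# Winlogon Notify handlers that ship with Windows XP SP2 (assumption: a
# short lowercase allowlist; compare against your own clean baseline).
XP_NOTIFY_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

GUID = r"\{[0-9A-Fa-f-]{36}\}"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + GUID + r") - (?P<path>.*)$")
TOOLBAR_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>" + GUID + r") - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass
class Finding:
    kind: str    # HijackThis section: O2, O3, O4 or O20
    entry: str   # the log line as written
    reason: str  # why it was flagged


def check_bho(name, path):
    p = path.lower()
    if "(file missing)" in p:
        return "BHO is registered but its DLL is gone (orphaned or self-deleting component)"
    if name == "(no name)" and "\\system32\\" in p:
        return "unnamed BHO loading straight from system32"
    return None


def check_toolbar(path):
    if "\\system32\\" in path.lower():
        return "IE toolbar DLL living in system32 instead of a vendor folder"
    return None


def check_run(cmd):
    c = cmd.lower()
    if "\\temp\\" in c:
        return "autostart launches an executable from a Temp folder"
    if c.startswith("rundll32") and "\\system32\\" in c:
        return "rundll32 loads a DLL from system32 at every logon"
    return None


def check_notify(name, path):
    if name.lower() in XP_NOTIFY_BASELINE:
        return None
    if not path.lower().endswith(".dll"):
        return "Winlogon Notify handler registered without a DLL path"
    return "Winlogon Notify handler outside the XP baseline"


# Each line belongs to exactly one section, so the first matching pattern wins.
CHECKS = [
    ("O2", BHO_RE, lambda m: check_bho(m["name"], m["path"])),
    ("O3", TOOLBAR_RE, lambda m: check_toolbar(m["path"])),
    ("O4", RUN_RE, lambda m: check_run(m["cmd"])),
    ("O20", NOTIFY_RE, lambda m: check_notify(m["name"], m["path"])),
]


def triage(log_text):
    """Return the suspicious entries of a HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for kind, pattern, check in CHECKS:
            m = pattern.match(line)
            if not m:
                continue
            reason = check(m)
            if reason:
                findings.append(Finding(kind, line, reason))
            break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.entry}")
```

Run against the sample it flags exactly the seven entries that were checked in HijackThis above and leaves the Adobe, Spybot, BitDefender and AntiVir lines alone. The rules are deliberately narrow (a "(no name)" BHO in a vendor folder such as Spybot's SDHelper.dll is not flagged); anything the script reports still needs a person to confirm before it is removed.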

Response Number 7
Name: Myrrdin
Date: November 8, 2007 at 07:02:17 Pacific
Reply:

OK, here are the reports after I did all the above things.


ComboFix 07-11-01.1** - Owner 2007-11-08 9:53:27.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.234 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-08 00:01 <DIR> d----c--- C:\Program Files\Common Files\Java
2007-11-07 13:46 <DIR> d----c--- C:\Program Files\Trend Micro
2007-11-07 00:09 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-07 00:09 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-07 00:09 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-07 00:09 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-07 00:09 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-06 01:55 <DIR> d-------- C:\Documents and Settings\Owner\DoctorWeb
2007-11-06 01:42 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-06 00:34 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-05 22:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Bitdefender
2007-11-05 22:21 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\BitDefender
2007-11-05 19:31 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-11-05 19:27 <DIR> d----c--- C:\Program Files\BitDefender
2007-11-05 19:21 <DIR> d----c--- C:\Program Files\Common Files\BitDefender
2007-11-05 19:02 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-05 18:58 <DIR> d----c--- C:\Temp
2007-11-05 18:55 <DIR> d-------- C:\Documents and Settings\Owner\Shared
2007-11-05 18:55 <DIR> d-------- C:\Documents and Settings\Owner\Incomplete
2007-11-05 18:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2007-11-05 17:50 <DIR> d----c--- C:\Program Files\Enigma Software Group
2007-10-22 23:45 <DIR> d----c--- C:\Program Files\Microsoft Games
2007-10-22 22:27 <DIR> d----c--- C:\Program Files\Freeciv-2.0.9-gtk2
2007-10-21 22:26 <DIR> d----c--- C:\Program Files\GameTap
2007-10-21 22:26 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\GameTap
2007-10-18 12:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Legends of pirates
2007-10-10 02:01 <DIR> d----c--- C:\99a0f02497cbf1daf58b

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 14:11 --------- dc----w C:\Program Files\LimeWire
2007-11-08 05:02 --------- dc----w C:\Program Files\Java
2007-11-08 04:27 3,092 ----a-w C:\WINDOWS\system32\tmp.reg
2007-11-06 04:42 --------- dc----w C:\Program Files\psdriver
2007-11-06 00:19 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-04 19:11 --------- dc----w C:\Program Files\Doras Carnival 2 At the Boardwalk
2007-10-30 21:00 79,875 ----a-w C:\WINDOWS\system32\adssite-remove.exe
2007-10-29 20:59 --------- dc----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-10-04 16:04 --------- dc----w C:\Program Files\Lit and LA
2007-10-04 16:03 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2007-10-03 16:35 110 -c--a-w C:\Documents and Settings\All Users\Application Data\MostFunGameId.bin
2007-10-02 22:03 --------- dc----w C:\Program Files\MostFun
2007-09-29 14:51 --------- dc----w C:\Program Files\Microsoft Silverlight
2007-09-27 02:31 --------- dc----w C:\Program Files\WildGames
2007-09-27 02:31 --------- dc----w C:\Documents and Settings\All Users\Application Data\WildTangent
2007-09-26 02:31 --------- dc----w C:\Program Files\7-Zip
2007-09-26 01:54 --------- dc----w C:\Program Files\Kotor Tool
2007-09-25 16:01 87,824 ----a-w C:\WINDOWS\system32\drivers\bdfndisf.sys
2007-09-19 16:12 --------- dc----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-09-19 00:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\ForgottenRiddles
2007-09-18 16:33 --------- dc----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-09-16 20:58 40,315 ----a-w C:\WINDOWS\system32\gzmrot-uninst.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-20 17:58 75,264 ----a-w C:\WINDOWS\system32\ninjaext.dll
2007-08-15 21:25 9,298,004 -c--a-w C:\Documents and Settings.zip
2007-08-15 18:24 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-06_ 1.21.11.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-03 23:46:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.exe
+ 2007-11-06 06:42:34 4,210,688 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-11-06 06:42:35 122,880 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-11-03 23:46:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.exe
+ 2007-11-06 06:42:32 4,210,688 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2007-11-06 06:42:32 122,880 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-11-08 06:05:48 24,576 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\cc819954\1b6ebfc6\7bl2f0-u.dll
+ 2007-11-08 06:14:11 3,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\cc819954\1b6ebfc6\hc-6n_t8.dll
+ 2007-11-08 06:05:46 4,096 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\cc819954\1b6ebfc6\wvoosgnp.dll
- 2006-12-15 08:30:58 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2006-12-15 08:31:06 53,346 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2006-12-15 10:09:14 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2006-11-29 22:21:29 370,688 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2006-01-09 14:36:06 40,960 ----a-w C:\WINDOWS\system32\swsc.exe
- 2006-12-01 10:20:32 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2006-12-01 10:20:34 79,360 ----a-w C:\WINDOWS\system32\swxcacls.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{381FFDE8-2394-4f90-B10D-FC6124A40F8C}"= C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll [2007-10-02 11:38 91432]

[HKEY_CLASSES_ROOT\CLSID\{381FFDE8-2394-4f90-B10D-FC6124A40F8C}]
[HKEY_CLASSES_ROOT\BitDefender Toolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 17:22]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 17:19]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-11 00:10]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.exe" [2004-06-16 01:17]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-11 21:37]
"{47-7A-A0-01-ZN}"="C:\Documents and Settings\DJ\Local Settings\Temp\TIP2D002.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-08-27 15:24]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"Aim6"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk.disabled [2007-08-13 12:22:05]
Adobe Reader Speed Launch.lnk.disabled [2007-03-05 05:02:57]
HPAiODevice(hp officejet v series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe [2002-04-25 21:43:32]
Kodak EasyShare software.lnk.disabled [2006-11-15 07:46:29]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 04:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe"
"tgcmd"=C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
"Persistence"=C:\WINDOWS\system32\igfxpers.exe


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan

.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 16:53:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 09:56:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-08 9:56:59
C:\ComboFix2.txt ... 2007-11-08 09:39
C:\ComboFix3.txt ... 2007-11-07 23:48
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:17 AM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [{47-7A-A0-01-ZN}] C:\Documents and Settings\DJ\Local Settings\Temp\TIP2D002.exe P2D002
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySp...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 6151 bytes


0

Response Number 8
Name: jabuck
Date: November 8, 2007 at 07:19:42 Pacific
Reply:

That looks a lot better; it probably entered your computer through LimeWire and the out-of-date Java. One file left to remove.

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\ninjaext.dll


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto-start, click "run".

Empty the restore folder. Go to start > control panel > system > system restore tab > check the box beside "turn off system restore" > apply (takes a minute) > ok. Go back and uncheck the box to turn system restore back on > apply > ok.

How is the computer operating?


0

Response Number 9
Name: Myrrdin
Date: November 8, 2007 at 12:20:27 Pacific
Reply:

Thank you so much. Since the last post I haven't had any problems; the computer seems to be running faster and I haven't had a pop-up for hours now. Do you need the last ComboFix log after I removed the C:\WINDOWS\system32\ninjaext.dll?


0

Response Number 10
Name: jabuck
Date: November 8, 2007 at 12:30:40 Pacific
Reply:

No, I don't think we need it.

Glad we could help.


0
