[AnthonyJ]

i was told to post this here, ive had 2 bsod of this to come up
STOP: 0x000000D1 (0xFF621894, 0x00000002, 0x00000000, oxFAE7638D)
GRTDIMON.sys - Address FAE7638D base at FAE74000

so i was told to run the hijackthis
here is what i get

Logfile of HijackThis v1.99.1
Scan saved at 11:51:29 AM, on 11/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bradley\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {27B0B285-F4E0-01EB-B9E9-01ACF29A6D4C} - C:\WINDOWS\System32\nkpxykc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\System32\ixt1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [strtas] lo71.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [mgsionf.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\mgsionf.dll,gchxgwe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://secure.gestrip.com (HKLM)
O15 - Trusted Zone: http://update.randhi.com (HKLM)
O16 - DPF: {04546883-843B-6125-4C95-03C447675EE9} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {1EFC064C-8C69-7164-5933-365F0039C766} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {33331111-1111-1111-1111-611111193423} - http://www.www2.p0rt...m/files/777.cab
O16 - DPF: {33331111-1111-1111-1111-611111193429} - http://www.www2.p0rt...les/_ipsec_.cab
O16 - DPF: {33331111-1234-1111-1111-615111193427} - http://www.www2.p0rt...les/epl99bd.cab
O16 - DPF: {53B6577D-EEC3-20D1-FFF1-791C5276D1FC} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {5DF49CF0-9577-2877-072C-24BB23C3FD0A} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {7C67CADC-914C-52D5-9449-29D221917F9B} - http://85.255.113.214/1/gdnUS2218.exe
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O21 - SSODL: fairydom - {5839511e-ec1b-4f91-ace3-fb88e52f5239} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

[Advertisements]

Hi AnthonyJ and Welcome to GeekstoGo!


Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

[Wizard]

Hi AnthonyJ and Welcome to GeekstoGo!


Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

[AnthonyJ]

SmitFraudFix v2.120

Scan done at 22:15:45.29, Fri 11/10/2006
Run from C:\Documents and Settings\Bradley\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bradley


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bradley\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BRADLEY\FAVORI~1

C:\DOCUME~1\BRADLEY\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://lib.store.yah...168/spycam.jpg"
"SubscribedURL"="http://lib.store.yah...168/spycam.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://myspace-091.v...23385091_l.jpg"
"SubscribedURL"="http://myspace-091.v...23385091_l.jpg"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"fairydom"="{5839511e-ec1b-4f91-ace3-fb88e52f5239}"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

[Wizard]

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.


After posting C:\rapport.txt,Please download Combofix to your desktop.
http://download.blee...Bs/combofix.exe

Doubleclick combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt

Please post that log in the next reply.

[AnthonyJ]

SmitFraudFix v2.120

Scan done at 23:06:34.13, Fri 11/10/2006
Run from C:\Documents and Settings\Bradley\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"fairydom"="{5839511e-ec1b-4f91-ace3-fb88e52f5239}"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ixt?.dll Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\WINDOWS\system32\components\flx??.dll Deleted
C:\DOCUME~1\BRADLEY\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

[Wizard]

Looking good so far,lets see the ComboFix results when your ready.

[AnthonyJ]

Anthony - 06-11-11 8:17:07.77 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Bradley\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.comC:\Program Files\Common Files\inetget
C:\Program Files\quick links
C:\Program Files\winupdates
C:\WINDOWS\system32\components
C:\Program Files\Common Files\inetget


((((((((((((((((((((((((((((((( Files Created from 2006-10-11 to 2006-11-11 ))))))))))))))))))))))))))))))))))


2006-11-10 23:06 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-10 23:06 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-10 23:06 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-10 23:06 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-11-10 22:15 1,302 --a------ C:\WINDOWS\system32\tmp.reg
2006-10-21 04:52 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-10-19 19:40 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll
2006-10-19 19:40 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2006-10-19 19:40 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll
2006-10-19 19:40 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2006-10-19 19:38 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2006-10-19 19:38 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2006-10-19 19:37 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll
2006-10-19 19:37 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll
2006-10-19 19:37 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll
2006-10-19 19:37 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll
2006-10-19 19:37 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll
2006-10-19 19:37 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll
2006-10-19 19:37 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll
2006-10-19 19:37 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll
2006-10-19 19:37 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll
2006-10-19 19:37 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2006-10-19 19:34 76,288 --a------ C:\WINDOWS\system32\uniime.dll
2006-10-19 19:34 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll
2006-10-19 19:33 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2006-10-19 19:30 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2006-10-19 19:30 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2006-10-19 19:30 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2006-10-19 19:30 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2006-10-19 19:30 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2006-10-19 19:30 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2006-10-19 18:07 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-10-19 16:49 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-10-19 16:29 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2006-10-19 16:29 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2006-10-19 16:29 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2006-10-19 16:29 41,240 --a------ C:\WINDOWS\system32\wups.dll
2006-10-19 16:29 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-10-19 16:29 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-10-19 16:29 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2006-10-19 16:28 23,040 --a------ C:\WINDOWS\system32\fltMc.exe
2006-10-19 16:28 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-10-19 16:28 128,896 --a------ C:\WINDOWS\system32\drivers\fltMgr.sys
2006-10-19 16:17 7,168 --a------ C:\WINDOWS\system32\wamregps.dll
2006-10-19 16:17 3,584 --a------ C:\WINDOWS\system32\iismui.dll
2006-10-19 16:17 19,968 --a------ C:\WINDOWS\system32\inetsloc.dll
2006-10-19 16:16 9,728 --a------ C:\WINDOWS\system32\rwnh.dll
2006-10-19 16:16 8,192 --a------ C:\WINDOWS\system32\staxmem.dll
2006-10-19 16:16 68,608 --a------ C:\WINDOWS\system32\iisext.dll
2006-10-19 16:16 64,512 --a------ C:\WINDOWS\system32\iismap.dll
2006-10-19 16:16 43,520 --a------ C:\WINDOWS\system32\admwprox.dll
2006-10-19 16:16 290,816 --a------ C:\WINDOWS\system32\adsiis.dll
2006-10-19 16:16 14,336 --a------ C:\WINDOWS\system32\exstrace.dll
2006-10-19 16:16 133,632 --a------ C:\WINDOWS\system32\iisRtl.dll
2006-10-19 16:16 13,312 --a------ C:\WINDOWS\system32\infoadmn.dll
2006-10-19 16:16 10,752 --a------ C:\WINDOWS\system32\smtpapi.dll
2006-10-19 16:13 87,424 --a------ C:\WINDOWS\system32\drivers\irda.sys
2006-10-19 16:13 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2006-10-19 16:13 28,160 --a------ C:\WINDOWS\system32\irmon.dll
2006-10-19 16:13 151,552 --a------ C:\WINDOWS\system32\irftp.exe
2006-10-19 16:02 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys
2006-10-19 15:52 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-10-19 15:52 13,312 --a------ C:\WINDOWS\system32\irclass.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-07 14:43 -------- d-------- C:\Documents and Settings\Bradley\Application Data\Apple Computer
2006-10-28 22:31 -------- d-------- C:\Program Files\Common Files\Java
2006-10-25 16:04 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-22 01:57 -------- d-------- C:\Program Files\Save Flash
2006-10-19 21:43 -------- d-------- C:\Program Files\MSXML 4.0
2006-10-19 16:19 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-10-19 16:19 -------- d-------- C:\Program Files\Messenger
2006-10-11 10:43 -------- d-------- C:\Documents and Settings\Bradley\Application Data\InterTrust
2006-10-10 18:19 -------- d-------- C:\Documents and Settings\Bradley\Application Data\Google
2006-10-10 18:18 -------- d-------- C:\Program Files\Google
2006-10-10 15:10 325 --a------ C:\WINDOWS\initialize.bat
2006-10-10 14:48 -------- d-------- C:\Program Files\Netopia
2006-10-09 14:59 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-10-09 09:25 77 --a------ C:\CONFIG.SYS
2006-10-09 09:03 -------- d-------- C:\Program Files\PC Accelerator Professional
2006-10-06 15:19 -------- d-------- C:\Program Files\WinRAR
2006-10-06 10:34 -------- d-------- C:\Documents and Settings\Bradley\Application Data\WinPatrol
2006-10-03 21:41 -------- d-------- C:\Documents and Settings\Bradley\Application Data\Mozilla
2006-10-03 18:00 -------- d-------- C:\Documents and Settings\Bradley\Application Data\Adobe
2006-10-03 15:19 -------- d-------- C:\Program Files\Zero Knowledge
2006-10-03 12:23 -------- d-------- C:\Program Files\directx
2006-09-20 22:11 -------- d-------- C:\Program Files\JavaSoft
2006-09-20 22:10 -------- d-------- C:\Program Files\Viewpoint
2006-09-20 22:09 8552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
2006-09-20 22:08 -------- d-------- C:\Program Files\Real
2006-09-18 21:58 -------- d-------- C:\Program Files\Microsoft Games
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 17:51 1245184 --a------ C:\WINDOWS\system32\msxml4.dll
2006-09-01 12:08 1334032 --a------ C:\WINDOWS\system32\msxml6.dll
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"strtas"="lo71.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"FRISK FP-Scheduler"="C:\\Program Files\\FSI\\F-Prot\\F-Sched.exe STARTUP"
"F-StopW"="C:\\Program Files\\FSI\\F-Prot\\F-StopW.EXE"
"mgsionf.dll"="C:\\WINDOWS\\System32\\rundll32.exe C:\\WINDOWS\\System32\\mgsionf.dll,gchxgwe"
"WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe"
"PCPerf"=""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"=dword:00000000
"NoConfigPage"=dword:00000000
"NoVirtMemPage"=dword:00000000
"NoDevMgrPage"=dword:00000000
"DisableLockWorkstation"=dword:00000000
"NoCommonGroups"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"MemCheckBoxInRunDlg"=dword:00000000
"NoStrCmpLogical"=dword:00000000
"NoControlPanel"=dword:00000000
"NoRecentDocsHistory"=dword:00000000
"ClearRecentDocsOnExit"=dword:00000000
"NoSMHelp"=dword:00000000
"NoInternetIcon"=dword:00000000
"NoDesktop"=dword:00000000
"NoFavoritesMenu"=dword:00000000
"NoLogOff"=dword:00000000
"NoRecentDocsMenu"=dword:00000000
"NoResolveTrack"=dword:00000001
"NoInstrumentation"=dword:00000000
"NoRun"=dword:00000000
"NoStartBanner"=hex:01,00,00,00
"NoFileUrl"=dword:00000000
"NoSimpleStartMenu"=dword:00000000
"NoStartMenuMFUprogramsList"=dword:00000000
"NoStartMenuMorePrograms"=dword:00000000
"NoDFSTab"=dword:00000000
"NoSecurityTab"=dword:00000000
"NoHardwareTab"=dword:00000000
"NoResolveSearch"=dword:00000000
"NoSMConfigurePrograms"=dword:00000000
"NoSharedDocuments"=dword:00000000
"NoTrayContextMenu"=dword:00000000
"LockTaskbar"=dword:00000000
"NoTrayItemsDisplay"=dword:00000000
"NoToolbarsOnTaskbar"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"RunStartupScriptSync"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"=dword:00000000
"NoStrCmpLogical"=dword:00000000
"NoLowDiskSpaceChecks"=dword:00000000
"NoChangeKeyboardNavigationIndicators"=dword:00000000
"NoSMConfigurePrograms"=dword:00000000
"NoSharedDocuments"=dword:00000000
"NoTrayContextMenu"=dword:00000000
"LockTaskbar"=dword:00000000
"NoTrayItemsDisplay"=dword:00000000
"NoUserNameInStartMenu"=dword:00000000
"NoSetTaskbar"=dword:00000000
"NoStartMenuEjectPC"=dword:00000000
"StartMenuLogoff"=dword:00000000
"ForceStartMenuLogoff"=dword:00000000
"NoRecentDocsNetHood"=dword:00000000
"NoStartMenuNetworkPlaces"=dword:00000000
"NoNetworkConnections"=dword:00000000
"DisablePersonalDirChange"=dword:00000000
"DisableMyPicturesDirChange"=dword:00000000
"DisableMyMusicDirChange"=dword:00000000
"DisableFavoritesDirChange"=dword:00000000
"NoSMMyDocs"=dword:00000000
"NoWindowsUpdate"=dword:00000000
"GreyMSIAds"=dword:00000000
"NoStartMenuPinnedList"=dword:00000000
"NoPropertiesRecycleBin"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"SystemCheck2"="{54645654-2225-4455-44A1-9F4543D34546}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-11 19:55:13.45
C:\ComboFix.txt ... 06-11-11 19:55

Edited by AnthonyJ, 11 November 2006 - 07:01 PM.

[Wizard]

Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

O2 - BHO: (no name) - {27B0B285-F4E0-01EB-B9E9-01ACF29A6D4C} - C:\WINDOWS\System32\nkpxykc.dll (file missing)

O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\System32\ixt1.dll (file missing)

O4 - HKLM\..\Run: [strtas] lo71.exe

O4 - HKLM\..\Run: [mgsionf.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\mgsionf.dll,gchxgwe

O4 - Startup: PowerReg Scheduler V3.exe

O16 - DPF: {04546883-843B-6125-4C95-03C447675EE9} - http://85.255.113.214/1/gdnUS2218.exe

O16 - DPF: {1EFC064C-8C69-7164-5933-365F0039C766} - http://85.255.113.214/1/gdnUS2218.exe

O16 - DPF: {33331111-1111-1111-1111-611111193423} - http://www.www2.p0rt...m/files/777.cab

O16 - DPF: {33331111-1111-1111-1111-611111193429} - http://www.www2.p0rt...les/_ipsec_.cab

O16 - DPF: {33331111-1234-1111-1111-615111193427} - http://www.www2.p0rt...les/epl99bd.cab

O16 - DPF: {53B6577D-EEC3-20D1-FFF1-791C5276D1FC} - http://85.255.113.214/1/gdnUS2218.exe

O16 - DPF: {5DF49CF0-9577-2877-072C-24BB23C3FD0A} - http://85.255.113.214/1/gdnUS2218.exe

O16 - DPF: {7C67CADC-914C-52D5-9449-29D221917F9B} - http://85.255.113.214/1/gdnUS2218.exe

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button



Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

• Follow the Instruction on the F-Secure page for proper installation.
• Accept the License Agreement.
• Once the ActiveX installs,Click Full System Scan
• Once the download completes,the scan will begin automatically.
• The scan will take some time to finish,so please be patient.
• When the scan completes, click the Automatic cleaning (recommended) button.
• Click the Show Report button and Copy&Paste the entire report in your next reply.

[AnthonyJ]

Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

O2 - BHO: (no name) - {27B0B285-F4E0-01EB-B9E9-01ACF29A6D4C} - C:\WINDOWS\System32\nkpxykc.dll (file missing)

O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\System32\ixt1.dll (file missing)

O4 - HKLM\..\Run: [strtas] lo71.exe

O4 - HKLM\..\Run: [mgsionf.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\mgsionf.dll,gchxgwe

O4 - Startup: PowerReg Scheduler V3.exe

O16 - DPF: {04546883-843B-6125-4C95-03C447675EE9} - http://85.255.113.214/1/gdnUS2218.exe

O16 - DPF: {1EFC064C-8C69-7164-5933-365F0039C766} - http://85.255.113.214/1/gdnUS2218.exe

O16 - DPF: {33331111-1111-1111-1111-611111193423} - http://www.www2.p0rt...m/files/777.cab

O16 - DPF: {33331111-1111-1111-1111-611111193429} - http://www.www2.p0rt...les/_ipsec_.cab

O16 - DPF: {33331111-1234-1111-1111-615111193427} - http://www.www2.p0rt...les/epl99bd.cab

O16 - DPF: {53B6577D-EEC3-20D1-FFF1-791C5276D1FC} - http://85.255.113.214/1/gdnUS2218.exe

O16 - DPF: {5DF49CF0-9577-2877-072C-24BB23C3FD0A} - http://85.255.113.214/1/gdnUS2218.exe

O16 - DPF: {7C67CADC-914C-52D5-9449-29D221917F9B} - http://85.255.113.214/1/gdnUS2218.exe

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button



Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

• Follow the Instruction on the F-Secure page for proper installation.
• Accept the License Agreement.
• Once the ActiveX installs,Click Full System Scan
• Once the download completes,the scan will begin automatically.
• The scan will take some time to finish,so please be patient.
• When the scan completes, click the Automatic cleaning (recommended) button.
• Click the Show Report button and Copy&Paste the entire report in your next reply.

keeps bringing up error id 24

[Wizard]

keeps bringing up error id 24

What keeps generating that error??

F-Secure??


Try this scanner,Please run the Bit Defender Online Scan
http://www.bitdefend...m/scan8/ie.html

You must use Internet Explorer for this scanner.

Install the ActiveX and Click on "Click here to Scan"

Allow it to update and Scan the Machine.

It should disinfect or delete whatever it finds that is infected.

Save the report in generates in a text format please and post it back here

[AnthonyJ]

BitDefender Online Scanner - Real Time Virus Report
Generated at: Mon, Nov 13, 2006 - 16:37:28


Scan Info


Scanned Files
103569

Infected Files
2

Virus Detected

Trojan.Dagonit.INF
1

GenPack:Generic.Malware.Yd.4C88593A
1

[Wizard]

Was there anything else to the log?

[AnthonyJ]

that was all

[Wizard]

One more scan please.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  Extended (if available otherwise Standard)
  
  • Scan Options:
  Scan Archives
  Scan Mail Bases
• Click OK
• Now under select a target to scan:Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

[AnthonyJ]

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 14, 2006 6:13:42 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 14/11/2006
Kaspersky Anti-Virus database records: 241138
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 21987
Number of viruses found: 4
Number of infected objects: 13 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:19:30

Infected Object Name / Virus Name / Last Action
C:\RECYCLED\Dc2.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\RECYCLED\Dc2.zip ZIP: infected - 1 skipped
C:\ASTsetup.exe Infected: Trojan-Downloader.Win32.Small.bke skipped
C:\cxtpls_loader.exe Infected: Trojan.Win32.Crypt.t skipped
C:\small.exe/ngsh33.dll Infected: not-a-virus:AdWare.Win32.AdBlaster.b skipped
C:\small.exe/sngsh33.dll Infected: not-a-virus:AdWare.Win32.AdBlaster.b skipped
C:\small.exe SetupFactory: infected - 2 skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\Installer_3.exe/sngsh35.dll Infected: not-a-virus:AdWare.Win32.AdBlaster.b skipped
C:\WINDOWS\system32\Installer_3.exe/ngsh35.dll Infected: not-a-virus:AdWare.Win32.AdBlaster.b skipped
C:\WINDOWS\system32\Installer_3.exe SetupFactory: infected - 2 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Bradley\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bradley\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bradley\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Bradley\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Bradley\Local Settings\Application Data\Mozilla\Firefox\Profiles\0wh05f8n.default\Cache\633285D9d01/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Bradley\Local Settings\Application Data\Mozilla\Firefox\Profiles\0wh05f8n.default\Cache\633285D9d01 ZIP: infected - 1 skipped
C:\Documents and Settings\Bradley\Desktop\tools\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Bradley\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Bradley\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Bradley\ntuser.dat Object is locked skipped

Scan process completed.