Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

multiple trojans, malware, viruses, etc.

Started by anita1973 , Nov 25 2006 02:25 AM

  • This topic is locked This topic is locked

#16
Daemon
Posted 27 November 2006 - 01:13 AM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
They aren't related to Kaspersky - I don't know what they are. Let's stop them from running. Start->Run and type Services.msc then hit Ok. Scroll down and find the service called "BK Bossd". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok. Repeat for:

BK FMS
BK Logd
BK OPKB
BK ROOT
BK SIMMGR
BK SyncTime
BK Timerd
BK Vhfd
BK Vhfd_SM
BK VLmon
BK WDT
BK Web Data Source Server
BK Web Extended Data Souce Server
BK Web Trend Data Source Server

Exit your way out of there.

I'd like to see an export of your registry key:

Click Start>Run and paste the following into the box, then click OK:

regedit /e C:\Notify.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

That will export the contents of the Registry Machine Run key to a C:\Notify.txt file. Copy and paste the contents of the Notify.txt file here.
  • 0

Advertisements

#17
anita1973
Posted 27 November 2006 - 10:20 AM

anita1973

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
By the way, the computer seems to be better already. :whistling: I did everything you said. Here's the info you wanted:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
"DllName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\aqdywclx]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="aqdywclx.dll"
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\biyvkfcn]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="biyvkfcn.dll"
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bkkqnwut]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="bkkqnwut.dll"
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\elyutudy]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="elyutudy.dll"
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gkargbkc]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="gkargbkc.dll"
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iwukhwmn]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="iwukhwmn.dll"
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kyjrhyoi]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="kyjrhyoi.dll"
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lkcdmefe]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="lkcdmefe.dll"
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mcetijni]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="mcetijni.dll"
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mwssallj]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="mwssallj.dll"
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\njlrmjqn]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="njlrmjqn.dll"
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\skyctewh]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="skyctewh.dll"
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\slgkdcgc]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="slgkdcgc.dll"
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\uhhccwsc]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="uhhccwsc.dll"
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wgabvwci]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="wgabvwci.dll"
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wipixspg]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="wipixspg.dll"
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ygevlqqq]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="ygevlqqq.dll"
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"
  • 0

#18
Daemon
Posted 28 November 2006 - 01:30 AM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
I'll just check if those files are being regenerated or if it's orphan O20's we are dealing with.

Run avenger.exe by double-clicking on it.
Check the 'Input script manually' box.
Click on the magnifying glass icon.
Copy everything in the code box below (don't copy the word "CODE in the box header, just the box contents starting at Files to delete) and paste it in the box that opens:

WARNING: This script is not a general fix. If you are not this user, running this script could damage your system

Files to delete:
C:\WINNT\SYSTEM32\aqdywclx.dll
C:\WINNT\SYSTEM32\biyvkfcn.dll
C:\WINNT\SYSTEM32\elyutudy.dll
C:\WINNT\SYSTEM32\gkargbkc.dll
C:\WINNT\SYSTEM32\iwukhwmn.dll
C:\WINNT\SYSTEM32\kyjrhyoi.dll
C:\WINNT\SYSTEM32\lkcdmefe.dll
C:\WINNT\SYSTEM32\mcetijni.dll
C:\WINNT\SYSTEM32\mwssallj.dll
C:\WINNT\SYSTEM32\njlrmjqn.dll
C:\WINNT\SYSTEM32\skyctewh.dll
C:\WINNT\SYSTEM32\slgkdcgc.dll
C:\WINNT\SYSTEM32\uhhccwsc.dll
C:\WINNT\SYSTEM32\wgabvwci.dll
C:\WINNT\SYSTEM32\wipixspg.dll
C:\WINNT\SYSTEM32\ygevlqqq.dll

Now click the 'Done' button.
Click on the traffic light icon and OK the prompt.
You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it manually.

Please post a new HijackThis log and the log file from Avenger at C:\avenger.txt
  • 0

#19
anita1973
Posted 28 November 2006 - 09:23 PM

anita1973

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Here's the new avenger file results:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\quqjhhks

*******************

Script file located at: \??\C:\WINNT\afpkoxtn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\SYSTEM32\aqdywclx.dll deleted successfully.
File C:\WINNT\SYSTEM32\biyvkfcn.dll deleted successfully.
File C:\WINNT\SYSTEM32\elyutudy.dll deleted successfully.
File C:\WINNT\SYSTEM32\gkargbkc.dll deleted successfully.
File C:\WINNT\SYSTEM32\iwukhwmn.dll deleted successfully.
File C:\WINNT\SYSTEM32\kyjrhyoi.dll deleted successfully.
File C:\WINNT\SYSTEM32\lkcdmefe.dll deleted successfully.
File C:\WINNT\SYSTEM32\mcetijni.dll deleted successfully.
File C:\WINNT\SYSTEM32\mwssallj.dll deleted successfully.
File C:\WINNT\SYSTEM32\njlrmjqn.dll deleted successfully.
File C:\WINNT\SYSTEM32\skyctewh.dll deleted successfully.
File C:\WINNT\SYSTEM32\slgkdcgc.dll deleted successfully.
File C:\WINNT\SYSTEM32\uhhccwsc.dll deleted successfully.
File C:\WINNT\SYSTEM32\wgabvwci.dll deleted successfully.
File C:\WINNT\SYSTEM32\wipixspg.dll deleted successfully.
File C:\WINNT\SYSTEM32\ygevlqqq.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Here's the new hijackthis scan log:

Logfile of HijackThis v1.99.1
Scan saved at 9:44:01 PM, on 11/28/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\netdde.exe
C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\LTMSG.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Documents and Settings\Administrator\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle....bin/scraper.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: aqdywclx - C:\WINNT\SYSTEM32\aqdywclx.dll
O20 - Winlogon Notify: biyvkfcn - C:\WINNT\SYSTEM32\biyvkfcn.dll
O20 - Winlogon Notify: bkkqnwut - C:\WINNT\SYSTEM32\bkkqnwut.dll
O20 - Winlogon Notify: elyutudy - C:\WINNT\SYSTEM32\elyutudy.dll
O20 - Winlogon Notify: gkargbkc - C:\WINNT\SYSTEM32\gkargbkc.dll
O20 - Winlogon Notify: iwukhwmn - C:\WINNT\SYSTEM32\iwukhwmn.dll
O20 - Winlogon Notify: kyjrhyoi - C:\WINNT\SYSTEM32\kyjrhyoi.dll
O20 - Winlogon Notify: lkcdmefe - C:\WINNT\SYSTEM32\lkcdmefe.dll
O20 - Winlogon Notify: mcetijni - C:\WINNT\SYSTEM32\mcetijni.dll
O20 - Winlogon Notify: mwssallj - C:\WINNT\SYSTEM32\mwssallj.dll
O20 - Winlogon Notify: njlrmjqn - C:\WINNT\SYSTEM32\njlrmjqn.dll
O20 - Winlogon Notify: skyctewh - C:\WINNT\SYSTEM32\skyctewh.dll
O20 - Winlogon Notify: slgkdcgc - C:\WINNT\SYSTEM32\slgkdcgc.dll
O20 - Winlogon Notify: uhhccwsc - C:\WINNT\SYSTEM32\uhhccwsc.dll
O20 - Winlogon Notify: wgabvwci - C:\WINNT\SYSTEM32\wgabvwci.dll
O20 - Winlogon Notify: wipixspg - C:\WINNT\SYSTEM32\wipixspg.dll
O20 - Winlogon Notify: ygevlqqq - C:\WINNT\SYSTEM32\ygevlqqq.dll
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: OPCEnum (OpcEnum) - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE (file missing)
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: PI-Ping Data Measurement Program (basic version) (piping_basic) - Unknown owner - C:\Program Files\pipc\Interfaces\PING_basic\piping_basic.exe (file missing)
O23 - Service: RSLinx Enterprise (RSLinxNG) - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe" /service (file missing)
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
  • 0

#20
Daemon
Posted 29 November 2006 - 12:20 AM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Hmm... something is putting them back in. I don't know whether is being done inadvertently by your protection programs or if there's hidden malware.

Download and save blacklight to your desktop. Doubleclick blbeta.exe, accept the agreement, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones. Copy and paste the log it generated in your next reply.

Also, click here to run ActiveScan.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Paste the contents of the Panda scan report as well.
  • 0

#21
anita1973
Posted 29 November 2006 - 12:17 PM

anita1973

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Blacklight scans results:

11/29/06 11:19:48 [Info]: BlackLight Engine 1.0.47 initialized
11/29/06 11:19:48 [Info]: OS: 5.0 build 2195 (Service Pack 4)
11/29/06 11:19:48 [Note]: 7019 4
11/29/06 11:19:48 [Note]: 7005 0
11/29/06 11:19:57 [Note]: 7006 0
11/29/06 11:19:57 [Note]: 7011 3376
11/29/06 11:19:57 [Note]: 7026 0
11/29/06 11:19:58 [Note]: 7026 0
11/29/06 11:20:11 [Note]: FSRAW library version 1.7.1020
11/29/06 11:25:51 [Note]: 2000 1012
11/29/06 11:27:14 [Note]: 7007 0


ActiveScan report: (this is a cool program!) :whistling:


Incident Status Location

Adware:adware/cws.aboutblank Not disinfected c:\winnt\system32\crhz32.dll
Adware:adware/searchaid Not disinfected c:\winnt\system32\sdkjy32.exe
Spyware:spyware/smitfraud Not disinfected c:\winnt\system32\wp.bmp
Dialer:dialer.baj Not disinfected c:\eied_s7.cab
Adware:adware/antivirus-gold Not disinfected c:\winnt\screen.html
Spyware:spyware/virtumonde Not disinfected Windows Registry
Possible Virus. Not disinfected C:\!KillBox\biyvkfcn.dll
Possible Virus. Not disinfected C:\!KillBox\bkkqnwut.dll
Virus:Trj/Agent.AYW Disinfected C:\!KillBox\dekusemk.dll
Possible Virus. Not disinfected C:\!KillBox\elyutudy.dll
Possible Virus. Not disinfected C:\!KillBox\gkargbkc.dll
Possible Virus. Not disinfected C:\!KillBox\iwukhwmn.dll
Possible Virus. Not disinfected C:\!KillBox\kyjrhyoi.dll
Possible Virus. Not disinfected C:\!KillBox\lkcdmefe.dll
Possible Virus. Not disinfected C:\!KillBox\mcetijni.dll
Possible Virus. Not disinfected C:\!KillBox\mwssallj.dll
Possible Virus. Not disinfected C:\!KillBox\njlrmjqn.dll
Possible Virus. Not disinfected C:\!KillBox\skyctewh.dll
Possible Virus. Not disinfected C:\!KillBox\slgkdcgc.dll
Possible Virus. Not disinfected C:\!KillBox\uhhccwsc.dll
Possible Virus. Not disinfected C:\!KillBox\wgabvwci.dll
Possible Virus. Not disinfected C:\!KillBox\wipixspg.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\ws_3s32.dll
Possible Virus. Not disinfected C:\!KillBox\ygevlqqq.dll
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/biyvkfcn.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/elyutudy.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/gkargbkc.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/iwukhwmn.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/kyjrhyoi.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/lkcdmefe.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/mcetijni.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/mwssallj.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/njlrmjqn.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/skyctewh.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/slgkdcgc.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/uhhccwsc.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/wgabvwci.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/wipixspg.dll]
Spyware:Spyware/Virtumonde Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/ws_3s32.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/ygevlqqq.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/biyvkfcn.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/elyutudy.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/gkargbkc.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/iwukhwmn.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/kyjrhyoi.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/lkcdmefe.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/mcetijni.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/mwssallj.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/njlrmjqn.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/skyctewh.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/slgkdcgc.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/uhhccwsc.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/wgabvwci.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/wipixspg.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/ygevlqqq.dll]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@did-it[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@target[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
Spyware:Cookie/SpySheriff Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Administrator\HijackThis\backups\backup-20061125-181723-496.dll
Virus:Trojan Horse.AP3 Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\98.tmp
Virus:Trojan Horse.AP3 Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\99.tmp
Adware:Adware/Puper Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\temp.frA776
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\biyvkfcn.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\bkkqnwut.dll.Quarantined
Virus:Trj/Agent.AYW Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\dekusemk.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\elyutudy.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\gkargbkc.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\iwukhwmn.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\kyjrhyoi.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\lkcdmefe.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\mcetijni.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\mwssallj.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\njlrmjqn.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\skyctewh.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\slgkdcgc.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\uhhccwsc.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\wgabvwci.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\wipixspg.dll.Quarantined
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\ws_3s32.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\ygevlqqq.dll.Quarantined
Spyware:Cookie/Ccbill Not disinfected C:\WINNT\Cookies\administrator@ccbill[1].txt
Spyware:Cookie/Go Not disinfected C:\WINNT\Cookies\administrator@go[2].txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_animrw.log
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_beumml.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_bqcgse.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_cbenhg.txt
Virus:Bck/Haxdoor.H Disinfected C:\WINNT\n_ccnjab.dat
Virus:Bck/Haxdoor.H Disinfected C:\WINNT\n_chlcfe.log
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_cqxcwr.log
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_cznuqy.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_dcdsct.txt
Adware:Adware/SearchExe Not disinfected C:\WINNT\n_dndbqf.txt
Adware:Adware/SearchExe Not disinfected C:\WINNT\n_dqsywl.log
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_dvkhcj.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_easyzz.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_ebovcv.dat
Adware:Adware/SearchExe Not disinfected C:\WINNT\n_eetdsi.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_eiohui.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_eoevap.log
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_fafsmg.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_gagcfo.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_gdlxow.dat
Adware:Adware/Howprotect Not disinfected C:\WINNT\n_givpav.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_gmtbnk.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_gqshjx.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_gtqguz.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_hcrltf.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_hejmtq.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_hkukdy.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_iihrxk.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_iufmyc.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_iwfpvn.log
Possible Virus. Not disinfected C:\WINNT\n_jaxana.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_jnmalp.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_kdyuya.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_lbapff.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_llvnvn.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_lmmbhq.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_ltokry.log
Adware:Adware/Howprotect Not disinfected C:\WINNT\n_mamqti.log
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_mcunap.log
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_mcwray.log
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_natvem.log
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_neiywf.dat
Adware:Adware/SearchExe Not disinfected C:\WINNT\n_nkonnq.log
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_npqbtg.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_nvesdu.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_nzbumx.txt
Virus:Bck/Haxdoor.H Disinfected C:\WINNT\n_nzcigk.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_oganqg.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_omnszl.log
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_oqcdro.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_ovupug.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_ptkdvx.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_ptohhf.log
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_pzwurd.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_qdjmov.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_rdyfyt.dat
Adware:Adware/SearchExe Not disinfected C:\WINNT\n_rhdccq.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_rmhsxc.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_rwykix.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_sgppuz.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_sioolm.log
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_sjoiij.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_stgvdt.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_tjksie.log
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_ujpuoj.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_utorij.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_vawssf.txt
Possible Virus. Not disinfected C:\WINNT\n_vhrkxd.log
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_vslcwq.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_vzgxqp.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_wbissc.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_wsgmuq.log
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_xbrfon.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_xldufe.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_xpojjf.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_xpophd.log
Adware:Adware/Howprotect Not disinfected C:\WINNT\n_yeaqat.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_yioron.dat
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_youdei.log
  • 0

#22
Daemon
Posted 29 November 2006 - 12:26 PM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Hmmm...

Click here to download SmitfraudFix (by S!Ri). Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log in your next reply.

Please do not run any other options until you are asked to do so.
  • 0

#23
anita1973
Posted 29 November 2006 - 10:32 PM

anita1973

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
:whistling: OK, here's the scan... it sure didn't take long, only a few seconds:

SmitFraudFix v2.125

Scan done at 22:47:59.93, Wed 11/29/2006
Run from C:\unzipped\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

C:\WINNT\d3??.dll FOUND !
C:\WINNT\screen.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

C:\WINNT\system32\hp????.tmp FOUND !
C:\WINNT\system32\wp.bmp FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

HKLM\SOFTWARE\SHUDDERLTD FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"=""
"SubscribedURL"=""
"FriendlyName"="Security info v3"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#24
anita1973
Posted 29 November 2006 - 10:38 PM

anita1973

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Uh, I realized I didn't unzip the smit folder to the desktop so I redid it in case that did make a difference. :whistling: Here's that scan:

SmitFraudFix v2.125

Scan done at 22:56:42.63, Wed 11/29/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

C:\WINNT\d3??.dll FOUND !
C:\WINNT\screen.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

C:\WINNT\system32\hp????.tmp FOUND !
C:\WINNT\system32\wp.bmp FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

HKLM\SOFTWARE\SHUDDERLTD FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"=""
"SubscribedURL"=""
"FriendlyName"="Security info v3"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#25
Daemon
Posted 30 November 2006 - 01:25 AM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Please print out or copy these instructions to Notepad as the internet will not be available to you at certain points of the removal process (whilst in Safe Mode). If there's anything that you don't understand, ask your question(s) before moving on with the fix.

Reboot into Safe Mode. You can get there by restarting your computer and continually tapping F8 until a menu appears. Use your arrow to highlight Safe Mode then hit enter.

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually.

When back in Normal Mode, click Start>Settings>Control Panel>Display>Desktop>Customize Desktop>Web and uncheck "Security Info" if present.

Please post the new rapport.txt log along with a new HijackThis Log in your next reply.
  • 0

Advertisements

#26
anita1973
Posted 01 December 2006 - 12:07 AM

anita1973

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Rapport scan log:

SmitFraudFix v2.125

Scan done at 23:58:28.33, Thu 11/30/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINNT\d3??.dll Deleted
C:\WINNT\screen.html Deleted
C:\WINNT\system32\hp????.tmp Deleted
C:\WINNT\system32\wp.bmp Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

HKLM\SOFTWARE\SHUDDERLTD Deleted

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



HijackThis scan log:

Logfile of HijackThis v1.99.1
Scan saved at 12:23:52 AM, on 12/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\netdde.exe
C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\LTMSG.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Documents and Settings\Administrator\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: aqdywclx - C:\WINNT\SYSTEM32\aqdywclx.dll
O20 - Winlogon Notify: biyvkfcn - C:\WINNT\SYSTEM32\biyvkfcn.dll
O20 - Winlogon Notify: bkkqnwut - C:\WINNT\SYSTEM32\bkkqnwut.dll
O20 - Winlogon Notify: elyutudy - C:\WINNT\SYSTEM32\elyutudy.dll
O20 - Winlogon Notify: gkargbkc - C:\WINNT\SYSTEM32\gkargbkc.dll
O20 - Winlogon Notify: iwukhwmn - C:\WINNT\SYSTEM32\iwukhwmn.dll
O20 - Winlogon Notify: kyjrhyoi - C:\WINNT\SYSTEM32\kyjrhyoi.dll
O20 - Winlogon Notify: lkcdmefe - C:\WINNT\SYSTEM32\lkcdmefe.dll
O20 - Winlogon Notify: mcetijni - C:\WINNT\SYSTEM32\mcetijni.dll
O20 - Winlogon Notify: mwssallj - C:\WINNT\SYSTEM32\mwssallj.dll
O20 - Winlogon Notify: njlrmjqn - C:\WINNT\SYSTEM32\njlrmjqn.dll
O20 - Winlogon Notify: skyctewh - C:\WINNT\SYSTEM32\skyctewh.dll
O20 - Winlogon Notify: slgkdcgc - C:\WINNT\SYSTEM32\slgkdcgc.dll
O20 - Winlogon Notify: uhhccwsc - C:\WINNT\SYSTEM32\uhhccwsc.dll
O20 - Winlogon Notify: wgabvwci - C:\WINNT\SYSTEM32\wgabvwci.dll
O20 - Winlogon Notify: wipixspg - C:\WINNT\SYSTEM32\wipixspg.dll
O20 - Winlogon Notify: ygevlqqq - C:\WINNT\SYSTEM32\ygevlqqq.dll
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: OPCEnum (OpcEnum) - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE (file missing)
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: PI-Ping Data Measurement Program (basic version) (piping_basic) - Unknown owner - C:\Program Files\pipc\Interfaces\PING_basic\piping_basic.exe (file missing)
O23 - Service: RSLinx Enterprise (RSLinxNG) - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe" /service (file missing)
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
  • 0

#27
Daemon
Posted 01 December 2006 - 01:17 AM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
OK let's clean up what Panda found. Please double-click Killbox.exe to run it. Select:
  • Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\winnt\system32\crhz32.dll
    c:\winnt\system32\sdkjy32.exe
    c:\winnt\system32\wp.bmp
    c:\eied_s7.cab
    c:\winnt\screen.html
    C:\Documents and Settings\Administrator\Local Settings\Temp\98.tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\99.tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\temp.frA776
    C:\WINNT\n_animrw.log
    C:\WINNT\n_beumml.txt
    C:\WINNT\n_bqcgse.txt
    C:\WINNT\n_cbenhg.txt
    C:\WINNT\n_cqxcwr.log
    C:\WINNT\n_cznuqy.txt
    C:\WINNT\n_dcdsct.txt
    C:\WINNT\n_dndbqf.txt
    C:\WINNT\n_dqsywl.log
    C:\WINNT\n_dvkhcj.dat
    C:\WINNT\n_easyzz.dat
    C:\WINNT\n_ebovcv.dat
    C:\WINNT\n_eetdsi.dat
    C:\WINNT\n_eiohui.txt
    C:\WINNT\n_eoevap.log
    C:\WINNT\n_fafsmg.txt
    C:\WINNT\n_gagcfo.txt
    C:\WINNT\n_gdlxow.dat
    C:\WINNT\n_givpav.dat
    C:\WINNT\n_gmtbnk.dat
    C:\WINNT\n_gqshjx.txt
    C:\WINNT\n_gtqguz.dat
    C:\WINNT\n_hcrltf.dat
    C:\WINNT\n_hejmtq.txt
    C:\WINNT\n_hkukdy.txt
    C:\WINNT\n_iihrxk.txt
    C:\WINNT\n_iufmyc.txt
    C:\WINNT\n_iwfpvn.log
    C:\WINNT\n_jaxana.txt
    C:\WINNT\n_jnmalp.dat
    C:\WINNT\n_kdyuya.dat
    C:\WINNT\n_lbapff.dat
    C:\WINNT\n_llvnvn.dat
    C:\WINNT\n_lmmbhq.dat
    C:\WINNT\n_ltokry.log
    C:\WINNT\n_mamqti.log
    C:\WINNT\n_mcunap.log
    C:\WINNT\n_mcwray.log
    C:\WINNT\n_natvem.log
    C:\WINNT\n_neiywf.dat
    C:\WINNT\n_nkonnq.log
    C:\WINNT\n_npqbtg.txt
    C:\WINNT\n_nvesdu.dat
    C:\WINNT\n_nzbumx.txt
    C:\WINNT\n_nzcigk.txt
    C:\WINNT\n_oganqg.txt
    C:\WINNT\n_omnszl.log
    C:\WINNT\n_oqcdro.dat
    C:\WINNT\n_ovupug.dat
    C:\WINNT\n_ptkdvx.txt
    C:\WINNT\n_ptohhf.log
    C:\WINNT\n_pzwurd.dat
    C:\WINNT\n_qdjmov.dat
    C:\WINNT\n_rdyfyt.dat
    C:\WINNT\n_rhdccq.txt
    C:\WINNT\n_rmhsxc.txt
    C:\WINNT\n_rwykix.txt
    C:\WINNT\n_sgppuz.dat
    C:\WINNT\n_sioolm.log
    C:\WINNT\n_sjoiij.txt
    C:\WINNT\n_stgvdt.txt
    C:\WINNT\n_tjksie.log
    C:\WINNT\n_ujpuoj.dat
    C:\WINNT\n_utorij.txt
    C:\WINNT\n_vawssf.txt
    C:\WINNT\n_vhrkxd.log
    C:\WINNT\n_vslcwq.txt
    C:\WINNT\n_vzgxqp.dat
    C:\WINNT\n_wbissc.dat
    C:\WINNT\n_wsgmuq.log
    C:\WINNT\n_xbrfon.dat
    C:\WINNT\n_xldufe.txt
    C:\WINNT\n_xpojjf.txt
    C:\WINNT\n_xpophd.log
    C:\WINNT\n_yeaqat.txt
    C:\WINNT\n_yioron.dat
    C:\WINNT\n_youdei.log

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt.
If after a while, your computer does not restart automatically, please restart it manually.

You said in your first post that you had an outdated antivirus - is that still the case with Command? If so uninstall it and we will put a free AV on there for you.

Do another Panda scan and post it's log.

Edited by Daemon, 01 December 2006 - 01:20 AM.

  • 0

#28
anita1973
Posted 03 December 2006 - 12:34 PM

anita1973

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
This computer did have an outdated McAfee antivirus on it but I uninstalled it. I have a site license for the Command program because this computer is going to be used in the genealogy library that I am the director of. I keep the virus definitions updated.

I also have a site license for win 2000. I didn't think that removal of the malware would be so involved or I would have just wiped the drive and started from scratch. I still wouldn't mind doing that but you have worked so hard on the malware that I feel bad. I know I would loose all the other programs but I don't mind since I really don't have a legal right to them anyway. I don't have their installations disks or anything.

If you wish to call it quits and have me wipe the drive, I will. If you want to try some more, that's OK too. I have learned so much from all the things you have been having me do and I have enjoyed that experience. I would like to learn all that stuff.

Anyway, here is the last Panda scan:


Incident Status Location

Adware:adware/searchaid Not disinfected c:\winnt\system32\sdkqt32.exe
Spyware:spyware/virtumonde Not disinfected Windows Registry
Possible Virus. Not disinfected C:\!KillBox\biyvkfcn.dll
Possible Virus. Not disinfected C:\!KillBox\bkkqnwut.dll
Adware:Adware/MediaTickets Not disinfected C:\!KillBox\eied_s7.cab[eied_s7_c_26.exe]
Adware:Adware/MediaTickets Not disinfected C:\!KillBox\eied_s7.cab[eied.inf]
Possible Virus. Not disinfected C:\!KillBox\elyutudy.dll
Possible Virus. Not disinfected C:\!KillBox\gkargbkc.dll
Possible Virus. Not disinfected C:\!KillBox\iwukhwmn.dll
Possible Virus. Not disinfected C:\!KillBox\kyjrhyoi.dll
Possible Virus. Not disinfected C:\!KillBox\lkcdmefe.dll
Possible Virus. Not disinfected C:\!KillBox\mcetijni.dll
Possible Virus. Not disinfected C:\!KillBox\mwssallj.dll
Possible Virus. Not disinfected C:\!KillBox\njlrmjqn.dll
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_animrw.log
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_beumml.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_bqcgse.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_cbenhg.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_cqxcwr.log
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_cznuqy.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_dcdsct.txt
Adware:Adware/SearchExe Not disinfected C:\!KillBox\n_dndbqf.txt
Adware:Adware/SearchExe Not disinfected C:\!KillBox\n_dqsywl.log
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_dvkhcj.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_easyzz.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_ebovcv.dat
Adware:Adware/SearchExe Not disinfected C:\!KillBox\n_eetdsi.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_eiohui.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_eoevap.log
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_fafsmg.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_gagcfo.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_gdlxow.dat
Adware:Adware/Howprotect Not disinfected C:\!KillBox\n_givpav.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_gmtbnk.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_gqshjx.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_gtqguz.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_hcrltf.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_hejmtq.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_hkukdy.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_iihrxk.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_iufmyc.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_iwfpvn.log
Possible Virus. Not disinfected C:\!KillBox\n_jaxana.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_jnmalp.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_kdyuya.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_lbapff.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_llvnvn.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_lmmbhq.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_ltokry.log
Adware:Adware/Howprotect Not disinfected C:\!KillBox\n_mamqti.log
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_mcunap.log
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_mcwray.log
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_natvem.log
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_neiywf.dat
Adware:Adware/SearchExe Not disinfected C:\!KillBox\n_nkonnq.log
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_npqbtg.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_nvesdu.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_nzbumx.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_oganqg.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_omnszl.log
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_oqcdro.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_ovupug.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_ptkdvx.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_ptohhf.log
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_pzwurd.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_qdjmov.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_rdyfyt.dat
Adware:Adware/SearchExe Not disinfected C:\!KillBox\n_rhdccq.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_rmhsxc.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_rwykix.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_sgppuz.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_sioolm.log
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_sjoiij.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_stgvdt.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_tjksie.log
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_ujpuoj.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_utorij.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_vawssf.txt
Possible Virus. Not disinfected C:\!KillBox\n_vhrkxd.log
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_vslcwq.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_vzgxqp.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_wbissc.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_wsgmuq.log
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_xbrfon.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_xldufe.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_xpojjf.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_xpophd.log
Adware:Adware/Howprotect Not disinfected C:\!KillBox\n_yeaqat.txt
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_yioron.dat
Adware:Adware/SearchAid Not disinfected C:\!KillBox\n_youdei.log
Possible Virus. Not disinfected C:\!KillBox\skyctewh.dll
Possible Virus. Not disinfected C:\!KillBox\slgkdcgc.dll
Possible Virus. Not disinfected C:\!KillBox\uhhccwsc.dll
Possible Virus. Not disinfected C:\!KillBox\wgabvwci.dll
Possible Virus. Not disinfected C:\!KillBox\wipixspg.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\ws_3s32.dll
Possible Virus. Not disinfected C:\!KillBox\ygevlqqq.dll
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/biyvkfcn.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/elyutudy.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/gkargbkc.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/iwukhwmn.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/kyjrhyoi.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/lkcdmefe.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/mcetijni.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/mwssallj.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/njlrmjqn.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/skyctewh.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/slgkdcgc.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/uhhccwsc.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/wgabvwci.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/wipixspg.dll]
Spyware:Spyware/Virtumonde Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/ws_3s32.dll]
Possible Virus. Not disinfected C:\avenger\backup-Tue 11.28.2006-21.31.37.05.zip[avenger/ygevlqqq.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/biyvkfcn.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/elyutudy.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/gkargbkc.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/iwukhwmn.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/kyjrhyoi.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/lkcdmefe.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/mcetijni.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/mwssallj.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/njlrmjqn.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/skyctewh.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/slgkdcgc.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/uhhccwsc.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/wgabvwci.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/wipixspg.dll]
Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/ygevlqqq.dll]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@did-it[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@target[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
Spyware:Cookie/SpySheriff Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Administrator\HijackThis\backups\backup-20061125-181723-496.dll
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\biyvkfcn.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\bkkqnwut.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\elyutudy.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\gkargbkc.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\iwukhwmn.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\kyjrhyoi.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\lkcdmefe.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\mcetijni.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\mwssallj.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\njlrmjqn.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\skyctewh.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\slgkdcgc.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\uhhccwsc.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\wgabvwci.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\wipixspg.dll.Quarantined
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\ws_3s32.dll.Quarantined
Possible Virus. Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\ygevlqqq.dll.Quarantined
Potentially unwanted tool:Application/Processor Not disinfected C:\unzipped\SmitfraudFix\SmitfraudFix\Process.exe
Spyware:Cookie/Ccbill Not disinfected C:\WINNT\Cookies\administrator@ccbill[1].txt
Spyware:Cookie/Go Not disinfected C:\WINNT\Cookies\administrator@go[2].txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_yvrwor.txt
Adware:Adware/SearchExe Not disinfected C:\WINNT\n_zauwqn.log
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_zfoatg.txt
Adware:Adware/SearchAid Not disinfected C:\WINNT\n_zgarua.dat
Adware:Adware/Antivirus-gold Not disinfected
  • 0

#29
Daemon
Posted 03 December 2006 - 01:56 PM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Let's keep going for now. The latest Panda scan shows new searchaid entries that have been spawned - I'd like to establish why they are being so elusive.

First we need to tidy up a bit. Delete this folder and all it's contents:

C:\!KillBox

Also delete the C:\avenger\backup folders. Then empty the Command Quarantine area from within the program.

Run a couple more scans for completeness. Could you click here to download CWShredder and run it, hit 'fix' as opposed to 'scan only'. Reboot when done.

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
  • Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode.
Post the results of the AVG Anti-Spyware report scan together with a new HijackThis log.

Finally, see if this file is on your system: searchdll.dll
  • 0

#30
anita1973
Posted 03 December 2006 - 02:18 PM

anita1973

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Where is the command quarantine folder? I don't see that folder in the Avenger program.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP