Please help. computer has been infected! [RESOLVED] - Geeks to Go Forums

Jump to content

Log in Register Register Malware removal guide How it works

Please help. computer has been infected! [RESOLVED] Malware, spyware, and viruses

#1 midnight1223

  • Group: Member
  • Posts: 6
  • Joined: 17-May 08

Posted 17 May 2008 - 11:21 PM

Hello,

My computer has been infected although I have installed AVG, spyware guard, and spyware blaster. My task manager has been disabled and I can't log onto webpages. In fact, I am logged onto from another computer to post this log. Below is my log, and I'd really appreciate some help! Thank you!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:57, on 2008-05-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\Program Files\QdrPack\QdrPack16.exe
C:\Program Files\QdrModule\QdrModule16.exe
C:\PROGRA~1\COMMON~1\AOL\112637~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\112637~1\EE\AOLServiceHost.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tw.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126378612\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [BMbbbbd3d7] Rundll32.exe "C:\WINDOWS\system32\itisrkmi.dll",s
O4 - HKLM\..\Run: [b888e04b] rundll32.exe "C:\WINDOWS\system32\obmnfmww.dll",b
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

--
End of file - 5566 bytes

#2 sage5

  • Group: Retired Staff
  • Posts: 2,646
  • Joined: 08-June 06

Posted 18 May 2008 - 04:19 AM

Hi midnight1223,

Welcome to Geeks to Go!
My name is sage5, and I will be helping you with this problem.

Please download the following & save to your Desktop:
Malwarebytes' Anti-Malware from Here or Here
OTScanIt.exe
LSPFix


Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for the all the entries listed below:
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [BMbbbbd3d7] Rundll32.exe "C:\WINDOWS\system32\itisrkmi.dll",s
O4 - HKLM\..\Run: [b888e04b] rundll32.exe "C:\WINDOWS\system32\obmnfmww.dll",b
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.



Remove bad applications:
  • Please go to Start > Control Panel > Add/Remove Programs and remove the following, (if present):
    webHancer
    Please take note of any other programs that you don't recognise in that list, and include them in your next response



Run Malwarebytes' Anti-Malware:
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Save the report as C:\mbam.txt

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Install OTScanIt:
  • Double-click on OTScanIt.exe to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close any open browsers.
  • If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Make sure that the Non Microsoft option is clicked in the following Headings:

    • Processes
    • Services
    • Drivers
    • Registry

  • Click Yes under Rootkit scan
  • Make sure that you tick these in the Additional Scans box

    • Reg - BotCheck
    • Reg - Security Settings

  • Now click the Run Scan button on the toolbar.
  • The program will be scanning large amounts of data so depending on your system it could take a while to complete.
  • When the scan is done Notepad will open with the report file loaded in it.
  • Save the file in the new OTScanIt folder as Scan1.txt

Mostly, these logs are too large to post normally. Use the Reply button, scroll down to the Attachments section and attach the Notepad file here.


Use this step only if you lose your connection to the Internet.
Run a check for a malicious .DLL file which could be disrupting the LSP chain on your computer.
  • Run the LSPFix.exe on your Desktop.
  • Allow LSPFix to remove the defaults it chooses.
  • Do NOT check the I know what I'm doing box.
  • Click Finish>>, just exit the program via the red X at the top of the window


Paste the contents of the C:\mbam.txt file & attach the Scan1.txt file

Cheers,

sage5

#3 midnight1223

  • Group: Member
  • Posts: 6
  • Joined: 17-May 08

Posted 18 May 2008 - 04:05 PM

Hi Sage5,

Below you'll find my logs you asked for. I tried again today and the Internet was fine, so I didn't run LSPFix after all. Thank you for helping me.

Malwarebytes' Anti-Malware 1.12
Database version: 762

Scan type: Quick Scan
Objects scanned: 38275
Time elapsed: 15 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 8
Registry Keys Infected: 27
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 7
Files Infected: 49

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\program files\webhancer\Programs\webhdll.dll (Adware.WebHancer) -> Unloaded module successfully.
c:\WINDOWS\system32\sockins32.dll (Trojan.BHO) -> Unloaded module successfully.
c:\program files\webhancer\Programs\whiehlpr.dll (Adware.WebHancer) -> Unloaded module successfully.
C:\WINDOWS\system32\byXOhHWP.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\obmnfmww.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Program Files\QdrDrive\QdrDrive15.dll (Adware.SearchAid) -> Unloaded module successfully.
C:\WINDOWS\system32\jkkIBSjk.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\nnnllmjg.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ffffffff-bbbb-4146-86fd-a722e8ab3489} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffffffff-bbbb-4146-86fd-a722e8ab3489} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6fc2b80f-8f23-4fdb-a695-3f42478e9fd8} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6fc2b80f-8f23-4fdb-a695-3f42478e9fd8} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66186f05-bbbb-4a39-864f-72d84615c679} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1212bcb8-67dd-475e-8025-9d2198fb8f61} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{1212bcb8-67dd-475e-8025-9d2198fb8f61} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8334a30c-49e5-489a-b63d-5b927c1ef46e} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8334a30c-49e5-489a-b63d-5b927c1ef46e} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ism (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a7cbc21-2f73-4a71-8f8c-40a4f0b981ac} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ba449907-66f7-4c16-8ccf-1de3aaf7d3af} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c7bbc1fa-e415-4926-9a47-9ab58d0b3bc8} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c7bbc1fa-e415-4926-9a47-9ab58d0b3bc8} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnllmjg (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\webHancer (Adware.WebHancer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebProxy (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMbbbbd3d7 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{c7bbc1fa-e415-4926-9a47-9ab58d0b3bc8} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\byxohhwp -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\byxohhwp -> Delete on reboot.

Folders Infected:
C:\Program Files\webHancer (Adware.Webhancer) -> Delete on reboot.
C:\Program Files\webHancer\Programs (Adware.Webhancer) -> Delete on reboot.
C:\Program Files\QdrDrive (Adware.AdBand) -> Quarantined and deleted successfully.
C:\Program Files\ISM (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor (Adware.AdSponsor) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\webhancer\Programs\webhdll.dll (Adware.WebHancer) -> Delete on reboot.
c:\WINDOWS\system32\sockins32.dll (Trojan.BHO) -> Delete on reboot.
c:\program files\webhancer\Programs\whiehlpr.dll (Adware.WebHancer) -> Delete on reboot.
C:\WINDOWS\system32\byXOhHWP.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\PWHhOXyb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\PWHhOXyb.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbXPfDtR.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\RtDfPXbc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\RtDfPXbc.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\obmnfmww.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wwmfnmbo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\syswcc32.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MDATKLG3\msiexec[1].exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ODQ3456J\syswcc32[1].exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\whinstaller.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive\QdrDrive15.dll (Adware.AdBand) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive\qdrloader.exe (Adware.AdBand) -> Quarantined and deleted successfully.
C:\Program Files\ISM\ism.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\ISM\Uninstall.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\dicy.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\kwdy.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\pckr.dat (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\QdrModule16.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\dicts.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\dictys.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\QdrPack16.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\trgts.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\WINDOWS\homepage.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promo1.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promo2.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promo3.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promo4.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promo5.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promo6.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promogif1.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promogif2.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promogif3.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iaulokba.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pharma.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\other.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\finance.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\adult.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lt.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkIBSjk.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nnnllmjg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iifEttsP.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Attached File(s)


#4 sage5

  • Group: Retired Staff
  • Posts: 2,646
  • Joined: 08-June 06

Posted 18 May 2008 - 04:59 PM

Hi midnight1223,


Run the Fix:
  • Open the OTScanIT folder on the Desktop
  • Run OTScanIt.exe.
  • Copy all the text in the Code box below, and Paste it into the pane under the GREEN bar, titled Paste fix here and then click the green Run Fix button.


    [Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> b888e04b -> %SystemRoot%\system32\ujjcdvxq.dll [rundll32.exe "C:\WINDOWS\system32\ujjcdvxq.dll",b]
< Protocol Filters [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\
YY -> text/html:{07851C6A-1C43-41d9-8319-BC89154A8C00}[HKEY_LOCAL_MACHINE] -> %ProgramFiles%\RcvSystem\httpdchk.dll[Reg Error: Value  does not exist or could not be read.]
[Files/Folders - Created Within 30 days]
NY -> byXOhHWP.dll -> %SystemRoot%\System32\byXOhHWP.dll
NY -> iaulokba.dll -> %SystemRoot%\System32\iaulokba.dll
NY -> itisrkmi.dll -> %SystemRoot%\System32\itisrkmi.dll
NY -> jkkIBSjk.dll -> %SystemRoot%\System32\jkkIBSjk.dll
NY -> kbnexnnp.dll -> %SystemRoot%\System32\kbnexnnp.dll
NY -> nnnllmjg.dll -> %SystemRoot%\System32\nnnllmjg.dll
NY -> obmnfmww.dll -> %SystemRoot%\System32\obmnfmww.dll
NY -> PWHhOXyb.ini -> %SystemRoot%\System32\PWHhOXyb.ini
NY -> PWHhOXyb.ini2 -> %SystemRoot%\System32\PWHhOXyb.ini2
NY -> qxvdcjju.ini -> %SystemRoot%\System32\qxvdcjju.ini
NY -> sccruwpx.dll -> %SystemRoot%\System32\sccruwpx.dll
NY -> sockins32.dll -> %SystemRoot%\System32\sockins32.dll
NY -> ujjcdvxq.dll -> %SystemRoot%\System32\ujjcdvxq.dll
NY -> wtiwdvex.dll -> %SystemRoot%\System32\wtiwdvex.dll
NY -> yemklrjk.dll -> %SystemRoot%\System32\yemklrjk.dll
NY -> BMbbbbd3d7.xml -> %SystemRoot%\BMbbbbd3d7.xml
NY -> pskt.ini -> %SystemRoot%\pskt.ini
[Files/Folders - Modified Within 30 days]
NY -> byXOhHWP.dll -> %SystemRoot%\System32\byXOhHWP.dll
NY -> 3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> iaulokba.dll -> %SystemRoot%\System32\iaulokba.dll
NY -> itisrkmi.dll -> %SystemRoot%\System32\itisrkmi.dll
NY -> jkkIBSjk.dll -> %SystemRoot%\System32\jkkIBSjk.dll
NY -> kbnexnnp.dll -> %SystemRoot%\System32\kbnexnnp.dll
NY -> nnnllmjg.dll -> %SystemRoot%\System32\nnnllmjg.dll
NY -> obmnfmww.dll -> %SystemRoot%\System32\obmnfmww.dll
NY -> PWHhOXyb.ini -> %SystemRoot%\System32\PWHhOXyb.ini
NY -> PWHhOXyb.ini2 -> %SystemRoot%\System32\PWHhOXyb.ini2
NY -> qxvdcjju.ini -> %SystemRoot%\System32\qxvdcjju.ini
NY -> sccruwpx.dll -> %SystemRoot%\System32\sccruwpx.dll
NY -> sockins32.dll -> %SystemRoot%\System32\sockins32.dll
NY -> ujjcdvxq.dll -> %SystemRoot%\System32\ujjcdvxq.dll
NY -> @Alternate Data Stream - 164 bytes -> %SystemRoot%\System32\wpa.dbl:KAVICHS
NY -> wtiwdvex.dll -> %SystemRoot%\System32\wtiwdvex.dll
NY -> yemklrjk.dll -> %SystemRoot%\System32\yemklrjk.dll
NY -> BMbbbbd3d7.xml -> %SystemRoot%\BMbbbbd3d7.xml
NY -> pskt.ini -> %SystemRoot%\pskt.ini
NY -> @Alternate Data Stream - 196 bytes -> %SystemRoot%\win.ini:KAVICHS
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
NY -> rcvsetup.exe -> C:\Documents and Settings\Owner\Local Settings\Temp\rcvsetup.exe
NY -> 80 C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp
NY -> uninst.dll -> C:\Documents and Settings\Owner\Local Settings\Temp\uninst.dll
NY -> 80 C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp
NY -> AVRES_OPTRF_LiveUpdate.dat -> C:\Documents and Settings\Owner\Local Settings\Temp\AVRES_OPTRF_LiveUpdate.dat
NY -> symcprop.dat -> C:\Documents and Settings\Owner\Local Settings\Temp\symcprop.dat
NY -> SymSCLiveUpdate.dat -> C:\Documents and Settings\Owner\Local Settings\Temp\SymSCLiveUpdate.dat
NY -> 80 C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp
[Empty Temp Folders]
[Start Explorer]



  • The fix should only take a very short time.
  • When the fix is done, click the OK button in the message box.
  • Notepad will open with a log of actions taken during the fix.
    This file is saved in the Moved Files folder and is named in date_time format (mmddyyyy_hhmmss.log format, so e.g. 04012008_082852.log)
  • I need you to Post the text from that file back here.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

#5 midnight1223

  • Group: Member
  • Posts: 6
  • Joined: 17-May 08

Posted 19 May 2008 - 01:49 PM

Hi sage5,

Here's the log:

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\b888e04b deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ujjcdvxq.dll
C:\WINDOWS\system32\ujjcdvxq.dll NOT unregistered.
C:\WINDOWS\system32\ujjcdvxq.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07851C6A-1C43-41d9-8319-BC89154A8C00}\ deleted successfully.
C:\Program Files\RcvSystem\httpdchk.dll unregistered successfully.
C:\Program Files\RcvSystem\httpdchk.dll moved successfully.
[Files/Folders - Created Within 30 days]
LoadLibrary failed for C:\WINDOWS\System32\byXOhHWP.dll
C:\WINDOWS\System32\byXOhHWP.dll NOT unregistered.
C:\WINDOWS\System32\byXOhHWP.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\iaulokba.dll
C:\WINDOWS\System32\iaulokba.dll NOT unregistered.
C:\WINDOWS\System32\iaulokba.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\itisrkmi.dll
C:\WINDOWS\System32\itisrkmi.dll NOT unregistered.
C:\WINDOWS\System32\itisrkmi.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\jkkIBSjk.dll
C:\WINDOWS\System32\jkkIBSjk.dll NOT unregistered.
C:\WINDOWS\System32\jkkIBSjk.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\kbnexnnp.dll
C:\WINDOWS\System32\kbnexnnp.dll NOT unregistered.
C:\WINDOWS\System32\kbnexnnp.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\nnnllmjg.dll
C:\WINDOWS\System32\nnnllmjg.dll NOT unregistered.
C:\WINDOWS\System32\nnnllmjg.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\obmnfmww.dll
C:\WINDOWS\System32\obmnfmww.dll NOT unregistered.
C:\WINDOWS\System32\obmnfmww.dll moved successfully.
C:\WINDOWS\System32\PWHhOXyb.ini moved successfully.
C:\WINDOWS\System32\PWHhOXyb.ini2 moved successfully.
C:\WINDOWS\System32\qxvdcjju.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\sccruwpx.dll
C:\WINDOWS\System32\sccruwpx.dll NOT unregistered.
C:\WINDOWS\System32\sccruwpx.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\sockins32.dll
C:\WINDOWS\System32\sockins32.dll NOT unregistered.
C:\WINDOWS\System32\sockins32.dll moved successfully.
File C:\WINDOWS\System32\ujjcdvxq.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\wtiwdvex.dll
C:\WINDOWS\System32\wtiwdvex.dll NOT unregistered.
C:\WINDOWS\System32\wtiwdvex.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\yemklrjk.dll
C:\WINDOWS\System32\yemklrjk.dll NOT unregistered.
C:\WINDOWS\System32\yemklrjk.dll moved successfully.
C:\WINDOWS\BMbbbbd3d7.xml moved successfully.
C:\WINDOWS\pskt.ini moved successfully.
[Files/Folders - Modified Within 30 days]
File C:\WINDOWS\System32\byXOhHWP.dll not found!
File C:\WINDOWS\System32\iaulokba.dll not found!
File C:\WINDOWS\System32\itisrkmi.dll not found!
File C:\WINDOWS\System32\jkkIBSjk.dll not found!
File C:\WINDOWS\System32\kbnexnnp.dll not found!
File C:\WINDOWS\System32\nnnllmjg.dll not found!
File C:\WINDOWS\System32\obmnfmww.dll not found!
File C:\WINDOWS\System32\PWHhOXyb.ini not found!
File C:\WINDOWS\System32\PWHhOXyb.ini2 not found!
File C:\WINDOWS\System32\qxvdcjju.ini not found!
File C:\WINDOWS\System32\sccruwpx.dll not found!
File C:\WINDOWS\System32\sockins32.dll not found!
File C:\WINDOWS\System32\ujjcdvxq.dll not found!
ADS C:\WINDOWS\System32\wpa.dbl:KAVICHS deleted successfully.
File C:\WINDOWS\System32\wtiwdvex.dll not found!
File C:\WINDOWS\System32\yemklrjk.dll not found!
File C:\WINDOWS\BMbbbbd3d7.xml not found!
File C:\WINDOWS\pskt.ini not found!
ADS C:\WINDOWS\win.ini:KAVICHS deleted successfully.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.
C:\Documents and Settings\Owner\Local Settings\Temp\rcvsetup.exe moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\issE0.tmp folder deleted successfully.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF5E6B.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF91B3.tmp scheduled to be deleted on reboot.
C:\Documents and Settings\Owner\Local Settings\Temp\~nsu.tmp folder deleted successfully.
DllUnregisterServer procedure not found in C:\Documents and Settings\Owner\Local Settings\Temp\uninst.dll
C:\Documents and Settings\Owner\Local Settings\Temp\uninst.dll NOT unregistered.
C:\Documents and Settings\Owner\Local Settings\Temp\uninst.dll moved successfully.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF5E6B.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF91B3.tmp scheduled to be deleted on reboot.
C:\Documents and Settings\Owner\Local Settings\Temp\AVRES_OPTRF_LiveUpdate.dat moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\symcprop.dat moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\SymSCLiveUpdate.dat moved successfully.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF5E6B.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF91B3.tmp scheduled to be deleted on reboot.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF5E6B.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF91B3.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.14.0 fix logfile created on 05192008_154513

Files moved on Reboot...
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF5E6B.tmp moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF91B3.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.

#6 sage5

  • Group: Retired Staff
  • Posts: 2,646
  • Joined: 08-June 06

Posted 20 May 2008 - 05:16 AM

Hi midnight1223,

You don't appear to be running a 3rd party firewall. These are essential to protect from trojans, viruses, spyware etc.

You should check out:- Comodo Firewall Pro or Sunbelt Personal Firewall

User manuals are available for both:
Comodo's manual is built in and accessable from the Help Menu.

Sunbelt Manual Here

Both are simple to install & free to use.
Please install only 1

I need you to post me a fresh HijackThis log to confirm correct installation of the Firewall.

Cheers,

sage5

#7 midnight1223

  • Group: Member
  • Posts: 6
  • Joined: 17-May 08

Posted 21 May 2008 - 08:07 PM

Hi,

I've installed the Sunbelt firewall. Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:07, on 2008-05-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\PROGRA~1\COMMON~1\AOL\112637~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\112637~1\EE\AOLServiceHost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tw.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126378612\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

--
End of file - 5009 bytes

#8 sage5

  • Group: Retired Staff
  • Posts: 2,646
  • Joined: 08-June 06

Posted 22 May 2008 - 12:15 AM

Hi <insert name>

Congratulations, your new log looks clear, so we can now deal with some final clean up jobs.

Clean out cookies, temp files etc:
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Cleanup with OTScanIt:
  • Please double-click OTScanIt.exe to run it.
  • Click the Clean up button at the top
  • Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • Click Yes to the reboot.



To Clear Restore points, please do the following:
  • Go to Start > Settings > Control Panel.
  • Double-click the System icon.
      NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.

  • Click the System Restore tab.
  • Put a check by Disable System Restore.
  • Click Apply, OK, OK. Click Yes when you are prompted to restart Windows.
After reboot, you must turn System Restore back on:
  • Go back to the Troubleshooting tab.
  • UNcheck Disable System Restore.
  • Click Apply, OK, OK. Click Yes when you are prompted to restart Windows.


Lastly, some extra or better security for your PC:

The programs recommended below are freeware alternatives to some of your security software & might reduce the potential for spyware infection in the future:-

Spyware Prevention:
Spyware Blaster by JavaCool Software, prevents spyware installing and consumes no system resources.
IE/SpyAd, stops suspect sites loading ActiveX, popups etc onto your PC. An excellent tutorial is Here

Spyware Detection:
AVG Anti-Spyware is my favourite here.

Anti-Virus:
The first line of defence, especially since some will now detect trojans as well.
Avira's Antivir PersonalEdition Classic and Grisoft's Avast! Free Edition are among the best freebies.
*Please note* You should never install more than one anti-virus program on a PC, as it will cause conflicts.

Firewall:
A Firewall is an essential tool in the security of any PC connected to the Internet.
Sunbelt Personal Firewall and Comodo are both excellent freeware.

Alternate Browsers:
Thankfully, there are now some excellent alternatives to MS Internet Explorer. They offer better security, more stability, and better speed.
A couple of good examples are: Firefox and Opera

Other Updates:
Vital security patches and updates are available for Microsoft Windows and Internet Explorer at the Windows Update Site
It is equally important to update the other security software you use, on a regular basis.

Further reading about these issues is available in a very good article: How did I get infected in the first place ? (by Tony Klein and dvk01)

All the best & safe surfing in the future,

sage5

#9 midnight1223

  • Group: Member
  • Posts: 6
  • Joined: 17-May 08

Posted 22 May 2008 - 03:54 PM

Thank you for your help sage5! I really appreciate your time and efforts. :)

However, my task manager is still disabled. Could you help me with reactivating it again? Thanks!

#10 sage5

  • Group: Retired Staff
  • Posts: 2,646
  • Joined: 08-June 06

Posted 25 May 2008 - 06:29 AM

My apologies midnight1223,
I didn't realise that was still a problem.

Fix the TaskManager with a Reg file:
  • Please open a new Notepad file by clicking Start\All Programs\Accessories\Notepad
  • Copy the text from the following Code box, by highlighting all the text and right click, Select Copy. (or use the Ctrl+C keyboard shortcut)

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"**del.DisableTaskMgr"=" "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000

  • Paste it into Notepad. Right click in the window and select Paste. (or use Ctrl+V)
  • Save the file to the Desktop, make sure Type is All Files, and name it Fixreg.reg
  • Double click on the file created and click Yes when asked to merge the information into the Registry


That should do the trick, but tell me if you are having any other issues.

Cheers,

sage5

#11 midnight1223

  • Group: Member
  • Posts: 6
  • Joined: 17-May 08

Posted 26 May 2008 - 11:00 PM

Thank you! It's working now! :)

#12 sage5

  • Group: Retired Staff
  • Posts: 2,646
  • Joined: 08-June 06

Posted 27 May 2008 - 07:58 AM

You are very welcome midnight1223 :)

All the best,

sage5

#13 sage5

  • Group: Retired Staff
  • Posts: 2,646
  • Joined: 08-June 06

Posted 27 May 2008 - 07:58 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Share this topic:


Page 1 of 1