unable to remove spyware/trojans please help

Welcome Guest ( Log In | Register )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Spyware, virus, trojan, fake security or privacy alerts? Read the malware cleaning guide.

> Geeks to Go! » Security » Malware Removal - HijackThis� Logs Go Here

unable to remove spyware/trojans please help, clicker.fr generic.xks generic.xfv

Options

darksource View Member Profile	Jul 27 2006, 03:31 AM Post #1
New Member Posts: 7 OS: xp	Hello, I'm having difficulty in removing some spyware/trojans from my computer. I have AVG and it keeps notifying me that my computer is infected with the following: clicker.fr, generic.xks, and generic.xfv I'm unable to heal/move them to the vault and haven't been able to get rid of them with any other program. I've ran CWShredder, Ad-aware, clean up, and Ewido... and I've read the "you must read this before posting" thread. please, any help would be much appreciated... these thinsg are really messing up my computer. Logfile of HijackThis v1.99.1 Scan saved at 2:29:27 AM, on 7/27/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\system32\gearsec.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Elliott\Desktop\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [dmuxb.exe] C:\WINDOWS\system32\dmuxb.exe O4 - HKLM\..\Run: [mdjbf.exe] C:\WINDOWS\system32\mdjbf.exe O4 - HKLM\..\Run: [cbdye.exe] C:\WINDOWS\system32\cbdye.exe O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe" O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O17 - HKLM\System\CCS\Services\Tcpip\..\{0F91695C-126F-4129-B4F5-D4AA77F3045D}: NameServer = 85.255.114.11,85.255.112.234 O17 - HKLM\System\CCS\Services\Tcpip\..\{3B15CD15-1B9F-4DC3-BC51-0ECF9DD29292}: NameServer = 85.255.114.11,85.255.112.234 O17 - HKLM\System\CCS\Services\Tcpip\..\{E6A5FA5F-2244-4D70-ABFD-7F8951A0E7A7}: NameServer = 85.255.114.11,85.255.112.234 O17 - HKLM\System\CCS\Services\Tcpip\..\{F451812D-B508-4348-9880-FCA22A69D7B9}: NameServer = 85.255.114.11,85.255.112.234 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234 O17 - HKLM\System\CS2\Services\Tcpip\..\{0F5A8814-BE8E-44A2-9F95-C08A8C8773EA}: NameServer = 85.255.114.11,85.255.112.234 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

Flrman1 View Member Profile	Jul 28 2006, 11:19 PM Post #3
Malware Assassin Posts: 6,596 OS: XP Home, XP Pro, Vista	Hi darksource Welcome to GTG! First you need to download the following tools and have them ready to run. Do not** run any of them until instructed to do so: * Click here to download Fixwareout.exe and save it to your desktop. * Click Here and download Killbox and save it to your desktop. * Click here for info on how to boot to safe mode if you don't already know how. * Now copy these instructions to notepad and save them to your desktop. You will need them to refer to. Before you proceed with the removal directions below you need to turn off SpySweeper's realtime protection as it will interfere with the changes we are trying to make. Open Spysweeper and click on the "Options" button on the left. Click on the "Program Options" tab and uncheck "Load at windows startup". On the left click on the "Shields" button. Click the "Internet Explorer" tab and then uncheck everything there. Click on the "Startup Programs" tab and uncheck "Startup Shield" Click on the "Browser Add-ons" tab and uncheck "Browser Helper Object (BHO) Shield" Exit Spysweeper. Leave them disabled until we are finished here. Important!** Make sure you remember to re-enable these options when we are finished. * Run Fixwareout: Doubleclick on the Fixwareout.exe file to run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin. Follow the prompts. You will be asked to reboot your computer, please do so. Your system may take longer than usual to load, this is normal. When your system reboots, a text file will open called report.txt. Close the report.txt file. It has been saved already. Open Hijack This and click on the "Do a System Scan Only" button. In Hijack This, put a check by the following entries: R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = O4 - HKLM\..\Run: [dmuxb.exe] C:\WINDOWS\system32\dmuxb.exe O4 - HKLM\..\Run: [mdjbf.exe] C:\WINDOWS\system32\mdjbf.exe O17 - HKLM\System\CCS\Services\Tcpip\..\{0F91695C-126F-4129-B4F5-D4AA77F3045D}: NameServer = 85.255.114.11,85.255.112.234 O17 - HKLM\System\CCS\Services\Tcpip\..\{3B15CD15-1B9F-4DC3-BC51-0ECF9DD29292}: NameServer = 85.255.114.11,85.255.112.234 O17 - HKLM\System\CCS\Services\Tcpip\..\{E6A5FA5F-2244-4D70-ABFD-7F8951A0E7A7}: NameServer = 85.255.114.11,85.255.112.234 O17 - HKLM\System\CCS\Services\Tcpip\..\{F451812D-B508-4348-9880-FCA22A69D7B9}: NameServer = 85.255.114.11,85.255.112.234 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234 After checking each of those entries in Hijack This, click the "Fix Checked" button then exit Hijack This. * Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step . CAUTION!: It is possible that your Internet Service Provider requires specific settings here. Make sure you know if you need specific DNS settings here or not before you proceed to make the following changes or you may lose your internet connection. If you are sure you do not need a specific DNS address here, you may proceed. Double-click the Network Connections icon Right-click the Local Area Connection icon and select Properties. Hilight Internet Protocol (TCP/IP) and click the Properties button. Be sure Obtain DNS server address automatically is selected. OK your way out. * Go to Start > Run and type in cmd Click OK. This will open a command prompt. Type or copy and paste the following line in the command window: ipconfig /flushdns Hit Enter Exit the command window * Restart your computer into safe mode now. Perform the following steps in safe mode: * Double-click on Killbox.exe to run it. Put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time: C:\WINDOWS\system32\dmuxb.exe C:\WINDOWS\system32\mdjbf.exe Click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box. Killbox may tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any. Next in Killbox go to Tools > Delete Temp Files In the window that pops up, put a check by ALL the options there except these three: XP Prefetch Recent History Now click the Delete Selected Temp Files button. Exit the Killbox. * Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK. * Restart back into Windows normally now. * Run Kaspersky online virus scan here. When given the option, choose the "Extended database" for the scan. When the scan is finished, Save the results from the scan! * Go to your C drive and find the fixwareout folder. Open the Report.txt file. Copy and paste the contents of Report.txt here along with a new HiJackThis log and the results from Kaspersky scan * Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here.

darksource View Member Profile	Jul 29 2006, 01:33 AM Post #4
New Member Posts: 7 OS: xp	hello, thank you for the response. When doing the kaspersky scan, I didn't know what area to scan, so I just selected the first option. here is that log (followed by the fixwareout, new HJT log, and the uninstaller 'Save List'): ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Saturday, July 29, 2006 12:10:42 AM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.83.0 Kaspersky Anti-Virus database last update: 29/07/2006 Kaspersky Anti-Virus database records: 209760 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - Critical Areas: C:\WINDOWS C:\DOCUME~1\Elliott\LOCALS~1\Temp\ Scan Statistics: Total number of scanned objects: 11143 Number of viruses found: 0 Number of infected objects: 0 / 0 Number of suspicious objects: 0 Duration of the scan process: 00:06:17 Infected Object Name / Virus Name / Last Action C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped C:\WINDOWS\system32\drivers\sptd5597.sys Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed. --------------------- Fixwareout ver 1.003 Last edited 07/1/2006 Post this report in the forums please Reg Entries that were deleted ... Microsoft ® Windows Script Host Version 5.6 Random Runs removed from HKLM "dmuxb.exe"=- ... PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. Example ipsec6.exe is legitimate �� Search by size and names... C:\WINDOWS\SYSTEM32\IPSEC6.EXE �� Misc files �� Checking for older varients covered by the Rem3 tool �� Search five digit cs, dm and jb files This WILL/CAN also list Legit Files, Submit them at Virustotal Other suspects Directory of C:\WINDOWS\system32 {A7C7A12F-1277-4DE4-940B-B984BE53F1F7}.exe {AAAC354C-A10F-4CFC-96CF-3569A7B4C0F1}.exe {107202BF-9C9C-4140-AF27-BE6CAC1B227E}.exe {C7A23916-1816-4267-9931-632AB8806C61}.exe ------------------- Logfile of HijackThis v1.99.1 Scan saved at 12:31:01 AM, on 7/29/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SOUNDMAN.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe C:\WINDOWS\system32\gearsec.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Elliott\Desktop\antivirus\HijackThis.exe F2 - REG:system.ini: UserInit=userinit.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [mdjbf.exe] C:\WINDOWS\system32\mdjbf.exe O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe --------------- Ad-Aware SE Personal Adobe Acrobat 5.0 Adobe Bridge 1.0 Adobe Common File Installer Adobe Help Center 1.0 Adobe Photoshop CS2 Adobe Stock Photos 1.0 ASUS WLAN Card Utilities/Driver ATI - Software Uninstall Utility ATI Control Panel ATI Display Driver ATI HYDRAVISION AVG Free Edition BitTornado 0.3.7 CleanUp! Collectorz.com MP3 Collector Cool Edit Pro 2.0 dBpowerAMP AAC Codec dBpowerAMP FLAC Codec dBpowerAMP Music Converter dBpowerAMP Ogg Vorbis Codec DVD Decrypter (Remove Only) DVD Shrink 3.2 ewido anti-spyware 4.0 HijackThis 1.99.1 iScrobbler iTunes J2SE Runtime Environment 5.0 Update 6 Kaspersky Online Scanner Marvell Miniport Driver MaxMSP 4.5.7 Microsoft .NET Framework (English) v1.0.3705 Microsoft .NET Framework 2.0 MixMeister Express 6 Demo Mozilla Firefox (1.5.0.5) Native Instruments Traktor DJ Studio v2.6.1.022 Nero 7 Demo Neuros Synchronization Manager OpenOffice.org 2.0 QuickTime Realtek AC'97 Audio Sony ACID 4.0f SoulSeek Client 156c Spy Sweeper Steam StyleXP (remove only) Tag&Rename 3.1.6 Trillian Update for Windows XP (KB898461) VideoLAN VLC media player 0.8.4a Viewpoint Media Player Winamp (remove only) Windows Installer 3.1 (KB893803) Windows Media Format Runtime WinRAR archiver thanks....

darksource View Member Profile	Jul 29 2006, 01:56 AM Post #5
New Member Posts: 7 OS: xp	also, just to add, the weird thing on my desktop has now just greyed out the desktop area and becomes 'highlighted' whenever I move the cursor over the desktop. when I clicked the desktop and went to 'view source' and properties, I got this: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <!---- *** This file is automatically generated by Microsoft Windows *** --------><HTML><HEAD> <META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD> <BODY bgColor=#000000> <DIV style="BACKGROUND: url(file:///C:/Documents%20and%20Settings/Elliott/Local%20Settings/Application%20Data/Microsoft/Wallpaper1.bmp) no-repeat 50% 50%; LEFT: 0px; WIDTH: 1280px; POSITION: absolute; TOP: 0px; HEIGHT: 1024px"></DIV><IFRAME id=0 style="BACKGROUND: none transparent scroll repeat 0% 0%; LEFT: 0px; WIDTH: 1280px; POSITION: absolute; TOP: 1px; HEIGHT: 968px" name=DeskMovrW marginWidth=0 marginHeight=0 src="file:///C:/WINDOWS/desktop.html" frameBorder=0 scrolling=no subscribed_url="C:\WINDOWS\desktop.html" resizeable="粶鉘檼"> </IFRAME> <OBJECT id=ActiveDesktopMover style="LEFT: 0px; VISIBILITY: hidden; WIDTH: 0px; POSITION: absolute; TOP: 0px; HEIGHT: 0px; container: positioned; zIndex: 5" classid=clsid:72267F6A-A6F9-11D0-BC94-00C04FB67863></OBJECT> <OBJECT id=ActiveDesktopMoverW style="Z-INDEX: -1; LEFT: -1px; VISIBILITY: hidden; WIDTH: 1282px; POSITION: absolute; TOP: 0px; HEIGHT: 970px; container: positioned" classid=clsid:72267F6A-A6F9-11D0-BC94-00C04FB67863></OBJECT>  </BODY></HTML> dunno if that helps with anything, but i figure it couldn't hurt to add.

Flrman1 View Member Profile	Jul 29 2006, 10:27 AM Post #6
Malware Assassin Posts: 6,596 OS: XP Home, XP Pro, Vista	* Click here to download smitRem.exe. Save the file to your desktop. It is a self extracting file. Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop. Do not do anything with it yet. You will run the RunThis.bat file later in safe mode. If the link to SmitRem above is not working try this one. * Click here to download ATF Cleaner by Atribune and save it to your desktop. * Now copy these instructions to notepad and save them to your desktop. You will need them to refer to. * Go to Add/Remove programs and uninstall these: J2SE Runtime Environment 5.0 Update 6 Viewpoint Media Player * Run Hijack This again and put a check by this entry. Close ALL windows except HijackThis and click "Fix checked" O4 - HKLM\..\Run: [mdjbf.exe] C:\WINDOWS\system32\mdjbf.exe * Restart your computer into safe mode now. Perform the following steps in safe mode: * Double-click on Killbox.exe to run it. Put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time: C:\WINDOWS\desktop.html C:\WINDOWS\system32\mdjbf.exe C:\WINDOWS\system32\{A7C7A12F-1277-4DE4-940B-B984BE53F1F7}.exe C:\WINDOWS\system32\{AAAC354C-A10F-4CFC-96CF-3569A7B4C0F1}.exe C:\WINDOWS\system32\{107202BF-9C9C-4140-AF27-BE6CAC1B227E}.exe C:\WINDOWS\system32\{C7A23916-1816-4267-9931-632AB8806C61}.exe Click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box. Killbox may tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any. Exit the Killbox. * Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. * Run ATF Cleaner: Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox: Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera: Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. * Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages". If you see any entry there that is checked, select that entry and click the "Delete" button. Click OK then Apply and OK. * Restart back into Windows normally now. * Now go here and install the latest version of Java. * Go here and do the BitDefender online virus scan. Click "I Agree" to agree to the EULA. Allow the ActiveX control to install when prompted. Click "Click here to scan" to begin the scan. Please refrain from using the computer until the scan is finished. When the scan is finished, click on "Click here to export the scan results" Save the report to your desktop then come back here and attach it to your next reply along with a new Hijack This log.. Note: You have to use Internet Explorer to do the online scan. SmitRem creates a log file with the results of it's fix in C:\smitfiles.txt. Go to your C drive and locate the smitfiles.txt file. Copy and paste the contents of the smitfiles.txt file in your next reply here along with a new HiJackThis log and the results from BitDefender scan This post has been edited by Flrman1: Jul 29 2006, 10:27 AM

Flrman1 View Member Profile	Jul 29 2006, 10:28 AM Post #7
Malware Assassin Posts: 6,596 OS: XP Home, XP Pro, Vista	I had to edit my post. Please check it again before you proceed.

darksource

Jul 29 2006, 02:59 PM

Post #8

New Member

Posts: 7
OS: xp

I went back and did another scan with Kaspersky and selected the 'scan my computer' option this time. This is the scan result:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 29, 2006 1:54:46 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 29/07/2006
Kaspersky Anti-Virus database records: 209772
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 123321
Number of viruses found: 2
Number of infected objects: 10 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:28:32

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Elliott\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Elliott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Elliott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Elliott\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Elliott\Local Settings\History\History.IE5\MSHist012006072920060730\index.dat Object is locked skipped
C:\Documents and Settings\Elliott\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Elliott\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Elliott\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Elliott\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP157\A0019763.exe Infected: Trojan.Win32.DNSChanger.ef skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP157\A0019773.exe Infected: Trojan.Win32.DNSChanger.ef skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP157\A0019782.exe Infected: Trojan.Win32.DNSChanger.ef skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP159\A0022069.exe Infected: Trojan.Win32.DNSChanger.ef skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP160\A0022431.exe Infected: Trojan.Win32.DNSChanger.ef skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP162\A0023431.exe Infected: Trojan.Win32.DNSChanger.ef skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP163\A0024164.exe Infected: Trojan.Win32.DNSChanger.ef skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP164\A0024785.exe Infected: Trojan.Win32.DNSChanger.ef skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP164\A0024786.exe Infected: Trojan.Win32.DNSChanger.ef skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP164\A0024891.exe Infected: not-a-virus:AdWare.Win32.Raze.a skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP165\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd5597.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\