Help Programs Wont Work Right[RESOLVED]


Recommended Posts

I dont know what the problem is but recently I have noticed bad ram lag an I cant get ad-aware or ewido to open, installed spybot but cant open it - somehow I got ad-aware to stay open after reinstalling today, not sure how but now i cant get it open agian - when i scanned it showed some threats - rmeoved an rebooted an cant get it open agian :(

Any help would be AWESOME I'm freakin out - (also curious what makes a pc make tha tloud noise -like a fan is going 100 mph in there or something.. noticed this recently & have heard that a time or 2 in the past)

Heres my log.... Thanks so much to anyone who can help me.

Logfile of HijackThis v1.99.1

Scan saved at 3:40:14 PM, on 2/15/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\STOPzilla!\STOPzilla.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\STOPzilla!\SZQuarantine.exe

C:\Program Files\HijackThis.exe

O2 - BHO: ZILLAbar BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\ZB2.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Link to post
Share on other sites

Hello Tabbydaze.

Please go HERE to run Panda's ActiveScan

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Link to post
Share on other sites

Heres the scan , Thank you :)

Incident Status Location

Adware:adware/securityerror Not disinfected C:\Documents and Settings\Johnston Family\Favorites\Antivirus Test Online.url

Adware:adware/bookedspace Not disinfected c:\windows\CFGMGR52.INI

Adware:adware/maxifiles Not disinfected c:\program files\common files\Download

Virus:Trj/Multidropper.BED Disinfected C:\WINDOWS\SYSTEM32\Setup8823.exe

Spyware:Cookie/PointRoll Not disinfected C:\WINDOWS\TEMP\ZLT008c1.TMP

Adware:Adware/PestTrap Not disinfected C:\Documents and Settings\Johnston Family\Local Settings\Temporary Internet Files\Content.IE5\LZRJDL0E\aprotectedpage[1].htm

Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Johnston Family\Cookies\johnston [email protected][1].txt

Link to post
Share on other sites

Still losing ram & I just tried agian to open ad-aware an it pops up but i dont get a chance to hit scan before its gone. Trendmicro scanned trojan an after 3 scans it was still coming back with stuff.

Logfile of HijackThis v1.99.1

Scan saved at 8:55:55 PM, on 2/15/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HijackThis.exe

O2 - BHO: ZILLAbar BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\ZB2.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Link to post
Share on other sites

Please go here to upload a suspicious file for analysis.

  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File

Open HijackThis, click Config, click Misc Tools

Click "Open Uninstall Manager"

Click "Save List" (generates uninstall_list.txt)

Click Save, copy and paste the results in your next post.

Download GMER from here:

http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.

Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.

Click on Scan.

When the scan has run click Copy and paste the results (if any) into this thread.

So, post back with the Uninstall List, and the GMER Report

Matt

Link to post
Share on other sites

K here is hjk uninstall -

Ad-Aware SE Personal

Adobe Flash Player 9 ActiveX

Adobe Photoshop 7.0

Avance AC'97 Audio

AVG Free Edition

Camera Driver

CompuApps SwissKnife V3

Digital Camera

ewido anti-malware

Free Ram Optimizer XP 1.0

Google Toolbar for Internet Explorer

GTK+ 2.8.9 runtime environment

HijackThis 1.99.1

Hotfix for Windows XP (KB914440)

Hotfix for Windows XP (KB915865)

Hotfix for Windows XP (KB926239)

Icatch(IV) Camera Driver

iTunes

J2SE Runtime Environment 5.0 Update 6

Lexmark Z600 Series

LimeWire 4.12.6

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft User-Mode Driver Framework Feature Pack 1.0

Panda ActiveScan

Photo Explosion SE 2.0

Picturetrail Photo Editor 1.6.8

QuickTime

RealPlayer

Registry Mechanic 5.1

Security Task Manager 1.7

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893066)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896422)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896424)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB905915)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB908531)

Security Update for Windows XP (KB911280)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911567)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB912812)

Security Update for Windows XP (KB912919)

Security Update for Windows XP (KB913446)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB916281)

Security Update for Windows XP (KB917159)

Security Update for Windows XP (KB917344)

Security Update for Windows XP (KB917422)

Security Update for Windows XP (KB917953)

Security Update for Windows XP (KB918439)

Security Update for Windows XP (KB918899)

Security Update for Windows XP (KB919007)

Security Update for Windows XP (KB920213)

Security Update for Windows XP (KB920214)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB921398)

Security Update for Windows XP (KB921883)

Security Update for Windows XP (KB922616)

Security Update for Windows XP (KB922760)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923694)

Security Update for Windows XP (KB923980)

Security Update for Windows XP (KB924191)

Security Update for Windows XP (KB924270)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB925454)

Security Update for Windows XP (KB925486)

Security Update for Windows XP (KB926247)

Security Update for Windows XP (KB926255)

Security Update for Windows XP (KB929969)

STOPzilla!

TurboTax Deluxe Deduction Maximizer 2006

TurboTax ItsDeductible 2006

Update for Windows XP (KB894391)

Update for Windows XP (KB900485)

Update for Windows XP (KB904942)

Update for Windows XP (KB910437)

Update for Windows XP (KB916595)

Update for Windows XP (KB920872)

Update for Windows XP (KB922582)

Veo Stingray

Viewpoint Media Player

Windows Genuine Advantage v1.3.0254.0

Windows Installer 3.1 (KB893803)

Windows Media Format 11 runtime

Windows Media Format 11 runtime

Windows Media Player 11

Windows Media Player 11

Windows Support Tools

Windows XP Hotfix - KB873339

Windows XP Hotfix - KB885250

Windows XP Hotfix - KB885835

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB886185

Windows XP Hotfix - KB887742

Windows XP Hotfix - KB888113

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB891781

Windows XP Uninstall

WinZip

Yahoo! Messenger

Yahoo! Photos Easy Upload Tool

ZoneAlarm

Here is GMER -

GMER 1.0.12.12027 - http://www.gmer.net

Rootkit scan 2007-02-15 22:07:23

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort

SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile

SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey

SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort

SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess

SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx

SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection

SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort

SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile

SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey

SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey

SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject

SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey

SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile

SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess

SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread

SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey

SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort

SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey

SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort

SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile

SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey

SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ B0, BE, 06, F5, C0, 26, 07, ... ]

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ B0, BE, 06, F5, C0, 26, 07, ... ]

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F507DA80] vsdatant.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F507DA80] vsdatant.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F507DA80] vsdatant.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D4185A] avgtdi.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F507DA80] vsdatant.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F507DA80] vsdatant.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F507DA80] vsdatant.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F507DA80] vsdatant.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D4185A] avgtdi.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F507DA80] vsdatant.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F507DA80] vsdatant.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F507DA80] vsdatant.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F507DA80] vsdatant.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D4185A] avgtdi.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F507DA80] vsdatant.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F507DA80] vsdatant.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F507DA80] vsdatant.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F507DA80] vsdatant.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D4185A] avgtdi.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F507DA80] vsdatant.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F507DA80] vsdatant.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F507DA80] vsdatant.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F507DA80] vsdatant.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7D4185A] avgtdi.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F507DA80] vsdatant.sys

---- EOF - GMER 1.0.12 ----

Link to post
Share on other sites

Welcome back.

The file I had you submit turned out to be a keylogger. This means that it is quite likely that a 3rd party has personal information of yours, such as usernames, passwords, etc. Once we are clean, I would highly advise you to change all of your passwords. I would also advise you to keep a close eye on any bank/credit card/paypal/ebay etc accounts that could be compromised.

Please scan with HJT and place a check next to the following item:

O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe

Then make sure all browser windows and other applications are closed, and click the Fix Checked button.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.

    [*]Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe

    [*] Return to Killbox, go to the File menu, and choose Paste from Clipboard.

    [*]Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

When done, post back with a new HJT log and an update on your symptoms.

Matt

Link to post
Share on other sites

Hi :) I can open ad-aware now & the scan shows some junk - also stopzilla is showing some stuff at start up. Trend micro shows stuff every scan (did 3) - memory is still low.

Heres hjk log

Logfile of HijackThis v1.99.1

Scan saved at 6:05:13 PM, on 2/16/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\HijackThis.exe

O2 - BHO: ZILLAbar BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\ZB2.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Link to post
Share on other sites

It looks like you are just about clean. The RAM issue you are experiencing could be unrelated to malware.

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

Matt

Link to post
Share on other sites

Scanning type: Scan system for viruses, rootkits, spyware

Target: C:\

--------------------------------------------------------------------------------

Result: 2 malware found

Possible Browser Hijack attempt (spyware)

System (Disinfected)

W32/Smalldrp.GOJ (virus)

C:\WINDOWS\UNINST123.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 32366

System: 5975

Not scanned: 2

Actions:

Disinfected: 1

Renamed: 0

Deleted: 0

None: 1

Submitted: 1

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

--------------------------------------------------------------------------------

Options

Scanning engines:

F-Secure Libra: 2.4.2, 2007-02-14

F-Secure AVP: 7.0.171, 2007-02-17

F-Secure Orion: 1.2.37, 2007-02-16

F-Secure Blacklight: 1.0.53, 0000-00-00

F-Secure Draco: 1.0.35, 2007-02-09

F-Secure Pegasus: 1.19.0, 2007-01-12

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX

Use Advanced heuristics

Link to post
Share on other sites

Please download FileFind from Atribune.

Unzip the file and save it to your desktop.

To run FileFind, please do the following:

  • Click on FileFind.exe
  • In the box labeled "Directory"
    • Enter C:\

    [*]In the box labeled "File"

    • Enter UNINST123.EXE

    [*]Now click on the "Search" button

    [*]Once the utility has found the files click on "Export"

    [*]A Notepad will open up. Please copy the entire contents of the Notepad and paste them here.

    [*]NOTE: The notepad is saved on your C:\ drive as "Export.txt"

Link to post
Share on other sites

Please go here to upload a suspicious file for analysis.

  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\WINDOWS\uninst123.exe
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File

Post back when you have done so with an update on your symptoms. After the file is analyzed, we can continue. :)

Link to post
Share on other sites

Ok Tabbydaze, the file was analyzed, and it appeared to be clean. Unfortunately, that doesn't help the situation you are currently in. :glare: Can you give me any information on what is coming up when you run scans? I am also going to have you run one more scan of mine.

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please do an online scan with Kaspersky WebScanner

Note: this has to be run in Internet Explorer

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT

  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:

    • Extended (if available otherwise Standard)

    • Scan Options:

    • Scan Archives
      Scan Mail Bases

    [*]Click OK

    [*]Now under select a target to scan:

    • Select My Computer

    [*]This will program will start and scan your system.

    [*]The scan will take a while so be patient and let it run.

    [*]Once the scan is complete it will display if your system has been infected.

    • Now click on the Save as Text button:

    [*]Save the file to your desktop.

    [*]Copy and paste that information in your next post.

Post back with the Kaspersky log, and keep me updated on any issues your computer is still having.

Matt

Link to post
Share on other sites

Hi - Kaspersky Online Scanner aint workin for me, says something about license key. I'll spend a litle time today doing more scans but seems thatr ad-aware picks a list of stuff up every time - trend micro showed stuff each scan as well - even after 3 scans. I havent been able to get on here an work on it - will try more today an send report in later :)

Thanks so much! Heres stopzilla scan below.....

Stopzilla scan -

Media-Codec (trojan)

hklm\software\microsoft\windows\currentversion\policies\explorer\run\rare

hklm\software\microsoft\windows\currentversion\policies\explorer\run\user32.dll

AntiVermins (rogue)

hklm\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\{2acf3add-34a1-4f2f-99cf-cc69785d1e90}

hklm\software\microsoft\windows\currentversion\shellserviceobjectdelayload\exemplars

MarketScore (spyware,adware)

c:\windows\systems32\bsd.exe

BrilliantDigital (adware)

c:\documents and settings\johnston family\local settings\temporary internet files\content.ie518bw3wr\oscan8[1].cab

Link to post
Share on other sites

Alright, what you gave me has helped a lot! Let's continue!

Jotti File Submission:

  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
    • c:\windows\systems32\bsd.exe

    [*] Click on the submit button

    [*] Please post the results in your next reply.

  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.

    [*]Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\documents and settings\johnston family\local settings\temporary internet files\content.ie518bw3wr\oscan8[1].cab

    [*] Return to Killbox, go to the File menu, and choose Paste from Clipboard.

    [*]Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

Finally, post back with the Jotti Results, and the SmitFraudFix Report.

Matt

Link to post
Share on other sites

Hi - can you re-lead me somehow - copied that into jottis, wont open - have no clue where killbox is --- im so overwhelmed at this point that i am in tears... seems i recall using killbox in the start of this? but at this point i am lost.

Link to post
Share on other sites

here is the smitfraud scan.

SmitFraudFix v2.144

Scan done at 17:28:22.79, Thu 02/22/2007

Run from C:\Documents and Settings\Johnston Family\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is FAT32

Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\migicons.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Johnston Family

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Johnston Family\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JOHNST~1\FAVORI~1

C:\DOCUME~1\JOHNST~1\FAVORI~1\Antivirus Test Online.url FOUND !

C:\DOCUME~1\JOHNST~1\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Link to post
Share on other sites

Alright, no worries. ;) Don't worry about Killbox right now, if we need we can go back to it later. Let's go on ahead.

Since you said Jotti wasn't working, we can submit the file to be personally analyzed like the others.

Please go here to upload a suspicious file for analysis.

  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: c:\windows\systems32\bsd.exe
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File

Next:

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Finally, post back with this new SmiFraudFix log, along with a new Stopzilla scan if you can. :)

Matt

Link to post
Share on other sites

I cant find this file - c:\windows\systems32\bsd.exe

Here is the smitfraud.

Thank you so much for all the help :D

SmitFraudFix v2.144

Scan done at 12:15:27.73, Fri 02/23/2007

Run from C:\Program Files\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is FAT32

Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\migicons.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Link to post
Share on other sites

here is a jottis scan windows/uninst123.exe.

Service load: 0% 100%

File: uninst123.exe

Status: INFECTED/MALWARE

MD5 6190e66131f6740b3c616b1839da5342

Packers detected: -

Scanner results

Scan taken on 23 Feb 2007 19:50:56 (GMT)

AntiVir Found ADSPY/DigInk.F adware

ArcaVir Found nothing

Avast Found Win32:Trojan-gen. {Other}

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

F-Secure Anti-Virus Found nothing

Fortinet Found Adware/DigInk

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found W32/Smalldrp.GOJ

VirusBuster Found nothing

VBA32 Found nothing

Edited by Tabbydaze
Link to post
Share on other sites

Alright, let's try again with Killbox.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.

    [*]Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\uninst123.exe

    [*] Return to Killbox, go to the File menu, and choose Paste from Clipboard.

    [*]Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Then, please post back a new Stopzilla Scan if possible.

Matt

Link to post
Share on other sites
Guest
This topic is now closed to further replies.