Limewire virus?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Dpatel, Feb 18, 2008.

  1. Dpatel

    Dpatel Private E-2

    Hi,

    I tried downloading a program from Limewire and my computer has not been working right ever since. I tried System Restore, but it seems to have hijacked this and does not allow me to see previous restore points. Needless to say, I have learned my lesson with using Limewire. I did the initial steps on Read and Run. Can you guys please help me!! Here are the logs. Thanks.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First I have a suggestion to make. You should clean up this user's Desktop:

    C:\Documents and Settings\Dhiren\Desktop

    Cluttered Desktops are easy prey for malware and can also slow your PC down. In addition, it is not a safe place to store things you may need. Move things to a safe, more properly named folder that is not on your Desktop. But to answer the pending question, yes, ComboFix.exe needs to be there for now. We will remove it after we finish your malware removal.

    Your installation of Ad-Aware 2007 appears to be broken and it was not installed into the proper folder anyway. You should uninstall it now.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - Startup: PowerReg Scheduler V3.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O20 - Winlogon Notify: ajzzeebr - ajzzeebr.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Spyware tools\aawservice.exe (file missing)
    O24 - Desktop Component 1: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    Driver::
    SvcProc
     
    File::
    C:\Program Files\Messenger\mywiduho89104.dll
    C:\WINDOWS\lu.dat
    C:\WINDOWS\enhtb.dll
    C:\WINDOWS\system32\ajzzeebr.dll
    C:\WINDOWS\system32\vbzip10.dll
    C:\WINDOWS\svcproc.exe
     
    Folder::
    C:\Documents and Settings\All Users\Application Data\Rabio
    C:\WINDOWS\system32\wd11
    C:\WINDOWS\system32\nGpxx18
    C:\WINDOWS\system32\kp9
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ajzzeebr]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F1239785-074D-49E6-856E-F6D56F33A068}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    After reboot, delete all files in the below folder except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\Dhiren\Local Settings\Temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
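    The HijackThis lines selected above fall into two groups: entries whose target file no longer exists (HijackThis marks these "(no file)" or "(file missing)", so removing the entry only drops a dangling reference) and entries in autostart locations such as Winlogon Notify that malware uses for persistence. The following is an added example of a small triage script for such log lines; it is not a MajorGeeks tool and not part of the original post. The sample input is constructed from the lines quoted above, and the flag rules (orphan markers, O20 hook, unknown-owner service, Startup-folder item) are this example's own heuristics, not HijackThis logic.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the HijackThis lines quoted in the post above.
SAMPLE_HJT_LINES = r"""
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O20 - Winlogon Notify: ajzzeebr - ajzzeebr.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Spyware tools\aawservice.exe (file missing)
O24 - Desktop Component 1: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2
"""

# A HijackThis entry looks like "<section> - <kind>: <detail>"; the kind never
# contains a colon, so the first ": " splits kind from detail (which may hold "C:\").
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<detail>.*)$")

# Markers HijackThis appends when the referenced file does not exist on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class HjtEntry:
    section: str            # e.g. "O20"
    kind: str               # e.g. "Winlogon Notify"
    detail: str             # the rest of the line
    flags: list = field(default_factory=list)


def parse_hjt_line(line):
    """Return an HjtEntry for a log line, or None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return HjtEntry(m["section"], m["kind"], m["detail"])


def triage_entry(entry):
    """Attach review flags to one entry (heuristics of this example)."""
    if any(marker in entry.detail for marker in ORPHAN_MARKERS):
        entry.flags.append("orphan: references a file that no longer exists")
    if entry.section == "O20":
        # Winlogon Notify DLLs load into winlogon.exe at logon, a classic persistence spot.
        entry.flags.append("persistence: Winlogon Notify hook")
    if entry.section == "O23" and "Unknown owner" in entry.detail:
        entry.flags.append("service with no vendor information")
    if entry.section == "O4" and entry.kind == "Startup":
        entry.flags.append("item in the user Startup folder")
    return entry


def triage_log(text):
    """Parse every entry line in a log excerpt and flag it."""
    entries = []
    for line in text.splitlines():
        entry = parse_hjt_line(line)
        if entry is not None:
            entries.append(triage_entry(entry))
    return entries


def flagged(text):
    """Only the entries that earned at least one flag."""
    return [e for e in triage_log(text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_HJT_LINES):
        print(f"{e.section:<4} {e.kind}: {e.detail}")
        for f in e.flags:
            print(f"       -> {f}")
```

    Entries that carry no flag (the QuickTime Run entry, the Active Desktop component) still appear in the expert's fix list above for other reasons, so the script is an aid to reading a log, not a replacement for the review.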
     
  3. Dpatel

    Dpatel Private E-2

    Hi,

    I just did everything you said including try to clean my desktop;). Thank you for helping out. I attached the logs you requested and will let you know how the computer seems to be working. Do you think I should log onto secure sites like my brokerage site yet or just wait till we are sure its fixed?
     

    Attached Files:

  4. Dpatel

    Dpatel Private E-2

    I posted a reply, should I have posted a quick message instead or did I just bump myself down the queue? Also, there is a red X as the symbol for my C: drive, I am not sure how else to assess the performance after the changes.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you did. ;) Any post will bump you to the last place in the queue whether it is an intentional bump or not.


    Did this just occur now or was it there since you first started this thread? Can you attach a readable snapshot of this so we can better understand what it looks like? Use a tool like the one below, which is great for capturing just rectangular areas. It is the second of four programs listed on the page.


    FastStone Capture 6.0

    After attaching this snapshot, apply the below registry patch and tell me if it fixes the red x.


    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    The same way you did before you came here. ;) Are the problems that brought you here gone?


    Do you have any games installed on this PC that required an anticheating or anticracking program to be installed? What I'm questioning is the below service that is hidden on your PC.

    R2 SVKP;SVKP;C:\WINDOWS\System32\SVKP.sys [2004-08-02 16:37]

    This is identified as two possible things. One is related to gaming (the anticheating/cracking - see http://www.bleepingcomputer.com/startups/SVKP-11523.html ) and the other is related to trojans. Many people consider even the way games are using it to be malware.

    Your logs are clean other than the above SVKP.sys file.
     
  6. Dpatel

    Dpatel Private E-2

    The red X was there before I started fixing things, but I am not sure exactly when it appeared. It was definitely after the Limewire download. Your fix did the trick :D. The red X is gone, now I just want to know how it got there. Also, I attached the picture of what it looks like. As far as assessing performance, I noticed that my computer was slow with popups, and the System Restore only let me go back to the time I downloaded the program. The computer is now faster, but I still don't see my old restore points. Are they gone? Also, there are hidden files which I am not sure are normal (I have included a snapshot of some of these in Documents and Settings). The hidden ones are the non-darkened ones. Finally, SVKP.sys may be related, as you said, to anticheating/anticracking software. I have erased most of those games, but I do still have a CD burner, Roxio. How do I find out if this goes to an old file that I erased or one that is in use now?
     

    Attached Files: 1.png (1.1 KB), 2.png (12.4 KB)

    Last edited: Feb 24, 2008
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Possibly, but it really does not matter since we are going to delete all of them anyway as part of our final cleanup. Any restore points could be infected and therefore need to be removed, and then you start from now with a clean PC making new restore points. ;)

    Normal.

    That file has nothing to do with Roxio. It is either for anticheating or a trojan. Do you want to remove it? If yes, use ComboFix as below; otherwise skip to my final instructions.

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    Driver::
    SVKP
    File::
    C:\WINDOWS\System32\SVKP.sys
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
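    Both ComboFix steps in this thread use the same CFScript layout: a header such as Driver::, File::, Folder:: or Registry:: followed by one item per line, with registry keys written as [-KEY] to mark them for deletion. The following is an added example of a parser and sanity checker for that layout, written for this page and not a ComboFix or MajorGeeks tool; it reads the script from the first ComboFix step (embedded here as constructed sample input) and reports entries that would not do what the author intended, such as a relative path or a registry line that is not a recognised hive. The check rules are this example's assumptions about what a well-formed script looks like, not ComboFix's own validation.

```python
import re

# Constructed sample input: the CFScript from the first ComboFix step in this thread.
SAMPLE_CFSCRIPT = r"""Driver::
SvcProc

File::
C:\Program Files\Messenger\mywiduho89104.dll
C:\WINDOWS\lu.dat
C:\WINDOWS\enhtb.dll
C:\WINDOWS\system32\ajzzeebr.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\svcproc.exe

Folder::
C:\Documents and Settings\All Users\Application Data\Rabio
C:\WINDOWS\system32\wd11
C:\WINDOWS\system32\nGpxx18
C:\WINDOWS\system32\kp9
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ajzzeebr]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F1239785-074D-49E6-856E-F6D56F33A068}]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")          # "File::", "Registry::", ...
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")               # drive letter plus backslash
REG_LINE_RE = re.compile(r"^\[(-?)([^\\\]]+)\\(.+)\]$")  # [-HIVE\sub\key]
KNOWN_HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER",
               "HKEY_CLASSES_ROOT", "HKEY_USERS")


def parse_cfscript(text):
    """Split a CFScript into {section_name: [entry, ...]}; blank lines are ignored."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def validate_cfscript(sections):
    """Return a list of human-readable problems; an empty list means the script looks sane."""
    problems = []
    for path in sections.get("File", []) + sections.get("Folder", []):
        if not ABS_PATH_RE.match(path):
            problems.append(f"not an absolute Windows path: {path}")
    for entry in sections.get("Registry", []):
        m = REG_LINE_RE.match(entry)
        if not m:
            problems.append(f"malformed registry line: {entry}")
            continue
        minus, hive, _subkey = m.groups()
        if hive not in KNOWN_HIVES:
            problems.append(f"unknown registry hive {hive!r} in: {entry}")
        if not minus:
            # Without the leading '-' the key is not marked for deletion.
            problems.append(f"registry key lacks the '-' deletion marker: {entry}")
    return problems


def summarize(sections):
    """Count entries per section so the script's scope can be checked before use."""
    return {name: len(items) for name, items in sections.items()}


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    print(summarize(parsed))
    for problem in validate_cfscript(parsed) or ["no problems found"]:
        print(problem)
```

    Running it on the thread's script reports six files, four folders, one driver and three registry deletions with no problems; feeding it a relative path such as WINDOWS\lu.dat instead produces a single "not an absolute Windows path" line, which is the kind of typo that would otherwise silently leave a file in place.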
     
  8. Dpatel

    Dpatel Private E-2

    I can't thank you enough for your help. I did everything you said and enabled the System Restore....SO now how do I know the virus is gone, or is it like Hepatitis C, where it never really goes away :confused. The How to Protect Yourself from Malware FAQ has a link to a Microsoft site that says maybe you can never get rid of the back doors. Is my computer really safe?? For example, under C:/Documents and Settings/Dhiren, I have Temp.Glasshouses (my computer name is glasshouse), and within these folders there are .limewire folders, which I thought I erased. Should I run any final scans? Below is the combofix.txt you requested, but it looks like it last updated on 2-20, the old file date; I can't find a new updated combofix.txt. Another thing is Superantispyware still has a quarantined file, do I need to erase that? Also, I was thinking of downloading Limewire again to see if that reintroduces the virus, because one of the things I noticed is that the virus made my computer a source for shared documents that were not mine. Any advice? Finally, I did not do any of the removal procedures while in safe boot mode, will that affect the results of what we have done? Thanks again!!
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean and you did not have a badly infected PC. You are probably okay but there are no guarantees. That is just the way it is. If you are paranoid about security, you should delete your partition WITHOUT backing up any information, and then go thru a total reinstall. But if you don't keep your PC from getting malware by having proper protection and learning good surfing habits, then you will be doing this all the time.

    You don't have any malware based on your logs. I don't know how many times you want to hear this. Again if you are that worried, reinstall but do not back anything up because if you are that paranoid you could be backing up malware.

    This is just another reason why the How to protect yourself thread specifies not to use P2P programs. Some programs do bad things like this and create folders in C:\Documents and Settings to give themselves user-account-like folders. Sorry you or another user of the PC installed Limewire. And if you are so concerned about security as your questions imply, then why did you install a P2P program? You can just delete these TEMP folders.

    No! We are finished. You could run a dozen other scans and you may see that each finds a few miscellaneous things but you don't have any major active malware based on your logs.

    You did not attach anything. Did you actually perform the procedure with ComboFix? If you still have an old log date, it means you did not run the procedure.

    You can delete quarantine files from any scanner as soon as you are sure you do not need them. They just serve as backups, just in case something is deleted that should not be.

    Read the how to protect yourself link again and don't use any P2P programs or torrent programs. They will open folders for sharing. Also since you are so worried about security, stay off of the online casino and poker sites.

    No! We did not ask you to run anything in safe boot mode. We would only do that if having problems removing something.
     
