help! Computer #2

mlydell · Oct 9, 2006

This is my second computer. I posted the first one last night. This is my sons and the worst so far.I was able to run all the scans except for Panda - IE kept popping up and then shut down all the windows so i couldnt finish it.Now the button for attachments is missing. What should i do - post them in the post?I HAVENT TOGGLED SYSTEM RESTORE AS IT SAID TO WAIT UNTIL ALL MALWARE WAS GONE AND THIS ONE IS FAR FROM CLEAN.Please help asap!! Thanks!

mlydell · Oct 10, 2006

I've tried seveal times to get a post to come up that will let me attach the logs. The button is just missing. I know this is long, but here is the HijackThis log - will this help?

Thanks

DavidGP · Oct 10, 2006

Hi if you cannot post the others after running through the whole guide post them in-line and one of us will attach them.

mlydell · Oct 11, 2006

I've messed myself up....

Since I have 4 posts going on 4 computers I managed to mix up which one was which cuz I didnt look at my notes carefully enough.

This post is for computer #2, and I read the reply from chaslang to run a scan and repost logs, which I did, but i did it on this computer. I downloaded and ran a look2me tool, and reposted the logs. I'll go correct it on that thread later, but i'm attaching the current logs from this computer.

I'm not able to attach posts, so something must have got fixed.

These logs are the first ones I ran - bdscan and runkeys. i'll put another reply on this post with the new logs from today - an updated HJT and NewFiles log.

I wasnt able to complete the panda scan.

mlydell · Oct 11, 2006

Here are todays logs:

HJT LOg:

Logfile of HijackThis v1.99.1
Scan saved at 11:47:31 PM, on 10/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defendear\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\Yinstall.exe
C:\windows\system32\stonedrv.exe
C:\WINDOWS\sys10-455325707.exe
C:\dfndrff_e25.exe
C:\kybrdff_e24.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Duce6.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\{E4DC47F5-06FE-1033-0124-060503140001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\PSDream\PSDream.exe
C:\Program Files\Batty2\Batty2.exe
C:\Program Files\CMFibula\CMFibula.exe
C:\WINDOWS\system32\SSTEM~1\notepad.exe
C:\WINDOWS\??mantec\logonui.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\analysis.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6440
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
R3 - URLSearchHook: (no name) - {99F9C78D-584A-54C3-3BE5-26800B4B549E} - C:\WINDOWS\system32\ovpc.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {99F9C78D-584A-54C3-3BE5-26800B4B549E} - C:\WINDOWS\system32\ovpc.dll
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - C:\Program Files\X Password Manager\iesplugin.dll (file missing)
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\Yinstall.exe
O4 - HKLM\..\Run: [ndr5fffa] RUNDLL32.EXE w51e21bc.dll,n 0055fff50000000351e21bc
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [sys10-455325707] C:\WINDOWS\sys10-455325707.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e25.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e24.exe
O4 - HKLM\..\Run: [SvcManager] alg0.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe"
O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [CMFibula] "C:\Program Files\CMFibula\CMFibula.exe"
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\system32\SSTEM~1\notepad.exe" -vt yazb
O4 - HKCU\..\Run: [Relb] C:\WINDOWS\??mantec\logonui.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148238211484
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{795A1E05-28BC-4B89-8F1D-46D4DD216D41}: NameServer = 10.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{795A1E05-28BC-4B89-8F1D-46D4DD216D41}: NameServer = 10.0.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{795A1E05-28BC-4B89-8F1D-46D4DD216D41}: NameServer = 10.0.0.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - C:\Program Files\Batty2\Batty2.dll
O20 - AppInit_DLLs: BattyRun2.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

==================
New Files Log:

******************************************************************************
* ShowNew.Bat - (c) 07/01/2006 By Chaslang *
* *
* 09/28/2006 Version 0.18 beta - Added display of *
* - if OS is not supported, print to log file *
* - C:\Documents and Settings\All Users\Start Menu *
* - C:\Documents and Settings\All Users\Desktop *
* - Username\Application Data\*.* *
* - Username\Local Settings\Application Data\*.* *
* - AllUserName\Local Settings\Application Data\*.* *
******************************************************************************
* Most of the information reported below is not necessarily bad. You must *
* not take any steps on any of these lines without consulting an expert. *
******************************************************************************

Windows OS is

Microsoft Windows XP [Version 5.1.2600]
It's Mon October 9, 2006 11:46:54 PM

******************************************************************************
ShowNew installation folder and files

"C:\Cleanup\ShowNew\ShowNew\"
grep.exe Apr 14 2003 80412 "grep.exe"
locate.com Jan 13 2005 11254 "locate.com"
ltime.exe Oct 28 1986 13184 "ltime.exe"
shownew.bat Sep 28 2006 31158 "ShowNew.bat"

4 items found: 4 files, 0 directories.
Total of file sizes: 136,008 bytes 132.82 K

******************************************************************************

System Environment Variables
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BRIANLAP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\BRIANLAP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 36 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2402
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=BRIANLAP
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS

******************************************************************************

Showing any Pocket Killbox backup files

No matches found.

******************************************************************************

Not All Files Found are bad files: DO NOT TOUCH THEM WITHOUT EXPERT HELP!!!!
******************************************************************************

Locating all files created in C:\Documents and Settings\Owner\Desktop within the last 90 days.

"C:\Documents and Settings\Owner\Desktop\"
ccleaner.lnk Oct 8 2006 1548 "CCleaner.lnk"
DC Aug 3 2006 "DC"
DOCSAN~1 Jul 13 2006 "Docs and files"
dotnetfx.exe Oct 1 2006 23510720 "dotnetfx.exe"
dotnet~1.exe Oct 1 2006 24265736 "dotnetfx(2).exe"
FCEU-0~1.WIN Aug 3 2006 "fceu-0.98.12.win"
ipodcopy.lnk Oct 2 2006 2419 "iPodCopy.lnk"
IPODCO~1 Oct 1 2006 "iPodCopy57"
ipodco~1.zip Oct 1 2006 1155635 "iPodCopy57.zip"
IPODRIP Oct 1 2006 "iPodRip"
ipodrip.dmg Oct 1 2006 1164984 "iPodRip.dmg"
ipodrip.lnk Oct 1 2006 2477 "iPodRip.lnk"
ipodrip.zip Oct 1 2006 709525 "iPodRip.zip"
laptop~1.doc Oct 8 2006 19968 "Laptop Cleanup logs.doc"
LOGSBR~1 Oct 9 2006 "Logs BrianLap"
look2m~1.exe Oct 9 2006 40960 "Look2Me-Destroyer.exe"
look2m~1.txt Oct 9 2006 783 "Look2Me-Destroyer.txt"
MUSIC Oct 1 2006 "Music"
ndp11s~1.exe Oct 1 2006 10703680 "NDP1.1sp1-KB867460-X86.exe"
playl2~1.lnk Jul 24 2006 783 "Play L2extreme.lnk"
setup.exe Oct 1 2006 111366152 "setup.exe"
shortc~1.lnk Oct 8 2006 376 "Shortcut to Cleanup.lnk"
shortc~2.lnk Oct 9 2006 661 "Shortcut to analysis.exe.lnk"
spybot~1.lnk Oct 8 2006 933 "Spybot - Search & Destroy.lnk"
WGENS211 Aug 4 2006 "wgens211"
ZSNES Aug 4 2006 "ZSNES"

26 items found: 17 files, 9 directories.
Total of file sizes: 172,947,340 bytes 164.93 M
******************************************************************************

Locating all files created in C:\Documents and Settings\Owner\Start Menu\Programs\Startup within the last 90 days.

"C:\Documents and Settings\Owner\Start Menu\Programs\Startup\"
webshots.lnk Jul 17 2006 676 "Webshots.lnk"

1 item found: 1 file, 0 directories.
Total of file sizes: 676 bytes 0.66 K
******************************************************************************

Locating all files created in C:\Documents and Settings\All Users\Start Menu within the last 90 days.

"C:\Documents and Settings\All Users\Start Menu\"
online~1.url Sep 13 2006 119 "Online Security Guide.url"
securi~1.url Sep 13 2006 117 "Security Troubleshooting.url"

2 items found: 2 files, 0 directories.
Total of file sizes: 236 bytes 0.23 K
******************************************************************************

Locating all files created in C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ within the last 90 days.

No matches found.
******************************************************************************

Locating all files created in C:\Documents and Settings\All Users\Desktop\ within the last 90 days.

No matches found.
******************************************************************************

Locating all files created in C:\Documents and Settings\Owner\Application Data\ within the last 90 days.

"C:\Documents and Settings\Owner\Application Data\"
GOOGLE Sep 10 2006 "Google"
IGN_DLM Jul 21 2006 "IGN_DLM"
MOZILLA Jul 28 2006 "Mozilla"
MP3ROC~1 Jul 19 2006 "MP3Rocket"
SUN Jul 28 2006 "Sun"
TALKBACK Jul 28 2006 "Talkback"
THUNDE~1 Jul 28 2006 "Thunderbird"

7 items found: 0 files, 7 directories.
******************************************************************************

Locating all files created in C:\Documents and Settings\Owner\Local Settings\Application Data\ within the last 90 days.

"C:\Documents and Settings\Owner\Local Settings\Application Data\"
APPLIC~1 Oct 1 2006 "ApplicationHistory"
gdipfo~1.dat Jul 23 2006 40144 "GDIPFONTCACHEV1.DAT"
iconca~1.db Oct 9 2006 4315074 "IconCache.db"
MICROS~2 Oct 1 2006 "Microsoft Help"
MOZILLA Jul 28 2006 "Mozilla"
THUNDE~1 Jul 28 2006 "Thunderbird"

6 items found: 2 files (1 H/S), 4 directories.
Total of file sizes: 4,355,218 bytes 4.15 M
******************************************************************************

Locating all files created in C:\Documents and Settings\All Users\Application Data\ within the last 90 days.

"C:\Documents and Settings\All Users\Application Data\"
GOOGLE Sep 6 2006 "Google"
MICROS~2 Oct 1 2006 "Microsoft Help"
qtsban~1 Aug 27 2006 1350 "QTSBandwidthCache"

3 items found: 1 file, 2 directories.
Total of file sizes: 1,350 bytes 1.32 K
******************************************************************************

Locating all files created in C:\Program Files\ within the last 90 days.

"C:\Program Files\"
BATTY2 Oct 8 2006 "Batty2"
BROWSE~1 Jul 23 2006 "Browser Hijack Recover"
CMFIBULA Oct 5 2006 "CMFibula"
DESKBAR Oct 5 2006 "Deskbar"
HJT Oct 8 2006 "HJT"
IGN Jul 21 2006 "IGN"
INETGET2 Oct 9 2006 "InetGet2"
IPOD Jul 20 2006 "iPod"
ITUNES Jul 20 2006 "iTunes"
LINEAG~1 Jul 22 2006 "Lineage II"
MICROS~1.NET Oct 1 2006 "Microsoft.NET"
MICROS~2.NET Oct 1 2006 "Microsoft Visual Studio .NET 2003"
MOZILL~1 Jul 28 2006 "Mozilla Firefox"
MOZILL~2 Jul 28 2006 "Mozilla Thunderbird"
MP3ROC~1 Jul 19 2006 "MP3 Rocket"
NRBSOF~1 Oct 2 2006 "nrbsoftware"
PSDREAM Oct 5 2006 "PSDream"
SECURI~1 Jul 23 2006 "Security Toolbar"
SPYWAR~1 Jul 23 2006 "Spyware Doctor"
THELIT~1 Oct 1 2006 "The Little App Factory"
VIRUS-~1 Sep 13 2006 "Virus-Burst"
WINDOW~4 Oct 8 2006 "Windows Defender"
WINRAR Jul 24 2006 "WinRAR"

23 items found: 0 files, 23 directories.
******************************************************************************

Locating all files created in C:\Program Files\Common Files\ within the last 90 days.

"C:\Program Files\Common Files\"
DIRECTX Aug 3 2006 "DirectX"
yazzle~1.exe Aug 16 2006 153600 "Yazzle1122OinAdmin.exe"
yazzle~2.exe Oct 9 2006 93633 "Yazzle1122OinUninstaller.exe"
{34DC4~1 Oct 5 2006 "{34DC47F5-06FE-1033-0124-060503140001}"
{E4DC4~1 Oct 8 2006 "{E4DC47F5-06FE-1033-0124-060503140001}"

5 items found: 2 files (2 H/S), 3 directories.
Total of file sizes: 247,233 bytes 241.44 K
******************************************************************************

Locating all files created in C:\Program Files\Common Files\Microsoft Shared\Web Folders within the last 120 days.

"C:\Program Files\Common Files\Microsoft Shared\Web Folders\"
ibm00001.dll Oct 9 2006 76288 "ibm00001.dll"
ibm00001.exe Oct 9 2006 1024 "ibm00001.exe"
ibm00002.dll Oct 9 2006 65536 "ibm00002.dll"

3 items found: 3 files, 0 directories.
Total of file sizes: 142,848 bytes 139.50 K
******************************************************************************

Locating all files created in C:\ within the last 90 days.

"C:\"
$VAULT$.AVG Oct 5 2006 "$VAULT$.AVG"
bjxqyir.exe Oct 9 2006 1465 "bjxqyir.exe"
CLEANUP Oct 8 2006 "Cleanup"
clqbvkox.exe Oct 9 2006 15104 "clqbvkox.exe"
dbg.txt Oct 5 2006 179 "dbg.txt"
deskbar.exe Sep 19 2006 251352 "deskbar.exe"
deskba~1.exe Oct 5 2006 659697 "deskbar_e21.exe"
deskba~2.exe Oct 9 2006 671985 "deskbar_e25.exe"
dfndrf~1.exe Oct 9 2006 376832 "dfndrff_e25.exe"
dfndrf~2.exe Oct 6 2006 372736 "dfndrff_e24.exe"
kybrdf~2.exe Oct 6 2006 364544 "kybrdff_e24.exe"
mcydp.exe Oct 9 2006 76800 "mcydp.exe"
newfiles.txt Oct 9 2006 12026 "newfiles.txt"
nwnmff~2.exe Oct 6 2006 364544 "nwnmff_e24.exe"
ovard.exe Oct 9 2006 77312 "ovard.exe"
ovvpecjh.exe Oct 5 2006 1465 "ovvpecjh.exe"
pagefile.sys Oct 9 2006 1509949440 "pagefile.sys"
runkeys.txt Oct 9 2006 15181 "runkeys.txt"
tmpnew~1.txt Oct 9 2006 8198 "tmpnewfiles.txt"
uniq Oct 9 2006 0 "uniq"
ydiegyf.exe Oct 9 2006 40958 "ydiegyf.exe"

21 items found: 19 files (1 H/S), 2 directories (1 H/S).
Total of file sizes: 1,513,259,818 bytes 1.41 G
******************************************************************************

Locating all files created in C:\WINDOWS\Downloaded Program Files\ within the last 90 days.

"C:\WINDOWS\Downloaded Program Files\"
asinst.dll Aug 24 2006 141424 "asinst.dll"
asinst.inf Aug 22 2006 537 "asinst.inf"
speedt~1.dll Oct 9 2006 205264 "speedtest2.dll"

3 items found: 3 files, 0 directories.
Total of file sizes: 347,225 bytes 339.09 K
******************************************************************************

Locating .EXE files created in C:\WINDOWS within the last 360 days.

"C:\WINDOWS\"
876056.exe Jun 19 2006 139264 "876056.exe"
bdosca~1.exe May 25 2006 53248 "bdoscandel.exe"
c.exe Oct 5 2006 115712 "c.exe"
duce6.exe Oct 5 2006 106496 "Duce6.exe"
jcjwpual.exe Oct 6 2006 32768 "jcjwpual.exe"
mny.exe Oct 5 2006 115947 "mny.exe"
srvoxm~1.exe Oct 5 2006 217276 "srvoxmxmap.exe"
srvyko~1.exe Oct 5 2006 183478 "srvykoccsc.exe"
sys10-~1.exe Oct 5 2006 163840 "sys10-455325707.exe"
uninst~1.exe Sep 15 2006 53248 "uninst108.exe"
uni_e6h.exe Sep 15 2006 53248 "uni_e6h.exe"
yinstall.exe Oct 5 2006 176640 "Yinstall.exe"

12 items found: 12 files, 0 directories.
Total of file sizes: 1,411,165 bytes 1.34 M
******************************************************************************

Locating .EXE files created in C:\WINDOWS\system32 within the last 90 days.

"C:\WINDOWS\system32\"
asuninst.exe Aug 2 2006 73728 "asuninst.exe"
c.exe Oct 5 2006 115712 "c.exe"
fltmc.exe Aug 21 2006 23040 "fltmc.exe"
mny.exe Oct 5 2006 115947 "mny.exe"
mrt.exe Sep 11 2006 8960936 "MRT.exe"
stonedrv.exe Oct 9 2006 15104 "stonedrv.exe"
themat~1.exe Oct 9 2006 1232 "TheMatrixHasYou.exe"
wintsu.exe Oct 9 2006 2 "wintsu.exe"

8 items found: 8 files, 0 directories.
Total of file sizes: 9,305,701 bytes 8.87 M
******************************************************************************

Locating .DLL files created in C:\WINDOWS within the last 360 days.

No matches found.
******************************************************************************

Locating .DLL files created in C:\WINDOWS\System32 within the last 90 days.

"C:\WINDOWS\system32\"
battyr~1.dll Aug 7 2006 61440 "BattyRun2.dll"
fltlib.dll Aug 21 2006 16896 "fltlib.dll"
hlink.dll Jul 21 2006 72704 "hlink.dll"
inetcomm.dll Jul 27 2006 679424 "inetcomm.dll"
mshtml.dll Jul 28 2006 3058176 "mshtml.dll"
netapi32.dll Jul 14 2006 332288 "netapi32.dll"
oqabf.dll Sep 13 2006 176128 "oqabf.dll"
ovpc.dll Aug 31 2006 126976 "ovpc.dll"
shell32.dll Jul 13 2006 8453632 "shell32.dll"
urlmon.dll Jul 25 2006 615424 "urlmon.dll"

10 items found: 10 files, 0 directories.
Total of file sizes: 13,593,088 bytes 12.96 M
******************************************************************************

Locating .TMP files created in C:\WINDOWS\System32 within the last 90 days.

No matches found.
******************************************************************************

Locating .INI files created in C:\WINDOWS\System32 within the last 90 days.

"C:\WINDOWS\system32\"
inistone.ini Oct 5 2006 0 "inistone.ini"
perfst~1.ini Oct 1 2006 459792 "PerfStringBackup.INI"

2 items found: 2 files, 0 directories.
Total of file sizes: 459,792 bytes 449.02 K
******************************************************************************

Locating .DAT files created in C:\WINDOWS\System32 within the last 90 days.

"C:\WINDOWS\system32\"
fntcache.dat Jul 23 2006 160344 "FNTCACHE.DAT"
perfc009.dat Oct 1 2006 62688 "perfc009.dat"
perfh009.dat Oct 1 2006 401192 "perfh009.dat"

3 items found: 3 files, 0 directories.
Total of file sizes: 624,224 bytes 609.59 K
******************************************************************************

Locating all files created in C:\WINDOWS\System32\components within the last 90 days.
This folder is now being used by Trojan.FakeAlert.CX aka SmitFraud

No matches found.
******************************************************************************

Locating C:\WINDOWS\TEMP files created with in the last 90 days.

"C:\WINDOWS\Temp\"
$_2341~1.tmp Oct 9 2006 27606 "$_2341234.TMP"
$_2341~2.tmp Oct 9 2006 48172 "$_2341233.TMP"
$_2341~3.tmp Oct 9 2006 8 "$_2341235.TMP"
ASHEUR~1 Oct 9 2006 "ASHeuristic"
COOKIES Oct 8 2006 "Cookies"
HISTORY Oct 8 2006 "History"
mpcmdrun.log Oct 9 2006 634 "MpCmdRun.log"
TEMPOR~1 Oct 8 2006 "Temporary Internet Files"
WEBSHO~1 Oct 8 2006 "WebshotsTemp"
wgaerr~1.txt Oct 9 2006 255 "WGAErrLog.txt"
wganot~1.set Oct 9 2006 409 "WGANotify.settings"
~df967a.tmp Oct 9 2006 16384 "~DF967A.tmp"

12 items found: 7 files (2 H/S), 5 directories (3 H/S).
Total of file sizes: 93,468 bytes 91.28 K
******************************************************************************

Locating C:\Documents and Settings\Owner\Local Settings\TEMP files created within the last 90 days.

"C:\Documents and Settings\Owner\Local Settings\Temp\"
$b17a2e8.tmp Oct 9 2006 0 "$b17a2e8.tmp"
AUOS Oct 9 2006 "Auos"
b116.exe Oct 9 2006 231252 "b116.exe"
COOKIES Oct 8 2006 "Cookies"
dfc5a2b2.tmp Oct 6 2006 121 "DFC5A2B2.TMP"
HISTORY Oct 8 2006 "History"
newspl~1.exe Oct 9 2006 7680 "newsploit.exe"
TEMPOR~1 Oct 8 2006 "Temporary Internet Files"
VBE Oct 8 2006 "VBE"
WEBSHO~1 Oct 8 2006 "WebshotsTemp"

10 items found: 4 files (1 H/S), 6 directories (3 H/S).
Total of file sizes: 239,053 bytes 233.45 K
******************************************************************************

Locating .COM files in the C:\WINDOWS\System32 folder

"C:\WINDOWS\system32\"
chcp.com Aug 4 2004 7680 "chcp.com"
command.com Aug 4 2004 50620 "command.com"
diskcomp.com Aug 4 2004 9216 "diskcomp.com"
diskcopy.com Aug 4 2004 7168 "diskcopy.com"
edit.com Aug 4 2004 69886 "edit.com"
format.com Aug 4 2004 25600 "format.com"
graftabl.com Aug 4 2004 26112 "graftabl.com"
graphics.com Aug 4 2004 19694 "graphics.com"
kb16.com Aug 4 2004 14710 "kb16.com"
loadfix.com Aug 4 2004 1131 "loadfix.com"
locate.com Jan 13 2005 11254 "locate.com"
mode.com Aug 4 2004 19456 "mode.com"
more.com Aug 4 2004 15872 "more.com"
tree.com Aug 4 2004 11264 "tree.com"
win.com Aug 4 2004 18432 "win.com"

15 items found: 15 files, 0 directories.
Total of file sizes: 308,095 bytes 300.87 K
******************************************************************************

Checking for .COM files to Delete. They will only print if deleted!

******************************************************************************

Dumping HKLM Uninstall Programs list

"DisplayName"="Ad-Aware SE Personal"
"DisplayName"="Adobe Creative Suite"
"DisplayName"="Adobe Reader 7.0"
"DisplayName"="Adobe Shockwave Player"
"DisplayName"="Adobe SVG Viewer 3.0"
"DisplayName"="America's Army"
"DisplayName"="ATI - Software Uninstall Utility"
"DisplayName"="ATI Control Panel"
"DisplayName"="ATI Display Driver"
"DisplayName"="AVG Free Edition"
"DisplayName"="Broadcom 802.11 Network Adapter"
"DisplayName"="Browser Address Error Redirector"
"DisplayName"="Browser Hijack Recover(BHR) 2.3"
"DisplayName"="CCleaner (remove only)"
"DisplayName"="Conexant AC-Link Audio"
"DisplayName"="DVD Solution"
"DisplayName"="GameSpy Arcade"
"DisplayName"="Google Toolbar for Internet Explorer"
"DisplayName"="HijackThis 1.99.1"
"DisplayName"="Hotfix for Windows XP (KB893357)"
"DisplayName"="Hotfix for Windows XP (KB895953)"
"DisplayName"="Hotfix for Windows XP (KB896256)"
"DisplayName"="Hotfix for Windows XP (KB896344)"
"DisplayName"="Hotfix for Windows XP (KB906569)"
"DisplayName"="IGN Download Manager 2.2.1"
"DisplayName"="InterActual Player"
"DisplayName"="Internet Explorer Security Plugin 2006"
"DisplayName"="Internet Security Add-On"
"DisplayName"="iPodCopy"
"DisplayName"="iPodRip"
"DisplayName"="iTunes"
"DisplayName"="iTunes"
"DisplayName"="J2SE Runtime Environment 5.0 Update 2"
"DisplayName"="LimeWire 4.12.6"
"DisplayName"="Lineage II"
"DisplayName"="Macromedia Flash Player 8"
"DisplayName"="MediaTickets by OIN"
"DisplayName"="Microsoft .NET Framework 1.1"
"DisplayName"="Microsoft .NET Framework 2.0"
"DisplayName"="Microsoft .NET Framework 2.0"
"DisplayName"="Microsoft .NET Framework SDK (English) 1.1"
"DisplayName"="Microsoft Digital Image Library 9 - Blocker"
"DisplayName"="Microsoft Digital Image Starter Edition 2006 Editor"
"DisplayName"="Microsoft Digital Image Starter Edition 2006 Library"
"DisplayName"="Microsoft Digital Image Starter Edition 2006"
"DisplayName"="Microsoft Halo"
"DisplayName"="Microsoft Office Standard Edition 2003"
"DisplayName"="Microsoft Works"
"DisplayName"="Mozilla Firefox (1.5.0.7)"
"DisplayName"="Mozilla Thunderbird (1.5)"
"DisplayName"="MSN Messenger 7.5"
"DisplayName"="MSXML 4.0 SP2 Parser and SDK"
"DisplayName"="Napster Burn Engine"
"DisplayName"="Napster"
"DisplayName"="Panda ActiveScan"
"DisplayName"="Power2Go 4.0"
"DisplayName"="PowerDVD"
"DisplayName"="Public Messenger ver 2.03"
"DisplayName"="QuickTime"
"DisplayName"="QuickTime"
"DisplayName"="Recovery Software Suite Gateway"
"DisplayName"="Safety Alerter 2006"
"DisplayName"="Search Bar"
"DisplayName"="Security Toolbar"
"DisplayName"="Security Update for Microsoft .NET Framework 2.0 (KB917283)"
"DisplayName"="Security Update for Step By Step Interactive Training (KB898458)"
"DisplayName"="Security Update for Windows Media Player (KB911564)"
"DisplayName"="Security Update for Windows Media Player 10 (KB911565)"
"DisplayName"="Security Update for Windows Media Player 10 (KB917734)"
"DisplayName"="Security Update for Windows XP (KB883939)"
"DisplayName"="Security Update for Windows XP (KB890046)"
"DisplayName"="Security Update for Windows XP (KB893756)"
"DisplayName"="Security Update for Windows XP (KB896358)"
"DisplayName"="Security Update for Windows XP (KB896422)"
"DisplayName"="Security Update for Windows XP (KB896423)"
"DisplayName"="Security Update for Windows XP (KB896424)"
"DisplayName"="Security Update for Windows XP (KB896428)"
"DisplayName"="Security Update for Windows XP (KB896688)"
"DisplayName"="Security Update for Windows XP (KB899587)"
"DisplayName"="Security Update for Windows XP (KB899588)"
"DisplayName"="Security Update for Windows XP (KB899589)"
"DisplayName"="Security Update for Windows XP (KB899591)"
"DisplayName"="Security Update for Windows XP (KB900725)"
"DisplayName"="Security Update for Windows XP (KB901017)"
"DisplayName"="Security Update for Windows XP (KB901190)"
"DisplayName"="Security Update for Windows XP (KB901214)"
"DisplayName"="Security Update for Windows XP (KB902400)"
"DisplayName"="Security Update for Windows XP (KB903235)"
"DisplayName"="Security Update for Windows XP (KB904706)"
"DisplayName"="Security Update for Windows XP (KB905414)"
"DisplayName"="Security Update for Windows XP (KB905749)"
"DisplayName"="Security Update for Windows XP (KB905915)"
"DisplayName"="Security Update for Windows XP (KB908519)"
"DisplayName"="Security Update for Windows XP (KB911280)"
"DisplayName"="Security Update for Windows XP (KB911562)"
"DisplayName"="Security Update for Windows XP (KB911567)"
"DisplayName"="Security Update for Windows XP (KB911927)"
"DisplayName"="Security Update for Windows XP (KB912812)"
"DisplayName"="Security Update for Windows XP (KB912919)"
"DisplayName"="Security Update for Windows XP (KB913446)"
"DisplayName"="Security Update for Windows XP (KB913580)"
"DisplayName"="Security Update for Windows XP (KB914388)"
"DisplayName"="Security Update for Windows XP (KB914389)"
"DisplayName"="Security Update for Windows XP (KB916281)"
"DisplayName"="Security Update for Windows XP (KB917159)"
"DisplayName"="Security Update for Windows XP (KB917344)"
"DisplayName"="Security Update for Windows XP (KB917422)"
"DisplayName"="Security Update for Windows XP (KB917953)"
"DisplayName"="Security Update for Windows XP (KB918439)"
"DisplayName"="Security Update for Windows XP (KB918899)"
"DisplayName"="Security Update for Windows XP (KB919007)"
"DisplayName"="Security Update for Windows XP (KB920214)"
"DisplayName"="Security Update for Windows XP (KB920670)"
"DisplayName"="Security Update for Windows XP (KB920683)"
"DisplayName"="Security Update for Windows XP (KB920685)"
"DisplayName"="Security Update for Windows XP (KB921398)"
"DisplayName"="Security Update for Windows XP (KB921883)"
"DisplayName"="Security Update for Windows XP (KB922616)"
"DisplayName"="Security Update for Windows XP (KB925486)"
"DisplayName"="Soft Data Fax Modem with SmartCP"
"DisplayName"="Spybot - Search & Destroy 1.4"
"DisplayName"="Synaptics Pointing Device Driver"
"DisplayName"="Texas Instruments PCIxx21/x515/xx12 drivers."
"DisplayName"="TIPCI"
"DisplayName"="Update for Windows XP (KB894391)"
"DisplayName"="Update for Windows XP (KB896727)"
"DisplayName"="Update for Windows XP (KB898461)"
"DisplayName"="Update for Windows XP (KB900485)"
"DisplayName"="Update for Windows XP (KB908531)"
"DisplayName"="Update for Windows XP (KB910437)"
"DisplayName"="Update for Windows XP (KB916595)"
"DisplayName"="Update for Windows XP (KB920872)"
"DisplayName"="Update for Windows XP (KB922582)"
"DisplayName"="Viewpoint Media Player"
"DisplayName"="WebFldrs XP"
"DisplayName"="Webshots Desktop"
"DisplayName"="Windows Backup Utility"
"DisplayName"="Windows Defender Signatures"
"DisplayName"="Windows Defender"
"DisplayName"="Windows Genuine Advantage Notifications (KB905474)"
"DisplayName"="Windows Genuine Advantage Validation Tool"
"DisplayName"="Windows Installer 3.1 (KB893803)"
"DisplayName"="Windows Installer 3.1 (KB893803)"
"DisplayName"="Windows Media Format Runtime"
"DisplayName"="Windows Media Player 10"
"DisplayName"="Windows XP Hotfix - KB834707"
"DisplayName"="Windows XP Hotfix - KB867282"
"DisplayName"="Windows XP Hotfix - KB873333"
"DisplayName"="Windows XP Hotfix - KB873339"
"DisplayName"="Windows XP Hotfix - KB885250"
"DisplayName"="Windows XP Hotfix - KB885835"
"DisplayName"="Windows XP Hotfix - KB885836"
"DisplayName"="Windows XP Hotfix - KB885884"
"DisplayName"="Windows XP Hotfix - KB886185"
"DisplayName"="Windows XP Hotfix - KB887472"
"DisplayName"="Windows XP Hotfix - KB887742"
"DisplayName"="Windows XP Hotfix - KB888113"
"DisplayName"="Windows XP Hotfix - KB888239"
"DisplayName"="Windows XP Hotfix - KB888302"
"DisplayName"="Windows XP Hotfix - KB890047"
"DisplayName"="Windows XP Hotfix - KB890175"
"DisplayName"="Windows XP Hotfix - KB890859"
"DisplayName"="Windows XP Hotfix - KB890923"
"DisplayName"="Windows XP Hotfix - KB891781"
"DisplayName"="Windows XP Hotfix - KB893066"
"DisplayName"="Windows XP Hotfix - KB893086"
"DisplayName"="WinRAR archiver"
"DisplayName"="Xfire (remove only)"

chaslang · Oct 12, 2006

This is too confusing! Finish your other PCs first and then resume working on this PC. Also explain why you cannot attach logs!

I'm not sure which logs are for which PC in this thread anymore. I do see a serious password stealer in your runkeys.txt log in message # 4. So I want to give you the below important information immediately.

NOTE: The below files were seen in your logs:

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll

This is a dangerous password stealer. You really should follow thru with the below instructions for your own financial security.

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passords and transaction information.

Click to expand...

chaslang · Oct 12, 2006

You can also do the below three procedures highlighted in three separate quote boxes.

I'm going to post two messages related to SmitFraudFix! This is the first! Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!
Click to expand...

MAKE SURE TO ATTACH THE ABOVE rapport.txt before continuing or else you will overwrite it.

This is the second message about SmitFraudFix. Make sure you have follow the first procedure before doing the below.

PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode per the safe directions in the READ & RUN ME.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Click to expand...

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Attach this log to your next reply

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall!
Click to expand...

Now also attach new logs from HJT, GetRunKey and ShowNew.

mlydell · Oct 17, 2006

This is still a strange computer.

When i boot it up, a dialogue box comes up saying
"Unable to load w51e21bc.dll The specified module could not be found"

There are also Windows updates it wants to install, but i've been holding off while we get through this process.

When i launched firefox, another box came up that said "Run-time error '35764' Still executing last request."

I had to boot twice - i got the blue screen of death last time. I ran the reports a couple days ago and uploaded them, but i see today that post is gone, so here they are again.

chaslang · Oct 19, 2006

Start by downloading a tool we will need- Pocket KillBox

Extract it to its own folder somewhere that you will be able to locate it later.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PSDream"=-
"stonedrv"=-
"CMFibula"="\"C:\\Program Files\\CMFibula\\CMFibula.exe\""
"Cpue"=-
"Relb"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ndr5fffa"=-
"stonedrv"=-
"sys10-455325707"=-
"SvcManager"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"stonedrv"=-
Click to expand...

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

Delete on Reboot

then Click on the All Files button.

Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\ydiegyf.exe
C:\bjxqyir.exe
C:\clqbvkox.exe
C:\ovvpecjh.exe
C:\ovard.exe
C:\mcydp.exe
C:\WINDOWS\c.exe
C:\WINDOWS\jcjwpual.exe
C:\WINDOWS\mny.exe
C:\WINDOWS\srvoxmxmap.exe
C:\WINDOWS\srvykoccsc.exe
C:\WINDOWS\sys10-455325707.exe
C:\WINDOWS\uninst108.exe
C:\WINDOWS\uni_e6h.exe
C:\WINDOWS\Yinstall.exe
C:\WINDOWS\system32\c.exe
C:\WINDOWS\system32\gfsup.dll
C:\WINDOWS\system32\mny.exe
C:\WINDOWS\system32\ndr5fffa.sys
C:\WINDOWS\system32\stonedrv.exe
C:\WINDOWS\system32\w51e21bc.dll

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
If Killbox does not reboot just reboot your PC yourself.
After reboot locate the below folder and delete it if found:
C:\Program Files\PSDream
Now attach a the below new logs and tell me how the above steps went.

GetRunKey

ShowNew

HJT

Make sure you tell me how things are working now!
Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

mlydell · Oct 24, 2006

Here are the new logs. The first time i booted the computer up, as i was logging on to the internet the blue screen came up and it crashed and rebooted.

On restart everything went as you listed.

Attached are the new logs.

THERE ARE NEW UPDATES - SHOULD I HOLD OFF ON THOSE FOR NOW OR INSTALL THEM?

chaslang · Oct 25, 2006

mlydell said:

THERE ARE NEW UPDATES - SHOULD I HOLD OFF ON THOSE FOR NOW OR INSTALL THEM?
Click to expand...

No, please don't do any updating at all. And don't install anything unless I ask you to install it!

Goto Add/Remove Programs and uninstall the below:
J2SE Runtime Environment 5.0 Update 2
MediaTickets by OIN
Viewpoint Media Player
Yazzle by OIN

Now install the current version of Sun Java from: Sun Java Runtime Environment

Run Pocket Killbox and select File, Cleanup, Delete All Backups!

Now in Killbox Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

Delete on Reboot

then Click on the All Files button.

Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\Owner\Desktop\TagASaurus.exe
C:\Program Files\Common Files\Y1324OU.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
C:\WINDOWS\Downloaded Program Files\speedtest2.dll
C:\WINDOWS\109uninst.exe
C:\WINDOWS\876056.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\ms04325707-455.exe
C:\WINDOWS\uni_7eh.exe
C:\WINDOWS\system32\inistone.ini

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
If Killbox does not reboot just reboot your PC yourself.

After reboot locate the below folder and delete it if found:C:\Program Files\PSCastor
C:\Program Files\PSDream <--- I asked you to delete this last time!!

Now attach a the below new logs and tell me how the above steps went.

GetRunKey

ShowNew

HJT

Make sure you tell me how things are working now!

mlydell · Oct 27, 2006

I started the computer back up, and when i opened up the control panel, i got the BSOD and it shut down.

Restarted and removed the programs you asked. It said that MediaTickets had already been removed and asked me if I wanted to remove it from the list of progams. I said yes.

The rest of them removed ok.

Ran killbox with all the steps you listed. WhenI rebooted, and the desktop came back, a box came up saying it could not find
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll.

I found the folders PSCastor and PSDream- it would not let me delete PSCastor.I rebooted and tried to delete again. Both times it kept telling me access was denied. I opened up the folder to see if I could start by deleting the files in the folder, and it told me the same thing - that access was denied, so i was unable to delete the folder.

Attached are the new logs.

chaslang · Oct 28, 2006

Did you use Pocket Killbox to delete all of the files last time? Or did you delete some of them manually? I only see the duce6.exe file in the Killbox backup folder which means that is the only file deleted by Killbox. You have a more stuff on this PC to delete.

Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. (if you don't see them running, look for similar type names especially for win3210xxxxxx.exe and Duce6.exe and Kill them if found.) Then click yes.

C:\WINDOWS\win3210-455325707.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PSCastor\PSCastor.exe
C:\WINDOWS\Duce6.exe

After killing all the above processes, click Back.
Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - URLSearchHook: (no name) - {D7AE8352-49C1-1B16-E380-606405F81BC2} - C:\WINDOWS\system32\gfsup.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: (no name) - {D7AE8352-49C1-1B16-E380-606405F81BC2} - C:\WINDOWS\system32\gfsup.dll (file missing)
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [win3210-455325707] C:\WINDOWS\win3210-455325707.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CMFibula] "C:\Program Files\CMFibula\CMFibula.exe"
O4 - HKCU\..\Run: [PSCastor] "C:\Program Files\PSCastor\PSCastor.exe"
O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file)
O20 - AppInit_DLLs: BattyRun2.dll

NOTE: HJT will popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=-
"CMFibula"=-
"PSCastor"=-
"stonedrv"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"stonedrv"=-
"win3210-455325707"=-
"TheMonitor"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunServices]
"stonedrv"=-
Click to expand...

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

Delete on Reboot

then Click on the All Files button.

Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\Duce6.exe
C:\WINDOWS\srvcmecomy.exe
C:\WINDOWS\win3210-455325707.exe
C:\WINDOWS\ykoccsc.exe
C:\WINDOWS\system32\BattyRun2.dll
C:\WINDOWS\system32\gfsup.dll
c:\windows\system32\stonedrv.exe

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

If Killbox does not reboot just reboot your PC yourself.

After reboot locate the below folder and delete if found:
C:\Program Files\CMFibula
C:\Program Files\PSCastor

Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\Owner\Local Settings\Temp

Now attach the below new logs and tell me how the above steps went.

GetRunKey

ShowNew

HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

mlydell · Oct 29, 2006

chaslang said:

Did you use Pocket Killbox to delete all of the files last time? Or did you delete some of them manually? I only see the duce6.exe file in the Killbox backup folder which means that is the only file deleted by Killbox. You have a more stuff on this PC to delete.
Click to expand...

I did exactly what you said - no manual deletes unless you told me to. The only part that didnt go according to your instructions was what I listed - MediaTickets said it was already uninstalled, and I could not delete the PSCastor file.

On to your last post...

Once again, I got the BSOD right after I booted up - it happened when I was in HJT trying to kill the PSCastor process. I rebooted, and then was able to complete all your instructions. When I rebooted from Killbox, the error message didnt pop up this time.

Attached are the logs.

chaslang · Oct 31, 2006

mlydell said:

Once again, I got the BSOD right after I booted up - it happened when I was in HJT trying to kill the PSCastor process. I rebooted, and then was able to complete all your instructions. When I rebooted from Killbox, the error message didnt pop up this time.
Click to expand...

Something is not working correctly! Almost all of the files I asked you to fix with Pocket Killbox are still there. What version of Pocket Killbox are you running?

Please download and install the below program:

ExplorerXP

It is much better at showing ALL files than Windows Explorer and it is very easy to use. Run ExplorerXp and locate the below files and delete them using ExplorerXP. Tell me if you run into any problems deleting the below files (if found):

C:\WINDOWS\srvcmecomy.exe
C:\WINDOWS\win3210-455325707.exe
C:\WINDOWS\ykoccsc.exe
C:\WINDOWS\system32\BattyRun2.dll
C:\WINDOWS\system32\gfsup.dll
c:\windows\system32\stonedrv.exe

Now Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/speedtest2.dll]
Click to expand...

After deleting the above, attach a new log from ShowNew and HJT.

mlydell · Nov 15, 2006

Sorry for the delay - was out of town.

AS for what version of Killbox I'm running - it's 2.0.0.881 - the one that came from the link in your post.

I downloaded ExplorerXP and was able to find and delete all the files except for the last two - gfsup.dll and stonedrv.exe. They were not listed.

I did the registry fix, and have attached the new logs from ShowNew and HJT.

chaslang · Nov 16, 2006

Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:

If we used Pocket Killbox during your cleanup, do the below

Run Pocket Killbox and select File, Cleanup, Delete All Backups

If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.

If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.

If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created

If you are running Windows XP or Windows ME, do the below:

go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

help! Computer #2

mlydell Private First Class

mlydell Private First Class

Attached Files:

DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

mlydell Private First Class

Attached Files:

mlydell Private First Class

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

mlydell Private First Class

Attached Files:

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

mlydell Private First Class

Attached Files:

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

mlydell Private First Class

Attached Files:

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

mlydell Private First Class

Attached Files:

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

mlydell Private First Class

Attached Files:

chaslang MajorGeeks Admin - Master Malware Expert Staff Member