2
Contributors
11
Replies
12
Views
10 Years
Discussion Span
Last Post by gerbil
0

heres my hijackthis log
\
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\fnbsxaaa.exe
C:\WINDOWS\System32\svehost.exe
C:\WINDOWS\System32\clcl3.exe
C:\WINDOWS\updater.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hijackthis\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [fnbsxaaa] C:\WINDOWS\System32\fnbsxaaa.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpkngpis.dll",setvm
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
O4 - HKLM\..\Run: [clcl3] C:\WINDOWS\System32\clcl3.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810329B385475FD01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [fnbsxaaa] C:\WINDOWS\System32\fnbsxaaa.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {CFD7D0F6-CCAF-4FFA-9D7F-CE9B65F562EC} (AppCaller Control) - http://www.bombndash.com/common/AppCaller.ocx
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

0

Hi. I'm going to assume that you have not run any tools yet; we'll fix a few things but then I will want you to post a new log - that one is missing its head...
First off, go into control panel, add/remove pgms, and uninstall Ipwins.
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
Dclick killbox to start it. First off, make a quick check on your hosts file : go Tools, click Hosts File - in the notepad that opens the default is a hashed example followed by a valid hosts redirection line, 127.0.0.1 localhost
If there are no other such lines in the file then skip the Hoster instruction block below.

=Please download Hoster: http://www.funkytoad.com/download/hoster.zip and Extract it to your Desktop.
=Click the Restore MS Hosts Button and then click OK and exit Hoster.

Close killbox for the mo.
Next, start hijackthis, do a Scan Only and place checkmarks against these entries that still exist, and press Fix Checked.

O4 - HKLM\..\Run: [fnbsxaaa] C:\WINDOWS\System32\fnbsxaaa.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpkngpis.dll",setvm
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
O4 - HKLM\..\Run: [clcl3] C:\WINDOWS\System32\clcl3.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810329B385475FD01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [fnbsxaaa] C:\WINDOWS\System32\fnbsxaaa.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O16 - DPF: {CFD7D0F6-CCAF-4FFA-9D7F-CE9B65F562EC} (AppCaller Control) - http://www.bombndash.com/common/AppCaller.ocx
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab

Back into killbox - select "Delete on reboot", click the "all files" button.
>Copy the pathname in the following line into the textbox:-
>Highlight the pathnames in the following lines as one block and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-

C:\WINDOWS\System32\fnbsxaaa.exe
C:\WINDOWS\System32\svehost.exe
C:\WINDOWS\System32\clcl3.exe
C:\WINDOWS\updater.exe
C:\WINDOWS\System32\xpkngpis.dll

In killbox, go File menu, choose Paste from clipboard. Click the red and white X button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]
Fine. Now, if the header of your hijackthis log does NOT contain this line: Logfile of HijackThis v1.99.1 - I want you to do this: download hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it in place of your other Hijackthis.exe.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-Click the Scan and Save a Logfile button. Post the log here.

0

here you go and thanks for the help
Logfile of HijackThis v1.99.1
Scan saved at 7:05:33 PM, on 4/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\hijackthis\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpkngpis.dll",setvm
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe


once again thanks!!!!!!!!!!!!

0

O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpkngpis.dll",setvm

I think this one which has persisted after that fix we tried is a vundo beast. Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it, and click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will shutdown your computer - click OK.
Restart your computer and post the contents of C:\vundofix.txt
Rename Hijackthis.exe to bunny.exe and post a new HijackThis log. [dclick bunny.exe to start it...]

0

Meant to add, but forgot: you REALLY SHOULD update your windows to SP2 via the windows update service. It is for your security.... if you have trouble with download speeds then i think M$ will send you a cd for a couple of $....

0

the vundo log - VundoFix V6.3.20
Checking Java version...
Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.
Scan started at 5:32:50 PM 4/24/2007
Listing files found while scanning....
C:\WINDOWS\system32\dwihikib.dll
C:\WINDOWS\System32\efeeg.bak1
C:\WINDOWS\System32\efeeg.bak2
C:\WINDOWS\System32\efeeg.ini
C:\WINDOWS\System32\efeeg.ini2
C:\WINDOWS\System32\efeeg.tmp
C:\WINDOWS\system32\fdjnxrkl.dll
C:\WINDOWS\System32\geefe.dll
C:\WINDOWS\system32\hggghhf.dll
C:\WINDOWS\system32\lcukhhry.dll
C:\WINDOWS\System32\unocnrfr.dll
C:\WINDOWS\system32\vyngvspt.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\dwihikib.dll
C:\WINDOWS\system32\dwihikib.dll Has been deleted!
Attempting to delete C:\WINDOWS\System32\efeeg.bak1
C:\WINDOWS\System32\efeeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\System32\efeeg.bak2
C:\WINDOWS\System32\efeeg.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\System32\efeeg.ini
C:\WINDOWS\System32\efeeg.ini Has been deleted!
Attempting to delete C:\WINDOWS\System32\efeeg.ini2
C:\WINDOWS\System32\efeeg.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\System32\efeeg.tmp
C:\WINDOWS\System32\efeeg.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\fdjnxrkl.dll
C:\WINDOWS\system32\fdjnxrkl.dll Has been deleted!
Attempting to delete C:\WINDOWS\System32\geefe.dll
C:\WINDOWS\System32\geefe.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\hggghhf.dll
C:\WINDOWS\system32\hggghhf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\lcukhhry.dll
C:\WINDOWS\system32\lcukhhry.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vyngvspt.dll
C:\WINDOWS\system32\vyngvspt.dll Has been deleted!
Performing Repairs to the registry.
Done!

now the hijack this log - Logfile of HijackThis v1.99.1
Scan saved at 5:51:56 PM, on 4/24/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hijackthis\bunny.exe.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4959A7E4-149E-4BB2-8DF9-4C44CC39BB51} - C:\WINDOWS\System32\geefe.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Image Helper - {64D712D1-84D9-281C-CE7D-32439D631863} - C:\WINDOWS\system\bpmtcs32.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpkngpis.dll",setvm
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

here you go and thank you for the help

0

===Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {4959A7E4-149E-4BB2-8DF9-4C44CC39BB51} - C:\WINDOWS\System32\geefe.dll (file missing)
O2 - BHO: Image Helper - {64D712D1-84D9-281C-CE7D-32439D631863} - C:\WINDOWS\system\bpmtcs32.dll
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpkngpis.dll",setvm

-Now press Config button, Misc Tools tab and then Delete a File on Reboot; in the window which opens paste into the text box the following pathname, press Open and then Yes...

C:\WINDOWS\System32\xpkngpis.dll

===Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
===Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.


===Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Restart the pc in normal mode. Post the contents of the file Report.txt here, along with the log of a fresh hijackthis scan run in normal mode.

0

SDfix -

SDFix: Version 1.80
Run by Administrator - Sat 04/28/2007 - 19:40:54.76
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services: 



Modified mswsock.dll Found!
File Locations:
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\dllcache\mswsock.dll
Infected files:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\Documents and Settings\Administrator\Application Data\Install.dat - Deleted
C:\WINDOWS\odbc.INI - Deleted
C:\WINDOWS\system\bpmtcs32.dll - Deleted
C:\WINDOWS\system32\explore.exe - Deleted
C:\WINDOWS\system32\uvcx.exe - Deleted

Removing Temp Files
ADS Check:
Checking if ADS is attached to system32 Folder 
C:\WINDOWS\system32
No streams found.
Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

                                 Final Check:
Remaining Services:
------------------


Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip
Checking For Files with Hidden Attributes:
C:\WINDOWS\LastGood.Tmp\INF\oem0.inf
C:\WINDOWS\LastGood.Tmp\INF\oem0.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem1.inf
C:\WINDOWS\LastGood.Tmp\INF\oem1.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem2.inf
C:\WINDOWS\LastGood.Tmp\INF\oem2.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem3.inf
C:\WINDOWS\LastGood.Tmp\INF\oem3.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem4.inf
C:\WINDOWS\LastGood.Tmp\INF\oem4.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem5.inf
C:\WINDOWS\LastGood.Tmp\INF\oem5.PNF
                                 Finished




HiJackThis - 
Logfile of HijackThis v1.99.1
Scan saved at 7:48:24 PM, on 4/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hijackthis\bunny.exe.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4959A7E4-149E-4BB2-8DF9-4C44CC39BB51} - C:\WINDOWS\System32\geefe.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpkngpis.dll",setvm
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

Thank You and Sorry for the slow replie

Edited by happygeek: fixed formatting

0

That soundservice one is playing tough. Okay, we'll direct Vundofix right to it.
Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.

*****When the scan completes rclick inside the white text box, lclick the Add more files? line, paste into the new window these two pathnames [one per line]:

C:\WINDOWS\System32\xpkngpis.dll
C:\WINDOWS\System32\sipgnkpx.*

Click the Add Files button, and next the Remove Vundo button.*****

You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
Scan for Vundo button." when VundoFix appears at reboot.

Check the vundofix log to see if it detected and removed C:\WINDOWS\System32\xpkngpis.dll.
If it did not then:
- in a windows explorer folder > tools>folder options>view, and press Show hidden files and folders
- restart your pc in Safe mode:
[ if you would prefer to use a script to do this next task automatically use the instructions below the line..]
- start regedit, navigate to this key :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- delete the entry in the right pane:
SoundService= "rundll32.exe "C:\WINDOWS\System32\xpkngpis.dll",setvm"
- Now inside windows explorer navigate to and delete this file: C:\WINDOWS\System32\xpkngpis.dll.
Go back into normal mode, post the contents of C:\vundofix.txt plus a new HijackThis log run in normal mode.
_______________________________________________________
..save this text below as SSRem.reg in a scratch folder, dclick it and agree to merge it with registry; else if it then just opens in notepad then rclick the filename, select Open with, and Registry editor.
_________________________________
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundService"= -

0

..save this text below as SSRem.reg in a scratch folder, dclick it and agree to merge it with registry; else if it then just opens in notepad then rclick the filename, select Open with, and Registry editor.
_________________________________
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundService"= -

i did all the vundo fix things and checked the log but i accidentally posted the two lines in the vundo fix twice

also i dont get what you mean when you save the text as....

what is a ssmreg.reg?

0

I would like to see that vundofix log, please. No matter that you doubled the pasting, but keep in mind that deletion of text is always an option.. :)
Explanation of the SSRem.reg file: This was an "automatic" way for you to remove a registry value, and meant merely to save you entering the registry and doing it manually as I had listed above in that post.
More clearly:
..save the text between the lines as SSRem.reg to a scratch folder [copy the text to a notepad and Save as SSRem.reg - select Save as type "All files"] , dclick it and agree to merge it with registry; else if it then just opens in notepad then rclick the filename, select Open with, and Registry editor.
_________________________________
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundService"= -
_________________________________

SSRem.reg is just a name i made up that had some meaning, for SoundService Removal. The .reg extension is recognised as a registry editor file type, meaning that execution will merge that instruction in the text with the registry. Any name will do as long as the extension is .reg -eg sosweet.reg

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.