0

My computer is spammed with viruses and adware. I can't type 3-4 sentences without a pop-up coming up.

This is my HijackThis LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:12 PM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/
F2 - REG:system.ini: Shell=explorer.exe ,svchost.exe
O4 - HKLM\..\Run: [EPSON Stylus DX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE /FU "C:\WINDOWS\TEMP\E_S16AF.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\wcuqybjw.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GrooveSystemServices.dll
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 4109 bytes

+ I keep getting a message in the corner
Explorer.exe
(cant remember exactly)The file kjkjj.ini2 is corrupt or invalid, please run the ChkDsk utility.

And i keep getting C, C++ runtime errors

Please Help

Thanks in Advance

3
Contributors
10
Replies
11
Views
10 Years
Discussion Span
Last Post by crunchie
0

a bot of extra info,

I have autoruns at startup so maybe all the stuff won't be there.
I have Zone Alarm Internet Security Suite, Ad-aware and Spybot S-D (Ad-aware and spybot search and destroy don't load up when i click the item)

0

Please download VundoFix.exe
to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.

0

Please download VundoFix.exe
to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.

VundoFix freezes on my computer,
i have vuruses which have been found in Documents/Shared/_ /
there are 1000s inside there
but im unable to delte them, how do i delete them.

Im downloading AVG anit-spyware and anti-virus, im going to run all of my software

0

I'm only posting here cos Crunchie oughta be in bed asleep atm...
Give Vundifix a chance.. if it freezes restart it, try a few times, checking to see if you get a report. If it reports files and is unable to delete any, rerun it until it does.
And if you must do another AV scan, don't get AVG AV cos you already have a resident AV service - they will conflict. Instead may I suggest Panda Online Scan?
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here. I'm backing out now before the master returns...

0

I finally got VundoFix to run

This is the log:


VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 7:46:25 AM 9/21/2007

Listing files found while scanning....


VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 4:40:32 PM 9/21/2007

Listing files found while scanning....


VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 11:33:17 PM 9/22/2007

Listing files found while scanning....


VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 11:52:33 PM 9/22/2007

Listing files found while scanning....


VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 11:39:18 AM 9/29/2007

Listing files found while scanning....


VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 12:33:37 PM 9/29/2007

Listing files found while scanning....

C:\WINDOWS\system32\awwasnfw.dll
C:\windows\system32\ewexytws.ini
C:\windows\system32\gjkkj.bak1
C:\windows\system32\gjkkj.ini
C:\windows\system32\jkkjg.dll
C:\WINDOWS\system32\jkklkki.dll
C:\windows\system32\mljji.dll
C:\windows\system32\mljjk.dll
C:\WINDOWS\system32\nxipjhew.dll
C:\windows\system32\pmkhi.dll
C:\windows\system32\pmnlm.dll
C:\windows\system32\sptll.dll
C:\windows\system32\ssqpp.dll
C:\windows\system32\sstqo.dll
C:\windows\system32\sstqp.dll
C:\windows\system32\ssttr.dll
C:\windows\system32\ssttu.dll
C:\windows\system32\swtyxewe.dll
C:\windows\system32\ZoneLabs\zlqrtdb.dat

Beginning removal...

Attempting to delete C:\windows\system32\ewexytws.ini
C:\windows\system32\ewexytws.ini Has been deleted!

Attempting to delete C:\windows\system32\gjkkj.bak1
C:\windows\system32\gjkkj.bak1 Has been deleted!

Attempting to delete C:\windows\system32\gjkkj.ini
C:\windows\system32\gjkkj.ini Has been deleted!

Attempting to delete C:\windows\system32\jkkjg.dll
C:\windows\system32\jkkjg.dll Has been deleted!

Attempting to delete C:\windows\system32\mljji.dll
C:\windows\system32\mljji.dll Has been deleted!

Attempting to delete C:\windows\system32\mljjk.dll
C:\windows\system32\mljjk.dll Has been deleted!

Attempting to delete C:\windows\system32\pmkhi.dll
C:\windows\system32\pmkhi.dll Has been deleted!

Attempting to delete C:\windows\system32\pmnlm.dll
C:\windows\system32\pmnlm.dll Has been deleted!

Attempting to delete C:\windows\system32\sptll.dll
C:\windows\system32\sptll.dll Has been deleted!

Attempting to delete C:\windows\system32\ssqpp.dll
C:\windows\system32\ssqpp.dll Has been deleted!

Attempting to delete C:\windows\system32\sstqo.dll
C:\windows\system32\sstqo.dll Has been deleted!

Attempting to delete C:\windows\system32\sstqp.dll
C:\windows\system32\sstqp.dll Has been deleted!

Attempting to delete C:\windows\system32\ssttr.dll
C:\windows\system32\ssttr.dll Has been deleted!

Attempting to delete C:\windows\system32\ssttu.dll
C:\windows\system32\ssttu.dll Has been deleted!

Attempting to delete C:\windows\system32\swtyxewe.dll
C:\windows\system32\swtyxewe.dll Has been deleted!

Attempting to delete C:\windows\system32\ZoneLabs\zlqrtdb.dat
C:\windows\system32\ZoneLabs\zlqrtdb.dat Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\ZoneLabs\zlqrtdb.dat
C:\windows\system32\ZoneLabs\zlqrtdb.dat Has been deleted!

Performing Repairs to the registry.
Done!

and this is the new hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:43 PM, on 9/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.rd.yahoo.com/customize/ycomp/defaults/sb/*http://uk.docs.yahoo.com/info/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=explorer.exe ,svchost.exe
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {32DA6AE7-F223-4C7E-9957-2A4D88DEFBD9} - (no file)
O2 - BHO: (no name) - {64D68F5B-A5C3-4C4B-B6DE-C85D3FA5893C} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {85880F59-485A-474D-9955-915EC345316C} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E92D927F-A84A-47D5-9162-5C84ABD7D6CF} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: (no name) - {F156768E-81EF-470C-9057-481BA8380DBA} - (no file)
O2 - BHO: (no name) - {F8AA25A6-64A8-434A-BFD7-AF48B76262FB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus DX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE /FU "C:\WINDOWS\TEMP\E_S16AF.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GrooveSystemServices.dll
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: jkklkki - jkklkki.dll (file missing)
O20 - Winlogon Notify: mljgh - C:\WINDOWS\
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\klcdexxl.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 6858 bytes

0

Can you please do the following.


===============

Scan with HijackThis and then place a check next to all the following, if present:


F2 - REG:system.ini: Shell=explorer.exe ,svchost.exe

O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {32DA6AE7-F223-4C7E-9957-2A4D88DEFBD9} - (no file)
O2 - BHO: (no name) - {64D68F5B-A5C3-4C4B-B6DE-C85D3FA5893C} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {85880F59-485A-474D-9955-915EC345316C} - (no file)
O2 - BHO: (no name) - {E92D927F-A84A-47D5-9162-5C84ABD7D6CF} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: (no name) - {F156768E-81EF-470C-9057-481BA8380DBA} - (no file)
O2 - BHO: (no name) - {F8AA25A6-64A8-434A-BFD7-AF48B76262FB} - (no file)

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)

O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: jkklkki - jkklkki.dll (file missing)
O20 - Winlogon Notify: mljgh - C:\WINDOWS\

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\klcdexxl.exe (file missing)


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Download
SDFix
and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the
following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the
    Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract
    All
    ,
  • Open the extracted folder and double click RunThis.bat to
    start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the
    registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool
    will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and
    display Finished, then press any key to end the script and load
    your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the
    contents of the results file Report.txt back onto the forum with
    a new HijackThis log
0

hi thanks the comp is running much better now

This is the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:09 AM, on 9/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\AOL\1191103640\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EPSON Stylus DX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE /FU "C:\WINDOWS\TEMP\E_S16AF.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1191103640\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)


This is the SDFix log:



SDFix: Version 1.107


Run by Suhail Aslam on Sun 09/30/2007 at 11:01 AM


Microsoft Windows XP [Version 5.1.2600]


Running From: C:\SDFix


Safe Mode:
Checking Services:


Name:
core


ImagePath:
system32\drivers\core.sys


core - Deleted


Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...



Normal Mode:
Checking Files:


Trojan Files Found:


C:\WINDOWS\SYSTEM32\TASKKILL.EXE - Deleted
C:\WINDOWS\b104.exe  - Deleted
C:\WINDOWS\b136.exe  - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk  - Deleted
C:\WINDOWS\system32\drivers\core.sys  - Deleted


Removing Temp Files...


ADS Check:


C:\WINDOWS
No streams found.


C:\WINDOWS\system32
No streams found.


C:\WINDOWS\system32\svchost.exe
No streams found.


C:\WINDOWS\system32\ntoskrnl.exe
No streams found.


Final Check:


Remaining Services:
------------------



Authorized Application Key Export:


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\ASMonitor\\ASMonitor.exe"="C:\\Program Files\\ASMonitor\\ASMonitor.exe:*:Enabled:System"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"="C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe:*:Enabled:Zoo Tycoon 2 Executable"
"C:\\Documents and Settings\\Suhail Aslam.ASLAM.000\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Suhail Aslam.ASLAM.000\\Desktop\\utorrent.exe:*:Enabled:æTorrent"
"C:\\WINDOWS\\system32\\pqxnfbfp.exe"="C:\\WINDOWS\\system32\\pqx"
"C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\avsys\\ScanningProcess.exe"="C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\avsys\\ScanningProcess.exe:*:Enabled:Kaspersky AV Scanner"
"C:\\WINDOWS\\system32\\oksvdhul.exe"="C:\\WINDOWS\\system32\\oks"
"C:\\WINDOWS\\system32\\aagjplkc.exe"="C:\\WINDOWS\\system32\\aag"
"C:\\WINDOWS\\system32\\jqstclwv.exe"="C:\\WINDOWS\\system32\\jqs"
"C:\\Program Files\\ICQ6\\ICQ.exe"="C:\\Program Files\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\WINDOWS\\system32\\klcdexxl.exe"="C:\\WINDOWS\\system32\\klc"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"


Remaining Files:
---------------


File Backups: - C:\SDFix\backups\backups.zip


Files with Hidden Attributes:


Tue 11 Jul 2006     2,711,422 A..H. --- "C:\Downloads\bitcomet_setup.exe"
Thu 18 Mar 2004        54,384 A..H. --- "C:\Program Files\AOL 9.0\aolphx.exe"
Thu 18 Mar 2004       156,784 A..H. --- "C:\Program Files\AOL 9.0\aoltray.exe"
Thu 18 Mar 2004        31,344 A..H. --- "C:\Program Files\AOL 9.0\RBM.exe"
Wed 13 Oct 2004     1,694,208 A.SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Thu 12 Aug 2004        60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 17 Sep 2007         6,518 A.SH. --- "C:\WINDOWS\SYSTEM32\kjkkj.tmp"
Tue 18 Sep 2007         6,448 A.SH. --- "C:\WINDOWS\SYSTEM32\klkkj.tmp"
Mon 22 Aug 2005         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 25 Mar 2007       179,200 ...H. --- "C:\Documents and Settings\Roohi  Aslam\My Documents\~WRL0003.tmp"
Mon  5 Feb 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 23 Feb 2007        13,202 ...H. --- "C:\Documents and Settings\Aslam and Afshan\My Documents\Letters\~WRL0003.tmp"
Thu 27 Jul 2006     3,457,024 A..H. --- "C:\Documents and Settings\Man U rulz\igLoader Files\MasterKickMiniClip\MasterKickMiniClip.exe"
Mon  7 May 2007        65,439 ...H. --- "C:\Documents and Settings\Roohi  Aslam\My Documents\exams\~WRL3576.tmp"
Sat 13 Nov 2004        37,376 A..H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Sat 29 Sep 2007         1,468 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Thu 31 Aug 2006           444 ...HR --- "C:\Documents and Settings\Suhail Aslam.ASLAM.000\Application Data\SecuROM\UserData\securom_v7_01.bak"
Thu 26 Apr 2007             8 A..H. --- "C:\Documents and Settings\Man U rulz\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 26 Apr 2007             8 A..H. --- "C:\Documents and Settings\Man U rulz\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 26 Apr 2007             8 A..H. --- "C:\Documents and Settings\Man U rulz\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Thu 26 Apr 2007             8 A..H. --- "C:\Documents and Settings\Man U rulz\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"


Finished!


--
End of file - 6682 bytes


one more thing, i don't know if you can help me on this.


im in the UK on AOL
My router a Netgear DG834G says im getting 7616kbps down and 448 kbps up
but on speed checks i get around 988 kbps down and 112 kbps up
i have a wireless network with 2 Win XP home (a desktop and a laptop) and a laptop with Win Vista Home Premium

Thanks again it is much better

i though as u r so good at comps

Edited by happygeek: fixed formatting

0

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

C:\WINDOWS\system32\oksvdhul.exe
C:\WINDOWS\system32\aagjplkc.exe
C:\WINDOWS\system32\jqstclwv.exe
C:\WINDOWS\system32\klcdexxl.exe

0

I am unable to run the online anti-virus thing

And the reason for that was?? I need to know what those files are, so you will have to keep attemting to upload them.
You can also right click on those files and go into properties and post all the relevant information you can find.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.