0

My neighbor asked me to fix his computer because "its not working"

What I have discovered is that explorer.exe continually restarts itself every 10 seconds or so.
There is a main user name which has admin privileges however when you are logged in, "task manager has been disabled by the administrator" and "regedit has been disabled by the administrator". In the 10 seconds that I can have My Computer open, it doesn't show the C:\ drive. If I start in Safe Mode I can log into the Administrator account, but explorer still goes nuts.

I ran AdAware but it found nothing. I then ran ClamWin and Hijack this and this is what it gave back:

***********
ClamWin


***********

Scan Started Thu Sep 25 13:26:20 2008


-------------------------------------------------------------------------------

C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0314\values: Permission denied


C:\hiberfil.sys: Permission denied


C:\pagefile.sys: Permission denied


C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.idx: Permission denied


C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.idx: Permission denied


C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\D0000000.FCS: Permission denied


C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\L0000003.FCS: Permission denied


C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.idx: Permission denied


C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.idx: Permission denied


C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.idx: Permission denied


C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.idx: Permission denied


C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.idx: Permission denied


C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.idx: Permission denied


C:\WINDOWS\system32\config\default: Permission denied


C:\WINDOWS\system32\config\SAM: Permission denied


C:\WINDOWS\system32\config\SECURITY: Permission denied


C:\WINDOWS\system32\config\software: Permission denied


C:\WINDOWS\system32\config\system: Permission denied

C:\Documents and Settings\User\Local Settings\Temp\removalfile.bat: Trojan.Bat.Delete-1 FOUND


C:\Documents and Settings\User\Local Settings\Temp\windns.exe: Trojan.Fraudload-804 FOUND


C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\HQI0UZV6\css4[1]: Trojan.Vundo-6722 FOUND


C:\Program Files\HPQ\Default Settings\CpqsetVer.exe: Trojan.Agent-14290 FOUND


C:\WINDOWS\erms.exe: Trojan.Zlob-7749 FOUND


C:\WINDOWS\evgratsm.dll: Trojan.Zlob-7416 FOUND


C:\WINDOWS\kgxmotapktx.dll: Trojan.Zlob-7401 FOUND


C:\WINDOWS\kvxqmtre.dll: Trojan.Zlob-8366 FOUND


C:\WINDOWS\qndsfmao.dll: Trojan.Zlob-7433 FOUND


C:\WINDOWS\system32\fccYSiGV.dll: Trojan.Vundo-7024 FOUND


C:\WINDOWS\system32\nnnNHYqn.dll: Trojan.Vundo-7024 FOUND


C:\WINDOWS\system32\qoMdBUKa.dll: Trojan.Vundo-6722 FOUND


C:\WINDOWS\system32\ssqnMETJ.dll: Trojan.Vundo-7024 FOUND


C:\WINDOWS\system32\xxyvuutq.dll: Trojan.Vundo-7024 FOUND


----------- SCAN SUMMARY -----------


Known viruses: 411202


Engine version: 0.94


Scanned directories: 8279


Scanned files: 56001


Infected files: 14

Data scanned: 19416.46 MB


Time: 13374.828 sec (222 m 54 s)


--------------------------------------


Completed


--------------------------------------

**************
Hijack This
**************
Logfile of HijackThis v1.99.1

Scan saved at 13:38: VIRUS ALERT!, on 9/25/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Belkin\F5D9010\Belkinwcui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\ClamWin\bin\ClamWin.exe

C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\ClamWin\bin\clamscan.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\svchost.exe

F:\hijackthis_sfx.exe

F:\HijackThis\HijackThis.exe

C:\WINDOWS\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=laptop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O3 - Toolbar: qndsfmao - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll

O3 - Toolbar: fdkowvbp - {88E2C28F-80C8-49BA-94A3-A5D4930B4A23} - C:\WINDOWS\fdkowvbp.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"

O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"

O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"

O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [F5D9010] C:\Program Files\Belkin\F5D9010\Belkinwcui.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O11 - Options group: [INTERNATIONAL] International*

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/dinerdash/DinerDash.1.0.0.93.cab

O20 - AppInit_DLLs: WIKI.DLL

O21 - SSODL: kvxqmtre - {36124790-EB2B-4710-A22A-1A3E2E8AF093} - C:\WINDOWS\kvxqmtre.dll

O21 - SSODL: evgratsm - {AD7737B1-286C-46CE-A38C-EDF32F66B1EB} - C:\WINDOWS\evgratsm.dll

O21 - SSODL: wnslvxtf - {79AA8769-D93B-4E62-9EC1-B4BBF684385E} - C:\WINDOWS\wnslvxtf.dll

O21 - SSODL: eqvwamkl - {42957140-5665-4E2D-9D2D-A59910D26B86} - C:\WINDOWS\eqvwamkl.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

6
Contributors
41
Replies
42
Views
9 Years
Discussion Span
Last Post by gerbil
Featured Replies
  • 1

    I understand, weasel, so let's work for the moment with what you have: please start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked. O3 - Toolbar: qndsfmao - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll O3 - Toolbar: fdkowvbp - {88E2C28F-80C8-49BA-94A3-A5D4930B4A23} - … Read More

  • 1

    You're doing fine. This should solve the redirection problem: Use hijackthis to fix these two entries: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2[/url] O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm Delete this file: C:\WINDOWS\privacy_danger\index.htm To make things a bit easier, instead of using explorer [it is only a … Read More

  • 1

    Hello weasel... Okay, thanks...lessee, do you have this file by any chance?: C:\Windows\System32\Drivers\tdssserv.sys -delete it. There may be others like this: C:\Windows\System32\tdsss?.dll ..where the ? represents other letters. ==Download SDFix from here: [url]http://downloads.andymanchesta.com/RemovalTools/SDFix.exe[/url] and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which … Read More

  • 1

    Weasel, don't use that previous script - I missed one file to delete, so use this modified version instead. The vundo infection there appears to have rootkit capabilities. I should also point out that your friend has had a keylogger trojan on his sys and so it is important that … Read More

0

==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application, then ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything found is checked, and click Remove Selected. Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
Post also a fresh hijackthis [your version is obsolete!!] log with your comments:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

A note... if you dl MBAM to somewhere easy to find you can start it from Task Manager > File > New Task >... Enter mbam-setup.exe

0

Hello, can anyone please tell me how to analyze Hijackthis or Smitfraud softwares?

Start your own thread.


When I get home from class today I will run the antivirus and HT and post the logs. Thanks for your help.

0

I downloaded both exe files 2 seperate times and tried executing each of them, however the computer will not execute them. When I double click or if I do the run command on them it gives me the hourglass for a second then nothing.

1

I understand, weasel, so let's work for the moment with what you have: please start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O3 - Toolbar: qndsfmao - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll
O3 - Toolbar: fdkowvbp - {88E2C28F-80C8-49BA-94A3-A5D4930B4A23} - C:\WINDOWS\fdkowvbp.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: WIKI.DLL
O21 - SSODL: kvxqmtre - {36124790-EB2B-4710-A22A-1A3E2E8AF093} - C:\WINDOWS\kvxqmtre.dll
O21 - SSODL: evgratsm - {AD7737B1-286C-46CE-A38C-EDF32F66B1EB} - C:\WINDOWS\evgratsm.dll
O21 - SSODL: wnslvxtf - {79AA8769-D93B-4E62-9EC1-B4BBF684385E} - C:\WINDOWS\wnslvxtf.dll
O21 - SSODL: eqvwamkl - {42957140-5665-4E2D-9D2D-A59910D26B86} - C:\WINDOWS\eqvwamkl.dll

Now delete these files... if they put up a fight I can give you a tool to do it with, else you can delete them from Safe Mode.

C:\WINDOWS\qndsfmao.dll
C:\WINDOWS\fdkowvbp.dll
C:\WINDOWS\kvxqmtre.dll
C:\WINDOWS\evgratsm.dll
C:\WINDOWS\wnslvxtf.dll
C:\WINDOWS\eqvwamkl.dll
C:\WINDOWS\system32\WIKI.DLL -this one may be in the windows folder if not here.

The deleter...Unlocker 1.8.5
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.

Once those files are gone try again to run MBAM and the new version of hijackthis. If they still cannot run from the dl'd files, Run them from the dl site instead [Hijackthis will give you a warning about running from a temp folder, but proceed anyway].
Good luck.

0

Hey the best way to get rid of trojans is to go on the computer. go to google.com. type in windows one care. download the three month free trail. it takes a while because of the trojans. After installing the program do a complete i mean complete virus and spyware scan. microsoft created the program very trustworthy. i got rid of 9 trojans on a friends computer. the windows one car pretty much takes care of it. let me know if it works.
love and peace
Marik S.

0

This virus is a pain in the butt. I deleted all the files, in the 15 seconds that I could open explorer to get to the folder to delete them, one by one, it took about 10 minutes.

Then anytime I try to download or go to certain sites (pretty much any site that has anything remotely to do with removing viruses/malware/etc.) it flips out and tells me the site "may be unsecure" Its really annoying me.
edit: What I mean by "flips out" is it takes me to a seperate IE page that says the site may not be securre and reloads it every microsecond on an infinite loop until I close the tab or click back. Thus preventing me from getting to the download.

Anyway I deleted those files except the WIKI file because I couldnt find it. I ran a hijack this and ill post the findings in a new post. So I tried rerunning malwarebyte's program but still the same result. I have searched on the net but there is a hijacker program infecting the internet searches, because anytime i do a google search the result links to another random search engine. I also tried installing firefox to see if it was just an IE thing but it wont let me RUN firefox. So I am not sure what to do now.

0

Here's the hijack this log for after I removed the dll files.
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:29: VIRUS ALERT!, on 9/26/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Belkin\F5D9010\Belkinwcui.exe

C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\ClamWin\bin\ClamTray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\Program Files\ClamWin\bin\freshclam.exe

C:\Program Files\Internet Explorer\iexplore.exe

H:\Help\HiJackThis.exe

C:\WINDOWS\explorer.exe

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\OPC\{31011D49-D90C-4DA0-878B-78D28AD507AF}\SSAUTORN.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=laptop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"

O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"

O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"

O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [F5D9010] C:\Program Files\Belkin\F5D9010\Belkinwcui.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon

O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/dinerdash/DinerDash.1.0.0.93.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--

End of file - 10684 bytes

0

hey try what i said earlier. i'm not sure if it's the best way but i can promise it will remove the trojans but also after installation the computer will restart and then you start deleting. try it out. let me know

1

You're doing fine. This should solve the redirection problem:
Use hijackthis to fix these two entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

Delete this file:
C:\WINDOWS\privacy_danger\index.htm

To make things a bit easier, instead of using explorer [it is only a UI] use Task Manager instead.... even without your explorer running you can start it with Ctrl-Alt-Del. Then go Files > New Task[Run] and paste in:
H:\Help\HiJackThis.exe
To delete that file, run instead:
cmd
..and paste into the cmd window:
del /f C:\WINDOWS\privacy_danger\index.htm
Now try with a freshly dl'd copy of MBAM [or Run from the dl site]. Only if that will not work then do this:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-Important! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

0

Does it matter whether I am in safe mode to do these things? Because thats the only way I can get to the task manager through the administrator username. Its blocked in normal mode under the only user.

0

I ran hijack again but I couldnt find the privacy_danger\index.htm. There is a folder called privacy_danger but it doesnt include the index.htm file. However I am still having no luck with executing new files. Some files I can execute, I installed firefox yesterday, however any of these files I have downloaded that pertain to viruses are not executing, whether i run the from the msdos command prompt, run, or double clicking.

PS I appreciate all your help, gerbil.

Kingside7000 i tried your way, however IE wont let me get to any pages referring to that program, so I cant download it.

0

Weasel, I'd like to see the contents of a couple of reg keys...
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 0 /f
reg query "HKCU\Software\Microsoft\Internet Explorer\Main" >C:\showkey.txt
reg query "HKCU\Software\Microsoft\Internet Connection Wizard" >>C:\showkey.txt
reg query "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main" >>C:\showkey.txt
reg query "HKLM\SOFTWARE\Microsoft\Internet Connection Wizard" >>C:\showkey.txt
start C:\showkey.txt
pause

If showkey.txt is long please attach the file to your next post.

Delete that directory, privacy_danger. This will do it [see if TM works in normal mode now]:
Go TM, Run cmd, then paste in the window:
rmdir /s /q C:\WINDOWS\privacy_danger

Let's see if these are blocked - first clean, then do the scan [and Safe Mode with Networking is fine, if needs be]:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/activescan/index/
-First Register [otherwise there will be no disinfection, merely detection] with a valid email address for the free online virus scan and follow through.
Unlike Kaspersky this scan does not require Java. Panda will clean only virii, but it is superb at listing other malwares which can then be targeted.
Please ATTACH to your post the log it produces.

0

When I tried to delete privacy_danger under administrator it said Access is Denied

I have attatched the showkey file

I ran cleaner on both accounts with no problem.

However (yes another problem) when I went to the pandasecurity site the security warning bar refuses to show itself so that I can install and run the active scan 2.0

My internet security options are set to medium.

0

In case the last post didn't attach it here;s the showkey file.

Attachments
! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    NoUpdateCheck	REG_DWORD	0x1
    NoJITSetup	REG_DWORD	0x1
    Disable Script Debugger	REG_SZ	yes
    Show_ChannelBand	REG_SZ	No
    Anchor Underline	REG_SZ	yes
    Cache_Update_Frequency	REG_SZ	Once_Per_Session
    Display Inline Images	REG_SZ	yes
    Do404Search	REG_BINARY	01000000
    Local Page	REG_SZ	C:\WINDOWS\system32\blank.htm
    Save_Session_History_On_Exit	REG_SZ	no
    Show_FullURL	REG_SZ	no
    Show_StatusBar	REG_SZ	yes
    Show_ToolBar	REG_SZ	yes
    Show_URLinStatusBar	REG_SZ	yes
    Show_URLToolBar	REG_SZ	yes
    Start Page	REG_SZ	http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
    Use_DlgBox_Colors	REG_SZ	yes
    Search Page	REG_SZ	http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    FullScreen	REG_SZ	no
    Enable Browser Extensions	REG_SZ	yes
    Error Dlg Displayed On Every Error	REG_SZ	no
    Search Bar	REG_SZ	http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
    Use Custom Search URL	REG_DWORD	0x1
    CompatibilityFlags	REG_DWORD	0x0
    SearchMigrated	REG_DWORD	0x1
    Window_Placement	REG_BINARY	2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0000000000000000200300003A020000

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard
    ShellNext	REG_SZ	http://www.update.microsoft.com/microsoftupdate/
    Completed	REG_BINARY	01000000

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
    Default_Page_URL	REG_SZ	http://go.microsoft.com/fwlink/?LinkId=69157
    Default_Search_URL	REG_SZ	http://go.microsoft.com/fwlink/?LinkId=54896
    Search Page	REG_SZ	http://go.microsoft.com/fwlink/?LinkId=54896
    Enable_Disk_Cache	REG_SZ	yes
    Cache_Percent_of_Disk	REG_BINARY	0A000000
    Delete_Temp_Files_On_Exit	REG_SZ	yes
    Local Page	REG_EXPAND_SZ	%SystemRoot%\system32\blank.htm
    Anchor_Visitation_Horizon	REG_BINARY	01000000
    Use_Async_DNS	REG_SZ	yes
    Placeholder_Width	REG_BINARY	1A000000
    Placeholder_Height	REG_BINARY	1A000000
    Start Page	REG_SZ	http://go.microsoft.com/fwlink/?LinkId=69157
    CompanyName	REG_SZ	Microsoft Corporation
    Custom_Key	REG_SZ	MICROSO
    Wizard_Version	REG_SZ	6.0.2600.0000
    FullScreen	REG_SZ	no
    Check_Associations	REG_SZ	yes
    Default_Secondary_Page_URL	REG_MULTI_SZ	\0
    Extensions Off Page	REG_SZ	about:NoAdd-ons
    Security Risk Page	REG_SZ	about:SecurityRisk

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\ErrorThresholds

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\UrlTemplate

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Connection Wizard
    Version	REG_SZ	5.00
    InstallationDirectory	REG_EXPAND_SZ	"%ProgramFiles%\Internet Explorer\Connection Wizard"
    CanInstallISPKit5	REG_SZ	yes
    Release Product	REG_SZ	NT
    Release Product Version	REG_SZ	5.0
    Default Product Code	REG_SZ	NT5
0

Nothing shows as bad in that file.. thanks. Did Combofix not work? What happens if you dl the file using another computer to a thumbdrive, drag it onto your desktop and then dclick the icon there?
And did you try the Panda scan using Firefox [which does not use ActiveX]?
Does TM work in normal mode now?
Anyway, try this in a cmd window in Safe mode: rmdir /S C:\WINDOWS\privacy_danger
And if that will not delete the directory run through it file by file with this tool [normal mode or safe]:
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.

0

I was able to delete privacy danger with unlocker

Combofix still doesnt work.
I have been running the file from the thumbdrive and I tried draggng to the desktop

TM still does not work in normal mode and I cant run firefox.

0

Combofix is now configured so that it will only run from the desktop.
Re the Panda scan and "the security warning bar refuses to show itself" just check in IE options that "Download signed ActiveX controls" is set to Prompt.

0

Download signed ActiveX controls is set to prompt, still wont show up.
And I tried running combofix and also spybot search and destroy from the desktop as well as from the flash drive. Nothing has worked. I still get the hourglass for a split second and then nothing.

0

What happens if you use TM to stop the explorer.exe process, and then use it to start one of your problem .exe pgms? You can try this in Safe mode.

0

More, weasel... fix your exe associations keys in registry with this reg file:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
0

Ill try and do that tomorrow morning before classes. Thanks gerbil.

0

Ok. I killed explorer.exe then tried to run the files, still didnt work.

Then I ran the regfix file, which was successful. Then I moved the files I wanted to run to the desktop and tried to run them, still no luck. I also tried running from the flash drive afterwards, same result.

1

Hello weasel... Okay, thanks...lessee, do you have this file by any chance?:
C:\Windows\System32\Drivers\tdssserv.sys
-delete it. There may be others like this:
C:\Windows\System32\tdsss?.dll ..where the ? represents other letters.
==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
=You must restart your computer in Safe Mode:
- Log in by using the Administrator account.
=Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Restart the pc in normal mode. Post the contents of the file Report.txt here, along with the log of a fresh hijackthis scan run in normal mode.

0

Dont have any of those files.

Same issue with SDFix as with other exe files.

0

It cannot be policy blocking the exes from running because you would get a warning about it, although you could check in the Event Viewer [under admin tools], Software, to see if there have been any block events. I cannot figure what could block some system exes like sfc.exe, but not regedit.exe; still allow you to run some third party software app exes, eg.? CCleaner, Unlocker but not others such as those I have requested or activeX's. How did Clam get by it? There must be a blacklist file of exes in your sys in some malware....
In the zipped file is a list of "cohort" files that are associated with the trojans you had. Just open a cmd window and paste in each of the two lines, making sure wordwrap is not checked in notepad.
And if that does not help then perhaps there is nothing for it but to follow one of two restoration plans depending on whether the pc has valuable data/files/applications.
If it does then the aim would be to Repair windows, which would keep all data and most applications intact, including any malware which could simply break the new installation.
Copying off data is an option, with fingers crossed that the problem is not due to a worm or virus.
Reinstalling windows without a formatting of the partition would expose the new OS to the same risk.
Personally, I'd go for the Repair cos it takes but an hour or so. It's always possible that this is just a sys problem... pity no-one else has dropped in with some ideas.

Attachments
0

One other thing I didnt mention, is that the next to the clock on the start bar, it says VIRUS ALERT. I will try the zip file and if that doesnt work ill tell my neighbor he may have to just shell out 200 bucks and take it to best buy.

0

VIRUS ALERT!... yeah, weasel, I did notice that the header of your Hijackthis log was modified to include that [your sys clock has been affected]. Virus Alert! is relatively easy to fix, our problem is something that came in alongside it and appears to have blacklisted a lot of removal tools which would remove Virus Alert and perhaps this other infection.
Let's try this now:
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Immediately rename the file to SMFix.zip, then extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and rename smitfraudfix.cmd to SMFix.cmd; double-click SMFix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ ..
Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!

==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
or here: http://www.bleepingcomputer.com/resources/link252.html
and save it to your desktop. Rename SDFix.exe to MySD.exe; dclick MySD.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
=Please clean with CCleaner.
=You MUST restart your computer in Safe Mode.
=Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Restart the pc in normal mode. Post the contents of the file Report.txt here, along with the log of a fresh hijackthis scan run in normal mode.
May get thru the gate, may not.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.