
hijackthis log please help!!!

Discussion in 'Windows - Virus and spyware problems' started by drluv, Jul 3, 2007.

  1. drluv (Regular member, joined Apr 2, 2005)
    Hey guys, I'm trying to help with my friend's spyware, virus and adware issue. Just looking at it, I'm sure this is going to be a huge process.
    He doesn't want to re-install Windows, so we have to clean this up.
    I really appreciate any help I can get. Thanks in advance!

    ----------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 3:18:19 AM, on 7/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
    C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
    C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
    C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
    C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
    C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
    C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsrw.exe
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
    C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
    C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\SpamBlockerUtility\SBTV\SBTV.exe
    C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbSrv.exe
    C:\Documents and Settings\HP_Owner\Desktop\HiJackThis_v2.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    R3 - URLSearchHook: (no name) - {7060354D-7B98-5515-24B6-0BA3D3C3F89E} - MSTCPDLL.dll (file missing)
    R3 - URLSearchHook: (no name) - {B4A66CC7-2304-B56E-910B-7F2EFC6D5833} - init32.dll (file missing)
    R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {23704188-154e-4c58-9e3b-f05a6127c816} - C:\WINDOWS\system32\esenspi.dll
    O2 - BHO: Image Helper - {31677ADF-17D9-5516-E17D-3E459D631863} - C:\WINDOWS\system\bplctw32.dll (file missing)
    O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mote.dll (file missing)
    O2 - BHO: TVEngine Helper /fleok=1D8A83A5C2E6107D98AE75760EA83FA5EF80752B9499803B2A2303766A - {4B18DD50-C996-44fc-AC52-0FECFF82ED58} - c:\program files\spamblockerutility\sbtv\sbtvhelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
    O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NsCplTray] Shaitan1678.exe
    O4 - HKLM\..\Run: [backd] iehelper.exe
    O4 - HKLM\..\Run: [MNTP] syspanel.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1157749087\ee\AOLHostManager.exe
    O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
    O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe
    O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SPAMBL~1\Bin\484~1.0\SBInst.exe
    O4 - HKLM\..\Run: [dbxiklvx] C:\WINDOWS\system32\xlztddwr.exe
    O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbWeatherOnTray.exe
    O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P35 "EPSON Stylus CX3800 Series (Copy 1)" /O5 "LPT1:" /M "Stylus CX3800"
    O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P35 "EPSON Stylus CX3800 Series (Copy 2)" /O5 "LPT2:" /M "Stylus CX3800"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [syspanel] control64.exe
    O4 - HKCU\..\Run: [PrcIdle] backd.exe
    O4 - HKCU\..\Run: [Bogobot] Kargo.exe
    O4 - HKCU\..\Run: [stuffmon] hyandex.exe
    O4 - HKCU\..\Run: [wormexe] scanSYS.exe
    O4 - HKCU\..\Run: [slamm] killall.exe
    O4 - HKCU\..\Run: [jiyaaaaa] C:\WINDOWS\system32\jiyaaaaa.exe
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - HKCU\..\Run: [SpyMarshal] C:\Program Files\SpyMarshal\SpyMarshal.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Charter High-Speed Security Suite.lnk = C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Block this popup - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
    O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131734823425
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3C50C77A-78D6-49BE-B7DE-5AD0E9D598EE}: NameServer = 85.255.113.108,85.255.112.197
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7B2A6668-B27C-4154-BEB8-D27083C9E51C}: NameServer = 85.255.113.108,85.255.112.197
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FDBD5C28-A945-4C93-81C1-4E28EE8BCB0C}: NameServer = 85.255.113.108,85.255.112.197
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.108 85.255.112.197
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3C50C77A-78D6-49BE-B7DE-5AD0E9D598EE}: NameServer = 85.255.113.108,85.255.112.197
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.108 85.255.112.197
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: esenspi - C:\WINDOWS\SYSTEM32\esenspi.dll
    O20 - Winlogon Notify: URL - C:\WINDOWS\system32\hzp95en.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
    O23 - Service: F-Secure Gatekeeper Handler Starter - Unknown owner - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
    O23 - Service: FSBWSYS (fsbwsys) - Unknown owner - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
    O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O24 - Desktop Component 0: Security - C:\WINDOWS\desktop.html

    --
    End of file - 16091 bytes
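    The log above shows the patterns a responder looks for before touching the machine: O17 entries whose NameServer values point at resolvers that are neither the router nor the ISP (every interface GUID carries the same two addresses), O4 Run entries that name a bare executable with no path (resolved through the search path at logon), R3/O2 hooks whose DLL is "(file missing)" or has "(no name)", and an O20 Winlogon Notify DLL that gets loaded into winlogon.exe. The following triage script is an added example written for this thread; it is not part of HijackThis, FixWareout or ComboFix. The trusted-resolver list (RFC 1918 space, standing in for a home router) is an assumption that a real run would extend with the ISP's resolvers, and the sample lines are copied from the log posted above.

```python
"""Triage a HijackThis-style log and flag the entry types that make drluv's log alarming.

Added example for this thread, not code from HijackThis or any tool named in it.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumption: resolvers the owner expects. RFC 1918 space stands in for a home
# router here; a real triage adds the ISP's resolvers. Anything else in an O17
# entry is reported as a DNS hijack candidate.
TRUSTED_RESOLVER_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# "O4 - HKLM\..\Run: [Name] command" -> section code and the rest of the line
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# Run-key entries only (Global Startup entries are .lnk files, not commands)
O4_RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[[^\]]*\] (.*)$")
O17_RE = re.compile(r"NameServer = (.*)$")


class Finding(NamedTuple):
    section: str
    reason: str
    line: str


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split a HijackThis entry into (section code, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def executable_of(command: str) -> str:
    """Executable part of a Run-key command: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def is_trusted_resolver(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_RESOLVER_NETS)


def triage_entry(section: str, body: str, line: str) -> List[Finding]:
    out: List[Finding] = []
    if "(file missing)" in body:
        out.append(Finding(section, "registered component whose file is gone", line))
    if section in ("O2", "R3") and "(no name)" in body:
        out.append(Finding(section, "browser hook/BHO with no friendly name", line))
    if section == "O4":
        m = O4_RUN_RE.match(body)
        if m:
            exe = executable_of(m.group(1))
            # No backslash: Windows resolves the name via the search path at logon.
            # Legitimate vendors do this too (SOUNDMAN.EXE), so it is a lead, not a verdict.
            if exe and "\\" not in exe:
                out.append(Finding(section, f"unqualified executable '{exe}' resolved via search path", line))
    if section == "O17":
        m = O17_RE.search(body)
        if m:
            # HijackThis prints per-interface values comma-separated and the global
            # Tcpip\Parameters value space-separated; accept both.
            bad = [ip for ip in re.split(r"[,\s]+", m.group(1)) if ip and not is_trusted_resolver(ip)]
            if bad:
                out.append(Finding(section, "untrusted DNS resolver(s): " + ", ".join(bad), line))
    if section == "O20" and body.startswith("Winlogon Notify:"):
        out.append(Finding(section, "Winlogon Notify DLL is loaded into winlogon.exe at every logon", line))
    return out


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if parsed:
            findings.extend(triage_entry(parsed[0], parsed[1], raw.strip()))
    return findings


# Sample entries copied from the log in the post above (one clean O17 line added).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {7060354D-7B98-5515-24B6-0BA3D3C3F89E} - MSTCPDLL.dll (file missing)
O2 - BHO: (no name) - {23704188-154e-4c58-9e3b-f05a6127c816} - C:\WINDOWS\system32\esenspi.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NsCplTray] Shaitan1678.exe
O4 - HKCU\..\Run: [wormexe] scanSYS.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C50C77A-78D6-49BE-B7DE-5AD0E9D598EE}: NameServer = 85.255.113.108,85.255.112.197
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O20 - Winlogon Notify: esenspi - C:\WINDOWS\SYSTEM32\esenspi.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

    Run it against a full saved log (`triage(open("hijackthis.log").read())`) to get the short list to investigate; the O17 hits are the ones to fix first, since a hijacked resolver can redirect every download of a cleanup tool.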
     
  2. Baabiouz (Regular member, joined Feb 18, 2006)
    Hi!

    Please download FixWareout from one of these mirrors:
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
    http://downloads.subratam.org/Fixwareout.exe


    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts.
    Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
    Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log.
    ___________________________

    Please download ComboFix to your desktop.
    Double-click combo.exe to launch the application.
    Follow the prompts that will be displayed on the screen.
    Don't click on the window while the fix is running, because that will cause your system to hang.
    When finished, it should produce a log, combofix.txt.
    Post this log in your next reply together with a new HijackThis log.

    Post the HijackThis log, ComboFix log and FixWareout log.
     
  3. drluv (Regular member, joined Apr 2, 2005)
    ComboFix.txt:

    "HP_Owner" - 2007-07-10 17:28:21 - ComboFix 07-07-10.1 - Service Pack 2


    (((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

    REGISTRY ENTRIES REMOVED:

    [HKEY_CLASSES_ROOT\clsid\{A0F4C358-CF7D-465A-8699-CA656E72AA6B}]
    @=""
    "IDEx"="ADDR"

    [HKEY_CLASSES_ROOT\clsid\{A0F4C358-CF7D-465A-8699-CA656E72AA6B}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{A0F4C358-CF7D-465A-8699-CA656E72AA6B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{A0F4C358-CF7D-465A-8699-CA656E72AA6B}\InprocServer32]
    @="C:\\WINDOWS\\system32\\hzp95en.dll"
    "ThreadingModel"="Apartment"

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    Granting SeDebugPrivilege to Administrators ... successful


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\vtutt.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\deskbar.exe
    C:\Installer3.exe
    C:\Program Files\deskbar
    C:\Program Files\deskbar\about.html
    C:\Program Files\deskbar\basis.xml
    C:\Program Files\deskbar\deskbar.crc
    C:\Program Files\deskbar\deskbar.dll
    C:\Program Files\deskbar\deskbar.inf
    C:\Program Files\deskbar\icons.bmp
    C:\Program Files\deskbar\inst.bat
    C:\Program Files\deskbar\mbback.bmp
    C:\Program Files\deskbar\mbbigopen.bmp
    C:\Program Files\deskbar\mbclose.bmp
    C:\Program Files\deskbar\mbfwd.bmp
    C:\Program Files\deskbar\mblogo.bmp
    C:\Program Files\deskbar\mbsep.bmp
    C:\Program Files\deskbar\options.html
    C:\Program Files\deskbar\softomate.gif
    C:\Program Files\deskbar\version.txt
    C:\Program Files\winantispyware 2006 scanner
    C:\Program Files\winantispyware 2006 scanner\Activate.dat
    C:\Program Files\winantispyware 2006 scanner\AsAgents.dll
    C:\Program Files\winantispyware 2006 scanner\AsAgents.xml
    C:\Program Files\winantispyware 2006 scanner\bnlink.dat
    C:\Program Files\winantispyware 2006 scanner\database\appupdate.dat
    C:\Program Files\winantispyware 2006 scanner\database\AutoProcess.dat
    C:\Program Files\winantispyware 2006 scanner\database\dbupdate.dat
    C:\Program Files\winantispyware 2006 scanner\database\enemies.dat
    C:\Program Files\winantispyware 2006 scanner\database\knownfiles.dat
    C:\Program Files\winantispyware 2006 scanner\database\monstate.dat
    C:\Program Files\winantispyware 2006 scanner\database\PortSpec.ats
    C:\Program Files\winantispyware 2006 scanner\database\quaratine.dat
    C:\Program Files\winantispyware 2006 scanner\database\RTMonitor.dat
    C:\Program Files\winantispyware 2006 scanner\database\Summary.dat
    C:\Program Files\winantispyware 2006 scanner\database\tasks.dat
    C:\Program Files\winantispyware 2006 scanner\database\TEBase.dat
    C:\Program Files\winantispyware 2006 scanner\database\threatnet.dat
    C:\Program Files\winantispyware 2006 scanner\diagnosis.dat
    C:\Program Files\winantispyware 2006 scanner\errors.log
    C:\Program Files\winantispyware 2006 scanner\InstHelp.exe
    C:\Program Files\winantispyware 2006 scanner\lapv.dat
    C:\Program Files\winantispyware 2006 scanner\license.rtf
    C:\Program Files\winantispyware 2006 scanner\manual.url
    C:\Program Files\winantispyware 2006 scanner\pv.dat
    C:\Program Files\winantispyware 2006 scanner\scanlog.xml
    C:\Program Files\winantispyware 2006 scanner\shellext.dll
    C:\Program Files\winantispyware 2006 scanner\shellext.xml
    C:\Program Files\winantispyware 2006 scanner\sr.log
    C:\Program Files\winantispyware 2006 scanner\support.url
    C:\Program Files\winantispyware 2006 scanner\unins000.dat
    C:\Program Files\winantispyware 2006 scanner\unins000.exe
    C:\Program Files\winantispyware 2006 scanner\update.log
    C:\Program Files\winantispyware 2006 scanner\updater.dat
    C:\Program Files\winantispyware 2006 scanner\Updater.exe
    C:\Program Files\winantispyware 2006 scanner\uwas6chk.dll
    C:\Program Files\winantispyware 2006 scanner\uwasffNT.exe
    C:\Program Files\winantispyware 2006 scanner\vbpv.dat
    C:\Program Files\winantispyware 2006 scanner\was6.dmp
    C:\Program Files\winantispyware 2006 scanner\was6.exe
    C:\Program Files\winantispyware 2006 scanner\WAS6.url
    C:\Program Files\winantispyware 2006 scanner\was6.xml
    C:\WINDOWS\newname.dat


    ((((((((((((((((((((((((( Files Created from 2007-06-10 to 2007-07-10 )))))))))))))))))))))))))))))))


    2007-07-10 17:28 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-10 17:17 9,701 --a------ C:\dnsbak.reg


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-10 04:28:05 9,712 ----a-w C:\DOCUME~1\HP_Owner\APPLIC~1\wklnhst.dat
    2007-06-27 22:21:22 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\SpamBlockerUtility
    2007-06-14 05:37:03 -------- d-----w C:\Program Files\PokerStars
    2007-06-11 09:09:00 -------- d-----w C:\Program Files\Full Tilt Poker
    2007-06-11 09:05:52 4 ---ha-w C:\ajspu.sys
    2007-06-11 09:05:49 -------- d-----w C:\Program Files\JetSetPoker
    2005-12-21 16:22:10 557,108 --sh--w C:\WINDOWS\system32\geeba.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    2006-08-24 18:37 439872 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2001-04-16 17:39 37808 --------- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23704188-154e-4c58-9e3b-f05a6127c816}]
    2006-05-24 06:02 23040 --a------ C:\WINDOWS\system32\esenspi.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31677ADF-17D9-5516-E17D-3E459D631863}]
    C:\WINDOWS\system\bplctw32.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36645342-9475-2663-166A-466739207346}]
    C:\WINDOWS\system32\ipv6mote.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B18DD50-C996-44fc-AC52-0FECFF82ED58}]
    2006-06-21 16:08 118784 --a------ c:\program files\spamblockerutility\sbtv\sbtvhelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
    2005-08-17 10:40 181752 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74CC49F7-EB32-4A08-B204-948962A6E3DB}]
    2006-11-09 09:07 546440 --a------ C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}]
    2005-08-02 13:41 524288 --a------ C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" []
    "HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" []
    "KBD"="C:\HP\KBD\KBD.EXE" []
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" []
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
    "VTTimer"="VTTimer.exe" []
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 22:47 C:\WINDOWS\ALCXMNTR.EXE]
    "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" []
    "SoundMan"="SOUNDMAN.EXE" [2004-07-29 02:40 C:\WINDOWS\SOUNDMAN.EXE]
    "AlcWzrd"="ALCWZRD.EXE" [2004-07-29 03:34 C:\WINDOWS\ALCWZRD.EXE]
    "Alcmtr"="ALCMTR.EXE" [2004-07-20 19:22 C:\WINDOWS\ALCMTR.EXE]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 19:06 C:\WINDOWS\AGRSMMSG.exe]
    "F-Secure Manager"="C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe" []
    "F-Secure TNB"="C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" []
    "F-Secure Startup Wizard"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.exe" []
    "News Service"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe" []
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" []
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
    "NsCplTray"="Shaitan1678.exe" []
    "backd"="iehelper.exe" []
    "MNTP"="syspanel.exe" []
    "HostManager"="C:\Program Files\Common Files\AOL\1157749087\ee\AOLHostManager.exe" []
    "AIMPro"="C:\Program Files\AIM\AIM Pro\aimpro.exe" []
    "SpamBlocker"="C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe" []
    "Spam Blocker for Outlook Express"="C:\PROGRA~1\SPAMBL~1\Bin\484~1.0\SBInst.exe" []
    "WeatherOnTray"="C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbWeatherOnTray.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="C:\Program Files\AIM\aim.exe" []
    "ares"="C:\Program Files\Ares\Ares.exe" []
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 10:06]
    "Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" []
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
    "Acme.PCHButton"="C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe" []
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
    "syspanel"="control64.exe" []
    "PrcIdle"="backd.exe" []
    "Bogobot"="Kargo.exe" []
    "stuffmon"="hyandex.exe" []
    "wormexe"="scanSYS.exe" []
    "slamm"="killall.exe" []
    "jiyaaaaa"="C:\WINDOWS\system32\jiyaaaaa.exe" []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegedit"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\WINDOWS\desktop.html
    FriendlyName= Security

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{1230649B-B980-44A5-B259-9B09EBEA6331}"="C:\Program Files\WinAntiSpyware 2006 Scanner\shellext.dll" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\esenspi]
    esenspi.dll 2006-05-24 06:02 23040 C:\WINDOWS\system32\esenspi.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=


    Contents of the 'Scheduled Tasks' folder
    2007-07-10 00:05:26 C:\WINDOWS\tasks\Scheduled scanning task.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-10 17:33:34
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-10 17:34:54 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-10 17:34

    --- E O F ---

    Fixwareout log:

    Username "HP_Owner" - 07/10/2007 17:17:05 [Fixwareout edited 2007/07/05]

    »»»»»Prerun check
    HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmcgo"
    HKLM\SOFTWARE\~\Winlogon\ "System"="csrqy.exe"

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    "nameserver"="85.255.113.108 85.255.112.197" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3C50C77A-78D6-49BE-B7DE-5AD0E9D598EE}
    "nameserver"="85.255.113.108,85.255.112.197" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{7B2A6668-B27C-4154-BEB8-D27083C9E51C}
    "nameserver"="85.255.113.108,85.255.112.197" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{FDBD5C28-A945-4C93-81C1-4E28EE8BCB0C}
    "nameserver"="85.255.113.108,85.255.112.197" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3C50C77A-78D6-49BE-B7DE-5AD0E9D598EE}
    "DhcpNameServer"="85.255.113.108,85.255.112.197" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{7B2A6668-B27C-4154-BEB8-D27083C9E51C}
    "DhcpNameServer"="85.255.113.108,85.255.112.197" <Value cleared.

    Successfully flushed the DNS Resolver Cache.


    System was rebooted successfully.

    »»»»» Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "system"=""
    ....
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "0" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "xedocne" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "gib_ogol" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "repiwoh" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "llun" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23plhps" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "mgcppp" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "tesvaf" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "32refaselif" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "nlcalik" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "swen" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "ogol" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "eno" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "owt" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "eerht" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "ruof" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "evif" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "ypszr" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "daolnwodi" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "putesprpgd" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "onisacputes" Deleted
    ....
    »»»»» Misc files.
    C:\Documents and Settings\HP_Owner\Application Data\Install.dat Deleted
    C:\Documents and Settings\HP_Owner\Application Data\kc.tmp Deleted
    C:\Documents and Settings\All Users\Favorites\Download Free Spyware Remover.url Deleted
    C:\Documents and Settings\All Users\Favorites\NEW VIAGRA at Half Price!.url Deleted
    C:\Documents and Settings\All Users\Favorites\Online Chat With Nude Girls.url Deleted
    C:\Documents and Settings\All Users\Favorites\Order CIALIS online without leaving home..url Deleted
    C:\Documents and Settings\All Users\Favorites\PC protection in under 2 minutes!.url Deleted
    C:\Documents and Settings\All Users\Favorites\SEX Dating - Real Girls For Real SEX.url Deleted
    C:\Documents and Settings\All Users\Favorites\Stop PopUps On Your Computer.url Deleted
    C:\Documents and Settings\All Users\Favorites\VIAGRA at incredible low price. Bonus Pills!.url Deleted
    C:\Documents and Settings\All Users\Favorites\View ADULT photos of REAL GIRLS!.url Deleted
    C:\WINDOWS\RDT.INI Deleted
    C:\WINDOWS\System32\kilacln.exe Deleted
    C:\Documents and Settings\All Users\Favorites\Online Pharmacy Deleted
    C:\Documents and Settings\All Users\Favorites\Sex and Dating Deleted
    C:\Documents and Settings\All Users\Favorites\Spyware Uninstall Deleted
    C:\Documents and Settings\HP_Owner\Favorites\Spyware Uninstall Deleted
    C:\Documents and Settings\HP_Owner\Start Menu\Programs\SpyMarshal Deleted
    C:\Program Files\SpyMarshal Deleted
    C:\WINDOWS\system32\{15E7F174-A5D0-4A8D-B371-EB151C82A871}.exe Deleted
    C:\WINDOWS\system32\{3DAA693D-C3CC-48B8-A15A-39F967670570}.exe Deleted
    C:\WINDOWS\system32\{50BD6615-92DF-4EC5-BBEC-CCCB82518F09}.exe Deleted
    C:\WINDOWS\system32\{A9561737-8FE2-4153-9B09-604600564DFB}.exe Deleted
    ....
    »»»»» Checking for older varients.
    ....

    »»»»» Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
    "hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "HPHUPD06"="c:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphupd06.exe"
    "HPHmon06"="C:\\WINDOWS\\system32\\hphmon06.exe"
    "KBD"="C:\\HP\\KBD\\KBD.EXE"
    "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
    "VTTimer"="VTTimer.exe"
    "AlcxMonitor"="ALCXMNTR.EXE"
    "PS2"="C:\\WINDOWS\\system32\\ps2.exe"
    "LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "AlcWzrd"="ALCWZRD.EXE"
    "Alcmtr"="ALCMTR.EXE"
    "AGRSMMSG"="AGRSMMSG.exe"
    "F-Secure Manager"="\"C:\\Program Files\\Charter High-Speed Security Suite\\Common\\FSM32.EXE\" /splash"
    "F-Secure TNB"="\"C:\\Program Files\\Charter High-Speed Security Suite\\TNB\\TNBUtil.exe\" /CHECKALL /WAITFORSW"
    "F-Secure Startup Wizard"="\"C:\\Program Files\\Charter High-Speed Security Suite\\FSGUI\\FSSW.EXE\" /reboot"
    "News Service"="\"C:\\Program Files\\Charter High-Speed Security Suite\\FSGUI\\ispnews.exe\""
    "HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
    "HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
    "EPSON Stylus CX3800 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIACA.EXE /P26 \"EPSON Stylus CX3800 Series\" /O6 \"USB001\" /M \"Stylus CX3800\""
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "NsCplTray"="Shaitan1678.exe"
    "backd"="iehelper.exe"
    "MNTP"="syspanel.exe"
    "HostManager"="C:\\Program Files\\Common Files\\AOL\\1157749087\\ee\\AOLHostManager.exe"
    "AIMPro"="\"C:\\Program Files\\AIM\\AIM Pro\\aimpro.exe\""
    "SpamBlocker"="C:\\Program Files\\SpamBlockerUtility\\Bin\\4.8.4.0\\SbOEAddOn.exe"
    "Spam Blocker for Outlook Express"="C:\\PROGRA~1\\SPAMBL~1\\Bin\\484~1.0\\SBInst.exe"
    "dbxiklvx"="C:\\WINDOWS\\system32\\xlztddwr.exe"
    "WeatherOnTray"="C:\\Program Files\\SpamBlockerUtility\\Bin\\4.8.4.0\\SbWeatherOnTray.exe"
    "EPSON Stylus CX3800 Series (Copy 1)"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIACA.EXE /P35 \"EPSON Stylus CX3800 Series (Copy 1)\" /O5 \"LPT1:\" /M \"Stylus CX3800\""
    "EPSON Stylus CX3800 Series (Copy 2)"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIACA.EXE /P35 \"EPSON Stylus CX3800 Series (Copy 2)\" /O5 \"LPT2:\" /M \"Stylus CX3800\""
    "EPSON Stylus 3800 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIACA.EXE /P24 \"EPSON Stylus 3800 Series\" /O5 \"COM1:\" /M \"Stylus CX3800\""
    "jiyaaaaa"="C:\\WINDOWS\\system32\\jiyaaaaa.exe"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
    "ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
    "Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
    "Acme.PCHButton"="C:\\PROGRA~1\\HELPAN~1\\HPQ\\XPXWWPP5\\plugin\\bin\\PCHButton.exe"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "syspanel"="control64.exe"
    "PrcIdle"="backd.exe"
    "Bogobot"="Kargo.exe"
    "stuffmon"="hyandex.exe"
    "wormexe"="scanSYS.exe"
    "slamm"="killall.exe"
    "jiyaaaaa"="C:\\WINDOWS\\system32\\jiyaaaaa.exe"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it
    »»»»» End report »»»»»

    New Hijackthis log

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 5:44:15 PM, on 7/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
    C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
    C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsrw.exe
    C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
    C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\SpamBlockerUtility\SBTV\SBTV.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbSrv.exe
    C:\Documents and Settings\HP_Owner\Desktop\HiJackThis_v2.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    R3 - URLSearchHook: (no name) - {7060354D-7B98-5515-24B6-0BA3D3C3F89E} - MSTCPDLL.dll (file missing)
    R3 - URLSearchHook: (no name) - {B4A66CC7-2304-B56E-910B-7F2EFC6D5833} - init32.dll (file missing)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {23704188-154e-4c58-9e3b-f05a6127c816} - C:\WINDOWS\system32\esenspi.dll
    O2 - BHO: Image Helper - {31677ADF-17D9-5516-E17D-3E459D631863} - C:\WINDOWS\system\bplctw32.dll (file missing)
    O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mote.dll (file missing)
    O2 - BHO: TVEngine Helper /fleok=1D8A83A5C2E6107D98AE75760EA83FA5EF80752B9499803B2A2303766A - {4B18DD50-C996-44fc-AC52-0FECFF82ED58} - c:\program files\spamblockerutility\sbtv\sbtvhelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NsCplTray] Shaitan1678.exe
    O4 - HKLM\..\Run: [backd] iehelper.exe
    O4 - HKLM\..\Run: [MNTP] syspanel.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1157749087\ee\AOLHostManager.exe
    O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
    O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe
    O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SPAMBL~1\Bin\484~1.0\SBInst.exe
    O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbWeatherOnTray.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [syspanel] control64.exe
    O4 - HKCU\..\Run: [PrcIdle] backd.exe
    O4 - HKCU\..\Run: [Bogobot] Kargo.exe
    O4 - HKCU\..\Run: [stuffmon] hyandex.exe
    O4 - HKCU\..\Run: [wormexe] scanSYS.exe
    O4 - HKCU\..\Run: [slamm] killall.exe
    O4 - HKCU\..\Run: [jiyaaaaa] C:\WINDOWS\system32\jiyaaaaa.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Charter High-Speed Security Suite.lnk = C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Block this popup - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
    O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131734823425
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: esenspi - C:\WINDOWS\SYSTEM32\esenspi.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
    O23 - Service: F-Secure Gatekeeper Handler Starter - Unknown owner - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
    O23 - Service: FSBWSYS (fsbwsys) - Unknown owner - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
    O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O24 - Desktop Component 0: Security - C:\WINDOWS\desktop.html

    --
    End of file - 13252 bytes


    again thanks for the help :D!
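
The Fixwareout prerun check above is the key finding in this log: every interface's NameServer and DhcpNameServer value pointed at 85.255.113.108 / 85.255.112.197 (which the tool cleared), and the Run keys carry entries like [backd] iehelper.exe whose image is a bare file name with no path. The Python below is an added triage example, not part of this thread and not code from HijackThis or Fixwareout: it parses such lines, flags Run entries that resolve through the search path, lists hooks marked "(file missing)", and compares the recorded resolvers against an expected set. The KNOWN_BARE allowlist and the 192.168.1.1 expected resolver are assumptions made for the sample.

```python
import re
from dataclasses import dataclass

# Constructed sample: O2/O4 lines copied from the HijackThis log posted above.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mote.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [backd] iehelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [wormexe] scanSYS.exe
O4 - HKCU\..\Run: [jiyaaaaa] C:\WINDOWS\system32\jiyaaaaa.exe
"""

# Constructed sample: two of the registry values from the Fixwareout prerun check above.
SAMPLE_FIXWAREOUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.113.108 85.255.112.197" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3C50C77A-78D6-49BE-B7DE-5AD0E9D598EE}
"DhcpNameServer"="85.255.113.108,85.255.112.197" <Value cleared.
"""

# Assumed allowlist: vendor utilities this log shows running from C:\WINDOWS, which
# HijackThis lists by bare file name (Baabiouz warns against deleting ALCMTR.EXE).
KNOWN_BARE = {"SOUNDMAN.EXE", "ALCWZRD.EXE", "ALCMTR.EXE", "ALCXMNTR.EXE",
              "AGRSMMSG.exe", "VTTimer.exe"}
# Assumed resolver for the victim's LAN (placeholder; take it from the router or ISP).
EXPECTED_RESOLVERS = {"192.168.1.1"}

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
NS_RE = re.compile(r'^"(nameserver|dhcpnameserver)"="([^"]*)"', re.IGNORECASE)

@dataclass
class RunEntry:
    hive: str
    name: str
    exe: str
    has_path: bool  # True when the image is given as an absolute drive path

def parse_o4(text):
    """Return the Run-key entries from HijackThis O4 lines, with the executable isolated."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, name, cmd = m.groups()
        # A quoted command keeps its spaces; otherwise the executable is the first token.
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        entries.append(RunEntry(hive, name, exe, bool(re.match(r"^[A-Za-z]:\\", exe))))
    return entries

def flag_run_entries(entries, known_bare=KNOWN_BARE):
    """Names of Run entries that launch a bare file name not on the allowlist."""
    # A bare name resolves through the search path, so the log does not say where it
    # lives; iehelper.exe and scanSYS.exe in the sample are exactly this case.
    return [e.name for e in entries if not e.has_path and e.exe not in known_bare]

def missing_file_entries(text):
    """Component paths HijackThis marked '(file missing)': orphaned hooks to clean up."""
    return [line.strip()[: -len(" (file missing)")].rsplit(" - ", 1)[-1]
            for line in text.splitlines() if line.strip().endswith("(file missing)")]

def parse_nameservers(text):
    """Map each Tcpip registry key to the resolver list Fixwareout recorded under it."""
    found, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.upper().startswith("HKEY_"):
            key = line
        elif key and (m := NS_RE.match(line)):
            found[key] = re.split(r"[ ,]+", m.group(2).strip())
    return found

def flag_nameservers(found, expected=EXPECTED_RESOLVERS):
    """(key, ip) pairs whose resolver is not one the network is expected to hand out."""
    return [(k, ip) for k, ips in found.items() for ip in ips if ip not in expected]

if __name__ == "__main__":
    print(flag_run_entries(parse_o4(SAMPLE_HJT)), missing_file_entries(SAMPLE_HJT))
    print(flag_nameservers(parse_nameservers(SAMPLE_FIXWAREOUT)))
```

Entries with a full path such as jiyaaaaa.exe are not caught by the bare-name check; those still need the file itself inspected, which is what the scan tools requested later in the thread do.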
     
  4. Baabiouz

    Baabiouz Regular member

    Joined:
    Feb 18, 2006
    Messages:
    400
    Likes Received:
    0
    Trophy Points:
    26
    Hi!

    Please download SmitfraudFix

    Double-click SmitfraudFix.exe
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
    _______________________________

    Download SDFix and save it to your Desktop.
    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    * Open the extracted SDFix folder and double click RunThis.bat to start the script.
    * Type Y to begin the cleanup process.
    * It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
    * Press any Key and it will restart the PC.
    * When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
    * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    * Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
    _________________________________

    Please, post Sdfix log, Smitfraudfix log and a fresh Hijackthis log.
     
  5. anari11

    anari11 Guest

    You've got 6 infections:

    O2 - BHO: Image Helper - {31677ADF-17D9-5516-E17D-3E459D631863} - C:\WINDOWS\system\bplctw32.dll (file missing)

    O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mote.dll (file missing)

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbWeatherOnTray.exe

    O4 - HKCU\..\Run: [wormexe] scanSYS.exe

    Delete them all.

    Next are programs that you don't need or are unnecessary:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

    O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

    O4 - HKLM\..\Run: [TkBellExe] \"C:\Program Files\Common Files\Real\Update_OB\realsched.exe\" -osboot

    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

    After you have deleted them all, reboot your computer. Search for and delete the file Alcxmntr.exe. Search for and delete the file ALCMTR.EXE. Delete the C:\Program Files\Hotbar\ folder. Delete the file winstart.exe, which resides in C:\WINDOWS\System32\ or C:\WINDOWS\System\. Empty your recycle bin. Run Windows Update and install all critical updates. Make sure your anti-virus program is up to date with the latest patches. If you do not have an anti-virus program, download and install AVG Personal Edition Anti-Virus, which is free. Reboot one last time.
     
  6. Baabiouz

    Baabiouz Regular member

    Joined:
    Feb 18, 2006
    Messages:
    400
    Likes Received:
    0
    Trophy Points:
    26
    Please DON'T do anything that anari11 said.
    Anari11, please go to HijackThis school and come back here again.
    For example, you never delete this file: ALCMTR.EXE.

    Anari11, don't post your advice if you don't know what to do; this is the fix for this user.
    Please don't come here and make fixes if you can't do it! Please go to HjT school. Thanks.
     
    Last edited: Jul 13, 2007
  7. Baabiouz

    Baabiouz Regular member

    Joined:
    Feb 18, 2006
    Messages:
    400
    Likes Received:
    0
    Trophy Points:
    26
    drluv: Please, run Smitfraudfix and Sdfix.
     
  8. ddp

    ddp Moderator Staff Member

    Joined:
    Oct 15, 2004
    Messages:
    39,073
    Likes Received:
    80
    Trophy Points:
    128
    anari11, lightning struck!!
     
