I have run Ad-Aware and Spybot S&D. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:13:19 PM, on 10/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\ICROSO~1.NET\smss.exe
C:\Documents and Settings\jjjjjjjj\Application Data\?ecurity\w?nspool.exe
C:\Windows\Twain_32\ScanWiz5\SDII.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
C:\Program Files\Olympus\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\jjjjjjjj\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {7FD09661-2CA6-1706-D7BD-56A7025BE691} - C:\WINDOWS\system32\jvzdjf.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\tynxmvtt.dll (file missing)
O2 - BHO: (no name) - {3CF049B6-5383-4567-978D-3DCCA8F357B3} - C:\WINDOWS\system32\mllli.dll (file missing)
O2 - BHO: (no name) - {3D28D3A3-5D2E-974C-EB2D-01F85300CC8C} - C:\WINDOWS\system32\uhbigwc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7FD09661-2CA6-1706-D7BD-56A7025BE691} - C:\WINDOWS\system32\jvzdjf.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: (no name) - {C742E521-A13C-11D9-B343-00B0C0E16668} - C:\WINDOWS\SYSTEM32\OOAH.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [fxbomx.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\fxbomx.dll,hfnitid
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AnyDVD] C:\PROGRA~1\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Otsu] "C:\PROGRA~1\COMMON~1\ICROSO~1.NET\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Bmnihuqy] C:\Documents and Settings\jjjjjjjj\Application Data\?ecurity\w?nspool.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\America Online 4.0\aoltray.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\WordPerfect Office 11\Programs\GLCOM97.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O20 - Winlogon Notify: mllli - C:\WINDOWS\system32\mllli.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjnr32 - winjnr32.dll (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Kind of overrun with logs since there's not much help around here, but you're very infected so I'll try to help.

Download ComboFix.exe to the desktop from here.
Open ComboFix.exe and follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply.

Note: Do not mouseclick ComboFix's window while it's running, it may cause it to stall.

COMBOFIX LOG:

jjjjjjjj - 06-10-25 18:00:22.75 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Program Files\Mozilla Firefox"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\system32\issearch.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\Safety Bar
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{07D10310-035F-1033-1107-010719000001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:
C:\QooBox\Purity\Program Files\Common Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\Common Files\FNTS~1
C:\QooBox\Purity\Program Files\Common Files\ICROSO~1.NET\?icrosoft.NET
C:\QooBox\Purity\Program Files\Common Files\ICROSO~1.NET\smss.exe
C:\QooBox\Purity\Documents and Settings\jjjjjjjj\Application Data\ECURIT~1
C:\QooBox\Purity\Documents and Settings\jjjjjjjj\Application Data\ECURIT~1\w?nspool.exe

((((((((((((((((((((((((((((((( Files Created from 2006-09-25 to 2006-10-25 ))))))))))))))))))))))))))))))))))

2006-10-24 18:03 73,216 ---h----- C:\WINDOWS\svchost.exe
2006-10-20 12:42 20,096 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AnyDVD.sys
2006-10-19 23:03 778,656 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
2006-10-19 23:03 4,992 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdi.sys
2006-10-19 23:03 4,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsw.sys
2006-10-19 23:03 27,904 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
2006-10-19 23:03 23,104 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgmfrs.sys
2006-10-19 21:31 67,604 --a------ C:\WINDOWS\SYSTEM32\qbigfgis.exe
2006-10-19 21:31 131,072 --a------ C:\WINDOWS\SYSTEM32\jvzdjf.dll
2006-10-18 20:52 2 --a------ C:\WINDOWS\SYSTEM32\wnscpsv.exe
2006-10-18 20:51 94,208 --a------ C:\WINDOWS\SYSTEM32\fxbomx.dll
2006-10-18 20:51 72,704 --a------ C:\WINDOWS\SYSTEM32\uhbigwc.dll
2006-10-06 23:13 515,102 ---hs---- C:\WINDOWS\SYSTEM32\illlm.bak2
2006-10-05 22:08 524,224 ---hs---- C:\WINDOWS\SYSTEM32\illlm.bak1
2006-10-05 22:08 143,380 --a------ C:\WINDOWS\SYSTEM32\jcmnnhha.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-24 23:20 85 ---hs---- C:\Documents and Settings\jjjjjjjj\Application Data\.zreglib
2006-10-24 22:55 433 --a------ C:\AUTOEXEC.BAT
2006-10-24 20:25 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-24 20:25 -------- d-------- C:\Documents and Settings\jjjjjjjj\Application Data\Mozilla
2006-10-21 15:28 -------- d-------- C:\Program Files\Zone Labs
2006-10-21 15:08 -------- d-------- C:\Program Files\Ultimate Cleaner
2006-10-19 23:20 -------- d-------- C:\Program Files\a-squared Free
2006-10-19 23:03 -------- d-------- C:\Documents and Settings\jjjjjjjj\Application Data\AVG7
2006-10-19 23:02 -------- d-------- C:\Program Files\Grisoft
2006-10-06 22:22 73216 ---h----- C:\Program Files\Common Files\svchost.exe
2006-09-14 19:31 -------- d-------- C:\Program Files\DVDFab Decrypter 3
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-08-25 10:45 617472 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll
2006-08-21 07:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltMc.exe
2006-08-16 06:58 100352 --a------ C:\WINDOWS\SYSTEM32\6to4svc.dll
2006-07-30 23:49 278528 --a------ C:\WINDOWS\SYSTEM32\migicons.exe
2006-07-30 23:37 62 --ahs---- C:\Documents and Settings\jjjjjjjj\Application Data\desktop.ini
2006-07-27 08:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 15:59 495 --a------ C:\Documents and Settings\jjjjjjjj\Application Data\dw.log

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"AnyDVD"="C:\\PROGRA~1\\SlySoft\\AnyDVD\\AnyDVD.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Otsu"="\"C:\\PROGRA~1\\COMMON~1\\ICROSO~1.NET\\smss.exe\" -vt yazb"
"Bmnihuqy"="C:\\Documents and Settings\\jjjjjjjj\\Application Data\\?ecurity\\w?nspool.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"fxbomx.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\fxbomx.dll,hfnitid"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"RAM Idle Professional"="C:\\Program Files\\RAM Idle LE\\RAM_XP.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=hex:00,00,00,00
"EditLevel"=dword:00000000
"NoRun"=dword:00000000
"NoClose"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoFileMenu"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"="C:\\WINDOWS\\svchost.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000
"CDRAutoRun"=hex:00,00,00,00
"EditLevel"=dword:00000000
"NoRun"=dword:00000000
"NoClose"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoFileMenu"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000
"CDRAutoRun"=hex:00,00,00,00
"EditLevel"=dword:00000000
"NoRun"=dword:00000000
"NoClose"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoFileMenu"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"SYSWB6"="SYSWB6"
"OEMCleanup"="C:\\WINDOWS\\OPTIONS\\OEMRESET.EXE"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Soundmx"="\\soundmx.exe"
"Bart Station"="C:\\Program Files\\ISP50\\BIN\\PPCOLink -STATION"
"mdac_runonce"="C:\\WINDOWS\\SYSTEM32\\RUNONCE.EXE"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM32\\STIMON.EXE"
"sp"="rundll32 C:\\WINDOWS\\TEMP\\SE.DLL,DllInstall"
"LoadQM"="loadqm.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllli
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjnr32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Tune-up Application Start.job
C:\WINDOWS\tasks\Scan For Viruses.job

Completion time: 06-10-25 18:01:54.34
C:\ComboFix.txt ... 06-10-25 18:01

Logfile of HijackThis v1.99.1
Scan saved at 7:06:02 AM, on 10/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\RAM Idle LE\RAM_XP.exe
C:\PROGRA~1\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\ICROSO~1.NET\smss.exe
C:\Documents and Settings\jjjjjjjj\Application Data\?ecurity\w?nspool.exe
C:\Windows\Twain_32\ScanWiz5\SDII.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
C:\Program Files\Olympus\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\Elaborate Bytes\CloneDVD2\CloneDVD2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\jjjjjjjj\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {7FD09661-2CA6-1706-D7BD-56A7025BE691} - C:\WINDOWS\system32\jvzdjf.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\tynxmvtt.dll (file missing)
O2 - BHO: (no name) - {3CF049B6-5383-4567-978D-3DCCA8F357B3} - C:\WINDOWS\system32\mllli.dll (file missing)
O2 - BHO: (no name) - {3D28D3A3-5D2E-974C-EB2D-01F85300CC8C} - C:\WINDOWS\system32\uhbigwc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7FD09661-2CA6-1706-D7BD-56A7025BE691} - C:\WINDOWS\system32\jvzdjf.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {C742E521-A13C-11D9-B343-00B0C0E16668} - C:\WINDOWS\SYSTEM32\OOAH.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [fxbomx.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\fxbomx.dll,hfnitid
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AnyDVD] C:\PROGRA~1\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Otsu] "C:\PROGRA~1\COMMON~1\ICROSO~1.NET\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Bmnihuqy] C:\Documents and Settings\jjjjjjjj\Application Data\?ecurity\w?nspool.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\America Online 4.0\aoltray.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\WordPerfect Office 11\Programs\GLCOM97.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O20 - Winlogon Notify: mllli - C:\WINDOWS\system32\mllli.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjnr32 - winjnr32.dll (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Download SmitfraudFix.zip to the desktop from here. Extract the files to the desktop, but do not run yet, we will later.

Download KillBox from here and save to the desktop. Do not run yet, we will later in safe mode.

Download ATF Cleaner from here and save to the desktop. Do not run yet, we will later.

Run a scan only with HijackThis, check these:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {7FD09661-2CA6-1706-D7BD-56A7025BE691} - C:\WINDOWS\system32\jvzdjf.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\tynxmvtt.dll (file missing)
O2 - BHO: (no name) - {3CF049B6-5383-4567-978D-3DCCA8F357B3} - C:\WINDOWS\system32\mllli.dll (file missing)
O2 - BHO: (no name) - {3D28D3A3-5D2E-974C-EB2D-01F85300CC8C} - C:\WINDOWS\system32\uhbigwc.dll
O2 - BHO: (no name) - {7FD09661-2CA6-1706-D7BD-56A7025BE691} - C:\WINDOWS\system32\jvzdjf.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {C742E521-A13C-11D9-B343-00B0C0E16668} - C:\WINDOWS\SYSTEM32\OOAH.DLL (file missing)
O4 - HKLM\..\Run: [fxbomx.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\fxbomx.dll,hfnitid
O4 - HKCU\..\Run: [Otsu] "C:\PROGRA~1\COMMON~1\ICROSO~1.NET\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Bmnihuqy] C:\Documents and Settings\jjjjjjjj\Application Data\?ecurity\w?nspool.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O20 - Winlogon Notify: mllli - C:\WINDOWS\system32\mllli.dll (file missing)
O20 - Winlogon Notify: winjnr32 - winjnr32.dll (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)

Close all windows except HijackThis then click "Fix checked". Close HijackThis.

Note: Print these instructions or copy to Notepad and save it, you will be in safe mode and can't access the internet.

Restart your computer in safe mode (press F8 upon boot, select "Safe Mode" from menu and press Enter).

Open Killbox.exe. Check "Standard File Kill". In the "Full Path of File to Delete" box, copy and paste each of the following lines below one at a time then click the red button with a white X after you enter each file. You will be prompted to confirm, click Yes. Note: KillBox may prompt "File does not seem to exist". If so, continue with next file, but do not miss any.

C:\WINDOWS\system32\jvzdjf.dll
C:\WINDOWS\system32\uhbigwc.dll
C:\WINDOWS\system32\fxbomx.dll
C:\Program Files\Common Files\Microsoft.NET\smss.exe

Exit KillBox.

Locate and delete this file (file name may or may not contain "?"):

C:\Documents and Settings\jjjjjjjj\Application Data\?ecurity\w?nspool.exe

Empty the Recycle Bin. Close all open windows.

Open ATF Cleaner. Check "Select All". Click "Empty Selected".

Restart in normal mode.

Open the SmitfraudFix folder. Double-click smitfraudfix.cmd
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt.

Post back with the contents of rapport.txt and a new HijackThis log.

SmitFraudFix v2.114

Scan done at 22:40:07.27, Thu 10/26/2006
Run from C:\Documents and Settings\jjjjjjjj\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\svchost.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\migicons.exe FOUND !
C:\WINDOWS\system32\ot.ico FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\jjjjjjjj

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\jjjjjjjj\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\jjjjjjjj\FAVORI~1
C:\DOCUME~1\jjjjjjjj\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of HijackThis v1.99.1
Scan saved at 10:42:31 PM, on 10/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\RAM Idle LE\RAM_XP.exe
C:\PROGRA~1\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\Twain_32\ScanWiz5\SDII.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
C:\Program Files\Olympus\CAMEDIA Master 4.1\CM_camera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\jjjjjjjj\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AnyDVD] C:\PROGRA~1\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\America Online 4.0\aoltray.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\WordPerfect Office 11\Programs\GLCOM97.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Good! Not much more.

Note: Print or copy these instructions to Notepad and save them. You will be in safe mode and can't access the internet.

* Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
* Open the SmitfraudFix folder.
* Double-click smitfraudfix.cmd
* Select 2 and hit Enter to delete infected files.
* You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
* The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
* A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt.

Restart in normal mode.

Go here and run Kaspersky Online Scanner. Accept the terms. After downloading, click "My Computer". After scanning, click "Save report as". Save as a text file and post it here along with the contents of rapport.txt.

KASPERSKY ONLINE SCANNER REPORT
Friday, October 27, 2006 10:30:51 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 28/10/2006
Kaspersky Anti-Virus database records: 222240
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 36099
Number of viruses found: 1
Number of infected objects: 1 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:39:59

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\TEMP\ZLT038f2.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT0056b.TMP Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\OEMCOMPUTER.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\hh.htt Infected: Trojan.JS.Zapchast.a skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Program Files\Common Files\svchost.exe Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\jjjjjjjj\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\jjjjjjjj\Local Settings\Temp\Perflib_Perfdata_658.dat Object is locked skipped
C:\Documents and Settings\jjjjjjjj\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\jjjjjjjj\Local Settings\History\History.IE5\MSHist012006102720061028\index.dat Object is locked skipped
C:\Documents and Settings\jjjjjjjj\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\jjjjjjjj\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\jjjjjjjj\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\jjjjjjjj\Local Settings\Application Data\Mozilla\Firefox\Profiles\azpta8ff.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\jjjjjjjj\Local Settings\Application Data\Mozilla\Firefox\Profiles\azpta8ff.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\jjjjjjjj\Local Settings\Application Data\Mozilla\Firefox\Profiles\azpta8ff.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\jjjjjjjj\Local Settings\Application Data\Mozilla\Firefox\Profiles\azpta8ff.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\jjjjjjjj\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\jjjjjjjj\Application Data\Mozilla\Firefox\Profiles\azpta8ff.default\parent.lock Object is locked skipped
C:\Documents and Settings\jjjjjjjj\Application Data\Mozilla\Firefox\Profiles\azpta8ff.default\cert8.db Object is locked skipped
C:\Documents and Settings\jjjjjjjj\Application Data\Mozilla\Firefox\Profiles\azpta8ff.default\key3.db Object is locked skipped
C:\Documents and Settings\jjjjjjjj\Application Data\Mozilla\Firefox\Profiles\azpta8ff.default\history.dat Object is locked skipped
C:\Documents and Settings\jjjjjjjj\Application Data\Mozilla\Firefox\Profiles\azpta8ff.default\search.sqlite Object is locked skipped
C:\Documents and Settings\jjjjjjjj\Application Data\Mozilla\Firefox\Profiles\azpta8ff.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\jjjjjjjj\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\QooBox\Purity\Program Files\Common Files\ICROSO~1.NET\smss.exe Object is locked skipped

Scan process completed.

SmitFraudFix v2.114

Scan done at 18:53:59.94, Fri 10/27/2006
Run from C:\Documents and Settings\jjjjjjjj\Desktop\Virus Protection\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\WINDOWS\svchost.exe Deleted C:\WINDOWS\system32\migicons.exe Deleted C:\WINDOWS\system32\ot.ico Deleted C:\DOCUME~1\jjjjjjjj\FAVORI~1\Antivirus Test Online.url Deleted C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End
Turn off System Restore. Right click My Computer > Properties > System Restore tab > check "Turn off System Restore". Click Apply then OK.

Restart in safe mode and delete these with KillBox.

C:\Program Files\Common Files\svchost.exe <--svchost.exe in System32 folder is the only legit svchost.
C:\QooBox
C:\WINDOWS\hh.htt

Restart in normal mode and turn System Restore back on.

Should be clean now. How are things? Any problems or questions?