Abebot and trojandownloader.xs problem


-r00sta-

Hello,

I, like many other people, managed to infect my system with some nasty spyware. Detailed below are the ones causing problems:

1)

"Security System Protection Control Panel" TrojanDownloader.XS.

It is a white and blue window that says "Security system Warning".

2)
A red box mentioning something like:

Alert Details
File: C:\WINDOWS\wml.exe

Threat:Abebot

3)

System Integrity Scan Wizard
Warning: Your computer may have critical errors in Windows registry and file system!

and 4)

A yellow triangle with an exclamation mark in the bottom right corner where the clock is located. It's constantly prompting me that there is spyware infecting my system and is directing me to a website to download some spyware remover.

If someone could please help me fix this problem, I would greatly appreciate it.

I am running on Windows XP

thanks,
Scott
 
The first thing that I need you to do is download and install HijackThis.

HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.2) it can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in its own folder, usually C:\Program Files\Trend Micro\HijackThis. Please don't change the directory as it is necessary to create backups.
  • After installing, the program launches automatically, select Scan now and save a log
  • After the scan is complete attach the log into your reply.
Do not attempt to fix any item yet.
Do not add anything to the ignore list.
Don't use the AnalyseThis button; its findings are dangerous if misinterpreted.

HijackThis will give me an idea as to what nasty things there are lurking about in your system and will help the both of us get rid of them.

If you have any problems or questions then please post back.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally attach the Report.txt back on the forum

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please attach the contents of C:\vundofix.txt
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please Download VirtumundoBeGone by secured2k
  • Save the file to your desktop
  • Close all running programs (including your Internet Browser)
  • Double-click VirtumundoBeGone.exe on the desktop
  • Read the introductory information, and then click Continue
  • Click Start
  • When asked if you want to continue, click Yes to run the fix
  • Click "Save Log"

Note: It is normal for the fix to terminate by producing a BLUE SCREEN OF DEATH, so don't be concerned when this happens. It requires you to manually reboot to restore your normal Windows desktop.

The log created by VirtumundoBeGone, called VBG.TXT, will be located on your desktop. Please retain VBG.TXT.

Empty Recycle Bin.

Reboot and attach the VBG.TXT into this thread.
Also please describe how your computer behaves at the moment.

Please download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please attach that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Run a fresh HijackThis scan after completing these steps.
 
I am not sure what is going on, but when I try to install these programmes, I get a message saying "This application has failed to start because MSVBVM60.DLL was not found." I think this file may have been deleted in another virus scan or something.
 
Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • Type "1" (and Enter) to start the fix.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool, so please do NOT do anything without instruction.

Combofix will automatically save the log file to C:\combofix.txt

Attach these logs back here along with a new Hijackthis log after following the above
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:50 p.m., on 3/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Windows Defender\MsMpEng.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Symantec AntiVirus\DefWatch.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\Program Files\Spyware Terminator\sp_rsser.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Documents and Settings\All Users\Application Data\balqhqra\hibchkpm.exe
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Windows Defender\MSASCui.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\PROGRA~1\SYMANT~1\VPTray.exe
E:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
E:\Program Files\Messenger\MSMSGS.EXE
E:\WINDOWS\system32\fkbyrmru.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - E:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - E:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - E:\Program Files\PC-Antispyware\IeExtension.dll (file missing)
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - E:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: GNX Bingo - {D5F536B7-2822-4736-87D3-414DF1BF1E8C} - E:\WINDOWS\svpekgonrlo.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - E:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - E:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - E:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "E:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Ad-Watch] E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PC-Antispyware] "E:\Program Files\PC-Antispyware\PC-Antispyware.exe" hide
O4 - HKLM\..\Run: [SpywareTerminator] "E:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [iqscnczi] E:\WINDOWS\system32\fkbyrmru.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC-Cleaner.install] "E:\DOCUME~1\PC\LOCALS~1\Temp\281ee3e0.exe" continue
O4 - HKLM\..\Policies\Explorer\Run: [pAQhHpAQhH] E:\Documents and Settings\All Users\Application Data\balqhqra\hibchkpm.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "E:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "E:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
 
rest of log file Hijackthis

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by121fd.bay121.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - E:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
O21 - SSODL: sxfnewqb - {01ACF96D-CDF9-4CB0-BF06-C80FBA7A7BDE} - E:\WINDOWS\sxfnewqb.dll
O21 - SSODL: RunOnceService - {7d877e23-de61-4e2c-a431-e9acf158fc91} - E:\WINDOWS\Installer\{7d877e23-de61-4e2c-a431-e9acf158fc91}\RunOnceService.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - E:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SAVRoam (SavRoam) - symantec - E:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - E:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - E:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - E:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10309 bytes
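The HijackThis log above is what the helper reads by eye: random-named executables under the Run keys, an autostart under Policies\Explorer\Run, a Temp-folder installer, and DLLs dropped straight into the Windows root. As an added example (mine, not part of the original thread and not how HijackThis or the helper works), here is a small Python triage script that applies those rules of thumb to O2/O4/O21/O23 lines. The sample lines are copied from the log above; the scoring weights, the "random name" heuristic and the rogue-product name list are my own assumptions.

```python
import re

# Entries copied verbatim from the HijackThis log posted in this thread.
# The triage rules and point values below are my own assumptions, not HJT's.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: GNX Bingo - {D5F536B7-2822-4736-87D3-414DF1BF1E8C} - E:\WINDOWS\svpekgonrlo.dll
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PC-Antispyware] "E:\Program Files\PC-Antispyware\PC-Antispyware.exe" hide
O4 - HKCU\..\Run: [iqscnczi] E:\WINDOWS\system32\fkbyrmru.exe
O4 - HKCU\..\Run: [PC-Cleaner.install] "E:\DOCUME~1\PC\LOCALS~1\Temp\281ee3e0.exe" continue
O4 - HKLM\..\Policies\Explorer\Run: [pAQhHpAQhH] E:\Documents and Settings\All Users\Application Data\balqhqra\hibchkpm.exe
O21 - SSODL: sxfnewqb - {01ACF96D-CDF9-4CB0-BF06-C80FBA7A7BDE} - E:\WINDOWS\sxfnewqb.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
"""

# Rogue "security product" names this thread itself identifies (the poster's
# screenshots and the helper's CFScript). Assumed list; extend with your own intel.
ROGUE_NAMES = ("pc-antispyware", "pc-cleaner", "security system")

PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx))', re.I)
RUN_NAME_RE = re.compile(r'\[([^\]]+)\]')          # [value name] of an O4 entry
SSODL_NAME_RE = re.compile(r'^O21 - SSODL: (\S+) -')  # name of an O21 entry


def looks_random(name):
    """Heuristic: machine-generated names are long, purely alphanumeric and vowel-poor.
    NeroCheck and nvsvc32 pass; fkbyrmru, hibchkpm and pAQhHpAQhH are flagged."""
    stem = name.lower().rsplit(".", 1)[0]
    if len(stem) < 8 or not stem.isalnum():
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) < 0.3


def score_entry(line):
    """Return (score, reasons) for one HijackThis line."""
    score, reasons = 0, []
    low = line.lower()
    m = PATH_RE.search(line)
    plow = m.group(1).lower() if m else ""
    fname = plow.rsplit("\\", 1)[-1]

    if fname and looks_random(fname):
        score += 2; reasons.append("random-looking file name " + fname)
    for rx in (RUN_NAME_RE, SSODL_NAME_RE):          # the autostart's own name
        m = rx.search(line)
        if m and looks_random(m.group(1)):
            score += 1; reasons.append("random-looking entry name " + m.group(1))
            break
    if any(seg in plow for seg in ("\\temp\\", "\\application data\\", "\\local settings\\")):
        score += 2; reasons.append("runs from a user/temp data directory")
    if re.search(r"\\windows\\[^\\]+$", plow):       # file directly in %windir%
        score += 1; reasons.append("file dropped in the Windows root")
    if "policies\\explorer\\run" in low:
        score += 2; reasons.append("Policies\\Explorer\\Run autostart (rarely used by legit software)")
    if "(file missing)" in low or "(no file)" in low:
        score += 1; reasons.append("orphaned entry, file missing")
    for rogue in ROGUE_NAMES:
        if rogue in low:
            score += 3; reasons.append("matches known rogue product name '%s'" % rogue)
            break
    return score, reasons


def triage(log_text, threshold=2):
    """Score every O2/O4/O21/O23 line; return those at or above threshold, worst first."""
    hits = []
    for line in log_text.splitlines():
        if not re.match(r"^O(2|4|21|23) - ", line):
            continue
        score, reasons = score_entry(line)
        if score >= threshold:
            hits.append((score, line, reasons))
    return sorted(hits, key=lambda h: -h[0])


if __name__ == "__main__":
    for score, line, reasons in triage(SAMPLE_LOG):
        print("[%d] %s\n      %s" % (score, line, "; ".join(reasons)))
```

Run against the sample, the Policies\Explorer\Run entry pointing at hibchkpm.exe ranks first (random file name, random value name, All Users\Application Data, unusual autostart key), the Temp installer and sxfnewqb.dll follow, and the legitimate Adobe, Nero and NVIDIA entries score zero. Treat the score as a reading order for a human, not a verdict: a high-entropy name in Program Files is usually nothing, the same name in a user-writable directory is worth a second look.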
 
SDFix: Version 1.165

Run by PC on Thu 03/04/2008 at 06:35 p.m.

Microsoft Windows XP [Version 5.1.2600]
Running From: E:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting


Checking Files :

Trojan Files Found:

E:\WINDOWS\SYSTEM32\CMMGR32.EXE - Deleted
E:\WINDOWS\svpekgonrlo.dll - Deleted
E:\WINDOWS\dwltqnmx.exe - Deleted
E:\WINDOWS\iTunesMusic.exe - Deleted
E:\WINDOWS\sxfnewqb.dll - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 18:38:56
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\\Program Files\\Ares\\Ares.exe"="F:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"
"E:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"="E:\\Program Files\\MSN Messenger\\MsnMsgr.Exe:*:Enabled:Windows Live Messenger 8.1"
"E:\\Program Files\\MSN Messenger\\livecall.exe"="E:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"F:\\Program Files\\BitComet\\BitComet.exe"="F:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"E:\\mIRC\\mirc.exe"="E:\\mIRC\\mirc.exe:*:Enabled:mIRC"
"E:\\Program Files\\Lavasoft\\Ad-Aware 2007\\Ad-Aware2007.exe"="E:\\Program Files\\Lavasoft\\Ad-Aware 2007\\Ad-Aware2007.exe:*:Enabled:Ad-Aware 2007"
"E:\\Program Files\\DAP\\DAP.exe"="E:\\Program Files\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
"F:\\GAmes\\World Of Warcraft\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"="F:\\GAmes\\World Of Warcraft\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"F:\\GAmes\\World Of Warcraft\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"="F:\\GAmes\\World Of Warcraft\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"F:\\GAmes\\World Of Warcraft\\World of Warcraft\\WoW-2.1.1.6739-to-2.1.2.6803-enUS-downloader.exe"="F:\\GAmes\\World Of Warcraft\\World of Warcraft\\WoW-2.1.1.6739-to-2.1.2.6803-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"E:\\Program Files\\FrostWire\\FrostWire.exe"="E:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
"E:\\Program Files\\LimeWire\\LimeWire.exe"="E:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"E:\\Program Files\\iTunes\\iTunes.exe"="E:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"F:\\GAmes\\TrackMania Nations ESWC\\TmNationsESWC.exe"="F:\\GAmes\\TrackMania Nations ESWC\\TmNationsESWC.exe:*:Enabled:TmNationsESWC"
"F:\\GAmes\\Steam\\steamapps\\mis_nik\\counter-strike source\\hl2.exe"="F:\\GAmes\\Steam\\steamapps\\mis_nik\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"E:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="E:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Disabled:VLC media player"
"F:\\GAmes\\Steam\\steamapps\\mis_nik\\source sdk base\\hl2.exe"="F:\\GAmes\\Steam\\steamapps\\mis_nik\\source sdk base\\hl2.exe:*:Enabled:hl2"
"F:\\GAmes\\Steam\\steamapps\\mis_nik\\counter-strike\\hl.exe"="F:\\GAmes\\Steam\\steamapps\\mis_nik\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"F:\\GAmes\\ET.exe"="F:\\GAmes\\ET.exe:*:Enabled:ET"
"F:\\GAmes\\EA GAMES\\Battlefield 2\\BF2.exe"="F:\\GAmes\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:BF2"
"F:\\GAmes\\EA GAMES\\Battlefield 1942\\BF1942.exe"="F:\\GAmes\\EA GAMES\\Battlefield 1942\\BF1942.exe:*:Enabled:BF1942"
"F:\\GAmes\\Alien Arena\\Alien Arena 2007\\crx.exe"="F:\\GAmes\\Alien Arena\\Alien Arena 2007\\crx.exe:*:Enabled:crx"
"F:\\GAmes\\EA GAMES\\Battlefield 1942\\BF1942_w32ded.exe"="F:\\GAmes\\EA GAMES\\Battlefield 1942\\BF1942_w32ded.exe:*:Enabled:BF1942_w32ded"
"E:\\Program Files\\America's Army\\System\\ArmyOps.exe"="E:\\Program Files\\America's Army\\System\\ArmyOps.exe:*:Enabled:ArmyOps"
"F:\\GAmes\\Wolfenstein enemy territory\\ET.exe"="F:\\GAmes\\Wolfenstein enemy territory\\ET.exe:*:Enabled:ET"
"E:\\Program Files\\uTorrent\\uTorrent.exe"="E:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"F:\\GAmes\\Steam\\steamapps\\mis_nik\\half-life 2 deathmatch\\hl2.exe"="F:\\GAmes\\Steam\\steamapps\\mis_nik\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"
"E:\\Program Files\\FlashGet\\flashget.exe"="E:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"E:\\Program Files\\Azureus\\Azureus.exe"="E:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"F:\\GAmes\\EA GAMES\\Battlefield 2\\bf2_w32ded.exe"="F:\\GAmes\\EA GAMES\\Battlefield 2\\bf2_w32ded.exe:*:Enabled:bf2_w32ded"
"E:\\Program Files\\GameSpy Arcade\\Aphex.exe"="E:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"F:\\GAmes\\Americas Army\\System\\ArmyOps.exe"="F:\\GAmes\\Americas Army\\System\\ArmyOps.exe:*:Enabled:ArmyOps"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"="E:\\Program Files\\MSN Messenger\\MsnMsgr.Exe:*:Enabled:Windows Live Messenger 8.1"
"E:\\Program Files\\MSN Messenger\\livecall.exe"="E:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - E:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 1 Feb 2007 61,440 A..H. --- E:\PROGRA~1\SUPERA~1\SASCTXMN.DLL
Mon 28 Jan 2008 1,404,240 A.SHR --- E:\PROGRA~1\SPYBOT~1\SDUPDATE.EXE
Mon 28 Jan 2008 5,146,448 A.SHR --- E:\PROGRA~1\SPYBOT~1\SPYBOTSD.EXE
Mon 28 Jan 2008 2,097,488 A.SHR --- E:\PROGRA~1\SPYBOT~1\TEATIMER.EXE
Mon 31 Mar 2008 1,024 A..H. --- E:\SYSTEM~1\_RESTO~1\RP212\A0028556.SYS
Mon 31 Mar 2008 1,024 A..H. --- E:\SYSTEM~1\_RESTO~1\RP213\A0028894.SYS
Mon 28 Jan 2008 0 A..H. --- E:\WINDOWS\SOFTWA~1\DOWNLOAD\F7DB87~1\BIT1.TMP
Thu 15 Mar 2007 0 A.SH. --- E:\DOCUME~1\ALLUSE~1\DRM\CACHE\INDIV01.TMP

Finished!
 
[04/03/2008, 21:21:57] - VirtumundoBeGone v1.5 ( "E:\Documents and Settings\PC\Desktop\VirtumundoBeGone.exe" )
[04/03/2008, 21:22:03] - Detected System Information:
[04/03/2008, 21:22:03] - Windows Version: 5.1.2600, Service Pack 2
[04/03/2008, 21:22:03] - Current Username: PC (Admin)
[04/03/2008, 21:22:03] - Windows is in NORMAL mode.
[04/03/2008, 21:22:03] - Searching for Browser Helper Objects:
[04/03/2008, 21:22:03] - BHO 1: {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} (Ask Search Assistant BHO)
[04/03/2008, 21:22:03] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/03/2008, 21:22:03] - BHO 3: {10F0C2A9-8E38-43e3-204D-45524C494E20} (PC-Antispyware Site Blocker Button)
[04/03/2008, 21:22:03] - BHO 4: {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} ()
[04/03/2008, 21:22:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 21:22:03] - Checking for HKLM\...\Winlogon\Notify\ctbr
[04/03/2008, 21:22:03] - Key not found: HKLM\...\Winlogon\Notify\ctbr, continuing.
[04/03/2008, 21:22:03] - BHO 5: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} (IE to GetRight Helper)
[04/03/2008, 21:22:03] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[04/03/2008, 21:22:03] - BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/03/2008, 21:22:03] - BHO 8: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[04/03/2008, 21:22:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 21:22:03] - No filename found. Continuing.
[04/03/2008, 21:22:03] - BHO 9: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[04/03/2008, 21:22:03] - BHO 10: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} (Ask Toolbar BHO)
[04/03/2008, 21:22:03] - Finished Searching Browser Helper Objects
[04/03/2008, 21:22:03] - Finishing up...
[04/03/2008, 21:22:03] - Nothing found! Exiting...

[04/03/2008, 21:23:00] - VirtumundoBeGone v1.5 ( "E:\Documents and Settings\PC\Desktop\VirtumundoBeGone.exe" )
[04/03/2008, 21:23:01] - Detected System Information:
[04/03/2008, 21:23:01] - Windows Version: 5.1.2600, Service Pack 2
[04/03/2008, 21:23:01] - Current Username: PC (Admin)
[04/03/2008, 21:23:01] - Windows is in NORMAL mode.
[04/03/2008, 21:23:01] - Searching for Browser Helper Objects:
[04/03/2008, 21:23:01] - BHO 1: {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} (Ask Search Assistant BHO)
[04/03/2008, 21:23:01] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/03/2008, 21:23:01] - BHO 3: {10F0C2A9-8E38-43e3-204D-45524C494E20} (PC-Antispyware Site Blocker Button)
[04/03/2008, 21:23:01] - BHO 4: {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} ()
[04/03/2008, 21:23:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 21:23:01] - Checking for HKLM\...\Winlogon\Notify\ctbr
[04/03/2008, 21:23:01] - Key not found: HKLM\...\Winlogon\Notify\ctbr, continuing.
[04/03/2008, 21:23:01] - BHO 5: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} (IE to GetRight Helper)
[04/03/2008, 21:23:01] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[04/03/2008, 21:23:01] - BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/03/2008, 21:23:01] - BHO 8: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[04/03/2008, 21:23:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 21:23:02] - No filename found. Continuing.
[04/03/2008, 21:23:02] - BHO 9: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[04/03/2008, 21:23:02] - BHO 10: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} (Ask Toolbar BHO)
[04/03/2008, 21:23:02] - Finished Searching Browser Helper Objects
[04/03/2008, 21:23:02] - Finishing up...
[04/03/2008, 21:23:02] - Nothing found! Exiting...
 
SmitFraudFix v2.309

Scan done at 21:26:43.28, Thu 03/04/2008
Run from E:\Documents and Settings\PC\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Windows Defender\MsMpEng.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Symantec AntiVirus\DefWatch.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\Program Files\Spyware Terminator\sp_rsser.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Windows Defender\MSASCui.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\PROGRA~1\SYMANT~1\VPTray.exe
E:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Messenger\MSMSGS.EXE
E:\WINDOWS\system32\fkbyrmru.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
E:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» E:\


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\PC


»»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\PC\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» E:\DOCUME~1\PC\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» E:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="E:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Atheros AR5005G Wireless Network Adapter #3 - Packet Scheduler Miniport
DNS Server Search Order: 10.1.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7E8B83C7-46E3-4AD7-9487-EDBBFAD414A5}: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7E8B83C7-46E3-4AD7-9487-EDBBFAD414A5}: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7E8B83C7-46E3-4AD7-9487-EDBBFAD414A5}: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 
You still haven't followed my last steps yet. And can you please post your logs as attachments.

1)MBAM log
2)Combofix log

*To attach, click the icon that looks like a paperclip, or if using quick replies select Go Advanced, then click the paperclip icon.
 
With MBAM
Be sure that everything is checked, and click Remove Selected.


CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE* Make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Driver::
Legacy_SZKG5

File::
E:\Program Files\PC-Antispyware\PC-Antispyware.exe
E:\WINDOWS\system32\fkbyrmru.exe
E:\WINDOWS\system32\ufsbwxwv.exe
E:\WINDOWS\system32\lelyhgls.exe
E:\Program Files\PC-Antispyware\IeExtension.dll
E:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
E:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

Folder::
E:\Documents and Settings\All Users\Application Data\balqhqra
E:\Program Files\PC-Cleaner(2)
E:\Program Files\PC-Cleaner
E:\Program Files\PC-Antispyware
E:\Program Files\AskSBar

Registry:
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10F0C2A9-8E38-43e3-204D-45524C494E20}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"=-
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"=-
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iqscnczi"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC-Antispyware"=-

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
 
Ok, good work. Still a little ways to go.

Delete a Service
  • Click Start | Run and type regedit in the Open: line. Click OK.
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  • Scroll down the left pane, locate Spyware Terminator Realtime Shield Service (sp_rssrv), right click it and select Delete.
  • Do the same for PC Tools Security Service (sdCoreService)
  • Reboot the system (into safe mode instructions below)


You might want to copy and paste these instructions into a notepad file and save it to your desktop. Then you can have the file open in safe mode, so you can follow the instructions easier.

At reboot don't let it boot normally:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run Hijackthis and Select Do A System Scan Only
Put a check mark next to the following entries:
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - E:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (file missing)
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - E:\Program Files\PC-Antispyware\IeExtension.dll (file missing)
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - E:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D5F536B7-2822-4736-87D3-414DF1BF1E8C} - (no file)
O2 - BHO: (no name) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - E:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - E:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
O4 - HKLM\..\Run: [PC-Antispyware] "E:\Program Files\PC-Antispyware\PC-Antispyware.exe" hide
O4 - HKLM\..\Run: [SpywareTerminator] "E:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [iqscnczi] E:\WINDOWS\system32\fkbyrmru.exe
O4 - HKCU\..\Run: [PC-Cleaner.install] "E:\DOCUME~1\PC\LOCALS~1\Temp\281ee3e0.exe" continue
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - E:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - E:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - E:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - E:\Program Files\Spyware Terminator\sp_rsser.exe


Select Fix Checked

Close Hijackthis

Show hidden files through windows explorer
  • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E
  • On the Tools menu in Windows Explorer, click Folder Options.
  • Click the View tab.
  • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

Use Windows Explorer to navigate to and delete the following files:

Files:
C:\WINDOWS\system32\fkbyrmru.exe <-This file only

Folders:
C:\Program Files\Spyware Terminator <-This folder only
C:\Program Files\PC-Antispyware <-This folder only
C:\Program Files\Crawler <-This folder only
C:\Program Files\AskSBar <-This folder only

Restart your computer into normal mode

Run a new scan with Hijackthis and attach the log
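The HijackThis entries in the post above were picked out by hand. As an added example (not code from HijackThis, from the helper, or from anyone in this thread), here is a small Python triage script that reads log lines in the same format and flags the kinds of entries the fix list targets: entries whose file is already gone ("(no file)" / "(file missing)"), autorun targets living in a Temp folder, names on a removal list, and random-looking run-key names. The sample lines are constructed to mirror the thread's log; the removal list (PC-Antispyware, PC-Cleaner, AskSBar, Crawler) is taken from the fix list in this thread, and the random-name check is a heuristic of this example, not a HijackThis rule.

```python
"""Triage HijackThis-style log lines (added example, not a HijackThis tool)."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the thread's HJT log (not the real log).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - E:\\Program Files\\PC-Antispyware\\IeExtension.dll (file missing)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - E:\\Program Files\\AskSBar\\bar\\1.bin\\ASKSBAR.DLL (file missing)
O4 - HKLM\\..\\Run: [PC-Antispyware] "E:\\Program Files\\PC-Antispyware\\PC-Antispyware.exe" hide
O4 - HKCU\\..\\Run: [iqscnczi] E:\\WINDOWS\\system32\\fkbyrmru.exe
O4 - HKCU\\..\\Run: [PC-Cleaner.install] "E:\\DOCUME~1\\PC\\LOCALS~1\\Temp\\281ee3e0.exe" continue
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - E:\\Program Files\\Spyware Doctor\\pctsSvc.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - E:\\Program Files\\Spyware Terminator\\sp_rsser.exe
"""

# Names from the thread's fix list (lower-cased for matching).
REMOVAL_LIST = ("pc-antispyware", "pc-cleaner", "asksbar", "crawler")

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 body: HKLM\..\Run: [value name] "quoted path" args   or   [value name] path args
O4_RE = re.compile(r'^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?:"(?P<qpath>[^"]+)"|(?P<path>\S+))')


@dataclass
class Finding:
    kind: str        # HJT section, e.g. "O4"
    line: str        # the original log line
    reasons: list    # why it was flagged


def looks_random(token: str) -> bool:
    """Heuristic (assumption of this example): a 7-9 letter, all-lowercase token
    with few vowels, like 'fkbyrmru', reads as machine-generated."""
    if not (7 <= len(token) <= 9 and token.isalpha() and token.islower()):
        return False
    vowels = sum(ch in "aeiou" for ch in token)
    return vowels / len(token) < 0.35


def triage_line(line: str):
    """Return a Finding for a suspicious line, or None for a line with no flags."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    lower = body.lower()
    reasons = []
    if lower.endswith("(file missing)") or lower.endswith("(no file)"):
        reasons.append("orphaned: entry points at a file that no longer exists")
    if "\\temp\\" in lower:
        reasons.append("autorun target lives in a Temp folder")
    for name in REMOVAL_LIST:
        if name in lower:
            reasons.append(f"matches removal-list item '{name}'")
            break
    if kind == "O4":
        o4 = O4_RE.match(body)
        if o4:
            path = o4.group("qpath") or o4.group("path")
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if looks_random(o4.group("name")) or looks_random(stem):
                reasons.append("random-looking value or file name (heuristic)")
    return Finding(kind, line.strip(), reasons) if reasons else None


def triage(log_text: str) -> list:
    """Triage every line of a log; returns only the flagged entries."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.kind, "|", finding.line)
        for reason in finding.reasons:
            print("    -", reason)
```

Orphaned entries are the safe, low-judgement removals: the registry key is all that is left. The Temp-folder and random-name flags only raise a line for review; a clean entry such as the SoundMan line in the sample produces no finding.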
 
Ok, here it is. Some of the files you asked me to delete, such as
C:\WINDOWS\system32\fkbyrmru.exe
C:\Program Files\Crawler
C:\Program Files\AskSBar
were already deleted before you told me to.
 
Your logs are looking good. Were you able to do this?


Delete a Service
  • Click Start | Run and type regedit in the Open: line. Click OK.
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  • Scroll down the left pane, locate PC Tools Auxiliary Service (sdAuxService), right click it and select Delete.
  • Reboot the system (into safe mode instructions below)


Please check to make sure.

Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
Looks good,

The only things picked up by Kaspersky were a false positive and quarantine files.

First of all delete everything in Symantec Quarantine
-----------------------------------------------------------------------------------------------------

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------
Cleanup using OTMoveit2 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

* When finished exit out of OTMoveIt2

---------------------------------------------------------------------------
I recommend you keep
1 anti virus program
1 firewall
Combo of Anti-Spyware (Spybot S&D and MBAM, or your choice)

For Spybot you can download the latest version from HERE.

Keep them updated.

You can also turn on tea timer in Spybot:
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • check Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close spybot

Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer you can disable it; then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

And just to be sure
Set correct settings for files
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK

Clear system restore points

  • This is a good time to clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.
 
R00sta,

Should you have any more problems please let me know through this thread. Otherwise your logs look clean

Regards,

Blind dragon
 