
What is grcf.exe?

  • 25-05-2007 9:35am
    #1
    Registered Users Posts: 1,557 ✭✭✭


    Every time I start up my sister's computer a message pops up saying grcf.exe has a problem and needs to close, and then the computer runs really slowly and won't go onto the internet for me and sometimes crashes.

    Other times I'll manage to get onto the internet, but it won't work for me after a few minutes.

    What could I do to fix this problem?



Comments

  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Seems to be a pretty bad trojan. Do this:

    Please download the self-extracting version of HijackThis from here:

    HijackThis_sfx download

    Save HijackThis_sfx to your desktop.

    Double-click the file then click the Unzip button. Then close the Self-Extractor window.

    Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double click on HijackThis.exe to run it. If you would like to make a shortcut for your Desktop so it's more easily accessible, right click HijackThis.exe and choose Send To > Desktop (create shortcut).

    Please run the extracted HijackThis.exe from now on. Delete any copies of HijackThis.zip that you have saved.

    Open HijackThis and click Do a system scan and save a log file. Copy the entire contents of that log and post it here.


  • Registered Users Posts: 1,557 ✭✭✭quinnd6


    Okay, thanks. I'm not there at the moment but I will do that later.


  • Registered Users Posts: 1,557 ✭✭✭quinnd6


    Logfile of HijackThis v1.99.1
    Scan saved at 21:12:13, on 28/05/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\keyhook.exe
    C:\WINDOWS\System32\NSecurity.exe
    C:\WINDOWS\System32\svcchosst.exe
    C:\WINDOWS\system32\srvcc.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\client\Desktop\hijackthis_sfx\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotinfolink.com
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
    O4 - HKLM\..\Run: [Network Security] C:\WINDOWS\System32\NSecurity.exe
    O4 - HKLM\..\Run: [msvccc66] svcchosst.exe
    O4 - HKLM\..\Run: [johnj3155] C:\WINDOWS\system32\srvcc.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [wosa] C:\DOCUME~1\client\LOCALS~1\Temp\woso.exe
    O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
    O4 - HKCU\..\Run: [Network Security] C:\WINDOWS\System32\NSecurity.exe
    O4 - HKCU\..\Run: [johnj3155] C:\WINDOWS\system32\srvcc.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O10 - Unknown file in Winsock LSP: c:\windows\system32\ou3viewer.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\ou3viewer.dll
    O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINDOWS\grcf.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Hey quinnd6, your PC is very infected, so make sure you do all these steps, and ask me if you have any questions/problems. Do you know what start up entries you have disabled? If so, can you list them for me?

    Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

    A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
    1. Please download LSPFix from here.
    2. Run the LSPFix.exe that you have just finished downloading.
    3. Check the I know what I'm doing box.
    4. In the Keep box you should see one or more instances of ou3viewer.dll.
    5. Select every instance of ou3viewer.dll and move each one to the Remove box by clicking the >> button.
    6. When you are done click Finish>>.


    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


    1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O4 - HKLM\..\Run: [Network Security] C:\WINDOWS\System32\NSecurity.exe
    O4 - HKLM\..\Run: [msvccc66] svcchosst.exe
    O4 - HKLM\..\Run: [johnj3155] C:\WINDOWS\system32\srvcc.exe
    O4 - HKLM\..\Run: [wosa] C:\DOCUME~1\client\LOCALS~1\Temp\woso.exe
    O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
    O4 - HKCU\..\Run: [Network Security] C:\WINDOWS\System32\NSecurity.exe
    O4 - HKCU\..\Run: [johnj3155] C:\WINDOWS\system32\srvcc.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


    2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

    3. Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.

    4. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files in bold (if present):

    C:\WINDOWS\System32\NSecurity.exe
    C:\WINDOWS\System32\svcchosst.exe
    C:\WINDOWS\system32\srvcc.exe
    C:\WINDOWS\web\related.htm
    c:\windows\system32\ou3viewer.dll

    Please run the F-Secure Online Scanner

    Note: This Scanner is for Internet Explorer Only!
    • Follow the Instruction Here for installation.
    • Accept the License Agreement.
    • Once the ActiveX installs, click Full System Scan
    • Once the download completes, the scan will begin automatically.
    • The scan will take some time to finish, so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and Copy&Paste the entire report in your next reply.

    When you have done ALL this, please post back the following for me: the SDFix report, the F-Secure Online Scanner report, and a new HijackThis log.
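The entries singled out above (a look-alike of svchost.exe, an autorun from the Temp folder, the unknown Winsock LSP DLL, and an unowned service running from C:\WINDOWS) can be picked out mechanically; the following Python triage script is an added example, not part of the thread or of HijackThis itself. The sample lines are copied from quinnd6's log, and the 0.8 name-similarity cut-off, the Temp-folder check and the Windows-root check are assumptions chosen for this example.

```python
import re
from difflib import SequenceMatcher

# Real Windows binaries that malware commonly imitates by name.
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "smss.exe", "spoolsv.exe", "explorer.exe")

# First token of a command line, quoted or bare.
_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
# An executable sitting directly in the Windows folder rather than System32.
_WIN_ROOT_EXE = re.compile(r'^[a-z]:\\windows\\[^\\]+\.exe', re.IGNORECASE)

# Constructed sample: entries copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [msvccc66] svcchosst.exe
O4 - HKLM\..\Run: [wosa] C:\DOCUME~1\client\LOCALS~1\Temp\woso.exe
O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\ou3viewer.dll
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINDOWS\grcf.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""


def _first_token(command):
    m = _FIRST_TOKEN.match(command)
    return (m.group(1) or m.group(2)) if m else ""


def lookalike_of(filename):
    """Return the system binary a file name imitates, or None.

    Exact system names are trusted; near misses such as svcchosst.exe are
    reported. The 0.8 similarity cut-off is an assumption for this example.
    """
    name = filename.lower()
    if name in SYSTEM_NAMES:
        return None
    for real in SYSTEM_NAMES:
        if SequenceMatcher(None, name, real).ratio() >= 0.8:
            return real
    return None


def triage_line(line):
    """Return the reasons one HijackThis log line deserves a closer look."""
    m = re.match(r'^(O\d+|R\d+)\s+-\s+(.*)$', line.strip())
    if not m:
        return []
    section, rest = m.group(1), m.group(2)
    reasons = []
    if section == "O4" and "]" in rest:
        # O4 - <hive>\..\Run: [value name] <command line>
        exe = _first_token(rest.split("]", 1)[1])
        basename = exe.replace("/", "\\").rsplit("\\", 1)[-1]
        imitated = lookalike_of(basename)
        if imitated:
            reasons.append(f"name imitates {imitated}")
        if re.search(r'\\temp\\', exe, re.IGNORECASE):
            reasons.append("autorun from a Temp folder")
        if "RunServices" in rest:
            reasons.append("RunServices key (Win9x-era, unusual on XP)")
    elif section == "O10":
        reasons.append("unknown Winsock LSP module")
    elif section == "O20" and "(file missing)" in rest:
        reasons.append("Winlogon Notify entry pointing at a missing DLL")
    elif section == "O23" and rest.startswith("Service:"):
        # O23 - Service: <display name> (<short name>) - <owner> - <image path>
        parts = rest[len("Service:"):].strip().split(" - ")
        if len(parts) >= 3:
            owner, path = parts[1], " - ".join(parts[2:])
            if owner == "Unknown owner" and _WIN_ROOT_EXE.match(path):
                reasons.append("unowned service running from the Windows root")
    return reasons


def triage_log(text):
    """Map each flagged line of a log to the list of reasons it was flagged."""
    findings = {}
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            findings[raw.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(f"{entry}\n    -> {', '.join(why)}")
```

These heuristics are a triage aid, not a verdict: NSecurity.exe and srvcc.exe from the same log pass all of them and were still identified as malicious by the helper.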


  • Registered Users, Registered Users 2 Posts: 2,846 ✭✭✭tech


    Hi, this is my logfile, am I in trouble?

    Thanks

    ===============


    Logfile of HijackThis v1.99.1
    Scan saved at 08:48:10, on 29/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
    C:\WINDOWS\SYSTEM32\lexmvservice.exe
    C:\WINDOWS\SYSTEM32\LexWebService.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
    C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\Program Files\NetLimiter 2 Pro\NLClient.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
    C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Citrix\ICA Client\pnagent.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Skype\Plugin Manager\SkypePM.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Documents and Settings\stephen.patterson\Desktop\hijackthis_sfx.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = agentsmith:8888
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [RIMDeviceManager] "C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Program Neighborhood Agent.lnk = ?
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Unknown owner - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe" -k runservice (file missing)
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MarkVision Server (MvServer) - Unknown owner - C:\WINDOWS\SYSTEM32\lexmvservice.exe
    O23 - Service: MarkVision Web Server (MvWebServer) - Unknown owner - C:\WINDOWS\SYSTEM32\LexWebService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Your log looks fine tech. However, there are a few things you should do to make sure it doesn't get infected. You should install an anti-spyware program, a firewall, and real-time protection.

    * Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

    * To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
    SpywareBlaster protects against bad ActiveX
    IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all

    * SpywareGuard offers realtime protection from spyware installation attempts.

    * I recommend the following anti-spyware programs to protect yourself against spyware; make sure you only use one real-time anti-spyware protection program though:
    AVG Anti-Spyware (the best by far)
    Spybot - Search and Destroy
    Ad-Aware SE Personal

    * Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here.

    * Some good free firewalls are ZoneAlarm, Comodo, or Outpost. Make sure you only use one firewall though. A tutorial on understanding and using firewalls may be found here.


  • Registered Users Posts: 1,557 ✭✭✭quinnd6


    Sorry I'm late in replying.

    Here's the latest log from HijackThis:

    "

    Logfile of HijackThis v1.99.1
    Scan saved at 19:35:22, on 13/06/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\keyhook.exe
    C:\WINDOWS\system32\srvcc.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\client\Desktop\hijackthis_sfx\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotinfolink.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
    O4 - HKLM\..\Run: [johnj3155] C:\WINDOWS\system32\srvcc.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe
    O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\System32\rpcc.exe
    O4 - HKCU\..\Run: [johnj3155] C:\WINDOWS\system32\srvcc.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O20 - Winlogon Notify: instcat - instcat.dll (file missing)
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    "
    Here's the Report.txt from SDFix:
    "
    SDFix: Version 1.85

    Run by client - 29/05/2007 - 19:12:00.10

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix\SDFix

    Safe Mode:
    Checking Services:

    Name:
    NETDown

    ImagePath:
    C:\WINDOWS\grcf.exe

    NETDown - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\WINDOWS\system32\svcchosst.exe - Deleted
    C:\WINDOWS\system32\TFTP1888 - Deleted
    C:\WINDOWS\system32\TFTP2700 - Deleted
    C:\WINDOWS\system32\TFTP304 - Deleted



    Removing Temp Files...

    ADS Check:

    Checking if ADS is attached to system32 Folder
    C:\WINDOWS\system32
    No streams found.

    Checking if ADS is attached to svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.



    Final Check:

    Remaining Services:



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:

    Backups Folder: - C:\SDFix\SDFix\backups\backups.zip

    Checking For Files with Hidden Attributes:

    C:\WINDOWS\system32\helpersrvcc.exe
    C:\WINDOWS\system32\srvcc.exe

    Finished


    "

    The phone line disconnected before the F-Secure online scanner had finished scanning, I think, so I gave up on that because I'm using dial-up and it takes too long.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Hey quinnd6, your PC is still pretty badly infected with some malware that hasn't even been identified. If possible, try to post back quickly to prevent the malware from coming back.

    Go to this site:
    http://www.virustotal.com/en/indexx.html
    On top you'll find 'Browse'
    Click the browse button and browse to the following file:

    C:\WINDOWS\system32\srvcc.exe

    Click open.
    Then click the 'Send' button next to it.
    This will scan the file. Please be patient.
    Once scanned, copy and paste the results as well in your next reply.

    Repeat these instructions for this file also
    C:\WINDOWS\system32\helpersrvcc.exe

    Open HijackThis, click Config, click Misc Tools
    Click "Open Uninstall Manager"
    Click "Save List" (generates uninstall_list.txt)
    Click Save, copy and paste the results in your next post.


    So in your next reply I need to see the following : the scan results for the 2 files, and the HijackThis Uninstall List.


  • Closed Accounts Posts: 10 nanthini


    Hello,
    I got affected by 0u3viewer.dll and I followed the procedure mentioned above. Then I installed AntiVir antivirus and scanned "D:/", where the trojan was initially present,
    but when the scan starts the system reboots. This happens every time I try scanning "D:".
    I have pasted the HijackThis log here. Please help me. Thanks in advance.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:34:00 AM, on 6/15/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\savedump.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    D:\WINDOWS\system32\slserv.exe
    D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    D:\WINDOWS\slrundll.exe
    D:\WINDOWS\System32\wuauclt.exe
    D:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - D:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - D:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - D:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUYYYYYYYYIN
    O8 - Extra context menu item: Backward &Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{722B9FA6-4B2A-4005-A64B-12421C9D9825}: NameServer = 218.248.240.23 218.248.240.135
    O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


  • Registered Users Posts: 1,557 ✭✭✭quinnd6


    I couldn't find either

    C:\WINDOWS\system32\srvcc.exe

    or

    C:\WINDOWS\system32\helpersrvcc.exe

    at those locations.
    So these files don't seem to be on my PC.

    Are there any good free malware scanners available? The PC is still hanging and not working properly when using Internet Explorer.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    It's very important that we analyze those files, so do the following or else it will be hard to fix up your PC. Please do all my steps.

    Now we need to reconfigure Windows XP to show hidden files:
    Double-click the My Computer icon on the Windows desktop.
    Select the Tools menu and click Folder Options. Select the View Tab.

    Under the Hidden files and folders heading select "Show hidden files and folders".
    Uncheck the "Hide protected operating system files (recommended)" option.
    Uncheck the "Hide file extensions for known file types" option.
    Click Yes to confirm. Click OK.


    This should work now hopefully. Go to this site:
    http://www.virustotal.com/en/indexx.html
    On top you'll find 'Browse'
    Click the browse button and browse to the following file:

    C:\WINDOWS\system32\srvcc.exe

    Click open.
    Then click the 'Send' button next to it.
    This will scan the file. Please be patient.
    Once scanned, copy and paste the results as well in your next reply.

    Repeat these instructions for this file also
    C:\WINDOWS\system32\helpersrvcc.exe


    * Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and allow it to run the express scan
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


    Please download and install SUPERAntiSpyware Home Edition (free)
    • Once installed, update the program definitions when prompted.
    • Click the "Preferences" button and then the "Scanning Control" tab.
    • Under "Scanner Control" make sure the following are checked/selected:
    • 1>> Close browsers before scanning.
    • 2>> Scan for tracking cookies.
    • 3>> Terminate memory threats before quarantining.
    • 4>> Ignore System Restore/Volume Information on ME and XP.
    • Deselect all other scanning options.
    • Close SUPERAntiSpyware for use later.


    Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.


    Open SUPERAntiSpyware and click the "Scan your computer" button.
    • On the left, select "C:\Fixed Drive".
    • On the right, under "Complete Scan", choose "Perform Complete Scan".
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete a summary box will appear. Click "OK".
    • Make sure everything in the white box has a check next to it, then click "Next".
    • After quarantining anything found, you may be prompted to reboot, click "Yes".
    • Paste the scan log in your next reply (Preferences > Statistics/Logs tab > double-click SUPERAntiSpyware Scan Log)


    Open HijackThis, click Config, click Misc Tools
    Click "Open Uninstall Manager"
    Click "Save List" (generates uninstall_list.txt)
    Click Save, copy and paste the results in your next post.


    So in your next reply I need to see the following : the results of those 2 files you scanned, the Dr.Web CureIt report, the SUPERAntiSpyware log, the HijackThis Uninstall List, and a new HijackThis log.

    Please do ALL the steps or we wont be able to fix your PC up properly. Tell me if you have any problems also.


  • Closed Accounts Posts: 6,300 ✭✭✭CiaranC


    I know it's a faux pas to say this, but would you not just be tempted to install Ubuntu and leave all this crap behind, instead of spending hours with crappy anti-malware tools?


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    This is to you, nanthini. You should be very careful following the instructions for somebody else's HijackThis log. This is generally a bad idea. In case you didn't follow the instructions properly, can you please delete the following file, in case you didn't already:

    c:\windows\system32\ou3viewer.dll

    I see what's causing your PC problem, it isn't malware related so should be easy to fix. Do the following :

    Open HijackThis, click Config, click Misc Tools
    Click "Open Uninstall Manager"
    Click "Save List" (generates uninstall_list.txt)
    Click Save, copy and paste the results in your next post.


    You are also using two anti-virus programs, AntiVir PersonalEdition Classic and Norton AntiVirus. This is a really bad idea as it can lead to conflicts, PC slowdown, and shutting down your PC (which is happening, I see). DO NOT uninstall one of the programs yet. Please tell me which anti-virus program you want to use and we will remove the other in the next reply. I recommend keeping AntiVir.

    So in your next reply I need to see the following : tell me if you deleted that file, the HijackThis Uninstall List, and tell me which anti-virus program you want to keep(make sure you dont uninstall one yet).


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,407 Mod ✭✭✭✭Capt'n Midnight


    CiaranC wrote:
    I know it's a faux pas to say this, but would you not just be tempted to install Ubuntu and leave all this crap behind, instead of spending hours with crappy anti-malware tools?
    faux pas indeed :mad:

    Don't forget to shutdown the laptop instead of restarting it, in case there is junk running in the background.

    Another option is to put the drive in as a slave in another machine and use that copy of Windows to scan it. Of course, if the Windows registry has been broken then not even reinstalling over the top is guaranteed to sort out the problems.

    kubuntu ftw


  • Closed Accounts Posts: 10 nanthini


    Thank you very much for the prompt reply. I list the details as you asked me to.
    1) I deleted the file d:\windows\system32\ou3viewer.dll
    2) The HijackThis uninstall list is:
    ACDSee
    Adobe Flash Player 9 ActiveX
    Adobe Reader 7.0
    AnswerWorks Runtime
    Avira AntiVir PersonalEdition Classic
    Bruce's Unusual Typing Wizard, Version 1.3.1
    ccCommon
    DivX Player
    EasyCleaner
    Google Toolbar for Internet Explorer
    HijackThis 1.99.1
    Intel(R) Extreme Graphics Driver Software
    Intel(R) PRO Network Adapters and Drivers
    Internet Worm Protection
    Java 2 Runtime Environment Standard Edition v1.3
    Java 2 SDK Standard Edition v1.3
    jetAudio
    Kawa Professional 5.0
    K-Lite Codec Pack 2.77 Full
    LiveReg (Symantec Corporation)
    Macromedia Flash 5
    Microsoft Office XP Professional with FrontPage
    Microsoft Visual Studio 6.0 Professional Edition
    Microsoft VM for Java
    Microsoft Web Publishing Wizard 1.53
    Mozilla Firefox (2.0)
    My Web Search (My Fun Cards)
    Norton AntiVirus 2005
    Norton AntiVirus 2005 (Symantec Corporation)
    Norton AntiVirus Help
    Norton AntiVirus Parent MSI
    Norton AntiVirus SYMLT MSI
    Norton WMI Update
    Realtek AC'97 Audio
    Smart Link 56K Voice Modem
    Sound Forge 4.5c Build-281
    SPBBC
    State Government Offices Payroll Installation
    State Govt. Payroll Software
    SymNet
    SynaptiCAD Product Suite
    Volo View Express
    Winamp (remove only)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Service Pack 1a
    WinRAR archiver
    WinZip

    3) I need only AntiVir on my system since my subscription to Symantec is over.
    As per your advice I have not yet uninstalled Symantec.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Thanks for doing that. Please do the following

    You're using an old version of Adobe Acrobat Reader. This can leave your PC open to vulnerabilities; you can update it here:
    http://www.adobe.com/products/acrobat/readstep2.html

    You also seem to be using an old version of Mozilla; you can update it here:
    http://www.mozilla.com/en-US/

    You can also update Windows Media Player, as you're using an old version; you can do it here:
    http://www.microsoft.com/windows/windowsmedia/player/download/download.aspx


    Now for the real business

    Please click Start > Control Panel > Add or Remove Programs > Remove My Web Search (My Fun Cards)

    Now to remove all traces of Norton, you need to use a special tool as Norton doesn't uninstall well, meaning you often have traces of it left on your PC that will slow you down so much and cause a lot of problems.
    So go to this link and do the following steps
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

    So in your next reply I need to see the following : tell me how all the above went, in particular concerning Norton and if you had any problems with removing it. Also more importantly I need to see a new HijackThis log.


  • Closed Accounts Posts: 10 nanthini


    Sorry for being late in my reply.
    I downloaded the Symantec removal tool and removed it. Thanks a lot for that.
    I have a slow dial-up connection, so I am downloading Adobe Acrobat Reader and Mozilla Firefox. It's taking me a lot of time.
    I also removed the websearch (funcards). I'll reply with the new HijackThis log after finishing all my downloads. Thanks a lot.



  • Closed Accounts Posts: 10 nanthini


    Sorry I'm late in replying.

    I updated mozilla and adobe acrobat reader.
    I scanned "D:\" ,but when the scan starts the system reboots....
    This is my new Hijack This log:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:48:14 AM, on 6/20/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    D:\WINDOWS\system32\slserv.exe
    D:\WINDOWS\system32\NOTEPAD.EXE
    D:\PROGRA~1\WINZIP\winzip32.exe
    D:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUYYYYYYYYIN
    O8 - Extra context menu item: Backward &Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
    O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slserv.exe


    Thanks a lot.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    We're nearly finished.

    You are currently using HijackThis from a temporary directory; this can cause problems.
    HijackThis creates backups, and these are needed in case of any recovery issues.
    Please create a directory on your C:\ drive called C:\HJT, then download and unzip HijackThis into that directory. Run the program from that directory from now on.

    STEPS For Creating Folder
    1. Please go to My Computer, open your C:\ drive, Select: New >> Folder and name the folder HJT.

    2. Download HijackThis to the new folder:

    3. Double Click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.

    4. Close ALL windows except HJT

    Run HijackThis, click "Do a system scan only" and check these entries:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZUYYYYYYYYIN
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab



    * Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and allow it to run the express scan
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


    So in your next reply please post a new HijackThis log, the Dr. Web CureIt report, and tell me if you had any trouble.
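A way to triage a pasted HijackThis log mechanically, as an added example that is not part of this thread and not HijackThis's own code. The sample lines are copied verbatim from the logs nanthini posted; the indicator strings (ADWARE_MARKERS) and the rules for flagging each entry type are my own assumptions, not HijackThis verdicts. It flags the same four entries asked to be fixed in the post above, and also surfaces the O17 NameServer and O23 service lines that a helper would normally query.

```python
"""Triage a HijackThis 1.99 log: flag the entry types a helper normally asks to fix.

Added example (not from the thread or from HijackThis). Sample lines are copied from
the logs posted in the thread; the indicator list and flagging rules are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample: a subset of the log lines nanthini posted, verbatim.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - D:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUYYYYYYYYIN
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{722B9FA6-4B2A-4005-A64B-12421C9D9825}: NameServer = 218.248.240.23 218.248.240.135
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - D:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Assumed indicators: adware/toolbar families named in this thread's logs and scan reports.
ADWARE_MARKERS = ("mywebsearch", "imgfarm.com", "funwebproducts", "savenow", "newdotnet")


@dataclass
class Finding:
    code: str      # HijackThis section, e.g. "O23"
    reason: str    # why a helper would look at it
    line: str      # the original log line


def public_nameservers(body: str) -> list[str]:
    """Return the NameServer addresses in an O17 body that are not private/loopback."""
    m = re.search(r"NameServer\s*=\s*(.+)$", body)
    if not m:
        return []
    result = []
    for token in re.split(r"[ ,]+", m.group(1).strip()):
        try:
            ip = ip_address(token)
        except ValueError:
            continue
        if not (ip.is_private or ip.is_loopback):
            result.append(token)
    return result


def analyse(log_text: str) -> list[Finding]:
    """Walk the log once and return the entries worth a second look, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank and "Running processes" lines
        code, body = m.group("code"), m.group("body")
        low = body.lower()
        if any(marker in low for marker in ADWARE_MARKERS):
            findings.append(Finding(code, "references a known adware/toolbar family", line))
        elif code == "R0" and low.endswith("="):
            findings.append(Finding(code, "empty IE setting; harmless, normally removed", line))
        elif code == "O4" and "dumprep" in low:
            findings.append(Finding(code, "KernelFaultCheck left over from a crash; safe to remove", line))
        elif code == "O16":
            findings.append(Finding(code, "ActiveX download (DPF); verify the source domain", line))
        elif code == "O17":
            public = public_nameservers(body)
            if public:
                findings.append(Finding(code, "DNS set to " + ", ".join(public)
                                        + "; confirm these are the ISP's resolvers", line))
        elif code == "O23" and "(file missing)" in low:
            findings.append(Finding(code, "service points at a missing binary; orphaned entry", line))
        elif code == "O23" and " - - " in body:
            findings.append(Finding(code, "service has no vendor string; check the binary by hash", line))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

The adware check runs first so an O16 cab from a known toolbar domain is reported as adware rather than as a generic ActiveX download; the O17 rule only flags public resolvers, so a LAN router address (192.168.x.x) passes, and whether a public address is legitimate still has to be confirmed against the ISP.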


  • Registered Users Posts: 1,557 ✭✭✭quinnd6


    I still couldn't find either of those files, even with hidden folders shown, and tried Avast but still no luck.
    Has anyone ever heard of NetoDragon?
    Does it ever stop connections?


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Please run the scans I asked for, quinnd6.
    I have not heard of NetoDragon doing that.


  • Closed Accounts Posts: 10 nanthini


    Sorry for being late in replying.
    Thanks a lot for helping me.

    This is my new HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:11:07 AM, on 6/23/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    D:\Program Files\Java\jre1.5.0\bin\jusched.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    D:\WINDOWS\system32\slserv.exe
    C:\HJK\HijackThis.exe
    D:\WINDOWS\system32\NOTEPAD.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUYYYYYYYYIN
    O8 - Extra context menu item: Backward &Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
    O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - D:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

    DrWeb.csv report:
    When it asked whether to cure, I chose "Yes to All".


    VVSN.exe;C:\Program Files\VVSN;Adware.SaveNow;;
    A0073551.exe;C:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP264;Adware.SaveNow;;
    NDNuninstall6_38.exe;D:\WINDOWS;Adware.NewDotNet;;
    rk.exe;D:\WINDOWS\system32;Program.ProxyOSS;;
    A0069948.scr;D:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP263;Adware.Msearch;;
    A0069952.DLL;D:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP263;Adware.Msearch;;
    A0069954.DLL;D:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP263;Trojan.Isbar.438;Deleted.;
    A0069957.SCR;D:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP263;Adware.Msearch;;
    A0069959.DLL;D:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP263;Adware.Msearch;;
    A0069960.EXE;D:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP263;Adware.Msearch;;
    A0069961.DLL;D:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP263;Trojan.DownLoader.7028;Deleted.;
    A0069963.DLL;D:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP263;Adware.Msearch;;
    A0069966.DLL;D:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP263;Adware.MWS;;
    A0069968.DLL;D:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP263;Adware.Msearch;;
    A0069969.DLL;D:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP263;Adware.Msearch;;
    A0069972.EXE;D:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP263;Adware.Websearch;;
    A0069973.DLL;D:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP263;Adware.Websearch;;
    A0069975.DLL;D:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP263;Adware.Msearch;;
    A0070230.DLL;D:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP263;Adware.MWS;;
    A0070231.DLL;D:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP263;Adware.Msearch;;
    A0070243.dll;D:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP263;Adware.Msearch;;
    Process.exe;D:\SDFix\apps;Tool.Prockill;;
    CloseIE.exe;E:\UTILITY\IE Assistant;Trojan.DownLoader.5476;Deleted.;



    When I am online, a pop-up message stating that my system has critical errors and asking whether I want to check my registry for errors (using www.registrycleanerxp.com) keeps appearing.

    Please help me get rid of that message. Thanks.

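The Dr.Web CureIt report above is a semicolon-separated list (name;folder;verdict;action;), and most of the rows need different handling: hits inside System Volume Information\_restore are System Restore snapshots rather than running code, rows with "Deleted." were already handled, and "Tool."/"Program." verdicts (such as the Process.exe that the next reply explains is a process killer, not a virus) need a human judgement. The following is an added example, not part of the thread and not Dr.Web's code; the rows are a subset of the report posted above, while the bucket names, the restore-point path test and the assumption that the "Tool" and "Program" verdict prefixes denote utilities are mine.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv): what is live, what is only in restore points.

Added example (not from the thread or from Dr.Web). The sample rows are a subset of the
report posted in the thread; the bucketing rules and the verdict-prefix check are assumptions.
"""
from __future__ import annotations

import csv
from collections import Counter
from dataclasses import dataclass
from io import StringIO

# Constructed sample: rows copied from the DrWeb.csv pasted in the thread (name;folder;verdict;action;).
SAMPLE_REPORT = r"""
VVSN.exe;C:\Program Files\VVSN;Adware.SaveNow;;
A0073551.exe;C:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP264;Adware.SaveNow;;
NDNuninstall6_38.exe;D:\WINDOWS;Adware.NewDotNet;;
rk.exe;D:\WINDOWS\system32;Program.ProxyOSS;;
A0069954.DLL;D:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP263;Trojan.Isbar.438;Deleted.;
A0069961.DLL;D:\System Volume Information\_restore{AC2C8D13-A9DB-423E-B95A-2C3A26162D53}\RP263;Trojan.DownLoader.7028;Deleted.;
Process.exe;D:\SDFix\apps;Tool.Prockill;;
CloseIE.exe;E:\UTILITY\IE Assistant;Trojan.DownLoader.5476;Deleted.;
"""

# Assumption: Dr.Web uses these verdict prefixes for utilities that are not malware by themselves.
TOOL_PREFIXES = ("Tool", "Program")


@dataclass(frozen=True)
class Hit:
    name: str
    folder: str
    verdict: str
    action: str

    @property
    def family(self) -> str:
        return self.verdict.split(".", 1)[0]   # Adware / Trojan / Tool / Program

    @property
    def in_restore_point(self) -> bool:
        # Files under System Volume Information\_restore are System Restore snapshots,
        # not running code; they only come back if that restore point is used.
        return "\\system volume information\\_restore" in self.folder.lower()

    @property
    def is_tool(self) -> bool:
        return self.family in TOOL_PREFIXES


def parse_report(text: str) -> list[Hit]:
    """Parse the semicolon-separated CureIt report; rows with fewer than 4 fields are skipped."""
    hits: list[Hit] = []
    for row in csv.reader(StringIO(text.strip()), delimiter=";"):
        if len(row) < 4 or not row[0]:
            continue
        hits.append(Hit(row[0], row[1], row[2], row[3]))
    return hits


def triage(hits: list[Hit]) -> dict[str, list[Hit]]:
    """Sort hits into the buckets that decide the next step."""
    buckets: dict[str, list[Hit]] = {
        "restore_point": [],   # clear by purging System Restore once the machine is clean
        "tool_review": [],     # utilities that scanners flag; judge by who put them there
        "removed": [],         # CureIt already acted on these
        "live_unhandled": [],  # flagged, still on disk, no action taken: needs manual removal
    }
    for h in hits:
        if h.in_restore_point:
            buckets["restore_point"].append(h)
        elif h.is_tool:
            buckets["tool_review"].append(h)
        elif h.action:
            buckets["removed"].append(h)
        else:
            buckets["live_unhandled"].append(h)
    return buckets


def family_counts(hits: list[Hit]) -> Counter[str]:
    """How many hits per verdict family, restore-point copies included."""
    return Counter(h.family for h in hits)


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for bucket, items in triage(parsed).items():
        print(bucket)
        for h in items:
            print(f"    {h.verdict:<24} {h.folder}\\{h.name}  {h.action}")
    print(dict(family_counts(parsed)))
```

On the rows above, the "live_unhandled" bucket is the one that matters for the next step: VVSN.exe and NDNuninstall6_38.exe were detected but not actioned, while the three restore-point copies are inert until a restore is performed.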

  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Do this for me

    Open HijackThis, click Config, click Misc Tools
    Click "Open Uninstall Manager"
    Click "Save List" (generates uninstall_list.txt)
    Click Save, copy and paste the results in your next post.

    Run HijackThis, click "Do a system scan only" and check these entries

    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZUYYYYYYYYIN
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab


    close all windows except for HijackThis and click "Fix checked".


    Please download SmitfraudFix (by S!Ri) to your Desktop.

    Double-click SmitfraudFix.exe
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm


    So in your next reply please post the HijackThis Uninstall List and the SmitfraudFix report.


  • Closed Accounts Posts: 10 nanthini


    Thanks a lot for your prompt reply. Sorry for delaying the reply. I will not be here for one week and I will post the information asked by you
    after my return.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    That's perfect since I'm off to Spain for the week today :)
    see ya then!!


  • Closed Accounts Posts: 10 nanthini


    Sorry for being late in replying.

    I downloaded SmitfraudFix but I didn't find the SmitfraudFix.exe file.
    Please help me.
    This is the new uninstall_list:
    ACDSee
    Adobe Flash Player 9 ActiveX
    Adobe Reader 8.1.0
    AnswerWorks Runtime
    Apache Tomcat 5.0 (remove only)
    Avira AntiVir PersonalEdition Classic
    Bruce's Unusual Typing Wizard, Version 1.3.1
    DivX Player
    EasyCleaner
    Google Toolbar for Internet Explorer
    HijackThis 1.99.1
    Intel(R) Extreme Graphics Driver Software
    Intel(R) PRO Network Adapters and Drivers
    J2SE Development Kit 5.0
    J2SE Runtime Environment 5.0
    Java 2 Runtime Environment Standard Edition v1.3
    Java 2 SDK Standard Edition v1.3
    jetAudio
    Kawa Professional 5.0
    K-Lite Codec Pack 2.77 Full
    Macromedia Flash 5
    Microsoft Office XP Professional with FrontPage
    Microsoft Visual Studio 6.0 Professional Edition
    Microsoft VM for Java
    Microsoft Web Publishing Wizard 1.53
    Mozilla Firefox (2.0.0.4)
    Realtek AC'97 Audio
    Smart Link 56K Voice Modem
    Sound Forge 4.5c Build-281
    State Government Offices Payroll Installation
    State Govt. Payroll Software
    SynaptiCAD Product Suite
    Volo View Express
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Service Pack 1a
    WinRAR archiver
    WinZip

    Thanks.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Do this instead

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Also send me a new HijackThis log along with the ComboFix log.


  • Closed Accounts Posts: 10 nanthini


    Sorry for being late.

    ComboFix log:

    "Administrator" - 2007-07-15 10:12:10 - ComboFix 07-07-09.3 - Service Pack 1 FAT32


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    D:\WINDOWS\NDNuninstall6_38.exe
    D:\WINDOWS\NDNuninstall7_14.exe


    ((((((((((((((((((((((((( Files Created from 2007-06-15 to 2007-07-15 )))))))))))))))))))))))))))))))


    2007-07-09 22:24 51,200 --a
    D:\WINDOWS\nircmd.exe
    2007-07-08 11:24 <DIR> d
    D:\SmitfraudFix
    2007-07-08 11:01 883,963 --a
    D:\SmitfraudFix.exe
    2007-07-07 21:09 34,885 --a
    D:\WINDOWS\system32\eraseme_76574.exe
    2007-06-23 07:12 <DIR> d
    D:\DOCUME~1\ADMINI~1\DoctorWeb
    2007-06-22 18:17 <DIR> d
    D:\Program Files\Apache Software Foundation
    2007-06-21 10:45 <DIR> d
    D:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-06-18 18:46 <DIR> d--hs---- D:\FOUND.006
    2007-06-18 12:04 <DIR> d
    D:\Program Files\SpywareGuard


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-05-27 06:54:16
    d
    w D:\Program Files\Paparazzi
    2007-05-27 05:39:16
    d
    w D:\Program Files\ActionCube
    2007-05-27 05:18:48
    d
    w D:\Program Files\Fizzball
    2007-04-22 13:17:30 1,156 ----a-w D:\WINDOWS\mozver.dat
    2007-04-22 12:47:40 0 ----a-w D:\WINDOWS\nsreg.dat
    2006-06-04 14:31:44 1,682 --sha-w D:\WINDOWS\system32\KGyGaAvL.sys
    2006-06-04 14:31:44 56 --sh--r D:\WINDOWS\system32\28FA93C398.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-10-22 23:08 62080 --a
    D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    2006-06-04 20:01 770048 -ra
    d:\program files\google\googletoolbar1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
    "Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
    "SunJavaUpdateSched"="D:\Program Files\Java\jre1.5.0\bin\jusched.exe" [2007-06-22 18:14]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="D:\Program Files\Messenger\msmsgs.exe" [2002-08-29 03:41]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    backup=D:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    D:\WINDOWS\System32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    D:\WINDOWS\System32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    C:\TCWIN45\PIPELINE\remind.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "D:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
    rundll32 D:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
    sm56hlpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    SOUNDMAN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]
    D:\Program Files\VVSN\VVSN.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
    "D:\Program Files\Save\Save.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    D:\Program Files\Winamp\winampa.exe


    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-15 10:13:17
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-15 10:13:31
    D:\ComboFix-quarantined-files.txt ... 2007-07-15 10:13

    --- E O F ---



    New hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:16:05 AM, on 7/15/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    D:\Program Files\Java\jre1.5.0\bin\jusched.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    D:\WINDOWS\system32\slserv.exe
    D:\WINDOWS\explorer.exe
    C:\HJK\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - D:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

    Thanks.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Try not to take so long between posts as it makes this a lot harder to do since some of the infections will invite their friends to your PC :)

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum.


    Please download OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      D:\WINDOWS\system32\eraseme_76574.exe
      D:\FOUND.006


    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

    Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt\MovedFiles\********_******.log
    (where "********_******" is the "date_time")

    Click "Exit" to close OTMoveIt.


    Go to this site:
    http://www.virustotal.com/en/indexx.html
    On top you'll find 'Browse'
    Click the browse button and browse to the file:

    D:\WINDOWS\system32\28FA93C398.sys

    Click open.
    Then click the 'Send' button next to it.
    This will scan the file. Please be patient.
    Once scanned, copy and paste the results as well in your next reply.


    So in your next reply please post the following : the SDFix report, the OTMoveIt results, the results of that file I asked you to scan, and tell me how your PC is running now and if you have any problems.

