I'm having a problem getting rid of the W32.Myzor.FK@yf virus. I would appreciate any help you can give me. Here is my HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 1:07:27 PM, on 10/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\MMediaCodec\isamonitor.exe
C:\Program Files\MMediaCodec\pmsngr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\MMediaCodec\isamini.exe
C:\Program Files\MMediaCodec\pmmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Common Files\AOL\1141110056\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\svcwinra.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\resfilter32.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Reid\Desktop\HijackThis_v1.99.1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\MMediaCodec\isaddon.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\wnmtgqjd.dll (file missing)
O2 - BHO: (no name) - {CC30006C-7ABE-46D8-B916-18E115993CD7} - C:\WINDOWS\assembly\temp\pm3sp.dll
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - C:\Program Files\MMediaCodec\iesplugin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141110056\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WhatsNewBot] NSYSCPLSTR.exe
O4 - HKLM\..\Run: [typeconf] avpmondll.exe
O4 - HKLM\..\Run: [cf172] C:\Program Files\Cf1728c00-zzuks\csrss.exe
O4 - HKLM\..\Run: [plginit] C:\WINDOWS\svcwinra.exe
O4 - HKLM\..\Run: [dmkki.exe] C:\WINDOWS\system32\dmkki.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [Preliminary] prcmon.exe
O4 - HKCU\..\Run: [SysSupport] Trayz.exe
O4 - HKCU\..\Run: [cf172] C:\Program Files\Cf1728c00-zzuks\csrss.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O20 - Winlogon Notify: pm3sp - C:\WINDOWS\assembly\temp\pm3sp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\system32\dpfwu.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Hello rdrake,

Download SmitfraudFix.zip to the desktop from here.
* Extract the files to the desktop.
* Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually).
* Double-click smitfraudfix.cmd.
* Select 2 and hit Enter to delete infected files.
* You will be prompted: Do you want to clean the registry ? Answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
* The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? Answer Y (yes) and hit Enter to restore a clean file.
* A reboot may be needed to finish the cleaning process.

The report can be found at the root of the system drive, usually at C:\rapport.txt.

Post back with the contents of rapport.txt and a new HijackThis log.
awesome... thanks. it appears to be gone.

SmitfraudFix rapport:

SmitFraudFix v2.109

Scan done at 11:16:55.53, Thu 10/12/2006
Run from C:\Documents and Settings\Reid\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\exit Deleted
C:\WINDOWS\system32\dpfwu.dll Deleted
C:\Program Files\MMediaCodec\ Deleted
C:\Program Files\VirusBurster\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 11:21:55 AM, on 10/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Common Files\AOL\1141110056\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\svcwinra.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\resfilter32.exe
C:\Documents and Settings\Reid\Desktop\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\wnmtgqjd.dll (file missing)
O2 - BHO: (no name) - {8DB25907-4E58-445B-AC7E-68748D302539} - C:\WINDOWS\assembly\temp\pm3sp.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WhatsNewBot] NSYSCPLSTR.exe
O4 - HKLM\..\Run: [typeconf] avpmondll.exe
O4 - HKLM\..\Run: [cf172] C:\Program Files\Cf1728c00-zzuks\csrss.exe
O4 - HKLM\..\Run: [plginit] C:\WINDOWS\svcwinra.exe
O4 - HKLM\..\Run: [dmkki.exe] C:\WINDOWS\system32\dmkki.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [Preliminary] prcmon.exe
O4 - HKCU\..\Run: [SysSupport] Trayz.exe
O4 - HKCU\..\Run: [cf172] C:\Program Files\Cf1728c00-zzuks\csrss.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O20 - Winlogon Notify: pm3sp - C:\WINDOWS\assembly\temp\pm3sp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Still not clean. You have Wareout, a keylogger, a rogue anti-spyware program and a few other bad files.

Press Ctrl+Alt+Del > Processes tab > end these (if there):
[bold]svcwinra.exe
resfilter32.exe[/bold]

Go to Add/Remove Programs and uninstall (if there):
[bold]KillAndClean[/bold] <-- rogue anti-spyware program
[bold]ViewPoint Manager[/bold] <-- If you didn't install.

Delete these folders (if there):
C:\Program Files\[bold]KillAndClean[/bold]
C:\Program Files\[bold]Viewpoint[/bold]

Download Fixwareout.exe from here.
Download KillBox from here. Do not run KillBox yet; you will run it later in safe mode.

[bold]Note[/bold]: Print or copy these instructions to Notepad. Close all windows before continuing.

Open Fixwareout.exe. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin, follow the prompts. When prompted to restart, do so. After the restart, follow the prompts. If HijackThis doesn't open, manually open it. Run a scan only and check these.

[bold]O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\wnmtgqjd.dll (file missing)
O2 - BHO: (no name) - {8DB25907-4E58-445B-AC7E-68748D302539} - C:\WINDOWS\assembly\temp\pm3sp.dll
O4 - HKLM\..\Run: [WhatsNewBot] NSYSCPLSTR.exe
O4 - HKLM\..\Run: [typeconf] avpmondll.exe
O4 - HKLM\..\Run: [cf172] C:\Program Files\Cf1728c00-zzuks\csrss.exe
O4 - HKLM\..\Run: [plginit] C:\WINDOWS\svcwinra.exe
O4 - HKLM\..\Run: [dmkki.exe] C:\WINDOWS\system32\dmkki.exe
O4 - HKCU\..\Run: [Preliminary] prcmon.exe
O4 - HKCU\..\Run: [SysSupport] Trayz.exe
O4 - HKCU\..\Run: [cf172] C:\Program Files\Cf1728c00-zzuks\csrss.exe
O20 - Winlogon Notify: pm3sp - C:\WINDOWS\assembly\temp\pm3sp.dll[/bold]

Close all windows except HijackThis, then click "Fix checked". The wareout log will go here: C:\fixwareout\report.txt

Restart your computer in safe mode (press F8 upon boot, select "Safe Mode" from menu and press Enter).

Open Killbox.exe. Check "Standard File Kill". In the "Full Path of File to Delete" box, copy and paste each of the following lines below [bold]one at a time[/bold]. Then click the red button with a white X after you enter each file. You will be prompted to confirm, click Yes.

[bold]C:\WINDOWS\assembly\temp\pm3sp.dll
C:\WINDOWS\system32\dmkki.exe
C:\Program Files\Cf1728c00-zzuks\csrss.exe[/bold]

Note: KillBox may prompt "File does not seem to exist". If so, continue with next file, but do not miss any.

Please post back with the contents of C:\fixwareout\report.txt and a new HijackThis log.
Ok, sorry it's taken me so long to reply. I hope you're still available to help me. Here is my fixwareout report:

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nlcalik
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmkki.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»» Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

And my HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 3:42:41 PM, on 11/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\svcwinra.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\resfilter32.exe
C:\Documents and Settings\Reid\Desktop\Yeah\Unused Desktop Shortcuts\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\lsucmqhk.dll (file missing)
O2 - BHO: (no name) - {F5F61936-783C-4A61-80C3-76BB0654F1A9} - C:\WINDOWS\repair\ualasmvc.dll (file missing)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WhatsNewBot] NSYSCPLSTR.exe
O4 - HKLM\..\Run: [typeconf] avpmondll.exe
O4 - HKLM\..\Run: [cf172] C:\Program Files\Cf1728c00-zzuks\csrss.exe
O4 - HKLM\..\Run: [plginit] C:\WINDOWS\svcwinra.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe"
O4 - HKLM\..\Run: [TypeAgentL] C:\Program Files\TypeAgent\TypeAgent.exe
O4 - HKCU\..\Run: [Preliminary] prcmon.exe
O4 - HKCU\..\Run: [SysSupport] Trayz.exe
O4 - HKCU\..\Run: [cf172] C:\Program Files\Cf1728c00-zzuks\csrss.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O20 - Winlogon Notify: ualasmvc - C:\WINDOWS\repair\ualasmvc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Hello rdrake, good to hear from you again. Wareout is still present and I see a new keylogger too.

Go here to download the trial version of [bold]AVG Anti-spyware[/bold]. Install and open AVGAS. Click "[bold]Update[/bold]" then click "[bold]Start update[/bold]". After updating, close AVGAS.

[bold]Note[/bold]: Print or copy these instructions to Notepad and save them. You will be in safe mode and can't access the internet.

Restart your computer in safe mode (press [bold]F8[/bold] upon boot, select "[bold]Safe Mode[/bold]" from menu and press [bold]Enter[/bold]).

Open AVGAS and click "[bold]Scanner[/bold]". Click "[bold]Complete System Scan[/bold]". When it finishes scanning, set all items to "[bold]Quarantine[/bold]". Click "[bold]Apply All Actions[/bold]". Click "[bold]Save Report[/bold]" and save it to the desktop. Restart in normal mode.

You need to run FixWareout again so I'll post some new instructions. Download [bold]FixWareout[/bold] from here.

[bold]Note[/bold]: Print or copy these instructions to Notepad and save them. You will have to restart during the fix.

Open [bold]Fixwareout.exe[/bold]. Click [bold]Next[/bold] then [bold]Install[/bold]. Make sure "[bold]Run fixit[/bold]" is checked and click [bold]Finish[/bold]. The fix will begin, follow the prompts. You will be asked to reboot your computer, please do so. Your system may take longer than usual to load, this is normal. HijackThis will launch automatically. Click Scan, and check the following items (if there):

[bold]O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\lsucmqhk.dll (file missing)
O2 - BHO: (no name) - {F5F61936-783C-4A61-80C3-76BB0654F1A9} - C:\WINDOWS\repair\ualasmvc.dll (file missing)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [WhatsNewBot] NSYSCPLSTR.exe
O4 - HKLM\..\Run: [typeconf] avpmondll.exe
O4 - HKLM\..\Run: [plginit] C:\WINDOWS\svcwinra.exe
O4 - HKCU\..\Run: [Preliminary] prcmon.exe
O4 - HKCU\..\Run: [SysSupport] Trayz.exe
O20 - Winlogon Notify: ualasmvc - C:\WINDOWS\repair\ualasmvc.dll (file missing)[/bold]

Make sure all windows except HjT are closed before clicking "Fix checked".

[bold]Note[/bold]: That's not all the bad entries that could be fixed with HjT, but we'll see what AVGAS and Wareout will destroy before fixing them.

Please post back with the AVGAS report, the contents of C:\fixwareout\report.txt and a new HijackThis log.
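The helper's triage in this thread follows a few repeatable rules: Run entries that name a bare executable with no path, a core Windows process name (csrss.exe) living outside system32, BHO/toolbar/Winlogon Notify registrations whose file is missing, Winlogon Notify DLLs in odd folders, and SSODL entries. The script below is an added example (not part of the thread or of HijackThis) that encodes those rules as checks over HijackThis log lines; the sample entries are copied from the logs above and the ALCXMNTR.EXE allowlist entry is an assumption.

```python
import re

# Constructed sample: entries copied from the HijackThis logs posted in this thread
# (not a full log), with known-good lines kept as controls.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\wnmtgqjd.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [WhatsNewBot] NSYSCPLSTR.exe
O4 - HKLM\..\Run: [cf172] C:\Program Files\Cf1728c00-zzuks\csrss.exe
O4 - HKCU\..\Run: [SysSupport] Trayz.exe
O20 - Winlogon Notify: pm3sp - C:\WINDOWS\assembly\temp\pm3sp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\system32\dpfwu.dll
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[[^\]]*\] (?P<cmd>.*)$")
# First executable of a Run value, with or without surrounding quotes.
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|com|scr|bat))"?(?:\s|$)', re.I)

# Core Windows processes that only legitimately run from %SystemRoot%\system32;
# the thread's csrss.exe under Program Files\Cf1728c00-zzuks is the classic abuse.
CORE_PROCESSES = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
# Path-less Run values known to be fine on this box. ALCXMNTR.EXE is the Realtek
# audio event monitor the helper left alone (assumption: extend per environment).
BARE_NAME_ALLOWLIST = {"alcxmntr.exe"}


def check_entry(line: str) -> list:
    """Return the triage reasons for one HijackThis entry (empty list = nothing to flag)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if sec in {"O2", "O3", "O20"} and "(file missing)" in body:
        reasons.append("orphaned registration: module is gone, entry should be fixed")
    if sec == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("unnamed BHO: review")
    if sec == "O4":
        run = RUN_RE.match(body)
        img = IMAGE_RE.match(run.group("cmd").strip()) if run else None
        if img:
            low = img.group("path").lower()
            base = low.rsplit("\\", 1)[-1]
            if "\\" not in low and base not in BARE_NAME_ALLOWLIST:
                reasons.append("autorun with no path: binary is located via PATH search")
            if base in CORE_PROCESSES and "\\system32\\" not in low:
                reasons.append(f"core process name {base} outside system32")
    if sec == "O20":
        dll = body.rsplit(" - ", 1)[-1].lower()
        if "(file missing)" not in dll and "\\system32\\" not in dll:
            reasons.append("Winlogon Notify DLL outside system32")
    if sec == "O21":
        reasons.append("ShellServiceObjectDelayLoad autostart: rarely legitimate, review")
    return reasons


def analyze(log_text: str) -> list:
    """Run check_entry over every line; returns (entry, reason) pairs."""
    return [(raw.strip(), reason)
            for raw in log_text.splitlines()
            for reason in check_entry(raw)]


if __name__ == "__main__":
    for entry, reason in analyze(SAMPLE_LOG):
        print(f"{reason:<60} {entry}")
```

Run against the sample it flags the same entries the helper told rdrake to fix and leaves the AVG, Yahoo!, WgaLogon and Realtek lines alone; feed it a full log via `analyze(open(path).read())`.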