# I need help cleaning my computer



## huxley-market (May 25, 2008)

I have a bunch of trojan horses, and these Win32 things. Plus a spyware thing attached itself, spy master something.

I use avast for my anti-virus, but it didn't stop it, and I don't really know how to remove them. I don't want to just delete it; I might end up doing more harm than good.

So what should I do?


----------



## computeruler (May 25, 2008)

Superantispyware free edition will suffice


----------



## ceewi1 (May 25, 2008)

Post a HijackThis log:

Please download the HijackThis installer from http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe.

Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*

When the Notepad window opens choose Edit -> Select All to select the entire log, and copy and paste the log into a reply post.
_Most of what it lists will be harmless or even essential, don't fix anything yet._


----------



## cohen (May 25, 2008)

AVG 8.0 is good protection

Also do this:

**NOTE** CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!

*Download CCleaner from here to clean temp files from your computer*.

Double click on the file to start the installation of the program.
Select your language and click *OK*, then *next*.
Read the license agreement and click *I Agree*.
Click *next* to use the default install location. Click *Install* then *finish* to complete installation.
Double click the *CCleaner* shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted.  (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced." 
*deselect* "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click *Run Cleaner* to run the program.
*Caution*: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After *CCleaner* has completed its process, click *Exit*.


----------



## G25r8cer (May 25, 2008)

Nice double post!! CCleaner won't fix anything but will help to clean it out. Stop spamming with your CCleaner crap!


----------



## cohen (May 25, 2008)

g25racer said:


> Nice double post!! CCleaner won't fix anything but will help to clean it out. Stop spamming with your CCleaner crap!



I'm not - in another thread it actually fixed the problem!


----------



## G25r8cer (May 25, 2008)

Sorry, but seeing the same crap gets very annoying.


----------



## ceewi1 (May 25, 2008)

cohen said:


> I'm not - in another thread it actually fixed the problem!


So you therefore conclude that it will fix every problem, including ones like this where no information has yet been provided ???


----------



## G25r8cer (May 25, 2008)

^^ LOL cohen is trying to help but in fact is wasting people's time


----------



## cohen (May 25, 2008)

I'm just saying it can solve some of the problems....


----------



## G25r8cer (May 25, 2008)

Not really. All it does is clean out temp files to save space. That's it.


----------



## cohen (May 25, 2008)

g25racer said:


> Not really. All it does is clean out temp files to save space. That's it.



Not just that, it cleans out other things as well - it is worth a try, and on another thread it did help!


----------



## G25r8cer (May 25, 2008)

Helps but doesn't solve the real issue, which is an infection


----------



## cohen (May 25, 2008)

g25racer said:


> Helps but doesn't solve the real issue, which is an infection



Could do - worth a try.


----------



## G25r8cer (May 25, 2008)

I guess


----------



## Buzz1927 (May 25, 2008)

cohen said:


> See


No, I don't "see", if you want to piss about, do it in off-topic, not here!


----------



## Wayneous (May 25, 2008)

Comp has gone real slow... got a pop-up saying my comp might be infected with the latest version of spyware.cyberlog-x

What should I do to fix this please????


----------



## cohen (May 25, 2008)

Wayneous said:


> Comp has gone real slow... got a pop-up saying my comp might be infected with the latest version of spyware.cyberlog-x
> 
> What should I do to fix this please????



Delete your posts and create "your own" thread!


----------



## huxley-market (May 25, 2008)

ceewi1 said:


> Post a HijackThis log:
> 
> Please download the HijackThis installer from http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe.
> 
> ...



OK, I did what you asked. Here is the copy-paste stuff.
(I would just like to say thanks, you guys. And understand that I'm not the most computer-educated guy.)


 Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:57 AM, on 5/25/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9A551ACB-60F8-44F5-BC65-36F44E448776} - C:\WINDOWS\System32\qoMfgGyv.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINDOWS\System32\fccddccY.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BMaf7b56b0] Rundll32.exe "C:\WINDOWS\System32\teyqibol.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Steph\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?101d4ec7a8ba474ab733853bbe3f1df9
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?101d4ec7a8ba474ab733853bbe3f1df9
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O20 - Winlogon Notify: fccddccY - C:\WINDOWS\SYSTEM32\fccddccY.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

--
End of file - 8144 bytes



So what's my next step? Thanks


----------
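
A first-pass triage of a HijackThis log like the one posted above, added here as an example; it is not part of the original thread and is not HijackThis's own logic. The rules and the names `triage`, `reasons_for` and `masquerades` are assumptions chosen for illustration, the sample lines are copied from the posted log, and a flag means "have someone qualified look at this entry", not "malicious".

```python
import re

# A few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {9A551ACB-60F8-44F5-BC65-36F44E448776} - C:\WINDOWS\System32\qoMfgGyv.dll (file missing)
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINDOWS\System32\fccddccY.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BMaf7b56b0] Rundll32.exe "C:\WINDOWS\System32\teyqibol.dll",s
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Steph\LOCALS~1\Temp\winlogon.exe
O15 - Trusted Zone: *.trustedantivirus.com
O20 - Winlogon Notify: fccddccY - C:\WINDOWS\SYSTEM32\fccddccY.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Windows paths ending in .exe or .dll (spaces allowed, quotes/brackets not).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll)', re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)
RUNDLL_RE = re.compile(r"\]\s*rundll32(?:\.exe)?\b", re.I)

# Core processes that normally live in system32 (assumed list, not exhaustive).
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "lsass.exe", "svchost.exe"}


def masquerades(path):
    """True if a core Windows process name sits outside system32."""
    folder, _, name = path.lower().rpartition("\\")
    return name in SYSTEM_NAMES and not folder.endswith("\\system32")


def reasons_for(section, body):
    """Return the review reasons (possibly none) for one log entry."""
    reasons = []
    paths = PATH_RE.findall(body)
    if section == "O2":  # Browser Helper Objects
        if "(no name)" in body:
            reasons.append("BHO registered without a name")
        if "(file missing)" in body:
            reasons.append("BHO points at a file that is missing")
    elif section == "O4":  # Run keys and Startup folders
        if any(TEMP_RE.search(p) for p in paths):
            reasons.append("autorun launches from a Temp folder")
        if any(masquerades(p) for p in paths):
            reasons.append("system process name outside system32")
        if RUNDLL_RE.search(body):
            reasons.append("autorun loads a DLL through rundll32")
    elif section == "O15":
        reasons.append("domain added to the IE Trusted Zone")
    elif section == "O20":
        reasons.append("Winlogon Notify DLL (loaded by winlogon.exe)")
    return reasons


def triage(log_text):
    """Parse a pasted log and return (section, body, reasons) for flagged lines."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank line
        reasons = reasons_for(m["section"], m["body"])
        if reasons:
            flagged.append((m["section"], m["body"], reasons))
    return flagged


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {body}")
        for reason in reasons:
            print(f"    - {reason}")
```
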



## GameMaster (May 25, 2008)

Download *SDFix* and save it to your Desktop. 

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix) 

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer 
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; 
Instead of Windows loading as normal, the Advanced Options Menu should appear; 
Select the first option, to run Windows in Safe Mode, then press *Enter*. 
Choose your usual account. 
 Open the extracted SDFix folder and double click *RunThis.bat* to start the script. 
 Type *Y* to begin the cleanup process. 
 It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. 
 Press any Key and it will restart the PC. 
 When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons. 
 Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* 
(Report.txt will also be copied to Clipboard ready for posting back on the forum). 
 Finally paste the contents of the Report.txt back on the forum with a new HijackThis log 


*Download and Run ComboFix* 
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.* 

*Download this file* from one of the three below listed places : 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe 
http://www.forospyware.com/sUBs/ComboFix.exe 
http://subs.geekstogo.com/ComboFix.exe 

Then double click *combofix.exe* & follow the prompts. 
When finished, it shall produce *a log* for you. *Post that log* in your next reply 
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall* 

Combofix should never take more than 20 minutes including the reboot if malware is detected. 
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue. 
If that happened we want to know, and also what process you had to end.

In next post please post:

SDFix report
ComboFix report


----------



## huxley-market (May 26, 2008)

GameMaster said:


> Download *SDFix* and save it to your Desktop.
> 
> Double click *SDFix.exe* and it will extract the files to %systemdrive%
> (Drive that contains the Windows Directory, typically C:\SDFix)
> ...



OK, I did what you asked, here is the report of the SDFix:

Rebooting


*Checking Files *: 

No Trojan Files Found




Folder C:\Program Files\AntiSpywareMaster - Removed
Folder C:\Program Files\winvi - Removed
Folder C:\Temp\1cb - Removed


Removing Temp Files

*ADS Check *:



*Final Check *:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 20:39:57
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


*Remaining Services *:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

*Remaining Files *:



*Files with Hidden Attributes *:

Sun  3 Sep 2006           848 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 13 Apr 2008   258,998,272 A.SH. --- "C:\System Volume Information\_restore{DBD29183-E1DA-442D-AFFB-41A1B3CD2AAE}\RP236\A0200517.sys"
Sun 13 Apr 2008   258,998,272 A.SH. --- "C:\System Volume Information\_restore{DBD29183-E1DA-442D-AFFB-41A1B3CD2AAE}\RP236\A0201517.sys"
Sun 10 Feb 2008             0 A..H. --- "C:\Documents and Settings\Steph\Local Settings\Temp\5f765cbhp65cb0.exe"
Sat 21 Jun 2003       377,344 A..H. --- "C:\Program Files\Smart Projects\IsoBuster\Help\AHlp.exe"

*Finished!*

--------------------------------------------------------------------

Here is the HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:56 PM, on 5/25/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {24F372CC-44AC-4A5F-8719-A2F97C93DB1C} - C:\WINDOWS\System32\qoMfgGyv.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINDOWS\System32\fccddccY.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BMaf7b56b0] Rundll32.exe "C:\WINDOWS\System32\teyqibol.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?101d4ec7a8ba474ab733853bbe3f1df9
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?101d4ec7a8ba474ab733853bbe3f1df9
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O20 - Winlogon Notify: fccddccY - C:\WINDOWS\SYSTEM32\fccddccY.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

--
End of file - 7898 bytes




But there is still something going on:  c/windows/system32.gomfgGYv.dll

that clicks on when I start up Explorer.


----------



## huxley-market (May 26, 2008)

OK, the ComboFix log:

ComboFix 08-05-25.3 - Steph 2008-05-25 21:05:23.1 - *FAT32*x86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.78 [GMT -3:00]
Running from: C:\Documents and Settings\Steph\Desktop\installed software\ComboFix.exe
 * Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMaf7b56b0.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\efcASiHb.dll
C:\WINDOWS\system32\fccddccY.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rrahicxa.ini
C:\WINDOWS\system32\ssqOEVMD.dll
C:\WINDOWS\system32\tunrjghs.ini
C:\WINDOWS\system32\vyGgfMoq.ini
C:\WINDOWS\system32\vyGgfMoq.ini2

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSLIBRARY
-------\Service_SysLibrary


(((((((((((((((((((((((((   Files Created from 2008-04-26 to 2008-05-26  )))))))))))))))))))))))))))))))
.

2008-05-26 14:38 . 2008-05-26 14:38	<DIR>	d--hs----	C:\FOUND.028
2008-05-25 21:00 . 2008-05-25 21:00	114,176	--a------	C:\WINDOWS\system32\uxawohwl.dll
2008-05-25 20:59 . 2008-05-25 20:59	135,168	--a------	C:\WINDOWS\system32\afrasfgd.dll
2008-05-25 20:53 . 2008-05-25 20:54	128,000	--a------	C:\WINDOWS\system32\nhkqvlqo.dll
2008-05-25 20:27 . 2008-05-25 20:27	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-05-25 20:27 . 2008-05-25 20:27	<DIR>	d--------	C:\SDFix'
2008-05-25 20:17 . 2008-05-25 20:17	<DIR>	d--hs----	C:\FOUND.032
2008-05-25 19:17 . 2008-05-25 19:17	<DIR>	d--------	C:\Program Files\Webroot
2008-05-25 19:17 . 2008-05-25 19:17	<DIR>	d--------	C:\Documents and Settings\Steph\Application Data\Webroot
2008-05-25 19:09 . 2008-05-25 19:09	<DIR>	d--------	C:\Documents and Settings\Administrator
2008-05-25 15:03 . 2008-05-25 15:03	<DIR>	d--hs----	C:\FOUND.031
2008-05-25 11:55 . 2008-05-25 11:55	<DIR>	d--------	C:\Program Files\Trend Micro
2008-05-24 20:42 . 2008-05-24 20:42	<DIR>	d--hs----	C:\FOUND.030
2008-05-20 14:28 . 2008-05-20 14:28	<DIR>	d--hs----	C:\FOUND.027
2008-05-18 17:38 . 2008-05-18 17:38	<DIR>	d--hs----	C:\FOUND.029
2008-05-18 17:33 . 2008-05-18 17:33	371,712	--a------	C:\WINDOWS\system32\qoMfgGyv.dll
2008-05-18 17:29 . 2008-05-18 17:29	<DIR>	d--------	C:\WINDOWS\system32\podll
2008-05-18 17:29 . 2008-05-18 17:29	<DIR>	d--------	C:\WINDOWS\system32\DFE
2008-05-18 17:28 . 2008-05-18 17:28	<DIR>	d--------	C:\WINDOWS\system32\logXv01
2008-05-18 17:28 . 2008-05-18 17:28	<DIR>	d--------	C:\WINDOWS\system32\gcom
2008-05-18 17:28 . 2008-05-18 17:28	<DIR>	d--------	C:\Temp\dmpxp32
2008-05-18 17:28 . 2008-05-18 17:28	<DIR>	d--------	C:\Temp
2008-05-18 17:28 . 2008-05-18 17:28	371,549	--a------	C:\Temp\sCarp2030.exe
2008-05-11 16:57 . 2008-03-21 17:30	120,056	---------	C:\WINDOWS\system32\pxcpyi64.exe
2008-05-11 16:57 . 2008-03-21 17:30	118,520	---------	C:\WINDOWS\system32\pxinsi64.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 21:25	161,096	----a-w	C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2006-09-04 02:22	848	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F372CC-44AC-4A5F-8719-A2F97C93DB1C}]
2008-05-18 17:33	371712	--a------	C:\WINDOWS\System32\qoMfgGyv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 17:28 68856]
"WebCamRT.exe"="" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-12-09 18:34 3545088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-06-21 14:14 35328]
"Device Detector"="DevDetect.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-23 18:13 77824]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 07:06 79224]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-08-12 14:53 20480]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 17:54 127022]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"BMaf7b56b0"="C:\WINDOWS\System32\teyqibol.dll" [ ]

C:\Documents and Settings\Steph\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2006-08-28 18:55:41 19968]
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 21:57:56 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 15:04:48 176128]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2002-08-29 03:41 1511453 C:\Program Files\Messenger\msmsgs.exe


.
Contents of the 'Scheduled Tasks' folder
"2008-05-25 15:29:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 21:20:26
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\DOCUME~1\Steph\LOCALS~1\Temp\mc22.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHDISP.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
.
**************************************************************************
.
Completion time: 2008-05-25 21:25:29 - machine was rebooted
ComboFix-quarantined-files.txt  2008-05-26 00:25:10

Pre-Run: 5,512,134,656 bytes free
Post-Run: 11,199,660,032 bytes free

128
-----------------------------------------------------------------





so guys what do i do now?


----------



## computeruler (May 26, 2008)

wait until someone qualified can tell you what to remove but apparently you don't have any trojans! according to this anyways


----------



## GameMaster (May 26, 2008)

Some rogue antimalware programs ( bad programs ) are deleted by SDFix, made this easier, though I really suspected on Trojans.

*Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).*

Note: This program is for use on Windows XP *32 bit* systems only, and must be run from an Administrator account. 


Open a *Notepad* file by clicking *Start > Run* and typing *Notepad.exe* in the box, click *OK*.
Click *Format*, and ensure *Word Wrap* is unchecked. 
Copy and Paste the text in the box below into *Notepad*. 
Now save the file as *RemoveFiles.txt* in a location where you can find it. 



> Files to delete:
> C:\WINDOWS\system32\afrasfgd.dll
> C:\WINDOWS\system32\afrasfgd.dll
> C:\WINDOWS\system32\nhkqvlqo.dll
> ...



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system. 

Start *Avenger* by double clicking on *Avenger.exe*. 

Check *Load script from file:* 
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*. 
Double click it to enter it into Avenger. 
Click the *green traffic light symbol*. 
You will be asked if you want to execute the script, answer *Yes*. 
At this point you may get prompts from your protection systems, allow them please. 
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately. 
Answer *Yes*, and allow your computer to re-boot. 
Upon re-boot a command window will briefly appear on screen (this is normal). 
A Notepad text file will be created *C:\avenger.txt*. 
*Copy and Paste it into your next post please.* 

Please tell me, do you recognise those folders in C:/ : FOUND.030, FOUND.28...
What are they? What program created them? Did you create them?


----------



## huxley-market (May 26, 2008)

ok the Avenger report:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\afrasfgd.dll" deleted successfully.

Error:  file "C:\WINDOWS\system32\afrasfgd.dll" not found!
Deletion of file "C:\WINDOWS\system32\afrasfgd.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\nhkqvlqo.dll" deleted successfully.

Error:  file "C:\WINDOWS\system32\qoMfgGyv.dll" not found!
Deletion of file "C:\WINDOWS\system32\qoMfgGyv.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error: "C:\Temp\dmpxp32" is a folder, not a file!
Deletion of file "C:\Temp\dmpxp32" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
  --> use "Folders to delete:" instead of "Files to delete:" to delete a directory

File "C:\Temp\sCarp2030.exe" deleted successfully.
Folder "C:\WINDOWS\system32\DFE" deleted successfully.
Folder "C:\WINDOWS\system32\podll" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.



----------------------------------

I don't know what those C/found files are honestly.  I didn't create them.


I have a question,  every time my windows boots up there's an error window that pops up it says.

                          RUNDLL
           error loading c:/windows/system32/teyqibol.dll
    the specified module could not be found. 





so what does that mean exactly. 



thanks for all your help guys


----------



## GameMaster (May 26, 2008)

That means we didn't delete all the bad files.

Let's fix it all with HijackThis in the end.
Open HijackThis and choose *Do a system scan only.* Check these entries:

O2 - BHO: (no name) - {24F372CC-44AC-4A5F-8719-A2F97C93DB1C} - C:\WINDOWS\System32\qoMfgGyv.dll (file missing
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINDOWS\System32\fccddccY.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0
O4 - HKLM\..\Run: [BMaf7b56b0] Rundll32.exe "C:\WINDOWS\System32\teyqibol.dll",s
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O20 - Winlogon Notify: fccddccY - C:\WINDOWS\SYSTEM32\fccddccY

Now close all open windows except HijackThis and click *Fix checked.*
Reboot your computer.

I was stupid, didn't spot it was a Vundo infection, I'd be sure in what to do immediately.
I hope you don't mind this process got a bit longer.

When done all suggested, run Avenger again but this time input this at the script:

```
Files to delete: 
C:\WINDOWS\System32\teyqibol.dll
C:\WINDOWS\System32\fccddccY.dll
```
Do as last time, post the log.
How's your system running now?


----------
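
The checks that the fix list above implies, written out as an added example (it is not part of the thread and is not HijackThis's own logic): a small Python triage of HijackThis entry lines. The rule set and the function names are assumptions modelled on the entries selected in this thread; the sample lines are copied from the logs posted here.

```python
import re

# "O2 - BHO: ..." -> ("O2", "BHO: ..."); process paths such as "C:\..." do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)

# Sample lines copied from the HijackThis logs in this thread.
SAMPLE = r"""
O2 - BHO: (no name) - {24F372CC-44AC-4A5F-8719-A2F97C93DB1C} - C:\WINDOWS\System32\qoMfgGyv.dll (file missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BMaf7b56b0] Rundll32.exe "C:\WINDOWS\System32\teyqibol.dll",s
O15 - Trusted Zone: *.amaena.com
O20 - Winlogon Notify: fccddccY - C:\WINDOWS\SYSTEM32\fccddccY
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


def parse_entries(log_text):
    """Return (code, detail) pairs for every entry line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def review_reasons(code, detail):
    """Reasons to look twice at an entry (assumed rules, empty list = none)."""
    reasons = []
    low = detail.lower()
    if "file missing" in low:
        reasons.append("target file is missing")
    if code == "O2" and "(no name)" in low and SYSTEM32_RE.search(detail):
        reasons.append("unnamed BHO loading from System32")
    if code == "O4" and "rundll32" in low and ".dll" in low:
        reasons.append("Run key starts a DLL through Rundll32")
    if code == "O15":
        reasons.append("site added to the Trusted Zone")
    if code == "O20":
        reasons.append("Winlogon Notify package")
    return reasons


def triage(log_text):
    """Return (code, detail, reasons) for every entry with at least one reason."""
    flagged = []
    for code, detail in parse_entries(log_text):
        reasons = review_reasons(code, detail)
        if reasons:
            flagged.append((code, detail, reasons))
    return flagged


if __name__ == "__main__":
    for code, detail, reasons in triage(SAMPLE):
        print(f"{code}: {detail}\n    -> {'; '.join(reasons)}")
```

A flagged line is a prompt for a person to check the file and its origin, not a verdict; the unflagged Java, avast! and service lines in the sample show what the rules let through.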



## cohen (May 26, 2008)

computeruler said:


> wait until someone qualified can tell you what to remove but apparently you don't have any trojans! according to this anyways



That is what gamemaster is doing!


----------



## huxley-market (May 26, 2008)

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  file "C:\WINDOWS\System32\teyqibol.dll" not found!
Deletion of file "C:\WINDOWS\System32\teyqibol.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

---------------------------------

I tried to do what you asked. the hack this. you wanted me to select only the ones with the black dot next to it , right, 

well, i could only select :O15 - Trusted Zone: *.amaena.com
the O2 ones were not there. all the O15 were there, the 20 wasn't there.


what I think happened with the system/teyqibol,  is that i clicked rename/move this one time when my avast popped up.


and yes my pc is working much better,  i forget which program removed the spywaremaster but since then it's been working well,  but i know there is still some stuff to fix, cause i did a scan with avast and it said i have 10 infected files, i wish i could copy paste for you to see them but it doesn't allow that.


so what's my next step?


----------



## GameMaster (May 26, 2008)

Delete all O15 lines. I'm sorry, I was just too lazy and I wanted to post the answer fast so... It's hard to type like 15 times [*] 

Don't worry if you don't find some of the entries in HijackThis, that means it's removed. Fix what you found and reboot.

Also, I suggested two files to delete with Avenger; one is already deleted but what with another one? Where did it disappear?
It is important that this file gets deleted.
C:\WINDOWS\System32\*fccddccY.dll*


----------
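
The question above, which file from the script never got a result, can be answered mechanically by reconciling the Avenger script against the log. The following is an added example, not part of the thread and not Avenger's own code; the function names are assumptions, and the script and log text are copied from the posts in this thread (the first script is only the part that is visible here).

```python
import re

# Message shapes as they appear in the Avenger 2.0 logs posted in this thread.
DELETED_RE = re.compile(r'^(?:File|Folder) "(.+)" deleted successfully\.$')
FAILED_RE = re.compile(r'^Deletion of file "(.+)" failed!$')
STATUS_RE = re.compile(r"^Status: (0x[0-9a-fA-F]{8}) \((\w+)\)$")

SCRIPT_RUN1 = r"""Files to delete:
C:\WINDOWS\system32\afrasfgd.dll
C:\WINDOWS\system32\afrasfgd.dll
C:\WINDOWS\system32\nhkqvlqo.dll
"""
LOG_RUN1 = r"""File "C:\WINDOWS\system32\afrasfgd.dll" deleted successfully.

Error:  file "C:\WINDOWS\system32\afrasfgd.dll" not found!
Deletion of file "C:\WINDOWS\system32\afrasfgd.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\nhkqvlqo.dll" deleted successfully.
"""
SCRIPT_RUN2 = r"""Files to delete: 
C:\WINDOWS\System32\teyqibol.dll
C:\WINDOWS\System32\fccddccY.dll
"""
LOG_RUN2 = r"""Error:  file "C:\WINDOWS\System32\teyqibol.dll" not found!
Deletion of file "C:\WINDOWS\System32\teyqibol.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist
"""


def parse_avenger_log(log_text):
    """Map lower-cased path -> list of outcomes, in the order the log gives them."""
    outcomes = {}
    pending = None  # path of a failed deletion still waiting for its Status line
    for raw in log_text.splitlines():
        line = raw.strip()
        match = DELETED_RE.match(line)
        if match:
            outcomes.setdefault(match.group(1).lower(), []).append("deleted")
            continue
        match = FAILED_RE.match(line)
        if match:
            pending = match.group(1).lower()
            continue
        match = STATUS_RE.match(line)
        if match and pending is not None:
            outcomes.setdefault(pending, []).append(match.group(2))
            pending = None
    return outcomes


def script_paths(script_text):
    """Paths listed in the script; header lines such as 'Files to delete:' are skipped."""
    lines = (raw.strip() for raw in script_text.splitlines())
    return [line for line in lines if line and not line.endswith(":")]


def reconcile(script_text, log_text):
    """Return {path: verdict} for every distinct path named in the script."""
    outcomes = parse_avenger_log(log_text)
    verdicts = {}
    for path in script_paths(script_text):
        seen = outcomes.get(path.lower())  # Windows paths compare case-insensitively
        if seen is None:
            verdicts[path] = "no result in log"
        elif "deleted" in seen:
            verdicts[path] = "deleted"  # a later NOT_FOUND is just a duplicate script line
        else:
            verdicts[path] = seen[-1]
    return verdicts


if __name__ == "__main__":
    for name, script, log in (("run 1", SCRIPT_RUN1, LOG_RUN1), ("run 2", SCRIPT_RUN2, LOG_RUN2)):
        for path, verdict in reconcile(script, log).items():
            print(f"{name}: {path}: {verdict}")
```

"no result in log" means the posted log says nothing about that path, so the log is incomplete or the line was never processed; STATUS_OBJECT_NAME_NOT_FOUND only says the file was not at that path when Avenger ran.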



## huxley-market (May 27, 2008)

GameMaster said:


> Delete all O15 lines. I'm sorry, I was just too lazy and I wanted to post the answer fast so... It's hard to type like 15 times [*]
> 
> Don't worry if you don't find some of the entries in HijackThis, that means it's removed. Fix what you found and reboot.
> 
> ...



Don't worry about it. You've been very helpful, serious.  ok, I did what you asked. here is the report of Avenger:




Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  file "C:\WINDOWS\System32\fccddccY.dll" not found!
Deletion of file "C:\WINDOWS\System32\fccddccY.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.




plus when i start up my pc it has stopped doing that error thing the one with teyqibol.dll


so what's next for now?   plus after this is all done, I really need to learn how to protect my pc from this happening again.


thanks


----------



## GameMaster (May 27, 2008)

Yep. To be sure, please scan with HijackThis again and post the log. 
Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we at Computer Forum are to help you, for your sake we would rather not have repeat customers. 

*1)* Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, if you haven't done that already. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable *Automatic Updates* under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly.  *I cannot stress enough how important this is.*

*2)* In order to protect yourself against spyware, you should consider installing and running the following *free* programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here.  Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to *keep these programs up-to-date* and to *run them regularly*, as this can prevent a great deal of spyware hassle.

*3)* Please consider using an alternate browser.  Mozilla's Firefox browser is *fantastic*; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

*4)* Also make sure to *run your antivirus software regularly, and to keep it up-to-date.*
[OR]
I notice that you do not seem to be running antivirus software.  This is somewhat suicidal in today's digital world.  AVG makes an excellent *free* antivirus client, as do AntiVir or avast!.

Please make sure to *run your antivirus software regularly, and to keep it up-to-date.*

*5)* Finally, consider maintaining a firewall. Some good free firewalls are ZoneAlarm, Kerio, or Outpost.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck.


----------



## huxley-market (May 27, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:02 PM, on 5/27/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Final Draft 7\Final Draft.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?101d4ec7a8ba474ab733853bbe3f1df9
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?101d4ec7a8ba474ab733853bbe3f1df9
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

--
End of file - 6817 bytes




I do have an anti virus program on, I use avast, but I'm finding that it's not that great, I think I did try to download "AVG" but it was asking that I change my windows to some other windows xp that is like 200 something megabytes,  so I didn't cause I was unsure about what it would do. so I didn't do it.


I'll go read up on the tutorials you gave me and download those protection software, and if I have any questions relating to them I'll send you a private msg.    thanks for all your help, my pc is working a 1000 times better from what it was like 3 days ago. thanks


----------



## G25r8cer (May 27, 2008)

If you find that avast is using too much cpu like I did then I recommend Nod32. Nod32 is a much smaller running antivirus and works a treat.


----------



## GameMaster (May 27, 2008)

Yeah...glad I could help. Your log is now clean ...enjoy!


----------



## huxley-market (May 27, 2008)

Ok, first off, I'm on another computer, in the house.        I think my computer crashed. I can't get windows screen. it loads up with the black dos pages, 2 of them, then it goes to a screen full of funny symbols. plus I can't even go into safe mode.  the only things I can do with it is go into setup (but i don't know what i can do with it there) plus f10 change the bootstraps (but don't know what that means.) it's pxe boot using interuptor 18 (if that helps but i can change them)

so is my computer done for or can i fix this on my own? 



i find it strange cause i had just cleaned it all up and was about to put all new protection stuff, what happened was i was on microsoft update page and had canceled a update cause i had just read that i needed to be fully clean before uploading it, so i canceled to wait to hear if i was all clean, then went back to upload after knowing i was good. but the page was different, so other upload and not the windows pack 2,  so refreshed my page, same thing, i decided to hit the restart button,  my computer restarted ok, it went to the blue scanning page, i wanted to skip it so i pressed esc, but it didn't skip, just stop, so i hit the restart button a second time, computer started, went through the 2 dos pages but the 3rd page is all this computer symbols junk,



any ideas how to fix that ?


----------



## cohen (May 28, 2008)

sounds like that it was an update that has stuffed windows.

You'll have to do a windows repair.


----------



## huxley-market (May 28, 2008)

cohen said:


> sounds like that it was an update that has stuffed windows.
> 
> You'll have to do a windows repair.





and how do i do that?  is it even possible for me to do that ?


----------



## huxley-market (May 29, 2008)

question,,, I'm on my computer in town,,, I'm running on a bootleg windows, like i don't have a cd for windows, it's the windows that came with the computer from the pc store.




I want to protect this computer, so my question is all those protection software, fire wall, anti virus, etc... is it ok for my ripped copy of windows.


note.. I will not download the windows updates because that's what i think crashed my computer


----------



## G25r8cer (May 29, 2008)

^^ Bootleg? Are you using the key that came with your "real" xp disk?


----------



## computeruler (May 29, 2008)

avg works pretty good


----------



## huxley-market (May 29, 2008)

g25racer said:


> ^^ Bootleg? Are you using the key that came with your "real" xp disk?



i don't think so.. the xp I have is just the xp that the computer shop put on before i bought the computer, they probably upload a 100 computers with the same xp cd.


so if my windows crashes I don't have a back up..

I'm very much considering switching to linux. but i need to do some research about it first


----------



## cohen (May 29, 2008)

huxley-market said:


> i don't think so.. the xp I have is just the xp that the computer shop put on before i bought the computer, they probably upload a 100 computers with the same xp cd.
> 
> 
> so if my windows crashes I don't have a back up..
> ...



The computer shop would have one copy per computer..... and you should have got a restore disc or something......


----------

