Full Version: LS CalamityJane Help
plhwarrenj
Dear LS CalamityJane,

I need your help. I recently (last Monday) received a virus on my computer because I downloaded some video codec that I shouldn't have. The original virus was doing the following:

1. A warning appears in a dialogue box of Microsoft Internet Explorer showing warning: w32.myzor.fk@yf is a virus that infects files with .exe extensions. It attempts to steal passwords and private information from the infected computer.

2. There is also a virus alert running on my bottom right toolbar saying your computer is infected.


I googled this and found your response here:

http://www.lavasoftsupport.com/index.php?showtopic=405

I followed the steps as closely as possible (Ran Ewido, Ran Smitfraud, Ran Panda, etc. I even ran Ad-Aware). Since then I have gotten rid of the symptoms I describe above but still get popups every now and then.

The popups say one of the following:

1. Malacious Software Removal Wizard

Warning: Efficient anti-virus protection software was not found running on this computer. Anti-virus software protects your computer from destructive computer viruses, Internet Worms and other online security threats.

Immediate anti-virus scan is strongly recommended to prevent files corruption and loss of documents caused by viruses, spyware and trojan infections.

To scan your computer for viruses, spyware, trojans and other malicious objects please click the 'Next' button below.

2. Spyware Removal Wizard (with the same description as above)

3. Notice: Your computer has tracks of all adult sites you had visited. In most cases, you are not even aware of spyware, adware and tracker programs that get installed by themselves, violate your online privacy and could compromise your private life.
These files leave tracks of your online behavior and even compromise your credit card's security. It is possible to clean up all spyware, adware and temporary records of your computer to remove these tracks.

Would you like to install Ultimate Defender to check your computer for free? (Recommended)



I am worried about using my computer for any banking right now because I am afraid of the line "It attempts to steal passwords and private information from the infected computer."

I also have disabled all cookies, deleted the old ones, and have it prompt for me.


Our IT folks won't return my calls now. So I really need your help!!! You seem to be able to answer everybody's questions. Here is a fresh HiJackThis log. Please help me LSCJ!!! If anybody else can help too, I am eternally grateful!!!


-----------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 3:51:23 PM, on 8/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\Reflection\R8win.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\jangel\Desktop\Virus August 27\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AMS
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\Media-Codec\isaddon.dll (file missing)
O2 - BHO: (no name) - {6BEF7157-3D48-0BED-2B99-05DD3830FAC3} - C:\WINDOWS\system32\wwdgsnf.dll
O3 - Toolbar: Protection Bar - {860c2f6b-ca82-4282-9187-beccbb66f0af} - C:\Program Files\Media-Codec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [qtecyjc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\qtecyjc.dll,wzvuqt
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\neoteris\secure application manager\gapsp.dll' missing
O15 - Trusted Zone: epm.ams.com
O15 - Trusted Zone: extranet.ams.com
O16 - DPF: XMS - http://xpense.ams.com/expense/Applets/xms_ie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098111584324
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154629103451
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AABD59E3-9FA0-49CF-B057-1BEE9BE12EFD} (CorasWorks Client) - https://www.cgishare.com/sites/mmt/_wpresou...b6/cwclient.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ams.com
O17 - HKLM\Software\..\Telephony: DomainName = ams.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ams.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
LS CalamityJane
Ad-Aware does not detect that variant yet. It is not a virus but a hijacker of the "Smitfraud" family that displays a fake notice that you are infected to fool you into buying some fraudulent antispyware program.

There is no such thing as the "w32.myzor.fk@yf" virus. The fraudulent hijacker giving you the warning is the real infection, and it is just trying to scare you into paying money for it to remove the fake infection they describe. So please do not panic.

You have some files I need to examine further.

Go here to upload the files as attachments:
http://www.thespykiller.co.uk/forum/index.php?board=1.0
Just press New Topic (make the subject: For CalamityJane from plhwarrenj at LS), fill in a short message, and then press the Browse button and navigate to and select these files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select it. When all the files are listed in the windows, press the *Post* button to upload the files.

Files to attach for upload:

C:\WINDOWS\system32\wwdgsnf.dll

C:\WINDOWS\system32\qtecyjc.dll

C:\WINDOWS\system32\wwdgsnf.dll

C:\WINDOWS\System32\Fast.exe

(Do not post HJT logs there as they will not get dealt with)

You DO NOT need to be a member to upload, anybody can upload the files

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to collect the file from there and will reply back here to you in this topic with steps to remove it, once I determine what it is.

......................
I also need to see the following scan logs:

1. Ad-Aware Scan log

2. Ewido scan log

3. Rapport.txt (C:\Rapport.txt) which is the log created by SmitfraudFix

4. Panda scan log

If you would post those please in your next reply in this topic after uploading the requested files.
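How the two DLLs in the upload list above show up in the posted HijackThis log, as an added example that is not part of the original posts or of any tool named in this thread. It parses a few lines copied from that log and flags entries with three heuristics that are assumptions made here: an unnamed BHO loading a DLL straight from system32, a Run value that starts a DLL through rundll32, and an entry whose target is marked "file missing".

```python
import re
from typing import List, NamedTuple

# Excerpt copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\Media-Codec\isaddon.dll (file missing)
O2 - BHO: (no name) - {6BEF7157-3D48-0BED-2B99-05DD3830FAC3} - C:\WINDOWS\system32\wwdgsnf.dll
O3 - Toolbar: Protection Bar - {860c2f6b-ca82-4282-9187-beccbb66f0af} - C:\Program Files\Media-Codec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [qtecyjc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\qtecyjc.dll,wzvuqt
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
"""


class Finding(NamedTuple):
    section: str  # HijackThis section code, e.g. "O2" (BHO) or "O4" (autorun)
    reason: str   # which heuristic fired
    path: str     # file the entry points at


# "<section code> - <rest of line>", e.g. "O2 - BHO: ..."
ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# rundll32.exe followed by the DLL it is asked to load (up to the comma
# that separates the DLL path from the exported function name).
RUNDLL = re.compile(
    r"rundll32\.exe\"?\s+(?P<dll>[A-Za-z]:\\[^,\"]+?\.dll)", re.IGNORECASE
)
# A DLL sitting directly in system32, not in a vendor subfolder.
SYSTEM32_DLL = re.compile(
    r"^[A-Za-z]:\\WINDOWS\\system32\\[^\\]+\.dll$", re.IGNORECASE
)
MISSING = "(file missing)"


def triage(log_text: str) -> List[Finding]:
    """Return the log entries that the assumed heuristics single out."""
    findings = []
    for raw in log_text.splitlines():
        match = ENTRY.match(raw.strip())
        if not match:
            continue  # header lines, process list, blank lines
        section, body = match["section"], match["body"]

        if section in ("O2", "O3"):
            # Layout: "<kind>: <name> - {CLSID} - <path> [(file missing)]"
            name_part, _, target = body.rpartition(" - ")
            path = target.replace(MISSING, "").strip()
            if target.endswith(MISSING):
                # Registry entry survives but the file is gone: a leftover
                # to clean up, not a file that can be submitted for analysis.
                findings.append(
                    Finding(section, "orphaned entry, target file missing", path)
                )
            elif "(no name)" in name_part and SYSTEM32_DLL.match(path):
                findings.append(
                    Finding(section, "unnamed helper object, DLL in system32", path)
                )
        elif section == "O4":
            launched = RUNDLL.search(body)
            if launched:
                findings.append(
                    Finding(section, "Run key starts a DLL via rundll32",
                            launched["dll"])
                )
    return findings


def files_to_examine(findings: List[Finding]) -> List[str]:
    """Paths that still exist on disk and are worth submitting for analysis."""
    return [f.path for f in findings if "missing" not in f.reason]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.section:<3} {finding.reason:<40} {finding.path}")
```

These heuristics only rank entries for a human to look at; a flagged file still has to be examined before anything is removed.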
plhwarrenj
QUOTE(LS CalamityJane @ Aug 30 2006, 08:50 PM)
I also need to see the following scan logs:

1. Ad-Aware Scan log

2. Ewido scan log

3. Rapport.txt (C:\Rapport.txt) which is the log created by SmitfraudFix

4. Panda scan log

If you would post those please in your next reply in this topic after uploading the requested files.


CalamityJane,

I uploaded the files you requested on the other site.

Here are the logs you requested. Again, thank you soooooo much. I think we should start selling t-shirts that say I Heart CalamityJane. :-)


-------------------------------------------------------------------------------------------------------------------
1) Ad-Aware Scan Log



Ad-Aware SE Build 1.06r1
Logfile Created on:Wednesday, August 30, 2006 11:28:38 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R121 28.08.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):19 total references
Tracking Cookie(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


8-30-2006 11:28:38 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\jangel\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\jangel\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-682003330-1383384898-1801674531-72438\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : S-1-5-21-682003330-1383384898-1801674531-72438\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-682003330-1383384898-1801674531-72438\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-682003330-1383384898-1801674531-72438\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-682003330-1383384898-1801674531-72438\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-682003330-1383384898-1801674531-72438\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-682003330-1383384898-1801674531-72438\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-682003330-1383384898-1801674531-72438\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-682003330-1383384898-1801674531-72438\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-682003330-1383384898-1801674531-72438\software\microsoft\office\11.0\common\open find\microsoft office word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-682003330-1383384898-1801674531-72438\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-682003330-1383384898-1801674531-72438\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-682003330-1383384898-1801674531-72438\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-682003330-1383384898-1801674531-72438\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 584
ThreadCreationTime : 8-31-2006 3:14:18 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 664
ThreadCreationTime : 8-31-2006 3:14:19 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 1236
ThreadCreationTime : 8-31-2006 3:14:20 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1332
ThreadCreationTime : 8-31-2006 3:14:20 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1344
ThreadCreationTime : 8-31-2006 3:14:20 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1492
ThreadCreationTime : 8-31-2006 3:14:21 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1552
ThreadCreationTime : 8-31-2006 3:14:21 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1596
ThreadCreationTime : 8-31-2006 3:14:21 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1636
ThreadCreationTime : 8-31-2006 3:14:21 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1784
ThreadCreationTime : 8-31-2006 3:14:21 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [wltrysvc.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 232
ThreadCreationTime : 8-31-2006 3:14:22 AM
BasePriority : Normal


#:12 [bcmwltry.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 236
ThreadCreationTime : 8-31-2006 3:14:22 AM
BasePriority : Normal
FileVersion : 4.10.47.3
ProductVersion : 4.10.47.3
ProductName : Dell Wireless WLAN Card Wireless Network Controller
CompanyName : Dell Inc.
FileDescription : Dell Wireless WLAN Card Wireless Network Controller
InternalName : bcmwltry.exe
LegalCopyright : 1998-2005, Dell Inc. All Rights Reserved.
OriginalFilename : bcmwltry.exe

#:13 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 296
ThreadCreationTime : 8-31-2006 3:14:22 AM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:14 [scardsvr.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 332
ThreadCreationTime : 8-31-2006 3:14:22 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Smart Card Resource Management Server
InternalName : SCardSvr.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : SCardSvr.exe

#:15 [guard.exe]
FilePath : C:\Program Files\ewido anti-spyware 4.0\
ProcessID : 1008
ThreadCreationTime : 8-31-2006 3:14:37 AM
BasePriority : Normal
FileVersion : 4, 0, 0, 172
ProductVersion : 4, 0, 0, 172
ProductName : ewido anti-spyware
CompanyName : Anti-Malware Development a.s.
FileDescription : ewido anti-spyware guard
InternalName : ewido anti-spywareguard
LegalCopyright : Copyright © 2005 Anti-Malware Development a.s.
OriginalFilename : guard.exe

#:16 [frameworkservice.exe]
FilePath : C:\Program Files\Network Associates\Common Framework\
ProcessID : 1060
ThreadCreationTime : 8-31-2006 3:14:37 AM
BasePriority : Normal
FileVersion : 3.5.5.438
ProductName : McAfee Common Framework
CompanyName : McAfee, Inc.
FileDescription : Framework Service
InternalName : Framework
LegalCopyright : Copyright© 2000-2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : Framework.exe

#:17 [mcshield.exe]
FilePath : C:\Program Files\Network Associates\VirusScan\
ProcessID : 1168
ThreadCreationTime : 8-31-2006 3:14:40 AM
BasePriority : High


#:18 [vstskmgr.exe]
FilePath : C:\Program Files\Network Associates\VirusScan\
ProcessID : 1200
ThreadCreationTime : 8-31-2006 3:14:40 AM
BasePriority : Normal


#:19 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ProcessID : 1272
ThreadCreationTime : 8-31-2006 3:14:41 AM
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe

#:20 [naprdmgr.exe]
FilePath : C:\Program Files\Network Associates\Common Framework\
ProcessID : 1692
ThreadCreationTime : 8-31-2006 3:14:41 AM
BasePriority : Normal
FileVersion : 3.5.5.438
ProductName : McAfee Common Framework
CompanyName : McAfee, Inc.
FileDescription : NAI Product Manager
InternalName : Product Manager
LegalCopyright : Copyright© 2000-2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : naPrdMgr.exe

#:21 [spkrmon.exe]
FilePath : C:\Program Files\Analog Devices\SoundMAX\
ProcessID : 1740
ThreadCreationTime : 8-31-2006 3:14:42 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 4
ProductVersion : 1, 0, 0, 4
ProductName : spkrmon Module
FileDescription : SoundMAX SpeakerMonitor service
InternalName : spkrmon
LegalCopyright : Copyright 2003
OriginalFilename : spkrmon.EXE

#:22 [wdfmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1908
ThreadCreationTime : 8-31-2006 3:14:42 AM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:23 [fast.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 480
ThreadCreationTime : 8-31-2006 3:14:42 AM
BasePriority : Normal
FileVersion : 5.1.3564.0 (Lab06_DEV(lamadio).011003-1729)
ProductVersion : 5.1.3564.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Super Fast User Switcher
InternalName : Fast
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : Fast.EXE

#:24 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1628
ThreadCreationTime : 8-31-2006 3:14:49 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:25 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 2564
ThreadCreationTime : 8-31-2006 3:14:57 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:26 [taskswitch.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2740
ThreadCreationTime : 8-31-2006 3:14:59 AM
BasePriority : Normal


#:27 [shstat.exe]
FilePath : C:\Program Files\Network Associates\VirusScan\
ProcessID : 2748
ThreadCreationTime : 8-31-2006 3:14:59 AM
BasePriority : Normal


#:28 [updaterui.exe]
FilePath : C:\Program Files\Network Associates\Common Framework\
ProcessID : 2756
ThreadCreationTime : 8-31-2006 3:14:59 AM
BasePriority : Normal
FileVersion : 3.5.5.438
ProductName : McAfee Common Framework
CompanyName : McAfee, Inc.
FileDescription : Common User Interface
InternalName : UpdaterUI
LegalCopyright : Copyright© 2000-2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : UpdaterUI.exe

#:29 [apoint.exe]
FilePath : C:\Program Files\Apoint\
ProcessID : 2780
ThreadCreationTime : 8-31-2006 3:14:59 AM
BasePriority : Normal
FileVersion : 5.4.101.113
ProductVersion : 5.4.101.113
ProductName : Alps Pointing-device Driver
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver
InternalName : Alps Pointing-device Driver
LegalCopyright : Copyright © 1999-2002 Alps Electric Co., Ltd.
OriginalFilename : Apoint.exe

#:30 [wltray.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2816
ThreadCreationTime : 8-31-2006 3:14:59 AM
BasePriority : Normal
FileVersion : 4.10.47.3
ProductVersion : 4.10.47.3
ProductName : Dell Wireless WLAN Card Wireless Network Tray Applet
CompanyName : Dell Inc.
FileDescription : Dell Wireless WLAN Card Wireless Network Tray Applet
InternalName : wltray.exe
LegalCopyright : 1998-2005, Dell Inc. All Rights Reserved.
OriginalFilename : wltray.exe

#:31 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 2848
ThreadCreationTime : 8-31-2006 3:15:00 AM
BasePriority : Normal
FileVersion : 6.0.5.20
ProductVersion : 6.0.5.20
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:32 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 2864
ThreadCreationTime : 8-31-2006 3:15:00 AM
BasePriority : Normal
FileVersion : 7.1
ProductVersion : QuickTime 7.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
FileDescription : QuickTime Task
InternalName : QuickTime Task
LegalCopyright : Copyright Apple Computer, Inc. 1989-2006
OriginalFilename : QTTask.exe

#:33 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 2944
ThreadCreationTime : 8-31-2006 3:15:00 AM
BasePriority : Normal
FileVersion : 6.0.5.20
ProductVersion : 6.0.5.20
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe

#:34 [hkcmd.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2972
ThreadCreationTime : 8-31-2006 3:15:00 AM
BasePriority : Normal
FileVersion : 3.0.0.4410
ProductVersion : 7.0.0.4410
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2004, Intel Corporation
OriginalFilename : HKCMD.EXE

#:35 [igfxpers.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3000
ThreadCreationTime : 8-31-2006 3:15:00 AM
BasePriority : Normal
FileVersion : 3.0.0.4410
ProductVersion : 7.0.0.4410
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : persistence Module
InternalName : PERSISTENCE
LegalCopyright : Copyright 1999-2004, Intel Corporation
OriginalFilename : IGFXPERS.EXE

#:36 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3012
ThreadCreationTime : 8-31-2006 3:15:01 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:37 [ewido.exe]
FilePath : C:\Program Files\ewido anti-spyware 4.0\
ProcessID : 3040
ThreadCreationTime : 8-31-2006 3:15:01 AM
BasePriority : Normal
FileVersion : 4, 0, 0, 172
ProductVersion : 4, 0, 0, 172
ProductName : ewido anti-spyware
CompanyName : Anti-Malware Development a.s.
FileDescription : ewido anti-spyware
InternalName : ewido anti-spyware
LegalCopyright : Copyright © 2005 Anti-Malware Development a.s.
OriginalFilename : ewido.exe

#:38 [aim.exe]
FilePath : C:\PROGRA~1\AIM\
ProcessID : 3116
ThreadCreationTime : 8-31-2006 3:15:01 AM
BasePriority : Normal
FileVersion : 5.9.3861
ProductVersion : 5.9.3861
ProductName : AOL Instant Messenger
CompanyName : America Online, Inc.
FileDescription : AOL Instant Messenger
InternalName : AIM
LegalCopyright : Copyright © 1996-2005 America Online, Inc.
OriginalFilename : AIM.EXE

#:39 [igfxsrvc.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3124
ThreadCreationTime : 8-31-2006 3:15:01 AM
BasePriority : Normal
FileVersion : 3.0.0.4410
ProductVersion : 7.0.0.4410
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : igfxsrvc Module
InternalName : IGFXSRVC
LegalCopyright : Copyright 1999-2004, Intel Corporation
OriginalFilename : IGFXSRVC.EXE

#:40 [apntex.exe]
FilePath : C:\Program Files\Apoint\
ProcessID : 3136
ThreadCreationTime : 8-31-2006 3:15:01 AM
BasePriority : Normal
FileVersion : 5.0.1.13
ProductVersion : 5.0.1.13
ProductName : Alps Pointing-device Driver for Windows NT/2000
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver for Windows NT/2000
InternalName : Alps Pointing-device Driver for Windows NT/2000
LegalCopyright : Copyright © 1998-2001 Alps Electric Co., Ltd.
OriginalFilename : ApntEx.exe

#:41 [outlook.exe]
FilePath : C:\Program Files\Microsoft Office\OFFICE11\
ProcessID : 3812
ThreadCreationTime : 8-31-2006 3:15:26 AM
BasePriority : Normal


#:42 [winword.exe]
FilePath : C:\Program Files\Microsoft Office\OFFICE11\
ProcessID : 3584
ThreadCreationTime : 8-31-2006 3:15:47 AM
BasePriority : Normal


#:43 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 3972
ThreadCreationTime : 8-31-2006 3:17:11 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:44 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3624
ThreadCreationTime : 8-31-2006 3:21:14 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jangel@statcounter[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:jangel@statcounter.com/
Expires : 8-29-2011 3:42:14 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 20



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 20




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20

11:41:36 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:12:58.440
Objects scanned:153379
Objects identified:1
Objects ignored:0
New critical objects:1



-----------------------------------------------------------------------------------------------------------------------

2) Ewido scan log

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:26:37 AM 8/31/2006

+ Scan result:



C:\Program Files\Enterasys Networks\Aurorean\IRConnect.exe -> Heuristic.Win32.Dialer : Ignored.


::Report end


---------------------------------------------------------------------------------------------------------------------------

3. Rapport.txt

SmitFraudFix v2.81

Scan done at 0:35:03.54, Thu 08/31/2006
Run from C:\Documents and Settings\jangel\Desktop\Virus August 27\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


----------------------------------------------------------------------------------------------------------------------------

4) Panda Scan Log


Incident | Status | Location

Dialer:dialer.avv | Not disinfected | c:\windows\downloaded program files\gdnUS2218.exe
Spyware:Cookie/Go | Not disinfected | C:\Documents and Settings\jangel\Cookies\jangel@go[2].txt
Potentially unwanted tool:Application/Processor | Not disinfected | C:\Documents and Settings\jangel\Desktop\Virus August 27\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SystemDoctor2006 | Not disinfected | C:\Documents and Settings\jangel\Local Settings\Application Data\6526aaf6.exe
Spyware:Cookie/Ccbill | Not disinfected | C:\Documents and Settings\jangel\Local Settings\Temp\Cookies\jangel@ccbill[1].txt
Spyware:Cookie/Go | Not disinfected | C:\Documents and Settings\jangel\Local Settings\Temp\Cookies\jangel@go[2].txt
Spyware:Cookie/Searchportal | Not disinfected | C:\Documents and Settings\jangel\Local Settings\Temp\Cookies\jangel@searchportal.information[1].txt
----------------------------------------------------------------------------------------------------------------------------


Again, thank you!!!!
LS CalamityJane
Open HijackThis and do a *system scan only*

When it finishes, place a checkmark next to these entries, then press the *fix checked* button

O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\Media-Codec\isaddon.dll (file missing)

O2 - BHO: (no name) - {6BEF7157-3D48-0BED-2B99-05DD3830FAC3} - C:\WINDOWS\system32\wwdgsnf.dll

O3 - Toolbar: Protection Bar - {860c2f6b-ca82-4282-9187-beccbb66f0af} - C:\Program Files\Media-Codec\iesplugin.dll (file missing)

O4 - HKLM\..\Run: [qtecyjc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\qtecyjc.dll,wzvuqt

Delete these files and folder (if found. Media-Codec may have already been deleted by SmitfraudFix)

C:\Documents and Settings\jangel\Local Settings\Application Data\6526aaf6.exe

C:\WINDOWS\System32\6526aaf6.exe

C:\Program Files\Media-Codec

C:\WINDOWS\system32\qtecyjc.dll

C:\WINDOWS\system32\wwdgsnf.dll

Reboot your PC. Let me know if that resolves the problem?
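
The entries singled out in the post above share traits that can be checked mechanically. As an added example (not part of the original post and not HijackThis's own logic), this Python parser reads O2/O3/O4 lines and attaches review hints; the heuristics and the final, constructed sample line are assumptions made for the illustration.

```python
import re

# The first four lines are the entries quoted in the post above; the last
# line is constructed for this example as a benign comparison.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\Media-Codec\isaddon.dll (file missing)
O2 - BHO: (no name) - {6BEF7157-3D48-0BED-2B99-05DD3830FAC3} - C:\WINDOWS\system32\wwdgsnf.dll
O3 - Toolbar: Protection Bar - {860c2f6b-ca82-4282-9187-beccbb66f0af} - C:\Program Files\Media-Codec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [qtecyjc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\qtecyjc.dll,wzvuqt
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
"""

ADDON = re.compile(r"^(O2|O3) - (?:BHO|Toolbar): .*? - (\{[0-9A-Fa-f-]{36}\})"
                   r" - (.+?)( \(file missing\))?$")
AUTORUN = re.compile(r"^(O4) - \S+\\Run: \[([^\]]*)\] (.+)$")

def parse_entry(line):
    """Return a dict for an O2/O3/O4 line, or None for anything else."""
    line = line.strip()
    m = ADDON.match(line)
    if m:
        return {"section": m.group(1), "clsid": m.group(2),
                "target": m.group(3), "missing": m.group(4) is not None}
    m = AUTORUN.match(line)
    if m:
        return {"section": m.group(1), "name": m.group(2),
                "target": m.group(3), "missing": False}
    return None

def reasons_for(entry):
    """Review hints for a human analyst (heuristics assumed for this example)."""
    target = entry["target"].lower()
    found = []
    if entry["missing"]:
        found.append("registration points at a file that no longer exists")
    if entry["section"] in ("O2", "O3") and re.search(r"\\system32\\[^\\]+\.dll$", target):
        found.append("browser add-on DLL loaded from system32")
    if entry["section"] == "O4" and "rundll32.exe" in target and ".dll" in target:
        found.append("autorun starts a DLL through rundll32.exe")
    return found

def triage(log_text):
    """Return (section, target, hints) for each parsed entry that has a hint."""
    entries = filter(None, map(parse_entry, log_text.splitlines()))
    return [(e["section"], e["target"], reasons_for(e)) for e in entries if reasons_for(e)]

if __name__ == "__main__":
    for section, target, hints in triage(SAMPLE_LOG):
        print(f"{section}  {target}\n    -> " + "; ".join(hints))
```

The hints only rank entries for a person to look at; a legitimate add-on or driver helper can match them too, so each flagged line still needs checking before it is fixed.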
plhwarrenj
CalamityJane,

It seems to have worked. You really do rock. Thank you sooooooooo much.
LS CalamityJane
You're quite welcome! Glad we could help :)

Some final cleanup and prevention recommendations follow.

You can go ahead and delete any special tools we used (SmitfraudFix, etc). They won't serve a future purpose and are replaced with updated versions frequently, so the copies you have are probably already out of date and there is no need to keep them.

Do a disk cleanup. Go to Start > Run and type in the box: Cleanmgr
Wait while Windows scans your system for files to delete.
Make sure these 3 are checkmarked and press *ok* to delete them.

Temporary Files
Temporary Internet Files
Recycle Bin

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Put a Checkmark in the box next to "Turn off System Restore".
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Remove the checkmark next to "Turn off System Restore".
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405
......................
I can't stress enough the importance of having your Windows critical Security Updates. Most malware today uses exploits on unpatched systems to creep onto your system without your even doing anything but visiting an infected webpage!!

Watch what you download, be careful where you surf, and don't trust attachments or even links in email and Instant messages. Even if they come from a buddy, that buddy could be the one infected and it is the virus sending that link from his account. You click on it thinking he is trusted, and *boom* you're infected.
Many "Phishing" attempts are made by cleverly crafted email to look like it is coming from an "official" source (like Microsoft, or your bank, or some other provider). Don't click on links in those. Go directly to the site instead and navigate the menus - don't trust email you think came from a "safe source" unless you are expecting it! There is more in the link I will provide below, but those are the choice avenues of infection these days.
Stay far AWAY from cracks and warez sites - you're sure to get infected files there, and the same can be said for files downloaded from p2p (more than half are usually infected and probably not detectable by your current security software - the newest nasties are always released in those venues).

A word about shared computers and networks.
Share Your PC
http://www.microsoft.com/windowsxp/using/s...hare/intro.mspx
Not all users need to have Admin Accounts. It is much safer to have most of your users on a shared system running as Limited User accounts. That way, if there is "an accident", it will only affect one user's account and not the entire system.


Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :)
How do I prevent Browser Hijacks and Spyware?
http://www.dslreports.com/faq/13620

I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE.
Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!
Windows Update
http://update.microsoft.com/microsoftupdate/

And see this link for instructions on how to configure the enhanced security features in SP2:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

I also highly recommend getting the free tool, Microsoft Baseline Security Analyzer (MBSA), from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

Also visit this Free Online Scanner from Microsoft for PC Health and Safety
http://safety.live.com/site/en-US/default.htm
and Microsoft Security At Home
http://www.microsoft.com/athome/security/default.mspx
for tips to Protect your PC, Protect yourself and Protect your Family.