
Smart Security Trojan got me...I think


This topic is locked
22 replies to this topic

#1 chewman
Journeyman (Members, 29 posts)

Posted 23 May 2005 - 05:02 PM

I don't recognize what I thought was my home PC. The wallpaper is "red" w/ads for SmartSecurity. A "snim.dll" can't be found when I start up. Did some research which led me to your site. Here's my log and I'd appreciate if you could help me regain control of my PC. Txs.

Logfile of HijackThis v1.99.1
Scan saved at 6:51:06 PM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crrl.exe
C:\Program Files\SPYGUARD\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\Cci.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Documents and Settings\John\Application Data\ersh.exe
C:\WINDOWS\System32\dderenv.exe
C:\WINDOWS\System32\?ttrib.exe
C:\DOCUME~1\John\LOCALS~1\Temp\temp25.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {99D54368-0118-55BE-9FED-B7883F55C2CF} - C:\WINDOWS\system32\atlht32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [appgu.exe] C:\WINDOWS\system32\appgu.exe
O4 - HKLM\..\Run: [Internet Component] C:\WINDOWS\System32\nwapanim.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKLM\..\Run: [Systemos Restart] Rundll32.exe pifn.dll, DllRegisterServer
O4 - HKLM\..\Run: [Ons] C:\WINDOWS\System32\Ahv.exe
O4 - HKLM\..\Run: [Hsh] C:\WINDOWS\System32\Cci.exe
O4 - HKLM\..\Run: [Rlm] C:\WINDOWS\Jlk.exe
O4 - HKLM\..\Run: [Onv] C:\WINDOWS\Rnv.exe
O4 - HKLM\..\Run: [Mgj] C:\WINDOWS\System32\Lop.exe
O4 - HKLM\..\Run: [Eve] C:\WINDOWS\Tka.exe
O4 - HKLM\..\Run: [Hld] C:\WINDOWS\Qkg.exe
O4 - HKLM\..\Run: [Jtf] C:\WINDOWS\System32\Ect.exe
O4 - HKLM\..\Run: [Okr] C:\WINDOWS\Gcj.exe
O4 - HKLM\..\Run: [Kuh] C:\WINDOWS\Kdb.exe
O4 - HKLM\..\Run: [Sgu] C:\WINDOWS\Nkj.exe
O4 - HKLM\..\Run: [Leh] C:\WINDOWS\Tlp.exe
O4 - HKLM\..\Run: [Gtt] C:\WINDOWS\Dtg.exe
O4 - HKLM\..\Run: [Asu] C:\WINDOWS\System32\Esm.exe
O4 - HKLM\..\Run: [Hen] C:\WINDOWS\System32\Rfq.exe
O4 - HKLM\..\Run: [Mjf] C:\WINDOWS\Cbl.exe
O4 - HKLM\..\Run: [Bfi] C:\WINDOWS\System32\Jfj.exe
O4 - HKLM\..\Run: [Qig] C:\WINDOWS\Fmj.exe
O4 - HKLM\..\Run: [Hvm] C:\WINDOWS\System32\Qiu.exe
O4 - HKLM\..\Run: [Uif] C:\WINDOWS\Gbd.exe
O4 - HKLM\..\Run: [Djl] C:\WINDOWS\System32\Jra.exe
O4 - HKLM\..\Run: [Keq] C:\WINDOWS\Etg.exe
O4 - HKLM\..\Run: [Jeh] C:\WINDOWS\System32\Ifn.exe
O4 - HKLM\..\Run: [Kgh] C:\WINDOWS\Dnl.exe
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [Nbn] C:\WINDOWS\System32\Csd.exe
O4 - HKLM\..\Run: [Jsq] C:\WINDOWS\Vkl.exe
O4 - HKLM\..\Run: [Etg] C:\WINDOWS\Dnk.exe
O4 - HKLM\..\Run: [Iag] C:\WINDOWS\System32\Dpu.exe
O4 - HKLM\..\Run: [Osj] C:\WINDOWS\System32\Jhd.exe
O4 - HKLM\..\Run: [Etq] C:\WINDOWS\Mnb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Ins] C:\WINDOWS\System32\Fss.exe
O4 - HKCU\..\Run: [Tsdt] C:\Documents and Settings\John\Application Data\ersh.exe
O4 - HKCU\..\Run: [IwoqRib4h] dderenv.exe
O4 - HKCU\..\Run: [Ugqtur] C:\WINDOWS\System32\?ttrib.exe
O4 - HKCU\..\Run: [xservice] C:\DOCUME~1\John\LOCALS~1\Temp\temp25.exe
O4 - HKCU\..\Run: [Bud] C:\WINDOWS\Tfa.exe
O4 - HKCU\..\Run: [Ekc] C:\WINDOWS\System32\Sov.exe
O4 - HKCU\..\Run: [Hsh] C:\WINDOWS\System32\Cci.exe
O4 - HKCU\..\Run: [Rlm] C:\WINDOWS\Jlk.exe
O4 - HKCU\..\Run: [Onv] C:\WINDOWS\Rnv.exe
O4 - HKCU\..\Run: [Kuh] C:\WINDOWS\Kdb.exe
O4 - HKCU\..\Run: [Sgu] C:\WINDOWS\Nkj.exe
O4 - HKCU\..\Run: [Leh] C:\WINDOWS\Tlp.exe
O4 - HKCU\..\Run: [Gtt] C:\WINDOWS\Dtg.exe
O4 - HKCU\..\Run: [Asu] C:\WINDOWS\System32\Esm.exe
O4 - HKCU\..\Run: [Hen] C:\WINDOWS\System32\Rfq.exe
O4 - HKCU\..\Run: [Mjf] C:\WINDOWS\Cbl.exe
O4 - HKCU\..\Run: [Bfi] C:\WINDOWS\System32\Jfj.exe
O4 - HKCU\..\Run: [Qig] C:\WINDOWS\Fmj.exe
O4 - HKCU\..\Run: [Hvm] C:\WINDOWS\System32\Qiu.exe
O4 - HKCU\..\Run: [Uif] C:\WINDOWS\Gbd.exe
O4 - HKCU\..\Run: [Djl] C:\WINDOWS\System32\Jra.exe
O4 - HKCU\..\Run: [Keq] C:\WINDOWS\Etg.exe
O4 - HKCU\..\Run: [Jeh] C:\WINDOWS\System32\Ifn.exe
O4 - HKCU\..\Run: [Kgh] C:\WINDOWS\Dnl.exe
O4 - HKCU\..\Run: [Nbn] C:\WINDOWS\System32\Csd.exe
O4 - HKCU\..\Run: [Jsq] C:\WINDOWS\Vkl.exe
O4 - HKCU\..\Run: [Etg] C:\WINDOWS\Dnk.exe
O4 - HKCU\..\Run: [Iag] C:\WINDOWS\System32\Dpu.exe
O4 - HKCU\..\Run: [Osj] C:\WINDOWS\System32\Jhd.exe
O4 - HKCU\..\Run: [Etq] C:\WINDOWS\Mnb.exe
O4 - Startup: WindowsUpdate40826[1].exe
O4 - Startup: winupdate30769450[1].exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {B8BF3C80-2914-416E-8D06-1634224BE0B4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B8BF3C80-2914-416E-8D06-1634224BE0B4} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 64.62.171.156
O15 - Trusted IP range: 64.62.171.156 (HKLM)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.c...cab/awswaxf.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://horse-active....ang/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4604
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq...D_v4_Member.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O21 - SSODL: Meeting Component - {858D970D-ABF2-4C6A-B744-A0ABD268155A} - C:\WINDOWS\System32\unipjxpw.dll
O21 - SSODL: NTDBGTOOL - {5CE4279B-967E-422E-BF8A-9AA5BEA566CF} - C:\WINDOWS\System32\mmcbidft.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\crrl.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\SPYGUARD\AVWUPSRV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#2 guestolo
Site Donator (Admin, 16,247 posts)

Posted 23 May 2005 - 09:05 PM

You have a few different problems in your log. I need you to download a few tools.
Try and do all the following I ask; it may seem like a bit, but most scans don't take too long to finish, with the exception of Ewido.
But it is a valuable tool to help eliminate the infections.

==Download and UNZIP to desktop or a folder Cwsserviceremove.zip so you now have
cwserviceremove.reg extracted
We'll need this later
(attached: Cwsserviceremove.zip)

==Download and UNZIP to desktop or a folder
HSFIX.zip
HSFix directory will be created
We'll need this later

==Download and save to desktop or a folder
DelDomains.inf
http://www.mvps.org/.../DelDomains.inf
We'll need this later>>If using a Mozilla browser, right click on that link and SAVE Link As

==Download and then Install
Ewido Trojan Scanner

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later

==Download and Install this small program
to help clean your temp folders, cookies, etc...
Windows Cleanup
Give the link time to load or try it twice, it may be busy
We'll need this later

==Download to desktop About:Buster.zip
by RubbeR Ducky
Unzip the contents to desktop, a folder will be placed on your desktop
Open it and run About:buster.exe
Click the Update Button and check for updates, if any, download them
Then close it for now, we'll need this later

==Download and UNZIP to a folder or desktop
Fixdesktop.zip
So you now have Fixdesktop.reg extracted

==Download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
* Save it to your desktop or a folder

Please Print this out or save these instructions to a Notepad file and save it to your Desktop or a folder

Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service name: Network Security Service

Double click on it and STOP the service, if running.
In the drop down menu, change the startup type to Disabled.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

Open a Notepad file..Go to START>>RUN>>Type in notepad
Hit OK

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

Killbox file paths to copy and paste to Notepad between dotted lines
===========================================
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
C:\WINDOWS\system32\uqjlv.dll
C:\WINDOWS\System32\Cci.exe
C:\WINDOWS\System32\dderenv.exe
C:\DOCUME~1\John\LOCALS~1\Temp\temp25.exe
C:\WINDOWS\System32\unipjxpw.dll
C:\WINDOWS\System32\mmcbidft.dll
C:\Documents and Settings\John\Application Data\ersh.exe
C:\WINDOWS\system32\atlht32.dll
C:\WINDOWS\system32\appgu.exe
C:\WINDOWS\System32\nwapanim.exe
C:\WINDOWS\System32\Ahv.exe
C:\WINDOWS\System32\Cci.exe
C:\WINDOWS\Jlk.exe
C:\WINDOWS\Rnv.exe
C:\WINDOWS\System32\Lop.exe
C:\WINDOWS\Tka.exe
C:\WINDOWS\Qkg.exe
C:\WINDOWS\System32\Ect.exe
C:\WINDOWS\Gcj.exe
C:\WINDOWS\Kdb.exe
C:\WINDOWS\Nkj.exe
C:\WINDOWS\Tlp.exe
C:\WINDOWS\Dtg.exe
C:\WINDOWS\System32\Esm.exe
C:\WINDOWS\System32\Rfq.exe
C:\WINDOWS\Cbl.exe
C:\WINDOWS\System32\Jfj.exe
C:\WINDOWS\Fmj.exe
C:\WINDOWS\System32\Qiu.exe
C:\WINDOWS\Gbd.exe
C:\WINDOWS\System32\Jra.exe
C:\WINDOWS\Etg.exe
C:\WINDOWS\System32\Ifn.exe
C:\WINDOWS\Dnl.exe
C:\WINDOWS\System32\Csd.exe
C:\WINDOWS\Vkl.exe
C:\WINDOWS\Dnk.exe
C:\WINDOWS\System32\Dpu.exe
C:\WINDOWS\System32\Jhd.exe
C:\WINDOWS\Mnb.exe
C:\WINDOWS\System32\Fss.exe
C:\WINDOWS\Tfa.exe
C:\WINDOWS\System32\Sov.exe
C:\WINDOWS\System32\Cci.exe
C:\WINDOWS\Jlk.exe
C:\WINDOWS\Rnv.exe
C:\WINDOWS\Kdb.exe
C:\WINDOWS\Nkj.exe
C:\WINDOWS\Tlp.exe
C:\WINDOWS\Dtg.exe
C:\WINDOWS\System32\Esm.exe
C:\WINDOWS\System32\Rfq.exe
C:\WINDOWS\Cbl.exe
C:\WINDOWS\System32\Jfj.exe
C:\WINDOWS\Fmj.exe
C:\WINDOWS\System32\Qiu.exe
C:\WINDOWS\Gbd.exe
C:\WINDOWS\System32\Jra.exe
C:\WINDOWS\Etg.exe
C:\WINDOWS\System32\Ifn.exe
C:\WINDOWS\Dnl.exe
C:\WINDOWS\System32\Csd.exe
C:\WINDOWS\Vkl.exe
C:\WINDOWS\Dnk.exe
C:\WINDOWS\System32\Dpu.exe
C:\WINDOWS\System32\Jhd.exe
C:\WINDOWS\Mnb.exe
C:\WINDOWS\system32\crrl.exe
C:\WINDOWS\Web\Desktop.html
C:\Documents and Settings\John\Start Menu\Programs\Startup\WindowsUpdate40826[1].exe
C:\Documents and Settings\John\Start Menu\Programs\Startup\winupdate30769450[1].exe

===================================================
* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.


*Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

In SAFE MODE

Using Windows Explorer, Manually navigate and delete these folders if found

C:\Program Files\Search Maid
C:\Program Files\Security IGuard
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files

==Start About:Buster and hit OK. Now for the scanning part. Hit Start and then OK. The program should start scanning. Scan a second time. Save the log... Then hit Exit.
You may have to scan more than twice; try 3 or 4 times until no files or Data Streams are found.

*Double Click on Fixdesktop.reg and allow to merge to the registry
*Double click on cwserviceremove.reg also allow to add or merge

==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

==Navigate to the HSFix directory>>Open the folder, ensure you unzipped this
and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt. <--we'll need this later

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done

==Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report

Do another scan with Hijackthis and put a check next to these entries:
Not all may be found, but fix what exists

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {99D54368-0118-55BE-9FED-B7883F55C2CF} - C:\WINDOWS\system32\atlht32.dll

O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [appgu.exe] C:\WINDOWS\system32\appgu.exe
O4 - HKLM\..\Run: [Internet Component] C:\WINDOWS\System32\nwapanim.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKLM\..\Run: [Systemos Restart] Rundll32.exe pifn.dll, DllRegisterServer
O4 - HKLM\..\Run: [Ons] C:\WINDOWS\System32\Ahv.exe
O4 - HKLM\..\Run: [Hsh] C:\WINDOWS\System32\Cci.exe
O4 - HKLM\..\Run: [Rlm] C:\WINDOWS\Jlk.exe
O4 - HKLM\..\Run: [Onv] C:\WINDOWS\Rnv.exe
O4 - HKLM\..\Run: [Mgj] C:\WINDOWS\System32\Lop.exe
O4 - HKLM\..\Run: [Eve] C:\WINDOWS\Tka.exe
O4 - HKLM\..\Run: [Hld] C:\WINDOWS\Qkg.exe
O4 - HKLM\..\Run: [Jtf] C:\WINDOWS\System32\Ect.exe
O4 - HKLM\..\Run: [Okr] C:\WINDOWS\Gcj.exe
O4 - HKLM\..\Run: [Kuh] C:\WINDOWS\Kdb.exe
O4 - HKLM\..\Run: [Sgu] C:\WINDOWS\Nkj.exe
O4 - HKLM\..\Run: [Leh] C:\WINDOWS\Tlp.exe
O4 - HKLM\..\Run: [Gtt] C:\WINDOWS\Dtg.exe
O4 - HKLM\..\Run: [Asu] C:\WINDOWS\System32\Esm.exe
O4 - HKLM\..\Run: [Hen] C:\WINDOWS\System32\Rfq.exe
O4 - HKLM\..\Run: [Mjf] C:\WINDOWS\Cbl.exe
O4 - HKLM\..\Run: [Bfi] C:\WINDOWS\System32\Jfj.exe
O4 - HKLM\..\Run: [Qig] C:\WINDOWS\Fmj.exe
O4 - HKLM\..\Run: [Hvm] C:\WINDOWS\System32\Qiu.exe
O4 - HKLM\..\Run: [Uif] C:\WINDOWS\Gbd.exe
O4 - HKLM\..\Run: [Djl] C:\WINDOWS\System32\Jra.exe
O4 - HKLM\..\Run: [Keq] C:\WINDOWS\Etg.exe
O4 - HKLM\..\Run: [Jeh] C:\WINDOWS\System32\Ifn.exe
O4 - HKLM\..\Run: [Kgh] C:\WINDOWS\Dnl.exe
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [Nbn] C:\WINDOWS\System32\Csd.exe
O4 - HKLM\..\Run: [Jsq] C:\WINDOWS\Vkl.exe
O4 - HKLM\..\Run: [Etg] C:\WINDOWS\Dnk.exe
O4 - HKLM\..\Run: [Iag] C:\WINDOWS\System32\Dpu.exe
O4 - HKLM\..\Run: [Osj] C:\WINDOWS\System32\Jhd.exe
O4 - HKLM\..\Run: [Etq] C:\WINDOWS\Mnb.exe

O4 - HKCU\..\Run: [Ins] C:\WINDOWS\System32\Fss.exe
O4 - HKCU\..\Run: [Tsdt] C:\Documents and Settings\John\Application Data\ersh.exe
O4 - HKCU\..\Run: [IwoqRib4h] dderenv.exe
O4 - HKCU\..\Run: [Ugqtur] C:\WINDOWS\System32\?ttrib.exe
O4 - HKCU\..\Run: [xservice] C:\DOCUME~1\John\LOCALS~1\Temp\temp25.exe
O4 - HKCU\..\Run: [Bud] C:\WINDOWS\Tfa.exe
O4 - HKCU\..\Run: [Ekc] C:\WINDOWS\System32\Sov.exe
O4 - HKCU\..\Run: [Hsh] C:\WINDOWS\System32\Cci.exe
O4 - HKCU\..\Run: [Rlm] C:\WINDOWS\Jlk.exe
O4 - HKCU\..\Run: [Onv] C:\WINDOWS\Rnv.exe
O4 - HKCU\..\Run: [Kuh] C:\WINDOWS\Kdb.exe
O4 - HKCU\..\Run: [Sgu] C:\WINDOWS\Nkj.exe
O4 - HKCU\..\Run: [Leh] C:\WINDOWS\Tlp.exe
O4 - HKCU\..\Run: [Gtt] C:\WINDOWS\Dtg.exe
O4 - HKCU\..\Run: [Asu] C:\WINDOWS\System32\Esm.exe
O4 - HKCU\..\Run: [Hen] C:\WINDOWS\System32\Rfq.exe
O4 - HKCU\..\Run: [Mjf] C:\WINDOWS\Cbl.exe
O4 - HKCU\..\Run: [Bfi] C:\WINDOWS\System32\Jfj.exe
O4 - HKCU\..\Run: [Qig] C:\WINDOWS\Fmj.exe
O4 - HKCU\..\Run: [Hvm] C:\WINDOWS\System32\Qiu.exe
O4 - HKCU\..\Run: [Uif] C:\WINDOWS\Gbd.exe
O4 - HKCU\..\Run: [Djl] C:\WINDOWS\System32\Jra.exe
O4 - HKCU\..\Run: [Keq] C:\WINDOWS\Etg.exe
O4 - HKCU\..\Run: [Jeh] C:\WINDOWS\System32\Ifn.exe
O4 - HKCU\..\Run: [Kgh] C:\WINDOWS\Dnl.exe
O4 - HKCU\..\Run: [Nbn] C:\WINDOWS\System32\Csd.exe
O4 - HKCU\..\Run: [Jsq] C:\WINDOWS\Vkl.exe
O4 - HKCU\..\Run: [Etg] C:\WINDOWS\Dnk.exe
O4 - HKCU\..\Run: [Iag] C:\WINDOWS\System32\Dpu.exe
O4 - HKCU\..\Run: [Osj] C:\WINDOWS\System32\Jhd.exe
O4 - HKCU\..\Run: [Etq] C:\WINDOWS\Mnb.exe
O4 - Startup: WindowsUpdate40826[1].exe
O4 - Startup: winupdate30769450[1].exe

O9 - Extra button: Microsoft AntiSpyware helper - {B8BF3C80-2914-416E-8D06-1634224BE0B4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B8BF3C80-2914-416E-8D06-1634224BE0B4} - (no file) (HKCU)

O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 64.62.171.156
O15 - Trusted IP range: 64.62.171.156 (HKLM)

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://horse-active....ang/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4604

O21 - SSODL: Meeting Component - {858D970D-ABF2-4C6A-B744-A0ABD268155A} - C:\WINDOWS\System32\unipjxpw.dll
O21 - SSODL: NTDBGTOOL - {5CE4279B-967E-422E-BF8A-9AA5BEA566CF} - C:\WINDOWS\System32\mmcbidft.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\crrl.exe


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

RESTART back to Normal mode

==Do the following
1. In the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Change your background>>You can change it back later if preferred
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Uncheck "Security" or Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything unchecked

Back in Windows
Do another scan with Hijackthis and post a fresh log
Also post the report from Ewido
The log from About:Buster
The log from HSFix.bat>>C:\hslog.txt
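The log chewman posted at the top of the thread and guestolo's request for a fresh log at the end are the two halves of one defender's workflow: pick out the hostile entries, fix them, then confirm from a new log that they are gone. The script below is an added example (not code from this thread, from HijackThis, or from any of the tools named above) that parses the R/O entry lines of a HijackThis log, flags entries with heuristics modelled on what guestolo acted on (res:// search hijacks, Run entries pointing at random three-letter executables or into Temp/Application Data, Rundll32 DllRegisterServer entries, executables dropped into the Startup folder, Trusted Zone additions, SSODL DLLs with random names, vendor-less services with short random binary names), and diffs a "before" log against a constructed "after" log to list what survived the cleanup. The regexes, the name-length thresholds and both sample logs are assumptions built for this example and tuned to this one log; on other logs they will miss things and over-flag others, so every hit is a prompt for review, not a verdict.

```python
"""HijackThis log triage: flag suspicious entries and diff a fresh log.

Added example, not code from the forum thread or from HijackThis. The
heuristics are assumptions tuned to the signals the helper acted on.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    section: str  # HijackThis section code: "R1", "O4", "O15", ...
    body: str     # everything after "<code> - "


LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (.*)$")
RANDOM_EXE_RE = re.compile(r"\\[A-Z][a-z]{2}\.exe$")   # C:\WINDOWS\Jlk.exe style (assumed)
RANDOM_DLL_RE = re.compile(r"\\[a-z]{8}\.dll$")         # unipjxpw.dll style (assumed)
SHORT_SVC_RE = re.compile(r"\\[a-z]{4}\.exe$")          # crrl.exe style (assumed)


def parse_log(text: str) -> list[Entry]:
    """Keep only R/O entry lines; the header and process list are skipped."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def flag(e: Entry) -> Optional[str]:
    """Reason the entry deserves a look, or None if no heuristic fires."""
    s, b = e.section, e.body
    if s in ("R0", "R1"):
        if "res://" in b:
            return "IE search/start page redirected into a local DLL resource"
        if "Default_Page_URL = about:blank" in b:
            return "IE default page blanked"
    elif s == "R3" and "URLSearchHook is missing" in b:
        return "default URLSearchHook removed"
    elif s == "O2" and b.startswith("BHO: Class - "):
        return "BHO registered under a generic placeholder name"
    elif s == "O4":
        if b.startswith("Startup: ") and b.lower().endswith(".exe"):
            return "executable dropped straight into the Startup folder"
        m = RUN_RE.match(b)
        if m:
            target, low = m.group(1), m.group(1).lower()
            if "rundll32" in low and "dllregisterserver" in low:
                return "Run entry re-registers a DLL at every logon"
            if "\\temp\\" in low or "\\application data\\" in low:
                return "Run target lives in a temp or profile data folder"
            if RANDOM_EXE_RE.search(target):
                return "Run target has a random three-letter name"
    elif s == "O15":
        return "site or IP range added to the IE Trusted zone"
    elif s == "O21" and RANDOM_DLL_RE.search(b):
        return "ShellServiceObjectDelayLoad DLL with a random name"
    elif s == "O23" and "Unknown owner" in b and SHORT_SVC_RE.search(b):
        return "service with no vendor string and a random short binary name"
    return None


def triage(text: str) -> list[tuple[Entry, str]]:
    """Every flagged entry with its reason, in log order."""
    return [(e, r) for e in parse_log(text) for r in [flag(e)] if r]


def still_present(before: str, after: str) -> list[Entry]:
    """Flagged entries from the first log that reappear verbatim in a fresh one."""
    survivors = set(parse_log(after))
    return [e for e, _ in triage(before) if e in survivors]


# Constructed sample: lines lifted from the posted log, plus one benign Run entry.
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {99D54368-0118-55BE-9FED-B7883F55C2CF} - C:\WINDOWS\system32\atlht32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKLM\..\Run: [Ons] C:\WINDOWS\System32\Ahv.exe
O4 - HKCU\..\Run: [Tsdt] C:\Documents and Settings\John\Application Data\ersh.exe
O4 - HKCU\..\Run: [xservice] C:\DOCUME~1\John\LOCALS~1\Temp\temp25.exe
O4 - Startup: WindowsUpdate40826[1].exe
O15 - Trusted Zone: *.blazefind.com
O21 - SSODL: Meeting Component - {858D970D-ABF2-4C6A-B744-A0ABD268155A} - C:\WINDOWS\System32\unipjxpw.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\crrl.exe
"""

# Constructed "fresh log" after cleanup: two flagged entries deliberately survive.
AFTER_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ons] C:\WINDOWS\System32\Ahv.exe
"""

if __name__ == "__main__":
    for e, why in triage(BEFORE_LOG):
        print(f"{e.section:<3} {why}: {e.body}")
    print("still present:", [e.body for e in still_present(BEFORE_LOG, AFTER_LOG)])
```

Run it as-is to see the flagged list for the constructed sample; to use it on a real thread, paste the first posted log into `BEFORE_LOG` and the fresh one into `AFTER_LOG`, and the `still_present` output is the list a helper would check before asking for another round. The diff compares entry lines verbatim, so an entry whose path changed between reboots (a re-dropped random name) will show up as a new `triage` hit rather than as a survivor.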
