
Author Topic: I've received many trojan warnings!  (Read 23042 times)


stomper

    Topic Starter


    Rookie
    Re: I've received many trojan warnings!
    « Reply #15 on: November 22, 2007, 07:39:56 PM »
    These are all the pop-ups that show up in the task bar with the exclamation point inside a yellow triangle. They are popping up about every 2 minutes - one says I am infected with the latest version of Spyware.CyberLog-X; another says: NetWorm-i.Virus@fp; securityonpage.com pops up; protectroom.com pops up;
    I'm getting the monitor warnings about slowed down systems again; savetheinformation.com pops up; I'm getting Internet Explorer alerts about adware; PSW.x-Virtrojan; Trojn-Spy.win32@mx - these are all the original warnings I was getting.

    These may be just pop-ups to make you download the software, but we had them stopped. Why are they starting up again?

    They're popping up faster than I can type the names. All I did was download Firefox for better protection.

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: I've received many trojan warnings!
    « Reply #16 on: November 22, 2007, 07:42:39 PM »
    Step 1
    Complete this procedure completely including attaching the requested log before doing the second procedure.

    Download SmitfraudFix (by S!Ri) to your Desktop.

    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press Enter
    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

    Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/processutil/processutil.htm

    stomper

      Re: I've received many trojan warnings!
      « Reply #17 on: November 22, 2007, 08:55:39 PM »
      Had a hard time with this one. The first time I ran the program it hung up. By the time I realized it wasn't working I had to reboot the computer. The next time it worked, but when I tried to close the program I lost my whole desktop and had to reboot again. The third time it worked, but when I tried to post here IE hung up. Better hurry and post before it happens again.

      Here's the report.

      [saving disk space - old attachment deleted by admin]

      evilfantasy

      Re: I've received many trojan warnings!
      « Reply #18 on: November 22, 2007, 09:06:49 PM »
      Please download Combofix by sUBs from either here or here

      Save Combofix.exe to your Desktop.

      1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter at the prompt)
      2. When finished, it will produce a log for you.
      3. Attach that log in your next reply.

      Note:
      Do not mouseclick combofix's window while it's running. That may cause your computer to stall.

      stomper

        Re: I've received many trojan warnings!
        « Reply #19 on: November 23, 2007, 05:34:10 AM »
        Here's the Combofix report. A lot of websites popped up while it was running - hope that didn't interfere with the report.

        [saving disk space - old attachment deleted by admin]

        evilfantasy

        Re: I've received many trojan warnings!
        « Reply #20 on: November 23, 2007, 12:53:43 PM »
        OK, we need to run SUPERAntiSpyware.

        This time boot to safe mode to run it. We need NO internet connection at all. Physically disconnect the connection from the wall if needed.

        Then post the SUPER log and a fresh HijackThis log.

        stomper

          Re: I've received many trojan warnings!
          « Reply #21 on: November 23, 2007, 01:28:45 PM »
          I ran vundofix this morning and removed the bad files - everything seems to be working okay. Should I still run superantispyware?


          evilfantasy

          Re: I've received many trojan warnings!
          « Reply #22 on: November 23, 2007, 01:45:27 PM »
          Yes you should run SAS. There are a few entries in the combofix log that I am not sure about and will probably lead to a few more steps.

          Did you get Firefox installed?

          So we need the SAS log and a new HJT log. Be sure to get the HJT log after running SAS.


          stomper

            Re: I've received many trojan warnings!
            « Reply #23 on: November 23, 2007, 05:12:19 PM »
            Yes, I have Firefox installed. Here are my logs.


            [saving disk space - old attachment deleted by admin]

            evilfantasy

            Re: I've received many trojan warnings!
            « Reply #24 on: November 24, 2007, 10:40:25 AM »
            Delete these files/folders, as follows:

            * Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

            Quote
            Folder::
            C:\VundoFix Backups
            C:\WINDOWS\system32\cc1

            Registry::
            [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1A1D30A-5CF6-42DA-829C-B71CFF182A5C}]
            [HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]
            [HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]
            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutro]
            vtuutro.dll

            * Save this as CFScript on the desktop.
            * Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


            * ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

            Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.

            ==========

            Next run the Bitdefender Online Scan

            Please read carefully

            Run the BitDefender Online Scanner
            Agree to the license and then select Scan.
            DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED.
            That will make your logs huge and we don't need to see clean files.

            Once Bitdefender completes the scan:
            Click-on the Detected Problems tab.
            Then select Click here to export the scan report.

            When the window comes up to save the report, change the Save as type: box to:
            Text (Tab Delimited) (*.txt) and then in the File name box change the name to bdscan, then click Save.

            This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it. (Take notice of where you save it so you can find it later.)
            This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

            If you do not follow these steps, you will have an incorrect log or, worse, a log summary, which is useless to us.

            Post the bdscan.txt file as an Attachment.

            ==========

            Next Post
            combofix.txt log
            bdscan.txt log
            New HJT log
            as attachments

            stomper

              Re: I've received many trojan warnings!
              « Reply #25 on: November 24, 2007, 04:34:04 PM »
              I have the new logs but I've received a message the upload folder is full.

              evilfantasy

              Re: I've received many trojan warnings!
              « Reply #26 on: November 24, 2007, 04:39:34 PM »
              Yes you will need to copy and paste them.

              You may need to break them into two or three parts to fit them all in.

              stomper

                Re: I've received many trojan warnings!
                « Reply #27 on: November 24, 2007, 05:06:18 PM »
                I've tried uploading only 1 file - HJT, which is only 7 kb. I still received a message that the upload folder is full - contact an administrator.

                evilfantasy

                Re: I've received many trojan warnings!
                « Reply #28 on: November 24, 2007, 05:08:16 PM »
                Just copy the log off of the notepad and paste it in the reply.

                Not as an attachment, just right in the reply box.

                stomper

                  Re: I've received many trojan warnings!
                  « Reply #29 on: November 24, 2007, 06:20:21 PM »
                  Okay - didn't understand.
                  Here's combofix - part 1

                  ComboFix 07-11-19.3 - KATHY 2007-11-24 14:55:18.2 - NTFSx86
                  Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.543 [GMT -5:00]
                  Running from: C:\Documents and Settings\KATHY\Desktop\ComboFix.exe
                  Command switches used :: C:\Documents and Settings\KATHY\Desktop\CFScript.txt
                   * Created a new restore point
                  .

                     Unable to gain System Privileges

                  (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                  .

                  C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
                  C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
                  C:\Documents and Settings\KATHY\Desktop\Live Safety Center.lnk
                  C:\Documents and Settings\KATHY\Desktop\Online Security Guide.lnk
                  C:\Documents and Settings\KATHY\Favorites\Online Security Guide.lnk
                  C:\VundoFix Backups
                  C:\VundoFix Backups\hrkorrmn.dllbox.bad
                  C:\VundoFix Backups\husaaxdy.dll.bad
                  C:\VundoFix Backups\husaaxdy.dllbox.bad
                  C:\VundoFix Backups\kstlxzir.dllbox.bad
                  C:\VundoFix Backups\nothqsit.dll.bad
                  C:\VundoFix Backups\nothqsit.dllbox.bad
                  C:\VundoFix Backups\parmudte.dll.bad
                  C:\VundoFix Backups\rasdedwb.dll.bad
                  C:\WINDOWS\system32\cc1
                  C:\WINDOWS\system32\nothqsit.dllbox
                  C:\WINDOWS\system32\ssuvw.ini
                  C:\WINDOWS\system32\ssuvw.ini2
                  C:\WINDOWS\system32\wvuss.dll

                  .
                  (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

                  .
                  -------\LEGACY_DOMAINSERVICE
                  -------\DomainService


                  (((((((((((((((((((((((((   Files Created from 2007-10-24 to 2007-11-24  )))))))))))))))))))))))))))))))
                  .

                  2007-11-24 15:01   775,952      C:\WINDOWS\system32\pdupggjv.tmp
                  2007-11-24 07:42   775,952   ---hs----   C:\WINDOWS\system32\pdupggjv.ini
                  2007-11-22 21:58   53,248   --a------   C:\WINDOWS\system32\Process.exe
                  2007-11-22 21:07   0   --a------   C:\WINDOWS\nsreg.dat
                  2007-11-22 16:22   <DIR>   d--------   C:\WINDOWS\ERUNT
                  2007-11-22 13:58   <DIR>   d--------   C:\Program Files\Trend Micro
                  2007-11-22 09:29   <DIR>   d--------   C:\Program Files\Common Files\Scanner
                  2007-11-22 09:11   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\MailFrontier
                  2007-11-22 09:10   <DIR>   d--------   C:\WINDOWS\system32\ZoneLabs
                  2007-11-22 09:10   75,248   --a------   C:\WINDOWS\zllsputility.exe
                  2007-11-22 09:09   <DIR>   d--------   C:\WINDOWS\Internet Logs
                  2007-11-22 00:28   <DIR>   d--------   C:\Program Files\EsetOnlineScanner
                  2007-11-21 19:10   <DIR>   d--------   C:\Program Files\InCode Solutions
                  2007-11-21 19:08   <DIR>   d--------   C:\Program Files\RegCure
                  2007-11-21 19:04   <DIR>   d--------   C:\Program Files\CCleaner
                  2007-11-21 18:58   714,446   --ahs----   C:\WINDOWS\system32\pibpnavn.ini
                  2007-11-20 23:29   <DIR>   d--------   C:\Documents and Settings\KATHY\Application Data\Uniblue
                  2007-11-19 21:28   685,703   --ahs----   C:\WINDOWS\system32\rmsruhsm.ini
                  2007-11-19 18:26   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
                  2007-11-19 18:25   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
                  2007-11-19 18:25   <DIR>   d--------   C:\Documents and Settings\KATHY\Application Data\SUPERAntiSpyware.com
                  2007-11-19 18:10   <DIR>   d--------   C:\Program Files\Musicmatch
                  2007-11-18 15:05   <DIR>   d--------   C:\Program Files\Lavasoft
                  2007-11-18 15:05   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
                  2007-11-18 15:03   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
                  2007-11-17 18:14   <DIR>   d--------   C:\WINDOWS\system32\CDD0CCCED0D3D6
                  2007-11-17 18:14   124,416   --a------   C:\WINDOWS\system32\1114101214171A.exe
                  2007-11-17 15:25   108,544   --a------   C:\WINDOWS\system32\pxcpyi64.exe
                  2007-11-17 15:25   104,960   --a------   C:\WINDOWS\system32\pxinsi64.exe
                  2007-11-17 15:24   <DIR>   d--------   C:\Documents and Settings\KATHY\Application Data\Musicmatch
                  2007-11-17 15:24   503,808   --a------   C:\WINDOWS\system32\msvcp71.dll
                  2007-11-17 15:24   348,160   --a------   C:\WINDOWS\system32\msvcr71.dll
                  2007-11-17 15:24   89,088   --a------   C:\WINDOWS\system32\atl71.dll
                  2007-11-12 18:32   <DIR>   d--------   C:\Documents and Settings\KATHY\Application Data\Corel
                  2007-11-12 18:24   553,984   --a------   C:\WINDOWS\system32\rave.dll
                  2007-11-12 18:24   229,376   --a------   C:\WINDOWS\system32\rpza32.qtc
                  2007-11-12 18:24   211,456   --a------   C:\WINDOWS\system32\qd3d_ir2.q3x
                  2007-11-12 18:24   165,888   --a------   C:\WINDOWS\system32\smc32.qtc
                  2007-11-12 18:24   70,656   --a------   C:\WINDOWS\system32\3dviewer.dll
                  2007-11-12 18:24   32,768   --a------   C:\WINDOWS\system32\cmgr32.dll
                  2007-11-12 18:23   909,312   --a------   C:\WINDOWS\system32\qd3d.dll
                  2007-11-12 18:23   409,600   --a------   C:\WINDOWS\system32\scint78.dll
                  2007-11-12 18:23   345,600   --a------   C:\WINDOWS\system32\qtim32.dll
                  2007-11-12 18:23   108,032   --a------   C:\WINDOWS\system32\sh33w32.dll
                  2007-11-12 18:23   35,840   --a------   C:\WINDOWS\system32\navg32.qtc
                  2007-11-12 18:23   20,480   --a------   C:\WINDOWS\system32\raw32.qtc
                  2007-11-12 18:22   128,000   --a------   C:\WINDOWS\system32\mc32.qtc
                  2007-11-12 18:22   103,936   --a------   C:\WINDOWS\system32\rle32.qtc
                  2007-11-12 18:21   <DIR>   d--------   C:\WINDOWS\Favorites
                  2007-11-12 18:21   <DIR>   d--------   C:\Corel
                  2007-11-12 18:20   <DIR>   d--------   C:\WINDOWS\Corel

                  .
                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2007-11-24 12:45   81,472   ----a-w   C:\WINDOWS\system32\iyyjnglw.dll
                  2007-11-24 12:42   85,056   ----a-w   C:\WINDOWS\system32\vjggpudp.dll
                  2007-11-24 12:33   71,232   ----a-w   C:\WINDOWS\system32\fpdpnnjj.exe
                  2007-11-22 14:29   ---------   d-----w   C:\Program Files\Yahoo!
                  2007-11-19 23:35   ---------   d-----w   C:\Program Files\Canon
                  2007-11-19 23:10   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
                  2007-11-16 23:40   ---------   d-----w   C:\Program Files\DC++
                  2007-10-28 12:51   ---------   d-----w   C:\Documents and Settings\KATHY\Application Data\CoreFTP
                  2007-10-04 04:36   25,600   ----a-w   C:\WINDOWS\system32\WS2Fix.exe
                  2007-09-29 17:43   ---------   d-----w   C:\Documents and Settings\KATHY\Application Data\Ahead
                  2007-09-27 00:29   ---------   d-----w   C:\Program Files\Microsoft.NET
                  2007-09-06 21:14   1,086,952   ----a-w   C:\WINDOWS\system32\zpeng24.dll
                  2007-09-06 10:09   801,144   ----a-w   C:\WINDOWS\system32\aswBoot.exe
                  2007-09-06 10:00   95,608   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
                  2007-09-06 04:22   289,144   ----a-w   C:\WINDOWS\system32\VCCLSID.exe
                  .