
Trojan partially fixed? - SDfix & HJT log


Hello, and thank God for the help of you wonderful spyware gurus!


Thanks to some research here, I attempted to fix what I think is LookSky, but am unsure of what the final steps should be. Once the malware/spyware is fixed, I will do all the prevention measures mentioned in previous conclusion threads.




Some Trojan, likely from BitTorrent (since removed).


Took over the desktop: pop-ups, homepage on login, pop-ups and web pages all offering spyware protection, "computer infected", etc. Also a pop-up box indicated a possible Trojan.W32.LookSky problem.


I believe the computer is protected by McAfee per company IT. Personal computer at company office.


What I did:


- Ran Spybot S&D

- Ran Ad-Aware SE

- Downloaded and ran AVG

All found a bit of stuff; S&D found 200-ish problems.


- Ran HJT

Removed a few things that looked fishy, based on what others were told to remove.

(I know, I know, I should have posted first; probably removed a few good things. Sorry, live and learn!)


- Tried to run SmitfraudFix; it did not work, and indicated: "Reboot.exe file missing"...


- Ran SDFix

- Ready to run HJT again


Suspect wmpenv file


Results, at various steps:

1- Not sure at what step, but instead of continual pop-ups, McAfee started catching forced pop-ups as viruses every 10-15 seconds and deleting them. It caught 3 or 4 kinds, including:

C:\SDFix\Backup\wmpenv something file!!


2- Could no longer go on the internet. Just nothing.


3- I disabled McAfee to allow me to go online.


4- Can now go online.


5- Re-enabled McAfee (I think); no more pop-ups or prompts.


6- When I am idle, the desktop picture comes on, and when I move the mouse, I get popped back to the Windows login screen.




I am wondering what is remaining of this pesky problem, and how to fix it. Thanks for any help,

and hope others can learn from the fix!


I will run HJT and post after this.


Here is the SDFix report:


SDFix: Version 1.98


Run by Tony Schimek on Mon 08/13/2007 at 06:09 PM


Microsoft Windows XP [Version 5.1.2600]


Running From: C:\SDFix


Safe Mode:

Checking Services:



Restoring Windows Registry Values

Restoring Windows Default Hosts File

Restoring Default IE HomePage

Restoring Default Desktop Components Value





Normal Mode:

Checking Files:


Trojan Files Found:


C:\OLSTEMP.TMP - Deleted

C:\~WRD0001.TMP - Deleted

C:\Documents and Settings\Tony Schimek\Favorites\Error Cleaner.url - Deleted

C:\Documents and Settings\Tony Schimek\Favorites\Privacy Protector.url - Deleted

C:\Documents and Settings\Tony Schimek\Favorites\Spyware&Malware Protection.url - Deleted

C:\WINDOWS\privacy_danger\index.htm - Deleted

C:\WINDOWS\privacy_danger\images\capt.gif - Deleted

C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted

C:\WINDOWS\privacy_danger\images\down.gif - Deleted

C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted

C:\WINDOWS\dat.txt - Deleted

C:\WINDOWS\duocore.dll - Deleted

C:\WINDOWS\main_uninstaller.exe - Deleted

C:\WINDOWS\wmpconf.dll - Deleted

C:\WINDOWS\wmpenv.dll - Deleted



Folder C:\WINDOWS\privacy_danger - Removed


Removing Temp Files...


ADS Check:



No streams found.



No streams found.



No streams found.



No streams found.




Final Check:


Remaining Services:





Authorized Application Key Export:



"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"


"C:\\Program Files\\RDS\\FmIcsl.exe"="C:\\Program Files\\RDS\\FmIcsl.exe:*:Disabled:Ridoc Document System Ridoc Document Router Client Software."

"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"

"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:uTorrent"

"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"

"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"

"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"

"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"




"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:



Backups Folder: - C:\SDFix\backups\backups.zip


Files with Hidden Attributes:


C:\Documents and Settings\Tony Schimek\NetHood\resource on www.gostarpower.com\Desktop.ini




C:\Documents and Settings\Tony Schimek\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp

C:\Documents and Settings\Tony Schimek\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp

C:\Documents and Settings\Tony Schimek\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp

C:\Documents and Settings\Tony Schimek\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp

C:\Documents and Settings\Tony Schimek\Application Data\Microsoft\Word\~WRL0071.tmp

C:\Documents and Settings\Tony Schimek\Application Data\Microsoft\Word\~WRL0542.tmp

C:\Documents and Settings\Tony Schimek\Application Data\Microsoft\Word\~WRL2466.tmp

C:\Documents and Settings\Tony Schimek\Application Data\Microsoft\Word\~WRL2663.tmp

C:\Documents and Settings\Tony Schimek\Application Data\Microsoft\Word\~WRL2911.tmp

C:\Documents and Settings\Tony Schimek\Application Data\Microsoft\Word\~WRL3295.tmp

C:\Documents and Settings\Tony Schimek\Local Settings\Temp\BIT38.tmp

C:\Documents and Settings\Tony Schimek\Local Settings\Temp\BIT3D.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Checklists & Systems\~WRL0003.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Checklists & Systems\~WRL0281.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Checklists & Systems\~WRL0818.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Checklists & Systems\~WRL0939.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Checklists & Systems\~WRL1038.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Checklists & Systems\~WRL1157.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Checklists & Systems\~WRL2087.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Checklists & Systems\~WRL2426.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Checklists & Systems\~WRL2626.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Checklists & Systems\~WRL2852.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Checklists & Systems\~WRL3357.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Checklists & Systems\~WRL3829.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Hotline Documents\~WRL0179.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Investment Program\~WRL2042.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Leadfollowupletters\~WRL3066.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Listing Presention\~WRL0428.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Listing Presention\~WRL0450.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Listing Presention\~WRL1342.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Listing Presention\~WRL2186.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Listing Presention\~WRL2204.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Listing Presention\~WRL2858.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Listing Presention\~WRL3560.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Listing Presention\~WRL4067.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Listing Presention\~WRL4087.tmp

C:\Documents and Settings\Tony Schimek\My Documents\MLS Descriptions\~WRL2722.tmp

C:\Documents and Settings\Tony Schimek\My Documents\MLS Descriptions\~WRL3393.tmp

C:\Documents and Settings\Tony Schimek\My Documents\MOSB\~WRL1876.tmp

C:\Documents and Settings\Tony Schimek\My Documents\MOSB\~WRL2430.tmp

C:\Documents and Settings\Tony Schimek\My Documents\MOSB\~WRL2964.tmp

C:\Documents and Settings\Tony Schimek\My Documents\MOSB\~WRL3014.tmp

C:\Documents and Settings\Tony Schimek\My Documents\MOSB\~WRL3656.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Paw Paw Place\~WRL0003.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Paw Paw Place\~WRL1551.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Sanford Systems\~WRL0538.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Sanford Systems\~WRL2613.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Sanford Systems\~WRL2760.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Sanford Systems\~WRL2780.tmp

C:\Documents and Settings\Tony Schimek\My Documents\Website Documents\~WRL0004.tmp





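A practitioner reading the "Authorized Application Key Export" section of the SDFix report above would want to audit it rather than skim it: it is the Windows XP firewall's list of programs allowed to accept inbound connections, and it still carries Enabled exceptions for BitTorrent and uTorrent even though the poster says BitTorrent was removed. The script below is an added example written for this page, not part of SDFix or of the thread. It parses the .reg-style lines SDFix prints, then flags two things: an Enabled exception whose executable lives in a user-writable folder (Temp, Application Data), and an Enabled exception for a program that is no longer on disk. The sample input uses four lines copied from the log plus one constructed Temp\svchost.exe entry so the first rule has something to catch; the `exists` callback is an assumption so the check can run offline.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# One line of the SDFix "Authorized Application Key Export": a .reg-style
# "key"="value" pair in which backslashes and quotes are escaped with '\'.
LINE_RE = re.compile(r'^"(?P<key>(?:[^"\\]|\\.)*)"="(?P<val>(?:[^"\\]|\\.)*)"$')

# Folders an ordinary user can write to. A legitimate service has no business
# holding an Enabled inbound exception from here.
USER_WRITABLE_MARKERS = ("\\local settings\\temp\\", "\\application data\\", "\\temp\\")

# Constructed sample: four lines copied from the log above plus one made-up
# entry (the Temp\svchost.exe line) so the audit has a positive case.
SAMPLE_EXPORT = r'''
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:uTorrent"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe:*:Enabled:Windows Update"
'''


@dataclass
class FirewallException:
    path: str
    scope: str       # "*" means any remote address may connect
    enabled: bool
    name: str


def _unescape(s: str) -> str:
    # .reg escaping: a backslash protects the next character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_export(text: str) -> List[FirewallException]:
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path = _unescape(m.group("key"))
        val = _unescape(m.group("val"))
        # The value is "<path>:<scope>:<Enabled|Disabled>:<display name>" and
        # the path itself contains a colon, so peel it off using the key.
        if not val.lower().startswith(path.lower() + ":"):
            continue
        scope, state, name = val[len(path) + 1:].split(":", 2)
        entries.append(FirewallException(path, scope, state.lower() == "enabled", name))
    return entries


def audit(entries: List[FirewallException],
          exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, str]]:
    """Return (path, reason) for Enabled exceptions worth a second look."""
    findings = []
    for e in entries:
        if not e.enabled:
            continue
        low = e.path.lower()
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            findings.append((e.path, "enabled exception for a program in a user-writable folder"))
        elif not exists(e.path):
            findings.append((e.path, "stale rule: enabled exception for a program that is no longer on disk"))
    return findings


if __name__ == "__main__":
    # Pretend only the McAfee binary is still installed, as the poster says
    # BitTorrent was removed; on the real machine use the default os.path.exists.
    for path, reason in audit(parse_export(SAMPLE_EXPORT), exists=lambda p: "McAfee" in p):
        print(f"{reason}: {path}")
```

Stale Enabled rules are worth cleaning up even when the program is gone: if anything is later dropped at that path, it inherits an inbound exception with scope `*`.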

HJT just ran.


I believe there was a strange-looking O21 wmpenv and another O21; they seem to have been deleted.


Thanks for any guidance on what my next steps should be; I've done my best to get this far on my own!




Logfile of HijackThis v1.99.1

Scan saved at 4:43:28 PM, on 8/14/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)


Running processes:








C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe




C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint\Bin\LPSVS13N.EXE

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe







C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe


C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe


C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\McAfee\Common Framework\McTray.exe


C:\Program Files\Internet Explorer\iexplore.exe


C:\Program Files\Hijackthis\HijackThis.exe


O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll


O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [ePrint Service] C:\PROGRA~1\LEADTE~1\LEADTO~1\bin\EPRINT.EXE

O4 - HKLM\..\Run: [uniPrint] C:\PROGRA~1\UniPrint\Client\SetDfltSettings.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094476125278

O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: EPrint Service - Unknown owner - C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint\Bin\LPSVS13N.EXE

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

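Two entries in the HijackThis log above are easy to misread. The O23 line for the McAfee Framework Service ends in "(file missing)", yet the same FrameworkService.exe appears under Running processes; the image string still carries a stray quote and the /ServiceStart argument, so the flag is a display artifact of a quoted ImagePath with arguments, not a deleted binary. The O9 button with "(no file)" is the opposite case: a leftover CLSID whose target is genuinely gone. The script below is an added example for this page, not part of HijackThis or of the thread. It cross-references O23 service images against the Running processes block before trusting a "(file missing)" verdict, and separately flags "Unknown owner" services for a publisher check. The sample input is an excerpt built from lines of the posted log; a real run would read the saved hijackthis.log.

```python
import re
from typing import List, Set, Tuple

# Constructed excerpt of a HijackThis 1.99.1 log. The lines are taken from the
# log posted above; a real run would read the whole saved hijackthis.log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\DellSupport\DSAgnt.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

PROC_RE = re.compile(r"^[A-Za-z]:\\")                         # a "Running processes" line
ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")   # any O-numbered entry
O23_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<image>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)', re.IGNORECASE)

ORPHANED = "orphaned O9 button: target file is gone, safe to fix"
ARTIFACT = "HJT display artifact: quoted ImagePath with arguments, and the binary is running"
MISSING = "service image not found: confirm on disk before fixing"
NO_VENDOR = "no vendor string: verify the binary's publisher/signature before trusting it"


def parse_hjt(text: str) -> Tuple[Set[str], List[Tuple[str, str]]]:
    """Split a log into the set of running process paths and the O-entries."""
    procs, entries = set(), []
    for line in text.splitlines():
        line = line.strip()
        if PROC_RE.match(line):
            procs.add(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body")))
    return procs, entries


def image_path(raw: str) -> str:
    """Recover the executable from an O23 image string: drop HJT's
    '(file missing)' suffix, the stray quote and any service arguments."""
    raw = raw.replace("(file missing)", "").strip()
    m = EXE_RE.match(raw)
    return (m.group("path") if m else raw).strip('"')


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, entry, verdict) for the entries that need a decision."""
    procs, entries = parse_hjt(text)
    findings = []
    for section, body in entries:
        if section == "O9" and body.endswith("(no file)"):
            findings.append((section, body, ORPHANED))
        elif section == "O23":
            m = O23_RE.match(body)
            if not m:
                continue
            path = image_path(m.group("image"))
            if "(file missing)" in m.group("image"):
                # Only believe "missing" if the image is not in the process list.
                verdict = ARTIFACT if path.lower() in procs else MISSING
                findings.append((section, body, verdict))
            elif m.group("owner") == "Unknown owner":
                findings.append((section, body, NO_VENDOR))
    return findings


if __name__ == "__main__":
    for section, body, verdict in triage(SAMPLE_LOG):
        print(f"{section}: {verdict}\n    {body}")
```

The point of the cross-check is to avoid "fixing" a running security service on the strength of a parser quirk; an entry that is both absent from the process list and missing on disk is the one to investigate.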



Computer now starts up just fine.

Perhaps Trojan fixed.

Turned off screen saver, duh. :blushing:


Will proceed with running Spybot, AVG, Ad-Aware and SDFix one more time each.


Then implement clean up and protection steps.


Changing from IE to Firefox.


Worked on this for hours and hours; there still seem to be remnants of a problem.




(PS: Using IE 7)


1- McAfee AVERT again did a Virus Scan Alert, noted a Trojan, deleted:


C:\Documents and Settings\Tony Schimek\Local Settings\Temp\$452E0D99.t$m




2- Temporary Internet Files - set to auto update - I noticed disk space used is 1024 MB. Long list of things, including PC Pitstop and CastleCops image GIF files.


Q- Should I delete all TIFiles?


3- I downloaded and ran CC Cleaner (Unique Blue). Did not know it was a paid program. It found 1481 problems, which seems like a lot. I did not buy the program, but did delete the 15 free deletions allowed.

After restart, I noticed CC Cleaner was auto-starting, so I uninstalled the program pending further advice from this board.


While in Programs, I uninstalled Video Access Codec; it did not seem to be of any use.


4- I did a Windows Auto Update, 9 updates, then restarted.


5- Tried to run SmitfraudFix again; it would not work, and still noted the missing reboot.exe file.


6- Strange thing, new user added: I went to User Setup from Control Panel to set a password for myself, and there was a new user not there before, ASP.NET, with limited access, password protected. Not sure if this is the Trojan or a normal Windows Update thing. I deleted the user.


7- Ran AVG again; after 54 minutes and 41000 items, it had not found a problem, so I stopped the scan.




McAfee, which is set up to auto-start at startup, still seems to pick up some pop-up Trojan; otherwise the computer seems fine.


To anyone who may help:


Q- What should I do to find/eliminate any last problems?


Q- Should I delete all TIF files?


Thanks for any assistance; I have done my best so far, help appreciated!


Hi and welcome....


You have AVG7 and McAfee antivirus both running and active.

Running two is not recommended.

This causes system clashes and instability, and the possibility of false reports, with a huge waste of system resources.

You can keep both programs, but you must disable the real-time component of one AntiVirus, keeping it as an on-demand scanner, while the other AV will provide a real-time protection.

The alternative is to uninstall one AV and keep the other.


You make the call and if you need help uninstalling one please let me know.

Here are two articles where it is explained in detail.







This may explain one of your questions....

What is this new user account for(ASP.NET) ? What created it?





Please go to: VirusTotal




  • Click the Browse button and search for the following file: C:\WINDOWS\SYSTEM32\pdfxcsup.dll
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.






C:\SDFix\backups <--delete this folder

C:\Documents and Settings\Tony Schimek\Local Settings\Temp <--delete the contents of this folder, not the folder itself.



Download this Temp cleaner from this location....


Download: CCleaner (freeware)


Run the installer, and uncheck the option to install Yahoo toolbar (unless you want Yahoo toolbar).

Once installed, run CCleaner click the Windows [tab]

Select the following:


Next: click Options click the Settings tab

Uncheck: "Only delete files older than 48 hrs.", click Ok

Then click Run Cleaner (bottom right) then Exit

Note: Please do NOT use the Applications tab or the Issues icon. Keep to the

Cleaner icon and the Windows tab.






Download ComboFix from Here

IMPORTANT ! Place it on your Desktop.



Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall


When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply together with a new hijackthislog.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

After rebooting ensure your Security applications have been re-enabled.



In your next reply post:


New HJT log ran after the above scan

Comments on how your computer is running now

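Before uploading C:\WINDOWS\SYSTEM32\pdfxcsup.dll as the reply above asks, a practitioner would usually hash the file and look the hash up first: a hash lookup tells you whether the file has already been analysed without handing a copy of a file from a company machine to a third party, and the hashes are what you record in your notes either way. The snippet below is an added example for this page, not a tool from the thread or from VirusTotal. It hashes a file in chunks (so a large DLL is not read into memory at once) and builds the lookup address; the `/gui/file/<sha256>` URL form is VirusTotal's current web interface, not the 2007 one the reply refers to. The `demo()` function stands in for the real DLL with a temporary file containing the constructed bytes `abc`, whose digests are well known, so the block runs offline.

```python
import hashlib
import os
import tempfile
from typing import Dict

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so large DLLs need not fit in memory


def file_hashes(path: str) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of a file, computed in one pass over the bytes."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def virustotal_lookup_url(sha256_hex: str) -> str:
    # VirusTotal's web UI resolves a file page from its hash, so an existing
    # verdict can be read without uploading the file itself.
    return "https://www.virustotal.com/gui/file/" + sha256_hex


def demo() -> Dict[str, str]:
    """Constructed stand-in for C:\\WINDOWS\\SYSTEM32\\pdfxcsup.dll: a temporary
    file holding the bytes b"abc". On the real machine call
    file_hashes(r"C:\\WINDOWS\\SYSTEM32\\pdfxcsup.dll") instead."""
    fd, path = tempfile.mkstemp(suffix=".dll")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"abc")
        hashes = file_hashes(path)
    finally:
        os.remove(path)
    hashes["url"] = virustotal_lookup_url(hashes["sha256"])
    return hashes


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

If the hash is unknown to the service, uploading is the next step, and the scan report then belongs in the reply together with the hashes so anyone reading later can tell exactly which file was examined.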

Welcome back

Computer seems to be running just perfectly




C:\Qoobox <--delete this folder



These logs are clean, good job!


We can run another scan to check for remnants....




Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner


Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.


Click Yes, when prompted to install its ActiveX component.

(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

The program launches and downloads the latest definition files.

  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:Scan Archives

      Scan Mail Bases

  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.

There is no option to clean/disinfect, however, we need to analyze the information on the report.


To obtain the report:

Click on: Save Report As (above - red blinking arrow)

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar

In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.




In your next reply post:

Kaspersky log

New HJT log


And let me know what issues remain
