In need of serious help, here is my log file.


Post by JFAC » May 8th, 2006, 8:18 pm

Logfile of HijackThis v1.99.1
Scan saved at 5:15:45 PM, on 5/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Access Remote PC 4\rpcsetup.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\Windows-KB890830-V1.15.exe
c:\d9b9e922f9a8a549a38d\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://yahoo.com/
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp3D4D.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6972741531
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/a ... _en_dl.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Access Remote PC Service 4.5 (RpcSvr4x) - Access Remote PC (http://www.access-remote-pc.com) - C:\Program Files\Access Remote PC 4\rpcsetup.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

My computer is getting more messed up each day. If you need me to tell you what my problem is, ask me; it will be long, but I need to get rid of this, it is killing me.
JFAC
Active Member
 
Posts: 4
Joined: May 8th, 2006, 8:12 pm

Post by jwbirdsong » May 8th, 2006, 10:09 pm

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Help with unzipping files is HERE

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe (it is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
jwbirdsong
Regular Member
 
Posts: 138
Joined: October 14th, 2005, 3:44 am

Post by JFAC » May 8th, 2006, 10:54 pm

Here you go, thanks for responding.

SmitFraudFix v2.41

Scan done at 19:53:40.17, Mon 05/08/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

C:\DOCUME~1\Owner\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8e99f990-b75a-4568-b3c8-24cbc8cbbfc1}"="AutoDisc Ware"

[HKEY_CLASSES_ROOT\CLSID\{8e99f990-b75a-4568-b3c8-24cbc8cbbfc1}\InProcServer32]
@="C:\WINDOWS\system32\autodisc32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{8e99f990-b75a-4568-b3c8-24cbc8cbbfc1}\InProcServer32]
@="C:\WINDOWS\system32\autodisc32.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
JFAC
Active Member
 
Posts: 4
Joined: May 8th, 2006, 8:12 pm
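An added example, not part of this thread or of the HijackThis/SmitfraudFix tools: a small Python triage script that cross-references the "Running processes" and R/O entries of the HijackThis log posted first against the "FOUND !" paths of the SmitfraudFix option #1 report posted above. The embedded log excerpts are constructed from a few lines of those two posts; the two structural rules (a BHO loaded from a .tmp file, a Run entry with a bare filename) are my own heuristics, not something either tool reports.

```python
import fnmatch
import re
from typing import Dict, List

# Constructed excerpt of the HijackThis log from the first post (trimmed to a few lines).
HJT_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp3D4D.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
"""

# Constructed excerpt of the SmitfraudFix option #1 ("Search") report posted above.
# SmitfraudFix writes "?" wildcards for randomly named files (hp????.tmp).
SMITFRAUD_REPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\1024\ FOUND !
"""

# HijackThis entries look like "O2 - BHO: <name> - {CLSID} - <path>" or "R0 - <key> = <value>".
HJT_ENTRY = re.compile(r"^[RO]\d+ - ")


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Split a HijackThis log into its running-process list and its R/O entries."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if not line:                      # blank line ends the process block
            in_processes = False
            continue
        if in_processes:
            processes.append(line)
        elif HJT_ENTRY.match(line):
            entries.append(line)
    return {"processes": processes, "entries": entries}


def parse_smitfraud_found(text: str) -> List[str]:
    """Collect every path SmitfraudFix marked 'FOUND !' (wildcards kept as-is)."""
    return [line.rsplit(" FOUND !", 1)[0].strip()
            for line in text.splitlines() if line.rstrip().endswith("FOUND !")]


def matches_found(path: str, found: List[str]) -> bool:
    """Case-insensitive match of a path against the FOUND list; '?' matches one character."""
    low = path.lower()
    return any(fnmatch.fnmatchcase(low, pat.lower()) for pat in found)


def entry_path(entry: str) -> str:
    """Best-effort: the file an R/O entry points at (last ' - ' field, or the
    command of an O4 Run entry with surrounding quotes removed)."""
    body = entry.split(" - ", 1)[1]
    if "\\Run: [" in body:                # O4 - HKLM\..\Run: [name] command
        cmd = body.split("] ", 1)[1].strip()
        return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd
    return body.rsplit(" - ", 1)[-1].strip()


def triage(hjt_text: str, smitfraud_text: str) -> List[dict]:
    """Findings: HijackThis lines whose path is on the SmitfraudFix FOUND list,
    plus two structural red flags (heuristics of this example, not of either tool)."""
    log = parse_hjt(hjt_text)
    found = parse_smitfraud_found(smitfraud_text)
    findings = []
    for proc in log["processes"]:
        if matches_found(proc, found):
            findings.append({"line": proc, "reason": "running process listed by SmitfraudFix"})
    for entry in log["entries"]:
        kind = entry.split(" - ", 1)[0]
        path = entry_path(entry)
        if matches_found(path, found):
            findings.append({"line": entry, "reason": "path listed by SmitfraudFix"})
        elif kind == "O2" and path.lower().endswith(".tmp"):
            # A browser helper object normally lives in a .dll under Program Files.
            findings.append({"line": entry, "reason": "BHO loaded from a .tmp file"})
        elif kind == "O4" and "\\" not in path:
            # No directory: the file is resolved through the search path, so verify it by hand.
            findings.append({"line": entry, "reason": "Run entry with bare filename (verify location)"})
    return findings


if __name__ == "__main__":
    for f in triage(HJT_LOG, SMITFRAUD_REPORT):
        print(f"{f['reason']:45s} {f['line']}")
```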

Post by jwbirdsong » May 8th, 2006, 11:47 pm

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download Ewido Anti Malware, it is a free version of the program.
  • Install ewido security suite
  • When installing the program, under "Additional Options" uncheck...
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should now be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files:
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Close Ewido
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

Run Ewido:
  • Once in Safe Mode start Ewido Anti Malware
  • Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
  • Click on Complete System Scan, the scan will now begin.
  • While the scan is in progress you will be prompted to clean files, click OK.
  • When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  • Click Save Report.
  • Now save the report .txt file to your desktop.
  • Close Ewido
STILL in Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please manually restart it into Normal Windows.

A text file should appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

Post
  • The Ewido log
  • A new HijackThis log
  • SmitfraudFix report (also found at C:\rapport.txt)
in your next reply here.

Warning: running option #2 on a non-infected computer will remove your Desktop background.
jwbirdsong
Regular Member
 
Posts: 138
Joined: October 14th, 2005, 3:44 am

Post by JFAC » May 9th, 2006, 8:41 pm

It took me a couple of hours to scan, but here it is; tell me if I need to add something. I think the thing is going away somewhat: my homepage is now MSN instead of that spyware homepage that wouldn't go away.

rapport-

SmitFraudFix v2.41

Scan done at 17:31:05.25, Tue 05/09/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\atmclk.exe Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\Owner\FAVORI~1\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:29:45 PM, 5/9/2006
+ Report-Checksum: A69B7817

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{58F07DD3-924D-4141-BC74-299F523A95F1} -> Adware.WebDir : Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@as.casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@com[1].txt -> TrackingCookie.Com : Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@cz2.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@vip2.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\bcjekmmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\cccgnlmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\cclcmimd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\chdjaomd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@com[2].txt -> TrackingCookie.Com : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@kmpads[1].txt -> TrackingCookie.Kmpads : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\dilijpmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\ecflfamd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\enmijpmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\fbigghmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\fopkaomd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\geiomjmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\hgfnmpmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\iihfpond.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\jhkbpimd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\keeihimd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\kgphekmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\kmfoaemd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\ldiajlnd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\maallmmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\pmblaomd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\X17HMG84\gdnUS2218[1].exe -> Downloader.Small.ayl : Cleaned without backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned without backup
C:\WINDOWS\system32\hp7068.tmp -> Downloader.Zlob.nn : Cleaned without backup
C:\WINDOWS\system32\hp7752.tmp -> Downloader.Zlob.nn : Cleaned without backup
C:\WINDOWS\system32\hp7CC1.tmp -> Downloader.Zlob.nn : Cleaned without backup
C:\WINDOWS\system32\hpAD0A.tmp -> Downloader.Zlob.nn : Cleaned without backup
C:\WINDOWS\Temp\bfambomd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\bhdlbfmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\bmpjcbmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\caljaomd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\chfcaknd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\dfcmjfmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\dineljmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\eiliglmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\embgfhmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\fndpjpmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\ganekmmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\ggbmlind.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\ggmjjpmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\glmgmfmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\heejommd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\hjnlaomd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\igcilcmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\ilnggnnd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\inpiogmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\kcfpeimd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\kpkgcimd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\lgalblmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\lmiejpmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\logonhmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\mkfglcnd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\nbblppmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\ncnnchnd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\nldfclmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\nldffkmd.exe -> Trojan.Dialer.ay : Cleaned without backup
C:\WINDOWS\Temp\nphpjpmd.exe -> Trojan.Dialer.ay : Cleaned without backup


::Report End
JFAC
Active Member
 
Posts: 4
Joined: May 8th, 2006, 8:12 pm

Post by jwbirdsong » May 9th, 2006, 8:59 pm

Is it possible that the Ewido log got cut off? If so, just post the remaining part. I still need a current HijackThis log, please.
jwbirdsong
Regular Member
 
Posts: 138
Joined: October 14th, 2005, 3:44 am

Post by JFAC » May 9th, 2006, 11:11 pm

No, it didn't get cut off, but here's my HijackThis log file.

C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Access Remote PC 4\rpcsetup.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://yahoo.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6972741531
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/a ... _en_dl.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Access Remote PC Service 4.5 (RpcSvr4x) - Access Remote PC (http://www.access-remote-pc.com) - C:\Program Files\Access Remote PC 4\rpcsetup.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
JFAC
Active Member
 
Posts: 4
Joined: May 8th, 2006, 8:12 pm

Post by jwbirdsong » May 10th, 2006, 1:54 am

Unless you have issues not reflected in your logs, your log is clean.

First, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
    1. Turn off System Restore.
      On the Desktop, right-click My Computer.
      Click Properties.
      Click the System Restore tab.
      Check Turn off System Restore.
      Click Apply, and then click OK.

    2. Restart your computer.

    3. Turn ON System Restore.
      On the Desktop, right-click My Computer.
      Click Properties.
      Click the System Restore tab.
      UN-Check Turn off System Restore.
      Click Apply, and then click OK.


System Restore will now be active again.

You may delete the SmitfraudFix folder from your desktop.

You should also update your Java by following the procedure HERE

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and downloads are available at the link in my signature.

Make SURE to read and follow the guidance in How Did I Get Infected in the First Place??
jwbirdsong
Regular Member
 
Posts: 138
Joined: October 14th, 2005, 3:44 am

Post by Nellie2 » May 21st, 2006, 4:39 pm

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints; you do not have to be registered to post. Just find your country room and register your complaint.

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

The help you receive here is free but you can help support this site from this link if you wish:
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK