Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Constantly redirected to dubious Google search pages

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Constantly redirected to dubious Google search pages

Unread postby Mojo » January 9th, 2007, 6:29 pm

Last week my computer became slow and when I tried to access certain web sites I was redirected to Google search pages which listed dubious sites [soft porn dating, gambling etc]. A McAfee virus scan rvealed
Exploit WMF which was apparently successfully removed. I followed the advice of this forum and have scanned with Ad-Aware, Spybot, TrojanHunter, and Norton anti-virus and all is clear. However, the problem has become worse. I am using IE version 7 and when I try to access certain web sites [whose addresses aren't in the least bit similar to dodgy sites] I get the results of Google search page of dubious sites.

Can anyone help as it is proving very frustrating. I am using Windows XP and I am a bit of a novice. Here is my HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:02:34, on 09/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Intense Language Office\COMMON\Offman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [Play_PC_Backup] C:\Program Files\PC Backup\pcbackup.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.c ... egucfg.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3232885125
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0990220234
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h ... mDlBrg.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdeskt ... reQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} - http://register.btinternet.com/template ... rol023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{623A92A2-68A4-4CA9-B2C9-AEE4BBA7ADC7}: NameServer = 85.255.114.59,85.255.112.211
O17 - HKLM\System\CCS\Services\Tcpip\..\{E24D954C-8F44-406D-9A02-7593460D9A4F}: NameServer = 85.255.114.59,85.255.112.211
O17 - HKLM\System\CCS\Services\Tcpip\..\{E82FE74D-F547-44CB-902B-AE6DBCF40C48}: NameServer = 85.255.114.59,85.255.112.211
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.59 85.255.112.211
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.59 85.255.112.211
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Many thanks from Mojo
Mojo
Regular Member
 
Posts: 50
Joined: July 4th, 2005, 7:34 am
Advertisement
Register to Remove

Unread postby Shaba » January 10th, 2007, 3:38 am

Hi Mojo

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/l ... areout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby Mojo » January 10th, 2007, 7:44 am

Thanks Shaba - really appreciate your help. Here is the Fixwareout report, and the new Hijackthis log:

Fixwareout
Last edited 1/1/2006
Post this report in the forums please
...
Prerun check
»»»»» HKLM run and Winlogon System values
C:\WINDOWS\system32\kdpgv.exe will be moved to C:\WINDOWS\temp\kdpgv.ren at reboot.
»»»»» System restarted
...
Reg Entries that were deleted
...
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

»»»»» Postrun check
»»»»» HKLM run
»»»»» Winlogon System value
"system"=""
»»»»»
__________________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 11:31:00, on 10/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Intense Language Office\COMMON\Offman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\MLC\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [Play_PC_Backup] C:\Program Files\PC Backup\pcbackup.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.c ... egucfg.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3232885125
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0990220234
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h ... mDlBrg.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdeskt ... reQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} - http://register.btinternet.com/template ... rol023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{623A92A2-68A4-4CA9-B2C9-AEE4BBA7ADC7}: NameServer = 85.255.114.59,85.255.112.211
O17 - HKLM\System\CCS\Services\Tcpip\..\{E24D954C-8F44-406D-9A02-7593460D9A4F}: NameServer = 85.255.114.59,85.255.112.211
O17 - HKLM\System\CCS\Services\Tcpip\..\{E82FE74D-F547-44CB-902B-AE6DBCF40C48}: NameServer = 85.255.114.59,85.255.112.211
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.59 85.255.112.211
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.59 85.255.112.211
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Mojo
Mojo
Regular Member
 
Posts: 50
Joined: July 4th, 2005, 7:34 am

Unread postby Shaba » January 10th, 2007, 11:50 am

Hi

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{623A92A2-68A4-4CA9-B2C9-AEE4BBA7ADC7}: NameServer = 85.255.114.59,85.255.112.211
O17 - HKLM\System\CCS\Services\Tcpip\..\{E24D954C-8F44-406D-9A02-7593460D9A4F}: NameServer = 85.255.114.59,85.255.112.211
O17 - HKLM\System\CCS\Services\Tcpip\..\{E82FE74D-F547-44CB-902B-AE6DBCF40C48}: NameServer = 85.255.114.59,85.255.112.211
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.59 85.255.112.211
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.59 85.255.112.211


Close all windows including browser and press fix checked.

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete... under Browsing History.
  • Next to Temporary Internet Files, click Delete files, and then click OK.
  • Next to Cookies, click Delete cookies, and then click OK.
  • Next to History, click Delete history, and then click OK.
  • Click the Close button.
  • Click OK.
For Internet Explorer 4.x - 6.x
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
For Netscape 4.x and Up
  • Click Edit from the Netscape menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the triangle sign.
  • Click Cache.
  • Click both the Clear Memory Cache and the Clear Disk Cache buttons.
For Mozilla 1.x and Up
  • Click Edit from the Mozilla menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the plus sign.
  • Click Cache.
  • Click the Clear Cache button.
For Opera
  • Click File from the Opera menubar.
  • Click Preferences... from the File menu.
  • Click the History and Cache menu.
  • Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
  • Click Ok to close the Preferences menu.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________

Re-run fixwareout

Please post:
  1. c:\fixwareout\report.txt
  2. AVG Anti-Spyware log
  3. A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby Mojo » January 10th, 2007, 3:09 pm

Many thanks Shaba. Here are the reports for AVG Anti-Spyware & Fixwareout. I'll send you the HijackThis report as a separate reply in case it gets cut off.

AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 18:07:23 10/01/2007
+ Scan result:
C:\Program Files\eMedia Codec -> Trojan.Small : Cleaned with backup (quarantined).
::Report end
---------------------------------------------------------

Fixwareout
Last edited 1/1/2006
Post this report in the forums please
...
Prerun check
»»»»» HKLM run and Winlogon System values
»»»»» System restarted
...
Reg Entries that were deleted
...
Random Runs removed from HKLM
...
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

»»»»» Postrun check
»»»»» HKLM run
»»»»» Winlogon System value
"system"=""
»»»»»

..............please see next reply for HijackThis log
Mojo
Mojo
Regular Member
 
Posts: 50
Joined: July 4th, 2005, 7:34 am

Unread postby Mojo » January 10th, 2007, 3:12 pm

Shaba ...................... and here is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 18:47:08, on 10/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Intense Language Office\COMMON\Offman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\MLC\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [Play_PC_Backup] C:\Program Files\PC Backup\pcbackup.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.c ... egucfg.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3232885125
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0990220234
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h ... mDlBrg.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdeskt ... reQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} - http://register.btinternet.com/template ... rol023.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Mojo
Regular Member
 
Posts: 50
Joined: July 4th, 2005, 7:34 am

Unread postby Shaba » January 11th, 2007, 3:21 am

Hi

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Send:

- a fresh HijackThis log
- kaspersky report
- smitfraudfix report
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby Mojo » January 11th, 2007, 7:57 am

Hi - I've done the SmitfraudFix.exe search and I have a log of this [rapport.txt]. However, I cannot download Kapersky Online Scanner. When I am prompted to install an ActiveX component I click Yes, but then I get directed to the Kapersky welcome page [which is where I started]. I've tried several times with no luck, and I've tried getting the programme by directly accessing the Kapersky site but when I try to download the on-line scanner I get the same problem.
Mojo
Mojo
Regular Member
 
Posts: 50
Joined: July 4th, 2005, 7:34 am

Unread postby Shaba » January 11th, 2007, 9:49 am

Hi

Did you try to install activex using Internet Explorer?
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby Mojo » January 11th, 2007, 12:55 pm

Shaba - I reset IE to allow active X, rebooted and checked that IE was still set to accept active X. However, the same problem happens. The programme apparently starts to initialise, then after a few seconds I get the message to download the active x component I click on install - and then I get back to the Kapersky welcome page again. I've tried temporarily disabling my McAfee privacy protection but that made no difference.
Mojo
Mojo
Regular Member
 
Posts: 50
Joined: July 4th, 2005, 7:34 am

Unread postby Shaba » January 11th, 2007, 1:39 pm

Hi

No worries, we try escan:

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download MWav:

  • Unzip it to its predetermined directory (C:\Kaspersky)
  • Locate kavupd.exe in the new folder and double-click to Update.
  • If your firewall gives any messages about this program accessing to internet, allow it.
  • If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
  • When you see Updates Downloaded Successfully, hit Enter to continue.
  • Restart onto Safe Mode and locate the Kaspersky folder.
  • Locate mwavscan.com and double-click on it to launch the MWAV Scanner.
Now lets do the settings:
  • Leave the Default Settings checked.
  • Add a check to Drives
  • This will light up All Drives
  • Add a check to Scan all Files
  • Click Scan Clean to begin.
This scan might take around 3+ hours to finish when set to scan everything.
  • Please be sure it has finished before proceeding.
  • Once the Scan has finished, all entries identified as Infected, will be displayed in the lower panel.
  • Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
  • Open an empty notepad file and paste the results (Ctrl+V) to it. Save the notepad to your desktop, name it as you want (e.g; MWav Results).
Reboot into normal Windows and post the results here along with a fresh HijackThis log.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby Mojo » January 11th, 2007, 5:11 pm

Hi Shaba - Thanks for your patience. Here is the Smitfraud Fix report [rapport]. I will send the MWav log and the new HiJackThis log as separate replies in case they get cut off.

SmitFraudFix v2.132

Scan done at 11:21:19.60, 11/01/2007
Run from C:\Documents and Settings\MLC\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\MLC


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\MLC\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MLC\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F}"="Windows Update"

[HKEY_CLASSES_ROOT\CLSID\{C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F}\InProcServer32]
@="C:\WINDOWS\system32\ioctrl.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F}\InProcServer32]
@="C:\WINDOWS\system32\ioctrl.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
Mojo
Regular Member
 
Posts: 50
Joined: July 4th, 2005, 7:34 am

Unread postby Mojo » January 11th, 2007, 5:13 pm

........ and here are the MWav Results:


File C:\Documents and Settings\MLC\Desktop\SmitfraudFix\Reboot.exe tagged as not-a-virus:RiskTool.Win32.Reboot.f. No Action Taken.
File C:\Program Files\McAfee\QuickClean\Backup\Uni42246.q1b infected by "Trojan.Win32.StartPage.in" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\00827F7C.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\025B20CF.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\026F1CB9.htm infected by "Trojan.JS.Seeker" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\02774F89.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\02781AAF.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\028542A0.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\02BE7C0E.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\02E21B34.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\0362753F.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\0396206F.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\03D10CA2.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\048E0FD2.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\04D650EC.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\04E35374.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\0556058E infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\05835CC4.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\05C26F17 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\05C5209F.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\05CF1709 infected by "Exploit.HTML.Iframe.FileDownload" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\05D271D8.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\062A4199.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\065B2FD7.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\06C61960.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\07352CE6.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\07673BCB.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\076F6739.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\07D53636.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\085128FB.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\09690A2E.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\09E32580.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\09F105CE.htm infected by "Exploit.HTML.ObjData" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\0B6D71AB.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\0D4065A9.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\0D970336.html infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\0D9F38A5.html infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\0E026CBF.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\125C59F6.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\126F55E0.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\130C69E2.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\130F13DE.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\14E5565C.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\15097D3B.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\169A0A3F.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\169A0A3F.php infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\16DD3233 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\172877E0 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\17596DAB infected by "Exploit.HTML.Iframe.FileDownload" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\183F7EFE infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\185F0C8B infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\18656084 infected by "Exploit.HTML.Iframe.FileDownload" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\194C744C.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\19B22518 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\19C37706 infected by "Exploit.HTML.Iframe.FileDownload" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\1C2D7EFA.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\1C3028F7.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\1D043E0A.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\1E3F4049.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\208147CD.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\22A534CA.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\23362322.htm infected by "Exploit.HTML.ObjData" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\2425622D.php infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\25CA41D6.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\294A7CFA.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\29644CDD.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\2A6B10D0.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\2B867BAE.php infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\2BAD479D infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\2BCA417C infected by "Exploit.HTML.Iframe.FileDownload" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\2DB920C2.html infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\2E1F1245.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\306471AB.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\30E104ED.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\31276491.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\33873743.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\33C91BC6.dat infected by "Trojan-Dropper.Win32.Small.lx" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\35BC6B43.html infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\38505796.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\389D52D4.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\391479E6.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\39F91809.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\3A103DEF.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\3AB675A5.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\3BF91926.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\3C9A6C38.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\3FEB6260.html infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\42A35136.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\44427823.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\447130A6.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\459B135B.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\45FE4C8D.php infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\49FE5CF9.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\4A9413E6.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\4B730503.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\4CE23EEF.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\4D9F1604.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\4DF35656.php infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\526B126D.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\526B126D.php infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\526E3C69.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\52795E8B.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\52853CBA.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\528F3AB0.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\52B40CF4.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\52B4524A.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\53F4610F.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\55161A78.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\5732215E.html infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\5988594E.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\59AC2727.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\5C6A0E7A.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\5CFC1212.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\5D7C7245 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\5D8D556C.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\5DA63B28.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\5DCD112C.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\5E127DA0 infected by "Exploit.HTML.Iframe.FileDownload" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\5E5671F7.php infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\5E5C45F0.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\5E5F6FEC.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\5E9D0DA8.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\5E9D0DA8.php infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\5EA137A4.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\5EEC7D52.php infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\5EEF274E.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\5EF2514A.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\5F601B39.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\60F31116.php infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\60F63B13.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\614E28B2.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\614E28B2.php infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\615252AE.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\61A50CCE.html infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\61F82FF7.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\61F82FF7.php infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\61FC59F3.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\622925C1.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\622925C1.php infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\635A0D40.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\63AB7153.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\642E1449.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\64C52219.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\652D5F31.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\65D95D7F.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\65EF18A9.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\663A56F4.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\667E3AE0.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\68A817D2.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\68E6358E.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\69403A8D.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\69F01841.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\69F52A30.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\6A2D60D3.php infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\6A601CD7.html infected by "Trojan-Downloader.JS.Small.i" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\6A601CD7.php infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\6A8B0F1B.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\6B206E87.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\6B7D00B5.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\6C8165FD.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\6DB42EF4.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\6DB42EF4.php infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\6DB758F1.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\6E2A382A.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\6E512FFF.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\6E5E57F1.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\6E6855E6.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\6E8B6A27.php infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\6EDD5CD4.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\6F134F21 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\6F1D4D17 infected by "Exploit.HTML.Iframe.FileDownload" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\72065B27.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\73603DD5.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\73AF5181 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\73D0755E infected by "Exploit.HTML.Iframe.FileDownload" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\74485B48.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\75B1125D.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\768C2ED8.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\77A545C8.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\7A2569A2.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\7A5418A1.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\7A697D65.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\7A697D65.php infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\7A870B9E.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\7AA8276D.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\7C5135D3.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\7D02574D.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\7E8D5669.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
Mojo
Regular Member
 
Posts: 50
Joined: July 4th, 2005, 7:34 am

Unread postby Mojo » January 11th, 2007, 5:15 pm

............. and fianlly here is the latest HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 21:06:23, on 11/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Intense Language Office\COMMON\Offman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\MLC\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [Play_PC_Backup] C:\Program Files\PC Backup\pcbackup.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.c ... egucfg.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3232885125
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0990220234
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h ... mDlBrg.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdeskt ... reQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} - http://register.btinternet.com/template ... rol023.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Many thanks from Mojo
Mojo
Regular Member
 
Posts: 50
Joined: July 4th, 2005, 7:34 am

Unread postby Shaba » January 12th, 2007, 3:18 am

Hi

Empty this folder:

C:\Program Files\Norton AntiVirus\Quarantine\

Empty Recycle Bin

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Send:

- smitfraudfix report
- a fresh HijackThis log
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 292 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware