
Another protection bar

Discussion in 'Windows - Virus and spyware problems' started by pops4444, Mar 29, 2007.

  1. pops4444

    Dear forum, I picked up something which brought others with it.

    I've figured out the new Protection Bar is at least part of it, and I've tried to go to your links about it, but I'm being prevented.

    Also, HijackThis has been shutting down during use, I assume because of interference.

    AVG shows Downloader.Zlob.bpn and Adware.IntCodec.

    A yellow bubble on the taskbar has shown W32.Myzor.FK@yf.
    Also Trojan-Spy.Win32@mx.

    Any clues?
     
  2. muuli123

    Rename HijackThis to "scanner", try the scan again and post the HijackThis log. If that does not work, please say so.
     
  3. pops4444

    Renamed HijackThis as Scanner. It did not work.
     
  4. muuli123

    Download Silent Runners.zip and extract it to a new folder on your Desktop.

    - Run the Silent Runners.vbs file.
    - You will receive a prompt: "Do you want to skip supplementary searches?" - click "NO."
    - If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run. This script is not malicious, so please allow it.
    - A text file will appear in the folder - it's not done, let it run. (It won't appear to be doing anything!)
    - Once the "All Done!" prompt flashes up, open the text file, save it to the Silent Runners folder on your Desktop and post the contents here.
     
  5. pops4444

    Here are the contents of the Silent Runners text file, and BTW my browser goes to http//asafetyproject.com in case that's relevant.



    "Silent Runners.vbs", revision R50, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
    "user32.dll" = "C:\Program Files\Video Access ActiveX Object\isamntr.exe" [file not found]
    "rare" = "C:\Program Files\Video Access ActiveX Object\pmsnrr.exe" [file not found]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "IntelliType" = ""C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"" [MS]
    "NeroCheck" = "C:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"]
    "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
    "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
    "Comodo Firewall" = ""C:\Program Files\Comodo\Firewall\CPF.exe" /background" ["COMODO"]
    "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
    "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
    "!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]
    "RealTray" = "C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
    \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
    {A6ACAE64-F798-4930-AD86-BD3FB32038DB}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Video Access ActiveX Object\isadd.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
    -> {HKLM...CLSID} = "Desktop Explorer"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
    "{1CAA843A-6DBD-40EF-AB71-8F7B209997C0}" = "IntelliType Pro Key Settings Control Panel Property Page"
    -> {HKLM...CLSID} = "ITPropertyPage Class"
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Hardware\Keyboard\itcpl.dll" [MS]
    "{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
    -> {HKLM...CLSID} = "Microsoft Office Binder Unbind"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\1033\UNBIND.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
    -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL" [MS]
    "{1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}" = "ShellPlusContextMenu"
    -> {HKLM...CLSID} = "Burn4Freecontext menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\B4FM.dll" [file not found]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
    -> {HKLM...CLSID} = "AVG7 Find Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
    <<!>> "{df8c3aed-b58e-4bcb-96b3-aa1b7bbdbbd4}" = "homina"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\system32\oyopu.dll" [file not found]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
    -> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
    \InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~4\MpShHook.dll" [MS]
    <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
    -> {HKLM...CLSID} = "WPDShServiceObj Class"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    FileEncrypt\(Default) = "{90A07ACC-0331-4aee-9AAD-A854A9C37667}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Advanced System Optimizer\ShellExt.dll" ["Systweak Inc"]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
    FileEncrypt\(Default) = "{90A07ACC-0331-4aee-9AAD-A854A9C37667}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Advanced System Optimizer\ShellExt.dll" ["Systweak Inc"]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

    HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
    ShellPlusContextMenu\(Default) = "{1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}"
    -> {HKLM...CLSID} = "Burn4Freecontext menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\B4FM.dll" [file not found]


    Group Policies {policy setting}:
    --------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "DisableRegistryTools" = (REG_DWORD) hex:0x00000000
    {Prevent access to registry editing tools}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


    Startup items in "Owner" & "All Users" startup folders:
    -------------------------------------------------------

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "MoRUN.net Sticker Lite" -> shortcut to: "C:\WINDOWS\Installer\{620797B0-A022-4B57-A95E-CD7DD0325005}\main.ico" [null data]
    "Symantec Fax Starter Edition Port" -> shortcut to: "C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE" [MS]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar.dll" [file not found]
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
    -> {HKLM...CLSID} = "Yahoo! Toolbar"
    \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
    "{84938242-5C5B-4A55-B6B9-A1507543B418}"
    -> {HKLM...CLSID} = "Protection Bar"
    \InProcServer32\(Default) = "C:\Program Files\Video Access ActiveX Object\iesplugin.dll" [null data]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
    -> {HKLM...CLSID} = "Yahoo! Toolbar"
    \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
    "{84938242-5C5B-4A55-B6B9-A1507543B418}" = (no title provided)
    -> {HKLM...CLSID} = "Protection Bar"
    \InProcServer32\(Default) = "C:\Program Files\Video Access ActiveX Object\iesplugin.dll" [null data]

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\Software\Classes\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}\(Default) = "Protection Bar"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\Program Files\Video Access ActiveX Object\iesplugin.dll" [null data]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
    AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
    AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
    Comodo Application Agent, CmdAgent, "C:\Program Files\Comodo\Firewall\cmdagent.exe" ["COMODO"]
    Fax, Fax, "C:\WINDOWS\system32\fxssvc.exe" [MS]
    LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
    Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
    OLFax Ports\Driver = "OLFMNT40.DLL" [MS]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 47 seconds, including 18 seconds for message boxes)
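The report above is the raw material; what a responder does with it is look for launch points whose target has no checkable publisher, for the script's own <<!>> marks, and for several such entries pointing into one folder. The script below is an added example written for this page (it is not part of the thread, nor Silent Runners' own code): it applies those rules to a handful of lines copied from the report, plus two clean entries added for contrast. The sample text, the "Policies\Explorer\Run is rarely used outside Group Policy" heuristic and the output layout are this example's own choices, and a flagged entry is a candidate for review, not a verdict, since leftovers from uninstalled software also show up as [file not found].

```python
"""Triage launch points in a Silent Runners report (added example for this
page, not code from the thread or from Silent Runners). The report's tags say
what could be verified: [MS] / ["Vendor"] is a file carrying that company
name, [null data] / [file not found] means nothing to check, <<!>> is the
script's own suspicion. Flagged entries are review candidates, not verdicts."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the report above plus two clean entries
# (IntelliType, HyperTerminal) so the filter has something to let through.
SAMPLE_REPORT = r'''
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"user32.dll" = "C:\Program Files\Video Access ActiveX Object\isamntr.exe" [file not found]
"rare" = "C:\Program Files\Video Access ActiveX Object\pmsnrr.exe" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"IntelliType" = ""C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\(Default) = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Video Access ActiveX Object\isadd.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{df8c3aed-b58e-4bcb-96b3-aa1b7bbdbbd4}" = "homina"
\InProcServer32\(Default) = "C:\WINDOWS\system32\oyopu.dll" [file not found]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{84938242-5C5B-4A55-B6B9-A1507543B418}"
-> {HKLM...CLSID} = "Protection Bar"
\InProcServer32\(Default) = "C:\Program Files\Video Access ActiveX Object\iesplugin.dll" [null data]
'''

TAG_RE = re.compile(r'(\[(?:MS|null data|file not found)\]|\["[^"]*"\])\s*$')
VALUE_RE = re.compile(r'^(?P<mark><<!>>\s*)?"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')
GUID_RE = re.compile(r'^(?P<mark><<!>>\s*)?"?(?P<name>\{[0-9A-Fa-f-]{36}\})')
INPROC_RE = re.compile(r'^\\InProcServer32\\\(Default\)\s*=\s*(?P<rest>.*)$')

@dataclass
class LaunchPoint:
    key: str        # registry location the entry sits under
    name: str       # value name or CLSID
    target: str     # DLL/EXE (or command line) the entry loads
    tag: str        # publisher annotation from the report
    marked: bool    # line carried the <<!>> marker
    reasons: list = field(default_factory=list)

def _split_target(rest):
    # '"C:\x.dll" [null data]' -> ('C:\x.dll', '[null data]'); None without a tag
    m = TAG_RE.search(rest)
    return (rest[:m.start()].strip().strip('"'), m.group(1)) if m else None

def assess(lp):
    if lp.marked:
        lp.reasons.append("report marked this launch point with <<!>>")
    if lp.tag in ("[null data]", "[file not found]"):
        lp.reasons.append("no verifiable publisher: " + lp.tag)
    if "\\policies\\explorer\\run" in lp.key.lower():   # heuristic, see lead-in
        lp.reasons.append("Policies\\Explorer\\Run is rarely populated outside Group Policy")
    return lp

def triage(report):
    points, key, pending = [], "", None
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith(("HKLM\\", "HKCU\\")):      # heading: new registry location
            key, pending = re.sub(r"\s*\{\+\+\}$", "", line).rstrip("\\"), None
            continue
        m = VALUE_RE.match(line)
        parsed = _split_target(m.group("rest")) if m else None
        if parsed:                                      # "name" = "target" [tag]
            points.append(assess(LaunchPoint(key, m.group("name"), *parsed, bool(m.group("mark")))))
            continue
        m = GUID_RE.match(line)
        if m:                                           # CLSID entry; its DLL follows on InProcServer32
            pending = (m.group("name"), bool(m.group("mark")))
            continue
        m = INPROC_RE.match(line)
        parsed = _split_target(m.group("rest")) if m else None
        if parsed and pending:
            points.append(assess(LaunchPoint(key, pending[0], *parsed, pending[1])))
            pending = None
    return points

def cluster_by_directory(points):
    """Group flagged targets by folder: one dropper usually leaves several
    launch points pointing into the same directory."""
    groups = {}
    for lp in points:
        if lp.reasons:
            folder, _, name = lp.target.rpartition("\\")
            groups.setdefault(folder.lower(), []).append(name)
    return groups

if __name__ == "__main__":
    pts = triage(SAMPLE_REPORT)
    for lp in (p for p in pts if p.reasons):
        print(f"{lp.key}\n  {lp.name} -> {lp.target}\n  {'; '.join(lp.reasons)}")
    for folder, names in cluster_by_directory(pts).items():
        print(f"{len(names)} flagged under {folder}: {', '.join(names)}")
```

Run on the full report (paste it into SAMPLE_REPORT or read it from the file) the directory clustering is the useful part: on the log above it puts four flagged entries under one "Video Access ActiveX Object" folder, which is the same conclusion SmitfraudFix reaches later in the thread, while the stray [file not found] shell extensions from uninstalled software each sit alone.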
     
  6. muuli123

    Hi pops4444

    Please download SmitfraudFix (by S!Ri)

    Double-click SmitfraudFix.exe.
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  7. pops4444

    SmitfraudFix ran from the desktop OK.
    Report:

    SmitFraudFix v2.162

    Scan done at 22:22:59.78, Sun 01/04/2007
    Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Real\RealPlayer\realplay.exe
    C:\Program Files\MoRUN.net\Sticker Lite\sticker.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    hosts file corrupted !

    127.0.0.1 microsoft.com.org #[IE-SpyAd]
    127.0.0.1 www.www.microsoft.com.org

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    C:\Program Files\Video Access ActiveX Object\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{df8c3aed-b58e-4bcb-96b3-aa1b7bbdbbd4}"="homina"

    [HKEY_CLASSES_ROOT\CLSID\{df8c3aed-b58e-4bcb-96b3-aa1b7bbdbbd4}\InProcServer32]
    @="C:\WINDOWS\system32\oyopu.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{df8c3aed-b58e-4bcb-96b3-aa1b7bbdbbd4}\InProcServer32]
    @="C:\WINDOWS\system32\oyopu.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
    DNS Server Search Order: 10.1.1.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{13178070-C3DD-4079-860E-4079B6CC155E}: DhcpNameServer=10.1.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{13178070-C3DD-4079-860E-4079B6CC155E}: DhcpNameServer=10.1.1.1
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{13178070-C3DD-4079-860E-4079B6CC155E}: DhcpNameServer=10.1.1.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  8. muuli123

    Hi pops4444

    Please download HostsXpert.
    - Unzip HostsXpert.zip.
    - Double-click on HostsXpert.exe.
    - Then click on "Restore Original Hosts" to restore your Hosts file to its default condition.
    - Click on "Make Hosts Read Only" to secure it against further infection.
    - Close the program when complete.

    You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following:
    - Restart your computer.
    - After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
    - Instead of Windows loading as normal, a menu with options should appear.
    - Select the first option, to run Windows in Safe Mode, then press "Enter".
    - Choose your usual account.

    Once in Safe Mode, double-click on SmitfraudFix.exe.
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and pressing "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and pressing "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non-infected computer will remove your Desktop background.

    Try the HijackThis scan now; if it does not work, please say so.
     
    Last edited: Apr 1, 2007
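SmitfraudFix called the hosts file "corrupted" because it held more than the stock localhost mapping. The two lines it printed map names to 127.0.0.1, which is what a blocklist such as IE-SpyAd installs (the #[IE-SpyAd] tag says as much) and is harmless; the pattern that actually matters is the reverse one, a vendor's update or AV domain mapped to an outside address so the machine cannot fetch signatures or patches. The script below is an added example for this page, not part of the thread, HostsXpert or SmitfraudFix: it tells the two patterns apart on a constructed hosts file and then does what the two HostsXpert buttons do (rewrite the stock file and set it read-only). The vendor watch list, the 203.0.113.9 redirect lines and the scratch file path are assumptions made for the example.

```python
"""Classify hosts-file mappings and rebuild the stock file (added example for
this page, not the thread's own tooling). A name mapped to 127.0.0.1, 0.0.0.0
or ::1 is blocked, which is what blocklist tools such as IE-SpyAd install; a
name mapped anywhere else is redirected, and for an update or AV vendor domain
that is the hijack pattern that keeps a machine from cleaning itself."""
import ipaddress
import os
import stat
import tempfile

# Assumed watch list of update/AV domains; extend it for your own environment.
WATCH_LIST = ("microsoft.com", "windowsupdate.com", "grisoft.com", "avg.com",
              "symantec.com", "mcafee.com", "kaspersky.com", "trendmicro.com")

# Constructed sample: the two lines SmitfraudFix reported above, plus three
# redirect lines invented for this example (203.0.113.9 is a documentation
# address, not a real attacker host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 microsoft.com.org #[IE-SpyAd]
127.0.0.1 www.www.microsoft.com.org
203.0.113.9 www.microsoft.com
203.0.113.9 windowsupdate.microsoft.com   # constructed hijack
203.0.113.9 free.grisoft.com
"""

# The only mapping Windows XP ships with; everything else is an addition.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

def parse_hosts(text):
    """Yield (address, hostname) for every mapping, one pair per name."""
    for raw in text.splitlines():
        fields = raw.partition("#")[0].split()      # strip trailing comments
        if len(fields) >= 2:
            for name in fields[1:]:
                yield fields[0], name.lower()

def classify(addr, name):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"
    if name == "localhost" and ip.is_loopback:
        return "stock"
    if ip.is_loopback or ip.is_unspecified:
        return "block"                      # sinkholed: the blocklist pattern
    if any(name == d or name.endswith("." + d) for d in WATCH_LIST):
        return "hijack"                     # vendor domain sent elsewhere
    return "redirect"                       # custom mapping; check it by hand

def triage_hosts(text):
    verdicts = {}
    for addr, name in parse_hosts(text):
        verdicts.setdefault(classify(addr, name), []).append((addr, name))
    return verdicts

def restore_default_hosts(path):
    """Write the stock mapping and clear the write bit, the same two steps as
    HostsXpert's "Restore Original Hosts" and "Make Hosts Read Only". The
    read-only bit stops casual overwrites only; anything running as
    Administrator can clear it again, so it is a speed bump, not a control."""
    if os.path.exists(path):                # drop a stale read-only bit first
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
    with open(path, "w", newline="\r\n") as fh:   # Windows line endings
        fh.write(DEFAULT_HOSTS)
    os.chmod(path, stat.S_IREAD)
    return path

def demo_restore():
    """Run restore_default_hosts on a scratch file; return what it wrote and
    whether the owner write bit is still set (it should not be)."""
    with tempfile.TemporaryDirectory() as d:
        p = restore_default_hosts(os.path.join(d, "hosts"))
        with open(p) as fh:
            content = fh.read()
        writable = bool(stat.S_IMODE(os.stat(p).st_mode) & stat.S_IWUSR)
        os.chmod(p, stat.S_IREAD | stat.S_IWRITE)   # let the scratch dir clean up
    return content, writable

if __name__ == "__main__":
    for verdict, entries in triage_hosts(SAMPLE_HOSTS).items():
        print(f"{verdict:9}", *(f"{a} {n}" for a, n in entries), sep="\n  ")
    print("restored:", demo_restore())
```

On a real machine the file is %SystemRoot%\system32\drivers\etc\hosts; run triage_hosts on its contents before restoring, because "block" entries are usually something the user installed on purpose and can be put back, while "hijack" entries are the evidence worth keeping a copy of.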
  9. pops4444

    Rapport.txt follows. I tried HijackThis; once again, no go.



    SmitFraudFix v2.162

    Scan done at 13:01:33.41, Mon 02/04/2007
    Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{13178070-C3DD-4079-860E-4079B6CC155E}: DhcpNameServer=10.1.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{13178070-C3DD-4079-860E-4079B6CC155E}: DhcpNameServer=10.1.1.1
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{13178070-C3DD-4079-860E-4079B6CC155E}: DhcpNameServer=10.1.1.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

     
  10. muuli123

    Hello pops4444

    Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    - Close all applications and windows.
    - Double-click on dss.exe to run it, and follow the prompts.
    - When the scan is complete, two text files will open: main.txt (maximized) and extra.txt (minimized).
    - Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.
     
  11. pops4444

    The first run with Deckard's scanner was a freeze (I gave it 3 hours anyway). Stand-alone computer: I can log on as Administrator or Owner in Safe Mode (not suitable for DSS), but only as Owner in Normal Mode, so a bit of a pain. Later DSS ran well in Normal Mode.
    Logs as follows.

    main.txt
    Deckard's System Scanner v20070328.36
    Run by Owner on 2007-04-03 at 15:28:31
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    115: 2007-04-03 05:28:36 UTC - RP189 - Deckard's System Scanner Restore Point
    114: 2007-04-03 02:26:40 UTC - RP188 - Deckard's System Scanner Restore Point
    113: 2007-04-02 20:23:14 UTC - RP187 - Unsigned driver install
    112: 2007-04-02 12:29:28 UTC - RP186 - Installed Motorola USB Drivers v2.9
    111: 2007-04-02 12:29:05 UTC - RP185 - Removed Motorola USB Drivers v2.9


    -- First Restore Point --
    1: 2007-01-03 10:14:55 UTC - RP75 - System Checkpoint


    Performed disk cleanup.


    -- HijackThis (run as Owner.exe) -----------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 3:30:19 PM, on 3/04/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Real\RealPlayer\realplay.exe
    C:\Program Files\MoRUN.net\Sticker Lite\sticker.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\dss.exe
    C:\PROGRA~1\HIJACK~1\Owner.exe

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: MoRUN.net Sticker Lite.lnk = ?
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


    -- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

    backup-20061015-134738-760 O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
    backup-20061015-134739-475 O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - C:\Program Files\MMediaCodec\isaddon.dll (file missing)
    backup-20061015-134739-509 O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    backup-20061015-134739-583 O4 - HKLM\..\Run: [sysqn.exe] C:\WINDOWS\sysqn.exe
    backup-20061015-231623-935 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    backup-20061015-231812-613 O4 - HKLM\..\Run: [sysqn.exe] C:\WINDOWS\sysqn.exe
    backup-20061016-111540-835 O4 - HKLM\..\Run: [sysqn.exe] C:\WINDOWS\sysqn.exe
    backup-20061016-111540-873 O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    backup-20061017-104222-243 O4 - HKLM\..\Run: [sysqn.exe] C:\WINDOWS\sysqn.exe
    backup-20061017-104222-276 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    backup-20061017-104222-308 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    backup-20061017-104222-376 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    backup-20061017-104222-486 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    backup-20061017-104222-496 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    backup-20061017-104222-671 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    backup-20061017-104222-912 O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    backup-20061017-212811-186 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    backup-20061017-212811-373 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    backup-20061017-212811-385 O4 - HKLM\..\Run: [sysqn.exe] C:\WINDOWS\sysqn.exe
    backup-20061017-212811-621 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    backup-20061017-212811-784 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    backup-20061017-212811-802 O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    backup-20061017-212811-831 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    backup-20061017-212811-919 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    backup-20061017-224908-182 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    backup-20061017-224908-271 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    backup-20061017-224908-367 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    backup-20061017-224908-682 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    backup-20061017-224908-707 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pmscs.dll/sp.html#37049
    backup-20061017-224908-927 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    backup-20061017-224931-162 O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    backup-20061017-224931-493 O4 - HKLM\..\Run: [sysqn.exe] C:\WINDOWS\sysqn.exe
    backup-20061017-232408-187 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 viasraid - c:\windows\system32\drivers\viasraid.sys
    R1 UdfReadr - c:\windows\system32\drivers\udfreadr.sys
    R2 Nsynas32 - c:\windows\system32\drivers\nsynas32.sys
    R3 ltmodem5 (LT Modem Driver) - c:\windows\system32\drivers\ltmdmnt.sys

    S3 ES1370 (Creative AudioPCI (ES1370), SB PCI 64/128 (WDM)) - c:\windows\system32\drivers\es1370mp.sys
    S3 P2k (Motorola USB Device) - c:\windows\system32\drivers\p2k.sys
    S3 SynasUSB - c:\windows\system32\drivers\synasusb.sys
    S3 vsc32 (Virtual Sound Canvas 3.2) - c:\windows\system32\drivers\vsc.sys (file missing)
    S3 YMIDUSB (YAMAHA Corporation USB MIDI Driver) - c:\windows\system32\drivers\ymidusb.sys


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    All services whitelisted.


    -- Scheduled Tasks -------------------------------------------------------------

    2006-12-28 06:09:59 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job<MPSCHE~1.JOB>


    -- Files created between 2007-03-03 and 2007-04-03 -----------------------------

    2007-04-03 12:21:47 462330 --a------ C:\dss.exe
    2007-04-03 08:33:04 0 d-------- C:\Program Files\Freechess<FREECH~1>
    2007-04-02 21:18:36 31616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2007-04-02 15:02:39 0 d-------- C:\Program Files\WinAce
    2007-04-02 14:49:24 0 d-------- C:\Program Files\motorola p2kseem<MOTORO~1>
    2007-04-01 22:23:11 2542 --a------ C:\WINDOWS\system32\tmp.reg
    2007-04-01 22:22:54 79360 --a------ C:\WINDOWS\system32\swxcacls.exe
    2007-04-01 22:22:54 51200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-04-01 22:22:44 0 d-------- C:\SmitfraudFix<SMITFR~1>
    2007-04-01 22:22:28 869303 --a------ C:\SmitfraudFix.exe<SMITFR~1.EXE>


    -- Find3M Report ---------------------------------------------------------------

    2007-04-03 15:29:28 0 d-------- C:\Program Files\Hijack This<HIJACK~1>
    2007-04-03 15:29:12 0 d-------- C:\Program Files\Datasonics<DATASO~1>
    2007-04-02 21:39:33 0 d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft<MICROS~1>
    2007-03-26 12:43:35 0 d-------- C:\Program Files\Lexmark X1100 Series<LEXMAR~1>
    2007-03-06 19:34:54 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2007-03-02 12:20:46 0 d-------- C:\Program Files\Windows Media Connect 2<WI4DF6~1>
    2007-02-15 20:23:47 0 d-------- C:\Program Files\mobile PhoneTools<MOBILE~1>
    2007-02-07 07:37:35 0 d-------- C:\Program Files\ewido anti-spyware 4.0<EWIDOA~1.0>


    -- Registry Dump ---------------------------------------------------------------


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
    "NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "Comodo Firewall"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "RealTray"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe SYSTEMBOOTHIDEPLAYER"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



    -- End of Deckard's System Scanner: finished at 2007-04-03 at 15:30:45 ---------

    Deckard's System Scanner v20070328.36
    Extra logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Home Edition (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: AMD Athlon(tm) XP 2500+
    Percentage of Memory in Use: 48%
    Physical Memory (total/avail): 511.48 MiB / 261.35 MiB
    Pagefile Memory (total/avail): 1250.18 MiB / 1006.54 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1989.16 MiB

    A: is Removable (No Media)
    C: is Fixed (NTFS) - 74.52 GiB total, 48.95 GiB free.
    D: is CDROM (No Media)


    -- Security Center -------------------------------------------------------------

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is disabled.

    FW: Comodo Firewall v2.3.035 (COMODO)
    AV: AVG 7.5.446 v7.5.446 (GRISOFT)


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Owner\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=COMPUTER
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Owner
    LOGONSERVER=\\COMPUTER
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=0a00
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
    USERDOMAIN=COMPUTER
    USERNAME=Owner
    USERPROFILE=C:\Documents and Settings\Owner
    windir=C:\WINDOWS


    -- User Profiles ---------------------------------------------------------------

    Owner (admin)
    Administrator (admin)


    -- Add/Remove Programs ---------------------------------------------------------

    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Ad-Aware SE Professional --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
    Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
    AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
    AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
    Burn4Free CD & DVD 1.0.3.0 --> "C:\Program Files\Burn4Free\unins000.exe"
    CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
    CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
    Comodo Firewall --> C:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln
    FaxTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
    FileSpecs extension for Ad-aware 6 --> C:\PROGRA~1\Lavasoft\AD-AWA~2\Plugins\FILESP~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\Plugins\FILESP~1\INSTALL.LOG
    Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar.dll"
    HexDump extension for Ad-aware 6 --> C:\PROGRA~1\Lavasoft\AD-AWA~2\Plugins\HEXDUM~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\Plugins\HEXDUM~1\INSTALL.LOG
    HijackThis 1.99.1 --> E:\spyware\HijackThis.exe /uninstall
    Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
    IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
    J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
    Knowledge Adventure School Sampler --> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Knowledge Adventure\Knowledge Adventure School Sampler\DeIsL1.isu"
    Lexmark X1100 Series --> C:\WINDOWS\System32\spool\drivers\w32x86\3\LXBKUN5C.EXE -dLexmark X1100 Series
    LimeWire 4.12.6 --> "C:\Program Files\LimeWire\uninstall.exe"
    LiveUpdate BVRP Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe" -l0x9
    LSP Explorer Pluginfor Ad-aware 6 --> C:\PROGRA~1\Lavasoft\AD-AWA~2\Plugins\LSPEXP~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\Plugins\LSPEXP~1\INSTALL.LOG
    Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
    Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
    Microsoft Office 2000 Disc 2 --> MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
    Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
    Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
    mobile PhoneTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F18E8A0F-BE99-4305-96A5-6C0FD9D7D999}\setup.exe" -l0x9
    MoRUN.net Sticker --> MsiExec.exe /X{620797B0-A022-4B57-A95E-CD7DD0325005}
    Motorola USB Drivers v2.9 --> MsiExec.exe /X{86EB9B75-C7F8-4D7D-A032-6C5858757525}
    Music Master Professional --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Datasonics\Music Master Professional\DeIsL1.isu" -c"C:\Program Files\Datasonics\Music Master Professional\_ISREG32.DLL"
    Native Instruments Sibelius Player --> C:\PROGRA~1\NATIVE~1\SIBELI~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\SIBELI~1\INSTALL.LOG
    Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
    Neuratron PhotoScore Lite --> C:\PROGRA~1\NEURAT~1\UNWISE.EXE C:\PROGRA~1\NEURAT~1\INSTALL.LOG
    NVIDIA Display Driver --> C:\WINDOWS\System32\nvudisp.exe Uninstall C:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display Driver
    Owl and Mouse Build a Castle --> C:\PROGRA~1\Castle\UNWISE.EXE C:\PROGRA~1\Castle\INSTALL.LOG
    Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
    QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
    Ra2Wav --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\2B System\Ra2Wav\Uninst.isu"
    RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
    Reason --> MsiExec.exe /X{E52BFE61-E0FF-11D6-9D69-00065BABCB42}
    rgc:audio sfz VSTi v1.21 --> "C:\Program Files\Steinberg\Cubase SL\Vstplugins\unins000.exe"
    Roxio UDF Reader --> C:\WINDOWS\System32\UDFRUNIN.EXE
    SFPack --> C:\PROGRA~1\STEINB~1\CUBASE~1\VSTPLU~1\_SFPAC~1\SFPack\SFPACK.EXE /uninstall
    Sibelius 3 --> C:\PROGRA~1\SIBELI~1\SIBELI~1\UNWISE.EXE C:\PROGRA~1\SIBELI~1\SIBELI~1\INSTALL.LOG
    Sibelius Scorch --> C:\PROGRA~1\SIBELI~1\Scorch\UNWISE.EXE C:\PROGRA~1\SIBELI~1\Scorch\INSTALL.LOG
    Spybot - Search & Destroy 1.3 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
    SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
    Steinberg Cubase SL --> C:\PROGRA~1\STEINB~1\CUBASE~1\UNINST~1.EXE C:\PROGRA~1\STEINB~1\CUBASE~1\Install.log
    Steinberg Cubase SX v2.01 --> C:\PROGRA~1\STEINB~1\CUBASE~2\UNWISE.EXE C:\PROGRA~1\STEINB~1\CUBASE~2\INSTALL.LOG
    Syncrosofts License Control --> C:\PROGRA~1\SYNCRO~1\UNWISE.EXE C:\PROGRA~1\SYNCRO~1\Install.log
    VIA Integrated Setup Wizard --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{9497EBAA-87AD-41E6-8ED6-E1E52995A76C}
    WinAce Archiver --> "C:\Program Files\WinAce\SXUNINST.EXE" "C:\Program Files\WinAce\SXUNINST.INI"
    Windows Defender --> MsiExec.exe /I{B2D7CE29-614A-4ACC-8BFE-009EB3A244C9}
    Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
    Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
    Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
    YAMAHA Musicsoft Downloader 5.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6D3C6846-CDB6-418F-8FDB-DA21FE064F86}\Setup.exe" -l0x9


    -- End of Deckard's System Scanner: finished at 2007-04-03 at 15:30:45 ---------



    Thanks
     
  12. muuli123

    muuli123 Regular member

    Joined:
    Jan 13, 2007
    Messages:
    154
    Likes Received:
    0
    Trophy Points:
    26
    Hello pops4444 :)

    Everything looks good :D Any problems yet?
     
  13. pops4444

    pops4444 Member

    Joined:
    Oct 13, 2006
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    11
    Problems - ongoing.

    Last AltaVista search: each answer link redirected the browser to the same porn site, though safe search is on and the links were all different URLs.

    HijackThis still freezes, though I've downloaded a second copy and renamed it.

    Broadband web access keeps disconnecting, needing a Windows restart.


    Comodo firewall warns:
    application svchost.exe
    parent services.exe
    system32\WgaTray.exe tried to use svchost to connect to the internet. I click DENY.


    However, I just ran Ewido and nothing was found!
     
  14. pops4444

    pops4444 Member

    Joined:
    Oct 13, 2006
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    11
    CORRECTION CORRECTION

    I just posted that Ewido found nothing. It was only a partial scan.

    New report follows. 24 instances of ZLOB in 4 forms



    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 3:09:33 AM 4/04/2007

    + Scan result:



    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP183\A0014264.dll -> Downloader.Zlob.aud : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP183\A0014265.exe -> Downloader.Zlob.aud : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP183\A0014267.exe -> Downloader.Zlob.aud : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP183\A0014269.exe -> Downloader.Zlob.bih : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP182\A0014235.exe -> Downloader.Zlob.bng : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP180\A0011959.dll -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP180\A0011961.exe -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP180\A0011974.dll -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP180\A0011978.exe -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP180\A0012164.dll -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP180\A0012166.exe -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP180\A0012180.dll -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP180\A0012185.exe -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP181\A0012203.dll -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP181\A0012206.exe -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP181\A0013198.exe -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP181\A0013202.dll -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP181\A0013204.exe -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP182\A0013216.dll -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP182\A0013217.exe -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP182\A0013219.exe -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP182\A0014216.dll -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP182\A0014217.exe -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP182\A0014219.exe -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP182\A0014224.exe -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP182\A0014228.dll -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP182\A0014230.exe -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP182\A0014234.exe -> Downloader.Zlob.bpn : No action taken.
    C:\System Volume Information\_restore{6A67A437-192D-4644-9D72-77581E6635F3}\RP183\A0014266.dll -> Downloader.Zlob.bpn : No action taken.


    ::Report end


     
  15. pops4444

    pops4444 Member

    Joined:
    Oct 13, 2006
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    11
    OK, I know I'm answering my own posts here.

    I deleted the ZLOBs last scan.

    I just ran Ewido (AVG) again, full scan, and nothing was found!!

    HijackThis is still not running though. It gets to
    O15 Trusted Zone enumeration and then freezes.

    Comodo still says
    application svchost.exe
    parent services.exe
    system32\WgaTray.exe tried to use svchost to connect to the internet. I click DENY.
     
  16. muuli123

    muuli123 Regular member

    Joined:
    Jan 13, 2007
    Messages:
    154
    Likes Received:
    0
    Trophy Points:
    26
    Hello pops4444

    Download F-Secure Blacklight (blbeta.exe) to the desktop from here.

    Open it and click Accept Agreement.
    Click Scan.
    After the scan is complete, click Next, then Exit.
    It will create a log on the desktop named fsbl-xxxxxxx.log (the xxxxxxx will be the date and time of the scan)
    Save the log to your desktop.

    Permit WgaTray.exe, because it's Windows' own process :)

    Clean your system restore:
    1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.

    Post Blacklight log to your next reply :)
     
  17. pops4444

    pops4444 Member

    Joined:
    Oct 13, 2006
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    11
    Done


    04/05/07 15:13:05 [Info]: BlackLight Engine 1.0.61 initialized
    04/05/07 15:13:05 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    04/05/07 15:13:05 [Note]: 7019 4
    04/05/07 15:13:05 [Note]: 7005 0
    04/05/07 15:13:11 [Note]: 7006 0
    04/05/07 15:13:11 [Note]: 7011 1596
    04/05/07 15:13:11 [Note]: 7026 0
    04/05/07 15:13:11 [Note]: 7026 0
    04/05/07 15:13:13 [Note]: FSRAW library version 1.7.1021
    04/05/07 15:19:02 [Note]: 2000 1012
    04/05/07 15:19:02 [Note]: 2000 1012
    04/05/07 15:20:15 [Note]: 7007 0
     
  18. muuli123

    muuli123 Regular member

    Joined:
    Jan 13, 2007
    Messages:
    154
    Likes Received:
    0
    Trophy Points:
    26
    Hello pops4444

    Note: this works only in Internet Explorer.
    Please run this online scan:

    Panda ActiveScan

    [*] Once you are on the Panda site, click the Scan your PC button
    [*]A new window will open...click the Check Now button
    [*]Enter your Country
    [*]Enter your State/Province
    [*]Enter your e-mail address and click send
    [*]Select either Home User or Company
    [*]Click the big Scan Now button
    [*]If it wants to install an ActiveX component allow it
    [*]It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    [*]When the download is complete, click on Local Disks to start the scan
    [*]When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

    Post the contents of the Panda scan report, along with a new HijackThis Log


     
  19. pops4444

    pops4444 Member

    Joined:
    Oct 13, 2006
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    11
    OK, here's the latest.

    ActiveScan found and fixed some and didn't/couldn't fix others.

    The ActiveScan report follows. BUT after so many attempts, as per your advice, I ran HijackThis again. It froze as usual, but since I stretched the window to show all of the scan (to do a screen capture of the log before it closed) it suddenly came right and actually produced a new log. My best newbie guess: it worked because ActiveScan has deleted something.

    BOTH REPORTS FOLLOW

    -------------------------------------------------------------------



    Incident Status Location

    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\My Documents\zz_Anti-Spyware Prgrms\SmitfraudFix\Process.exe
    Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\Owner\My Documents\zz_Anti-Spyware Prgrms\SmitfraudFix\restart.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\SmitfraudFix\Process.exe
    Virus:Trj/Shutdown.Z Disinfected C:\SmitfraudFix\restart.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
    ---------------------------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 7:32:39 AM, on 7/04/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Real\RealPlayer\realplay.exe
    C:\Program Files\MoRUN.net\Sticker Lite\sticker.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijack This\scanner.exe
    C:\WINDOWS\system32\mspaint.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: MoRUN.net Sticker Lite.lnk = ?
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

    Thanks a bunch
     
  20. muuli123

    muuli123 Regular member

    Joined:
    Jan 13, 2007
    Messages:
    154
    Likes Received:
    0
    Trophy Points:
    26
    Hello pops4444

    Everything seems good :D Do you have any problems?

    Your java is old, please update it :)

    Please Update your Java and Remove old Java Versions

    [*] Download the latest version of Java Runtime Environment (JRE) 6u1. <== scroll down the list to find THIS entry
    [*] Click the "Download" button to the right.
    [*] Check the box that says: "Accept License Agreement".
    [*] The page will refresh.
    [*] Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

    Remove older Java Versions:

    [*] Close any programs you may have running - especially your web browser.
    [*] Go to Start >> Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    [*] Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    [*] Click the Remove or Change/Remove button.
    [*] Repeat as many times as necessary to remove each Java version.
    [*] Reboot your computer once all Java components are removed.

    Install latest Java Version:

    [*] From your desktop, double-click on jre-6-windows-i586.exe to install the newest version.
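The steps above are done by hand through Add/Remove Programs. As an added example (not part of the thread, and not a tool from Sun or Grisoft), the PowerShell script below reads the same Add/Remove Programs data from the registry, lists every Java Runtime Environment entry it finds, and flags the ones older than a minimum version you choose. It is read-only: it reports the uninstall command for each old entry but never runs it, so you can review before removing anything. The minimum version value is a placeholder assumption for this example; set it to whatever build you consider current.

```powershell
# Added example: audit installed Java runtimes via the Add/Remove Programs registry data.
# Read-only. The minimum version below is a placeholder chosen for this example.

$MinimumVersion = [version]'6.0.10'   # placeholder: the oldest build you consider acceptable

# Add/Remove Programs reads these keys; the WOW6432Node key only exists on 64-bit Windows.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledJava {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|J2SE|JRE' } |
        ForEach-Object {
            # DisplayVersion is not always filled in; fall back to a version found in the name.
            $verText = $_.DisplayVersion
            if (-not $verText -and $_.DisplayName -match '(\d+(\.\d+)+)') {
                $verText = $Matches[1]
            }
            $parsed = $null
            [void][version]::TryParse($verText, [ref]$parsed)
            [pscustomobject]@{
                Name            = $_.DisplayName
                Version         = $verText
                Outdated        = ($null -ne $parsed) -and ($parsed -lt $MinimumVersion)
                UninstallString = $_.UninstallString
            }
        }
}

$java = @(Get-InstalledJava)

if ($java.Count -eq 0) {
    Write-Host 'No Java Runtime Environment entries found in Add/Remove Programs.'
} else {
    $java | Format-Table Name, Version, Outdated -AutoSize

    $old = $java | Where-Object { $_.Outdated }
    if ($old) {
        Write-Host "`nEntries older than $MinimumVersion (remove these via Add/Remove Programs):"
        foreach ($entry in $old) {
            # Shown for review only; nothing is executed here.
            Write-Host ("  {0}`n    uninstall command: {1}" -f $entry.Name, $entry.UninstallString)
        }
    } else {
        Write-Host "`nNo Java entries older than $MinimumVersion."
    }
}
```

On the machine in this thread, the `jre1.5.0_10` paths in the HijackThis log suggest the script would list a 5.0 Update 10 runtime and flag it as outdated; whether the entry's version string parses cleanly depends on how that installer filled in DisplayVersion, which is why the script also falls back to a version number in the display name and prints the raw string either way.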
     
