Need Help Removing Spyware! (ATTN: Kemisti or anyone else?)

Puanani · Apr 27, 2006

[bold]Here's my dilemma:

My start page is stuck at http://www.theguardservices.com, and a little red/white box keeps popping up in the corner telling me my computer is infected with a virus and if I click it, downloads SpyFalcon. There is also a strange icon on my task bar.[/bold]

Here is my HjT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:04:08 PM, on 4/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\FilmLoop Player\FilmLoop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\KLQ #13\Local Settings\Temporary Internet Files\Content.IE5\SXUBQRG5\HijackThis_v1.99.1[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - C:\WINDOWS\system32\fccbb.dll
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINDOWS\system32\hpD56C.tmp
O2 - BHO: DosSpecFolder Object - {FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67} - C:\WINDOWS\system32\ddcda.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FilmLoop] "C:\Program Files\FilmLoop Player\FilmLoop.exe" -hide
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinFixer2006] "C:\Program Files\WinFixer_2006\uwfx6.exe" /scan
O4 - HKCU\..\Run: [OregonTrail.exe] C:\DOWNLO~1\OREGON~1.EXE /r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winfixer.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Seekmo/ie/bridge-c266.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/See...56f6d4055674:f4bea29dfa52efe895c6f4e45dbe2807
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: ddcda - C:\WINDOWS\system32\ddcda.dll
O20 - Winlogon Notify: fccbb - C:\WINDOWS\SYSTEM32\fccbb.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[bold]I downloaded SmitfraudFix and this the rapport file:[/bold]

SmitFraudFix v2.34

Scan done at 21:47:22.09, Tue 04/25/2006
Run from C:\Documents and Settings\KLQ #13\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\Program Files\Security Toolbar\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

[bold]PLEASE HELP![/bold]

JaPK · Apr 27, 2006

Hi Puanani.

You don't have a firewall on your computer. Download and install one firewall.

These are good (free) firewalls:
ZoneAlarm --> http://www.zonelabs.com
Kerio--> http://www.sunbelt-software.com/Kerio.cfm
Outpost-> http://www.agnitum.com

Ok, you got some infections....

Cleaning instructions:

Move HijackThis into its own folder C:\HJT

Download and install Ewido, UPDATE it, but do NOT run a scan yet. -> http://www.ewido.net/en/download/
We'll use this later.

You have the outdated version of smitfraudfix, remove the old version and download the latest one.

Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Unzip it (folder named SmitFraudFix) to your desktop:

Open the folder SmitfraudFix and doubleclick smitfraudfix.cmd
Choose option #1 - Search by typing 1 and pressing "Enter"; a textfile opens and lists the infected files (if those exist)

Save this textfile to your desktop.
(Some antiviruses recognises process.exe as a malware. It is not malware, it is a program that stops processes)

Go to Control Panel -> Add/Remove programs -> Remove BearShare, WinFixer 2006 if found

Download VundoFix.exe to your desktop -> http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on

Fix the following entries with HijackThis (run HijackThis, press "Do a system scan only", close all other windows, checkmark entries and press Fix checked):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.ya...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.ya...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.ya...
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [WinFixer2006] "C:\Program Files\WinFixer_2006\uwfx6.exe" /scan
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winfixer.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Seekmo/ie/bridge-c266.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Seekmo/ie/bridge-c9.cab?a766ad8e3...

.
Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html

Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml

Delete these folders (if found):
C:\Program Files\BearShare
C:\Program Files\WinFixer_2006

Empty the Recycle Bin

Scan and clean your computer with Ewido and save the log file.

Restart your computer normally.

Post the following logs to here and we'll continue the cleaning process:
-> a fresh HijackThis log
-> Ewido's log
-> SmitfraudFix log (the one that you saved to your desktop earlier)
-> contents of C:\vundofix.txt

Your computer is not clean yet!

Puanani · Apr 28, 2006

[bold]Thank you SO much for your time. Here are those logs:[/bold]

[bold]HjT Log:[/bold]
Logfile of HijackThis v1.99.1
Scan saved at 12:10:50 PM, on 4/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\FilmLoop Player\FilmLoop.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis_v1.99.1.exe

O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINDOWS\system32\hpC8F0.tmp (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FilmLoop] "C:\Program Files\FilmLoop Player\FilmLoop.exe" -hide
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[bold]Ewido Log:[/bold]
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:19:31 PM, 4/28/2006
+ Report-Checksum: F7DDC75C

+ Scan result:

HKLM\SOFTWARE\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\{4F5E5D72-C915-4f3b-908B-527D064B0FAA} -> Adware.SysProtect : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EF130E77-0A34-4365-BFB7-218FD3DDCD5F} -> Adware.SysProtect : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{02946FD1-2D99-46E6-A790-3A089714EDD9} -> Adware.SysProtect : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{7EACF70B-302F-4049-AC68-2D62EB43E473} -> Adware.SysProtect : Cleaned with backup
HKLM\SOFTWARE\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\SysProtect -> Adware.SysProtect : Cleaned with backup
HKU\S-1-5-21-1960408961-1708537768-1060284298-1004\Software\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1960408961-1708537768-1060284298-1004\Software\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1960408961-1708537768-1060284298-1004\Software\SysProtect -> Adware.SysProtect : Cleaned with backup
C:\Adobe Premiere Elements\Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@CA25DLOI.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@CA25H9CY.txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@CA3P1FH6.txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@CA3U8JV9.txt -> TrackingCookie.Centrport : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@CA45QX9U.txt -> TrackingCookie.Adtech : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@CA4XQ3SP.txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@CA85E6FN.txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@CAGPMR0H.txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@CAGWHTVQ.txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@CAHS071T.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@CAKP678T.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@CANTXFUM.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@CAOHUT70.txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@CAU3G56R.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@CAUD0TW0.txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@CAUNC9UR.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@CAWVFZ2W.txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@CAY7GX6J.txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [10].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [11].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [12].txt -> TrackingCookie.247realmedia : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [13].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [24].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [29].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [36].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [39].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [40].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [43].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [45].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [4].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [52].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [53].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [56].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [65].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [76].txt -> TrackingCookie.Clickbank : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [77].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [83].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [85].txt -> TrackingCookie.Bfast : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [87].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [88].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [94].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [95].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [98].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\KLQ #13\Cookies\klq #13@klq [9].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\KLQ #13\Desktop\MUSIQ\dl music\MSN Messenger 8 Plus.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temp\Cookies\klq #13@klq [15].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temp\Cookies\klq #13@klq [17].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temp\Cookies\klq #13@klq [18].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temp\Cookies\klq #13@klq [19].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temp\Cookies\klq #13@klq [1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temp\Cookies\klq #13@klq [20].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temp\Cookies\klq #13@klq [22].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temp\Cookies\klq #13@klq [25].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temp\Cookies\klq #13@klq [26].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temp\Cookies\klq #13@klq [27].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temp\Cookies\klq #13@klq [31].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temp\Cookies\klq #13@klq [32].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temp\Cookies\klq #13@klq [34].txt -> TrackingCookie.Bfast : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temp\Cookies\klq #13@klq [35].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temp\Cookies\klq #13@klq [39].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temp\Cookies\klq #13@klq [4].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temp\Cookies\klq #13@klq [7].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temp\Cookies\klq #13@klq [9].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temp\Temporary Directory 1 for Adobe Premiere Elements ver. 2.0 WinXP.zip\Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\KLQ #13\Local Settings\Temporary Internet Files\Content.IE5\EY79MLKD\gdnUS2218[1].exe -> Downloader.Small.ayl : Cleaned with backup
C:\Downloads\OregonTrail-dm[1].exe -> Adware.Trymedia : Cleaned with backup
C:\MSN Messenger 8 Plus\Setup.exe -> Worm.VB.an : Cleaned with backup
C:\My Downloads\The Print Shop 21 Deluxe.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Program Files\SysProtect -> Adware.SysProtect : Cleaned with backup
C:\Program Files\SysProtect\lock.dat -> Adware.SysProtect : Cleaned with backup
C:\The Print Shop 21 Deluxe\Setup.exe -> Worm.VB.an : Cleaned with backup
C:\WINDOWS\system32\atmclk.exe -> Downloader.Zlob.mk : Cleaned with backup
C:\WINDOWS\system32\byvvw.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\byxus.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\fccbb.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\fcyaw.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\nnnki.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\urqpp.dll -> Adware.Virtumonde : Cleaned with backup

::Report End

[bold]SmitFraudFix Log:[/bold]
SmitFraudFix v2.37

Scan done at 7:47:52.28, Fri 04/28/2006
Run from C:\Documents and Settings\KLQ #13\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\twain32.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\KLQ #13\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!! Attention, follow keys are not inevitably infected !!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"

[HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

[bold]VundoFix Log:[/bold]

VundoFix V4.2.72

Checking Java version...

Java version is 1.4.2.3

Scan started at 8:03:12 AM 4/28/2006

Listing files found while scanning....

C:\WINDOWS\system32\fccbb.dll
C:\WINDOWS\system32\ddcda.dll
C:\WINDOWS\system32\adcdd.ini
C:\WINDOWS\system32\adcdd.bak1
C:\WINDOWS\system32\adcdd.bak2

C:\WINDOWS\system32\adcdd.bak1
C:\WINDOWS\system32\adcdd.bak2
C:\WINDOWS\system32\adcdd.ini
C:\WINDOWS\system32\ddcda.dll
C:\WINDOWS\system32\xaccf.bak1
C:\WINDOWS\system32\xaccf.bak2
C:\WINDOWS\system32\xaccf.tmp
C:\WINDOWS\system32\xaccf.ini
C:\WINDOWS\system32\xaccf.ini2
C:\WINDOWS\system32\xaccf.ini2
C:\WINDOWS\system32\xaccf.bak2
C:\WINDOWS\system32\xaccf.tmp
C:\WINDOWS\system32\xaccf.ini
C:\WINDOWS\system32\xaccf.ini2
Attempting to delete C:\WINDOWS\system32\fccbb.dll
C:\WINDOWS\system32\fccbb.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ddcda.dll
C:\WINDOWS\system32\ddcda.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\adcdd.ini
C:\WINDOWS\system32\adcdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\adcdd.bak1
C:\WINDOWS\system32\adcdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\adcdd.bak2
C:\WINDOWS\system32\adcdd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xaccf.bak1
C:\WINDOWS\system32\xaccf.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xaccf.bak2
C:\WINDOWS\system32\xaccf.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xaccf.tmp
C:\WINDOWS\system32\xaccf.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\xaccf.ini
C:\WINDOWS\system32\xaccf.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\xaccf.ini2
C:\WINDOWS\system32\xaccf.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

[bold]Hopefully that looks better? Also, I can't ever see flash sites or download Macromedia Flash - do you know why? Thanks again![/bold]

JaPK · Apr 28, 2006

Ok almost clean and sorry for the delay, I've been busy....

Cleaning instructions:

Restart your computer to the safemode and choose your normal user account. -> http://www.pchell.com/support/safemode.shtml

When in safemode, open SmitfraudFix folder and doubleclick the file smitfraudfix.cmd
Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
A textfile will appear after the cleaning process, copy this file and paste it to here.
Tha log is saved to your local diskdrive, usually C:\rapport.txt.

Warning : Running option 2 in a clean computer will delete your desktop wallpaper.

Post a new HijackThis log and the contents of C:\rapport.txt. to here.

Puanani · Apr 29, 2006

[bold]No problem, I appreciate your help - the box in the corner doesn't appear anymore and we've gotten rid of www.theguardservices.com as a start page. Thank you so much!

Here's the HjT Log:[/bold]
Logfile of HijackThis v1.99.1
Scan saved at 7:58:49 AM, on 4/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\HJT\HijackThis_v1.99.1.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[bold]Here's the SmitFraudFix Log (rapport.txt):[/bold]

FraudFix v2.37

Scan done at 7:44:39.03, Sat 04/29/2006
Run from C:\Documents and Settings\KLQ #13\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

JaPK · Apr 29, 2006

Ok you're looking clean but just to be sure, do this:

Open the folder SmitfraudFix and doubleclick smitfraudfix.cmd
Choose option #1 - Search by typing 1 and pressing "Enter"; a textfile opens and lists the infected files (if those exist)

Post the contents of this textfile to here.

Then you should update your Java: (the trojan.vundo that you had spreads through a vulnerability in older java versions)

1. Click Start-> Control panel and double-click Java icon (coffee cup)
2. Move to Update tab and update Java by clicking "Update Now". After that do a restart.
3. If you can't make automatic update, get new version manually from here -> http://www.java.com/en/download/manual.jsp
4. After restart go back to your Java settings thru control panel (Start->control panel->java).
5. Select Temporary Internet Files and click Delete Files.
6. Make sure that all these three are checked:

Downloaded Applets
Downloaded Applications
Other files

7. Click ok in Delete Temporary Internet Files window (Attention: This removes all loaded applications and applets from cache)
8. Click ok to close Java window.

Puanani · Apr 30, 2006

Here's my SmitFraudFix log:

SmitFraudFix v2.37

Scan done at 8:05:08.06, Sun 04/30/2006
Run from C:\Documents and Settings\KLQ #13\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\KLQ #13\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!! Attention, follow keys are not inevitably infected !!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

And I'll work on the Java thing now...do you think that will enable me to see flash sites?

Thanks again!!

JaPK · Apr 30, 2006

Ok you're clean now =)

From where have you tried to download flash player? From here ? -> http://www.macromedia.com/downloads/

Puanani · Apr 30, 2006

Yes, and nothing pops up to run the download. Does it tell you anything in any of those logs why it wouldn't download??

Thanks for all your help again..I really appreciate it!!

JaPK · Apr 30, 2006

Ok, are you getting some Internet Explorer security warning? Like this one -> http://www.adobe.com/shockwave/download/images/gold_bar.gif

And you could try to download from here too -> http://www.adobe.com/downloads/

Puanani · May 1, 2006

No, the gold bar doesn't even pop up. Where it should be loading, it shows as an image box with the red x in the top left corner. Nothing pops up at all.

JaPK · May 1, 2006

Ok, check this troubleshooting guide -> http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_19166

Puanani · May 1, 2006

I'll try that.

Thanks again for everything!

JaPK · May 1, 2006

Ok you're welcome =)

Tell me if it still doesn't work....

Log in or Sign up

Need Help Removing Spyware! (ATTN: Kemisti or anyone else?)

Puanani Member

JaPK Regular member

Puanani Member

JaPK Regular member

Puanani Member

JaPK Regular member

Puanani Member

JaPK Regular member

Puanani Member

JaPK Regular member

Puanani Member

JaPK Regular member

Puanani Member

JaPK Regular member

Share This Page

Log in or Sign up

Need Help Removing Spyware! (ATTN: Kemisti or anyone else?)

Puanani Member

JaPK Regular member

Puanani Member

JaPK Regular member

Puanani Member

JaPK Regular member

Puanani Member

JaPK Regular member

Puanani Member

JaPK Regular member

Puanani Member

JaPK Regular member

Puanani Member

JaPK Regular member

Share This Page

Useful Searches