
TOPSECURITYSITE.NET??

Discussion in 'Windows - Virus and spyware problems' started by NatashaK, Jun 10, 2006.

  1. blondman (Member, joined Jun 17, 2006)

    Hello again, I've had some headaches!!!! My computer is now crashing so often I barely managed to post this! Thank you so much to everyone who's trying to help, it is so much appreciated!!!!!
     
  2. searay185 (Member, joined Jun 16, 2006)

    Okay, so here are the logs you wanted me to post (this is after I ran all the clean-ups and such)...

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 9:07:49 PM, 6/17/2006
    + Report-Checksum: 5FB4692

    + Scan result:

    HKLM\SOFTWARE\Classes\YSBactivex.Installer.1 -> Adware.YourSiteBar : Cleaned with backup
    :mozilla.9:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\goc50ow8.Default User\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
    :mozilla.21:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\goc50ow8.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.23:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\goc50ow8.Default User\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.24:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\goc50ow8.Default User\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.26:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\goc50ow8.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.27:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\goc50ow8.Default User\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.30:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Kmpads : Cleaned with backup
    :mozilla.31:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Kmpads : Cleaned with backup
    :mozilla.32:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Kmpads : Cleaned with backup
    :mozilla.33:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.34:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.35:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.36:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.37:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.38:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.39:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.40:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.41:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.42:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.43:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.44:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.45:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.46:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.47:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.48:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Realcastmedia : Cleaned with backup
    :mozilla.49:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Realcastmedia : Cleaned with backup
    :mozilla.50:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.51:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.52:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.53:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.54:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.55:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.56:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.57:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.58:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.59:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.60:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.61:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.62:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Realcastmedia : Cleaned with backup
    :mozilla.63:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.64:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.65:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.66:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.69:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.70:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.71:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.72:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.73:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.74:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.75:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.76:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.77:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.78:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.79:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.80:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.81:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.82:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.83:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.84:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.85:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
    :mozilla.86:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
    :mozilla.87:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.93:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.94:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.95:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.96:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.97:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.98:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.99:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.100:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
    :mozilla.102:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Paycounter : Cleaned with backup
    :mozilla.103:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Masterstats : Cleaned with backup
    :mozilla.109:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.110:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.111:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\lmt436o4.Pat\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.14:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.15:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.16:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.30:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.31:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.32:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.35:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.36:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.37:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.38:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.39:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.48:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.49:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.50:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.51:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.52:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.53:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.54:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.55:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.56:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.57:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.58:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.66:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.67:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.68:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.69:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.72:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.73:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.74:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.75:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.76:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.77:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.78:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.79:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.83:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.91:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
    :mozilla.107:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
    :mozilla.108:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
    :mozilla.126:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
    :mozilla.127:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.128:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.129:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.130:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.131:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.132:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.133:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.153:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.167:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
    :mozilla.171:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup
    :mozilla.188:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.189:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.190:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.193:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.194:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.195:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.198:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.199:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.203:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.204:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.205:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.206:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.208:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.209:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.210:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.211:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.212:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.213:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.214:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.215:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.216:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.234:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
    :mozilla.235:C:\Documents and Settings\Sleasman Family\Application Data\Mozilla\Firefox\Profiles\ptynz08i.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
    C:\HJT\backups\backup-20060617-200551-230.dll -> Adware.WinAD : Cleaned with backup
    C:\HJT\backups\backup-20060617-200552-918.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
    C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\YSBactivex.dll -> Downloader.IstBar.fa : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\update.exe -> Dropper.Small.adh : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\WinAdServX.dll -> Adware.WinAD : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\YSBactivex.dll -> Downloader.IstBar.gz : Cleaned with backup
    C:\WINDOWS\mtuninst.exe -> Adware.MediaTickets : Cleaned with backup
    C:\WINDOWS\system32\sqgacaaa.exe -> Dropper.Agent.ns : Cleaned with backup


    ::Report End

    _________________________________________________________________


    Logfile of HijackThis v1.99.1
    Scan saved at 9:10:56 PM, on 6/17/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    C:\Program Files\ewido\ewidoctrl.exe
    C:\Program Files\ewido\ewidoguard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\System32\SK9910DM.EXE
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\HJT\HijackThis_v1.99.1.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [PowerPlus] "C:\Program Files\AIM PowerPlus\AIMP.exe"
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146056136561
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146056328280
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    _______________________________________________


    SmitFraudFix v2.61

    Scan done at 20:33:54.07, Sat 06/17/2006
    Run from D:\Pat's Stuff\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{0656A137-B161-CADD-9777-E37A75727E78}"="OLE Module"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{5aaf6542-f4ba-4df4-873d-4902ecbe794c}"="antitragus"

    [HKEY_CLASSES_ROOT\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
    @="C:\WINDOWS\System32\asxbbx.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
    @="C:\WINDOWS\System32\asxbbx.dll"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{9ae613a2-a13b-4379-8d0e-86a1a78476ec}"="corindon"

    [HKEY_CLASSES_ROOT\CLSID\{9ae613a2-a13b-4379-8d0e-86a1a78476ec}\InProcServer32]
    @="C:\WINDOWS\System32\rmzdzx.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{9ae613a2-a13b-4379-8d0e-86a1a78476ec}\InProcServer32]
    @="C:\WINDOWS\System32\rmzdzx.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\ms1.exe Deleted
    C:\WINDOWS\tool1.exe Deleted
    C:\WINDOWS\tool2.exe Deleted
    C:\WINDOWS\tool3.exe Deleted
    C:\WINDOWS\system32\atmclk.exe Deleted
    C:\WINDOWS\system32\dcomcfg.exe Deleted
    C:\WINDOWS\system32\hp???.tmp Deleted
    C:\WINDOWS\system32\ld????.tmp Deleted
    C:\WINDOWS\system32\ot.ico Deleted
    C:\WINDOWS\system32\simpole.tlb Deleted
    C:\WINDOWS\system32\stdole3.tlb Deleted
    C:\WINDOWS\system32\ts.ico Deleted
    C:\WINDOWS\system32\1024\ Deleted
    C:\DOCUME~1\SLEASM~1\FAVORI~1\Antivirus Test Online.url Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINDOWS\System32\asxbbx.dll -> Missing File

    C:\WINDOWS\System32\rmzdzx.dll -> Missing File


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{0656A137-B161-CADD-9777-E37A75727E78}"="OLE Module"



    »»»»»»»»»»»»»»»»»»»»»»»» End

     
  3. JaPK

    JaPK Regular member

    @kaleed

    OK almost clean.

    Install a firewall.

    Move HijackThis into its own folder C:\HJT

    Open Notepad
    -> copy the following lines into a new document:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{a2cd90b5-e5a2-4aac-a504-c964a6d499df}"=-

    [-HKEY_CLASSES_ROOT\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]

    [-HKEY_CURRENT_USER\Software\Classes\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]

    Save the document to your desktop as Fix.reg and filetype: All Files
    Go to your desktop and run the file Fix.reg and answer yes to any questions.

    Fix this entry with HijackThis:
    O2 - BHO: (no name) - {9D177C4E-765C-4DCC-8241-7E83DF6CAABB} - C:\WINDOWS\system32\awtst.dll (file missing)

    * Double-click VundoFix.exe to run it.
    * Put a check next to Run VundoFix as a task.
    * You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once the scan is ready, right-click the list box (white box that lists the found files) and choose Add more files
    * Copy/Paste the following two lines to the upper field:

    C:\WINDOWS\SYSTEM32\efcbaww.dll
    C:\WINDOWS\system32\wwabcfe.*

    * Click Add Files and click Close Window
    * Click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will shutdown your computer, click OK.
    * Turn your computer back on

    Open the folder SmitfraudFix and double-click smitfraudfix.cmd
    Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if those exist)

    Post the contents of this text file to here.

    Post a new HijackThis log and the contents of C:\vundofix.txt and the smitfraudfix log.

    ---------------------------------------------------------------------------------------------------------------

    @blondman

    You don't have a firewall on your computer. Download and install a firewall.

    These are good (free) firewalls:
    ZoneAlarm --> http://www.zonelabs.com
    Kerio--> http://www.sunbelt-software.com/Kerio.cfm
    Outpost-> http://www.agnitum.com

    Ok, you got some infections on your computer....

    Cleaning instructions:

    Download and install Ewido anti-malware -> http://www.ewido.net/en/download
    Update it, but do NOT run a scan yet. We'll use it later.

    Go to Control Panel -> Add/Remove programs -> Remove PuritySCAN By OIN, OuterInfo, OIN if found

    If you can't find PuritySCAN By OIN, OuterInfo, OIN from the list, download this uninstaller -> http://www.outerinfo.com/OiUninstaller.exe
    Run the uninstaller, instructions here if needed -> http://www.outerinfo.com/howto.html

    Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

    O4 - HKLM\..\RunServices: [CMD] cmd32.exe

    Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
    Restart your computer into safe mode -> http://www.pchell.com/support/safemode.shtml

    Use the Windows "search" function
    -> Start
    -> Search
    -> All files and folders
    -> More advanced options

    Checkmark these options:
    - "Search system folders"
    - "Search hidden files and folders"
    - "Search subfolders"

    ->Search for this and delete if found: cmd32.exe

    Delete this folder if found:
    C:\Program Files\PurityScan

    When in safe mode, open the SmitfraudFix folder and double-click the file smitfraudfix.cmd
    Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

    You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

    The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

    The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
    A text file will appear after the cleaning process; copy this file and paste it to here.

    The log is saved to your local disk drive, usually C:\rapport.txt.

    Warning: Running option 2 on a clean computer will delete your desktop wallpaper.

    Scan and clean your computer with Ewido and save the report.

    Clean the Recycle bin and make your hidden files visible again.

    Post the following logs to here:
    -> a fresh HijackThis log
    -> Ewido's log
    -> contents of C:\Rapport.txt

    ---------------------------------------------------------------------------------------------------------------

    @searay185

    Not clean yet...

    Open Notepad
    -> copy the following lines into a new document:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{0656A137-B161-CADD-9777-E37A75727E78}"=-

    Save the document to your desktop as Fix.reg and filetype: All Files
    Go to your desktop and run the file Fix.reg and answer yes to any questions.

    Run a scan with Panda Active Scan -> http://www.pandasoftware.com/products/ActiveScan.htm
    When it is ready, post its log to here.

    Download and run a scan with -> http://www.bleepingcomputer.com/files/winpfind.php
    Post its log to here.

    Post also a new HijackThis log to here.

    ---------------------------------------------------------------------------------------------------------------

    @Lowe017

    Please post a HijackThis log to here and we'll get you cleaned.

    Instructions for HjT posting -> http://forums.afterdawn.com/thread_view.cfm/263784
    (steps 3-5)
     
    Last edited: Jun 17, 2006
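JaPK's REGEDIT4 fixes above do two things by hand: delete the SharedTaskScheduler value that SrchSTS reported, and, where SrchSTS also listed them, delete the CLSID's InProcServer32 keys under HKEY_CLASSES_ROOT and HKEY_CURRENT_USER that map the CLSID to its DLL. The script below is an added example, not part of SmitFraudFix, SrchSTS, HijackThis or this thread: it parses the SrchSTS block of a SmitFraudFix report and writes that same removal file. The allowlist of the two SharedTaskScheduler entries a stock Windows XP install carries is mine, and the sample report is constructed from the SrchSTS block in searay185's log above plus one constructed stock XP line (Browseui preloader) to show the allowlist at work.

```python
"""Build a REGEDIT4 removal file from SrchSTS output.

Added example for this thread; it is not part of SmitFraudFix, SrchSTS or
HijackThis (the helper above writes the equivalent file by hand).  It reads
the "[key]" / value lines SrchSTS prints, keeps the SharedTaskScheduler CLSIDs
that a stock Windows XP install does not carry, and emits the stanzas JaPK
uses: a value deletion ("{clsid}"=-) plus one key deletion ([-key]) for each
InProcServer32 key SrchSTS reported for that CLSID.
"""
import re

# The two SharedTaskScheduler values that ship with Windows XP.  SrchSTS itself
# warns that the keys it lists are "not inevitably infected"; this allowlist is
# what separates the stock entries from the ones worth removing.
KNOWN_GOOD_STS = {
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}",  # Browseui preloader
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}",  # Component Categories cache daemon
}

STS_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\SharedTaskScheduler")

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<clsid>\{[0-9A-Fa-f-]{36}\})"="(?P<name>[^"]*)"$')
_DEFAULT_RE = re.compile(r'^@="(?P<path>[^"]*)"$')
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Constructed sample: the SrchSTS block from the SmitFraudFix log posted in this
# thread, plus one stock XP entry (constructed) so the allowlist has work to do.
SAMPLE_REPORT = r"""
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0656A137-B161-CADD-9777-E37A75727E78}"="OLE Module"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5aaf6542-f4ba-4df4-873d-4902ecbe794c}"="antitragus"

[HKEY_CLASSES_ROOT\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\System32\asxbbx.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\System32\asxbbx.dll"
"""


def _new_entry(clsid):
    return {"clsid": clsid, "name": "", "servers": [], "dll": None}


def parse_srchsts(report):
    """Map lower-cased CLSID -> {clsid, name, servers, dll} from SrchSTS text."""
    found, current_key = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        if current_key is None:
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current_key.upper() == STS_KEY.upper():
            # "{clsid}"="name" under the SharedTaskScheduler key itself
            clsid = value_match.group("clsid")
            entry = found.setdefault(clsid.lower(), _new_entry(clsid))
            entry["name"] = value_match.group("name")
            continue
        default_match = _DEFAULT_RE.match(line)
        if default_match and current_key.upper().endswith("\\INPROCSERVER32"):
            # @="path" under ...\CLSID\{clsid}\InProcServer32: the DLL that CLSID loads
            clsid_match = _CLSID_RE.search(current_key)
            if clsid_match:
                clsid = clsid_match.group(0)
                entry = found.setdefault(clsid.lower(), _new_entry(clsid))
                entry["servers"].append(current_key)
                entry["dll"] = default_match.group("path")
    return found


def suspicious(found):
    """Drop the SharedTaskScheduler entries a clean Windows XP install carries."""
    good = {g.lower() for g in KNOWN_GOOD_STS}
    return {clsid: entry for clsid, entry in found.items() if clsid not in good}


def build_fix_reg(entries):
    """Emit REGEDIT4 text: '"name"=-' deletes a value, '[-key]' deletes a key."""
    lines = ["REGEDIT4", ""]
    for entry in entries.values():
        lines += [f"[{STS_KEY}]", f'"{entry["clsid"]}"=-', ""]
        for server in entry["servers"]:
            lines += [f"[-{server}]", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    to_remove = suspicious(parse_srchsts(SAMPLE_REPORT))
    for entry in to_remove.values():
        print(f"{entry['clsid']}  {entry['name']!r}  dll={entry['dll']}")
    print(build_fix_reg(to_remove))
```

Run on the sample, the script keeps the "OLE Module" and "antitragus" CLSIDs, drops the Browseui preloader, and prints a file with two value deletions and the two `[-...]` key deletions for `asxbbx.dll`, which is the shape of the Fix.reg JaPK gives searay185 and blondman. The review SrchSTS asks for still applies: the allowlist only removes the two stock entries, so anything else it prints should be checked against the DLL path before the file is merged.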
  4. blondman

    blondman Member

    Logfile of HijackThis v1.99.1
    Scan saved at 10:17:22, on 18/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\Program Files\Telstra\Cable Login\bpcable.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis.exe

    O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\RunServices: [CMD] cmd32.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://D:\components\hidinputmonitorx.ocx
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://D:\components\A9.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121950186655
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134821759874
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\lsass.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
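JaPK's instructions above single out the `RunServices` cmd32.exe entry, and the log just posted also carries an `O2` BHO marked `(file missing)` and an `O20 AppInit_DLLs` entry, a value that is empty on a clean system. The script below is an added example, not part of HijackThis or of this thread: the triage rules are mine and encode the same reasoning the helper applies by eye to O2, O4, O20 and O23 lines, so a log can be screened before it is posted. The sample log is constructed from lines in this thread.

```python
"""Triage a HijackThis log for the entry types the helper in this thread acts on.

Added example; it is not part of HijackThis and the rules are mine, written
from the entries JaPK tells blondman to fix.  Each finding is a dict with a
severity, the offending line and the reason, so the output can be pasted
into a reply.  The sample log is constructed from lines posted in this thread.
"""
import re

_ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
# O4 lines of the form  HKLM\..\RunServices: [CMD] cmd32.exe
_O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {9D177C4E-765C-4DCC-8241-7E83DF6CAABB} - C:\WINDOWS\system32\awtst.dll (file missing)
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [CMD] cmd32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O20 - AppInit_DLLs: C:\WINDOWS\system32\lsass.dll
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def _first_token(cmd):
    """Return the program an O4 command line starts, honouring quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _finding(severity, line, why):
    return {"severity": severity, "line": line, "why": why}


def triage(log_text):
    """Return the list of findings for the O2/O4/O20/O23 lines in log_text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = _ENTRY_RE.match(line)
        if not entry:
            continue
        section, body = entry.group("section"), entry.group("body")
        if section == "O2" and "(file missing)" in body:
            findings.append(_finding("high", line,
                "BHO registration points at a DLL that is no longer on disk; "
                "the registration is left over from an infection and is safe to fix"))
        elif section == "O4":
            run = _O4_RE.match(body)
            if not run:
                continue  # Global Startup and other O4 shapes are not handled here
            target = _first_token(run.group("cmd"))
            if run.group("key") == "RunServices":
                findings.append(_finding("high", line,
                    "RunServices is a Windows 9x-era key that legitimate XP "
                    "software does not use; an entry here is a malware artifact"))
            elif "\\" not in target:
                findings.append(_finding("review", line,
                    f"{target} is started by bare name with no path; confirm "
                    "which file on the PATH that resolves to"))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append(_finding("high", line,
                "every DLL named in AppInit_DLLs is loaded into every process "
                "that loads user32.dll; the value is empty on a clean XP system"))
        elif section == "O23" and " - Unknown owner - " in body:
            findings.append(_finding("review", line,
                "service binary carries no publisher information; check that "
                "the path belongs to software you installed"))
    return findings


def by_severity(findings):
    """Count findings per severity, e.g. {'high': 3, 'review': 3}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['line']}\n         {f['why']}")
```

On the sample the three "high" findings are exactly the lines the helper would fix (the dangling BHO, the RunServices loader and the AppInit_DLLs entry); the "review" findings are the bare-name Run entries and the service without a publisher, which this log shows can be perfectly legitimate, so they are reported as things to confirm rather than things to remove.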

     
  5. blondman

    blondman Member

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 21:51:44, 18/06/2006
    + Report-Checksum: F92C31B3

    + Scan result:

    [228] C:\WINDOWS\system32\lsass.dll -> Adware.PurityScan : Cleaned without backup
    [276] C:\WINDOWS\system32\lsass.dll -> Adware.PurityScan : Error during cleaning
    [288] C:\WINDOWS\system32\lsass.dll -> Adware.PurityScan : Error during cleaning
    [452] C:\WINDOWS\system32\lsass.dll -> Adware.PurityScan : Error during cleaning
    [520] C:\WINDOWS\system32\lsass.dll -> Adware.PurityScan : Error during cleaning
    [572] C:\WINDOWS\system32\lsass.dll -> Adware.PurityScan : Error during cleaning
    [956] C:\WINDOWS\system32\lsass.dll -> Adware.PurityScan : Error during cleaning
    C:\Documents and Settings\User\Cookies\user@2o7[2].txt -> TrackingCookie.2o7 : Cleaned without backup
    C:\Documents and Settings\User\Cookies\user@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
    C:\Documents and Settings\User\Cookies\user@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
    C:\Documents and Settings\User\Cookies\user@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned without backup
    C:\My Shared Folder\Nero 5.5.9.14 Full + All Plugins Updates + Serial Keygen.exe -> Worm.Steph : Cleaned without backup
    C:\My Shared Folder\Nero Burning ROM crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\My Shared Folder\psp movie creator keygen.exe -> Dropper.Agent.xd : Cleaned without backup
    C:\My Shared Folder\QuickTime.Player.Pro.v7.0.Final.Crack-Keygen.WinAll.zip/dbc-crack.exe -> Adware.Visua : Cleaned without backup
    C:\WINDOWS\system32\lsass.dll -> Adware.PurityScan : Cleaned without backup
    C:\WINDOWS\system32\opnkhhe.dll -> Adware.Virtumonde : Cleaned without backup
    C:\WINDOWS\Temp\WSu.exe -> Adware.PurityScan : Cleaned without backup
    C:\WINDOWS\User32\ACDSee 5.5.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Ad-aware 6.5.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Age of Empires 2 crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Animated Screen 7.0b.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Anno 1503_crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\AOL Instant Messenger.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\AquaNox2 Crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Audiograbber 2.05.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\BabeFest 2003 ScreenSaver 1.5.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Babylon 3.50b reg_crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Battlefield1942_bloodpatch.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Battlefield1942_keygen.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Business Card Designer Plus 7.9.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\C&C Generals_crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\C&C Renegade_crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Clone CD 5.0.0.3 (crack).exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Clone CD 5.0.0.3.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Coffee Cup Free HTML 7.0b.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Cool Edit Pro v2.55.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Diablo 2 Crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\DirectDVD 5.0.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\DirectX Buster (all versions).exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\DirectX InfoTool.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\DivX Video Bundle 6.5.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Download Accelerator Plus 6.1.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\DVD Copy Plus v5.0.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\DVD Region-Free 2.3.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\FIFA2003 crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Final Fantasy VII XP Patch 1.5.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Flash MX crack (trial).exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\FlashGet 1.5.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\FreeRAM XP Pro 1.9.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\GetRight 5.0a.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Global DiVX Player 3.0.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Gothic 2 licence.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\GTA 3 Crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\GTA 3 patch (no cd).exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Guitar Chords Library 5.5.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Hitman_2_no_cd_crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Hot Babes XXX Screen Saver.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\ICQ Lite (new).exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\ICQ Pro 2003a.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\ICQ Pro 2003b (new beta).exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\iMesh 3.6.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\iMesh 3.7b (beta).exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\IrfanView 4.5.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\KaZaA Hack 2.5.0.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\KaZaA Lite (New).exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\KaZaA Speedup 3.6.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Links 2003 Golf game (crack).exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Living Waterfalls 1.3.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Mafia_crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Matrix Screensaver 1.5.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\MediaPlayer Update.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\mIRC 6.40.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\mp3Trim PRO 2.5.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\MSN Messenger 5.2.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\NBA2003_crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Need 4 Speed crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Nero Burning ROM crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Netfast 1.8.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Network Cable e ADSL Speed 2.0.5.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Neverwinter_Nights_licence.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\NHL 2003 crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Nimo CodecPack (new) 8.0.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\PalTalk 5.01b.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Pop-Up Stopper 3.5.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Popup Defender 6.5.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\QuickTime_Pro_Crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Serials 2003 v.8.0 Full.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\SmartFTP 2.0.0.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\SmartRipper v2.7.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Space Invaders 1978.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Splinter_Cell_Crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Steinberg_WaveLab_5_crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Trillian 0.85 (free).exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\TweakAll 3.8.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Unreal2_bloodpatch.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Unreal2_crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\UT2003_bloodpatch.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\UT2003_keygen.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\UT2003_no cd (crack).exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\UT2003_patch.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\WarCraft_3_crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Winamp 3.8.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\WindowBlinds 4.0.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\WinOnCD 4 PE_crack.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\WinZip 9.0b.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Yahoo Messenger 6.0.exe -> Worm.Tanked.14 : Cleaned without backup
    C:\WINDOWS\User32\Zelda Classic 2.00.exe -> Worm.Tanked.14 : Cleaned without backup


    ::Report End
     
  6. blondman

    blondman Member

    SmitFraudFix v2.61

    Scan done at 19:49:04.70, Sun 18/06/2006
    Run from C:\Documents and Settings\User\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{a2cd90b5-e5a2-4aac-a504-c964a6d499df}"="distractible"

    [HKEY_CLASSES_ROOT\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
    @="C:\WINDOWS\system32\yvvdj.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
    @="C:\WINDOWS\system32\yvvdj.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINDOWS\system32\yvvdj.dll -> Missing File


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{a2cd90b5-e5a2-4aac-a504-c964a6d499df}"="distractible"

    [HKEY_CLASSES_ROOT\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
    @="C:\WINDOWS\system32\yvvdj.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
    @="C:\WINDOWS\system32\yvvdj.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» End

     
  7. blondman

    blondman Member

    Hi, I've followed the cleaning instructions, thanks. When I open Internet Explorer it usually closes almost immediately or displays an error, 'Internet Explorer has encountered a problem and needs to close', etc. Thank you for helping me, I'm looking forward to conquering this infection(s)!!!!!! Cheers!
     
  8. Torpedo12

    Torpedo12 Member

    From Torpedo12, thanks.

    ------------------hijackthis-----------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 下午 08:31:31, on 2006/6/18
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Inventec\Dreye\DreyeMT\msnplugin.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\TEXTware\BOOKcase40\BC40CASE.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINNT\System32\wuauclt.exe
    C:\WINNT\System32\wuauclt.exe
    H:\hijackthis\HijackThis.exe

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINNT\Downloaded Program Files\CONFLICT.1\lexbar.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - C:\Program Files\Inventec\Dreye\DreyeMT\DreyeIEBar.dll
    O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINNT\Downloaded Program Files\CONFLICT.1\lexbar.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [MSNDreyePlugin] C:\Program Files\Inventec\Dreye\DreyeMT\msnplugin.exe /h
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
    O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall 線上掃毒) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {1F831FA0-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday 控制) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {AE563721-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview 控制) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: wingba32 - C:\WINNT\SYSTEM32\wingba32.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    ---------------------------------------------------------
    ewido anti-malware - 扫描记录
    ---------------------------------------------------------

    + 创建于: 下午 08:17:24, 2006/6/18

    ----------------------rapport.txt------------------------
    SmitFraudFix v2.61

    Scan done at 20:26:41.21, 2006/06/18 星期日
    Run from C:\Documents and Settings\郭青庭\桌面\1\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [版本 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{aea3d2df-2b2c-4d7b-81a0-d975c6dc088e}"="alongshore"

    [HKEY_CLASSES_ROOT\CLSID\{aea3d2df-2b2c-4d7b-81a0-d975c6dc088e}\InProcServer32]
    @="C:\WINNT\System32\yhbdupd.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{aea3d2df-2b2c-4d7b-81a0-d975c6dc088e}\InProcServer32]
    @="C:\WINNT\System32\yhbdupd.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINNT\.protected Deleted
    C:\WINNT\system32\atmclk.exe Deleted
    C:\WINNT\system32\dcomcfg.exe Deleted
    C:\WINNT\system32\hp???.tmp Deleted
    C:\WINNT\system32\ld????.tmp Deleted
    C:\WINNT\system32\ot.ico Deleted
    C:\WINNT\system32\regperf.exe Deleted
    C:\WINNT\system32\simpole.tlb Deleted
    C:\WINNT\system32\stdole3.tlb Deleted
    C:\WINNT\system32\ts.ico Deleted
    C:\WINNT\system32\yhbdupd.dll Deleted
    C:\WINNT\system32\1024\ Deleted
    C:\DOCUME~1\郭青庭\桌面\Remove Spyware.url Deleted
    C:\DOCUME~1\ALLUSE~1\桌面\Online Security Guide.url Deleted
    C:\DOCUME~1\郭青庭\FAVORI~1\Antivirus Test Online.url Deleted
    C:\Program Files\SpywareQuake.com\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINNT\System32\yhbdupd.dll -> Missing File


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End



     
  9. JaPK

    JaPK Regular member

    Hi blondman, not clean yet.

    Install a firewall.

    Open Notepad
    -> copy the following lines into a new document:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{a2cd90b5-e5a2-4aac-a504-c964a6d499df}"=-

    [-HKEY_CLASSES_ROOT\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]

    [-HKEY_CURRENT_USER\Software\Classes\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]

    Save the document to your desktop as Fix.reg with file type: All Files
    Go to your desktop and run the file Fix.reg and answer yes to any questions.

    Download VundoFix.exe to your desktop -> http://www.atribune.org/ccount/click.php?id=4

    * Double-click VundoFix.exe to run it.
    * Put a check next to Run VundoFix as a task.
    * You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once the scan is ready, right-click the list box (the white box that lists the found files) and choose Add more files
    * Copy/Paste the following two lines to the upper field:

    C:\WINDOWS\system32\opnkhhe.dll
    C:\WINDOWS\system32\ehhknpo.*

    * Click Add Files and click Close Window
    * Click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will shutdown your computer, click OK.
    * Turn your computer back on

    Make your hidden files visible.

    Use the Windows "search" function
    -> Start
    -> Search
    -> All files and folders
    -> More advanced options

    Checkmark these options:
    - "Search system folders"
    - "Search hidden files and folders"
    - "Search subfolders"

    ->Search for this: cmd32.exe
    Post its location to here.

    Delete this folder if found:
    C:\WINDOWS\User32

    Open the folder SmitfraudFix and double-click smitfraudfix.cmd
    Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist)

    Post the contents of this text file to here.

    Post a new HijackThis log and the contents of C:\vundofix.txt and the location of cmd32.exe

    ------------------------------------------------------

    @Torpedo12

    Ok better, but we'll have to use a stronger tool....

    1. Download Avenger -> http://swandog46.geekstogo.com/avenger.zip and unzip it to desktop
    2. Copy all the text in the quote box below to Notepad (starting from Files to delete:)
    Notice: This script is for this user. If you aren't that user, DON'T follow these instructions, because they might harm your system.

    3. Now, open The Avenger
    -> Under "Script file to execute", select "Input Script Manually".
    -> Now click the magnifying glass, which opens a new window "View/edit script".
    -> Paste the text you earlier copied to Notepad here.
    -> Click Done.
    -> Now click the green light in order to start the script.
    -> Click "Yes".

    4. Avenger will do the following
    -> Reboot your computer.
    -> While booting, it will open a DOS prompt; that's normal.
    -> After the reboot it will create a logfile which should open. This log is in C:\avenger.txt
    -> Avenger has created a backup here -> C:\avenger\backup.zip.

    5. Copy/paste the contents of avenger.txt along with a fresh HjT log.
     
    Last edited: Jun 18, 2006
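As an added example (not code from the thread or from any of the tools named in it), a small Python triage pass over HijackThis O-lines of the kind posted above. It flags the entry types the helpers keep targeting (unknown Winlogon Notify packages, AppInit_DLLs, nameless BHOs, Run entries with bare names or executables dropped into the Program Files root, DPF controls fetched from a raw IP, services with no owner and a missing binary) and derives the reversed-stem companion files that Vundo leaves beside its DLL, which is why VundoFix is fed both the DLL and "<reversed>.*". The Winlogon Notify allow-list and the sample log are my own constructions from the logs in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Winlogon Notify packages normally present on Windows XP. Assumption: this
# allow-list is constructed for the example, not something HijackThis ships.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon",
}

LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/")
# An .exe sitting directly in the Program Files root (no vendor folder).
PROGFILES_ROOT_RE = re.compile(r"^[A-Z]:\\Program Files\\[^\\]+\.exe$", re.I)


@dataclass
class Finding:
    line: str
    reason: str
    companions: List[str] = field(default_factory=list)


def vundo_companion(dll_path: str) -> str:
    """Vundo keeps its .ini/.bak files under the DLL stem spelled backwards
    (awtss.dll -> sstwa.ini, sstwa.bak1), so the cleanup list needs
    '<reversed-stem>.*' next to the DLL itself."""
    folder, sep, name = dll_path.rpartition("\\")
    stem = name.rsplit(".", 1)[0]
    return f"{folder}{sep}{stem[::-1]}.*"


def _strip_status(path: str) -> str:
    """Remove HijackThis' trailing '(file missing)' / '(no file)' marker."""
    return re.sub(r"\s*\((?:file missing|no file)\)\s*$", "", path.strip())


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one suspicious HijackThis line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    if kind == "O2" and body.startswith("BHO: (no name)"):
        # Vundo registers a nameless BHO pointing at a random-stem DLL.
        path = _strip_status(body.split(" - ")[-1])
        if path.lower().endswith(".dll"):
            return Finding(line, "nameless BHO", [vundo_companion(path)])
        return Finding(line, "orphaned BHO CLSID (no file)")

    if kind == "O4":
        cmd = body.split("] ", 1)[-1].strip().strip('"')
        if "\\" not in cmd:
            return Finding(line, "Run entry with bare file name, resolved via PATH")
        if PROGFILES_ROOT_RE.match(cmd):
            return Finding(line, "executable dropped directly into Program Files root")

    if kind == "O16" and IP_URL_RE.search(body):
        return Finding(line, "ActiveX/DPF download from a raw IP address")

    if kind == "O20":
        if body.startswith("AppInit_DLLs:"):
            return Finding(line, "AppInit_DLLs injects into every user-mode process")
        nm = re.match(r"Winlogon Notify: (\S+) - ", body)
        if nm and nm.group(1) not in KNOWN_WINLOGON_NOTIFY:
            reason = "unknown Winlogon Notify package"
            if "(file missing)" in body:
                reason += " (orphaned; DLL already deleted)"
            return Finding(line, reason)

    if kind == "O23" and "Unknown owner" in body and "(file missing)" in body:
        return Finding(line, "service with unknown owner and missing binary")
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in map(triage_line, log_text.splitlines()) if f]


# Constructed sample, assembled from lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {85FE251B-E201-4B78-8942-AC8EF17783E5} - C:\WINDOWS\system32\awtss.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Shell API32] svcnet.exe
O4 - HKLM\..\Run: [loadMectw2] C:\Program Files\rundll32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O16 - DPF: {10C5E1C2-40F5-1E6B-00A5-6BB16900DA0A} - http://85.255.113.214/1/gdnUS2338.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\lsass.dll
O20 - Winlogon Notify: hgghebc - C:\WINDOWS\SYSTEM32\hgghebc.dll
O20 - Winlogon Notify: wincqt32 - wincqt32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Shell32 - Unknown owner - C:\WINDOWS\System32\com\oboe32\shell32.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}] {f.line}")
        for c in f.companions:
            print(f"    also remove: {c}")
```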
  10. JaPK

    JaPK Regular member

    Double post, sorry
     
    Last edited: Jun 18, 2006
  11. Torpedo12

    Torpedo12 Member

    From Torpedo12, thanks.

    ----------------------------------avenger.txt-----------------------
    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\wjvdsfdc

    *******************

    Script file located at: \??\C:\WINNT\System32\xyidxlbx.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\WINNT\SYSTEM32\wingba32.dll deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.

    ---------------------hijackthis.log-------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 下午 10:46:31, on 2006/6/18
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Inventec\Dreye\DreyeMT\msnplugin.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\System32\conime.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINNT\System32\ctfmon.exe
    C:\WINNT\System32\wuauclt.exe
    C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\TEXTware\BOOKcase40\BC40CASE.exe
    C:\WINNT\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Tool\1\hijackthis\HijackThis.exe

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINNT\Downloaded Program Files\CONFLICT.1\lexbar.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - C:\Program Files\Inventec\Dreye\DreyeMT\DreyeIEBar.dll
    O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINNT\Downloaded Program Files\CONFLICT.1\lexbar.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [MSNDreyePlugin] C:\Program Files\Inventec\Dreye\DreyeMT\msnplugin.exe /h
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
    O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall 線上掃毒) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {1F831FA0-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday 控制) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {AE563721-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview 控制) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: wingba32 - wingba32.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

     
  12. searay185

    searay185 Member

    Okay... so... when I go to run a Panda ActiveScan it gets to this menu and doesn't do anything... any idea?

    "ActiveScan has started

    You are about to start the scan and get a second opinion on the security of your PC.

    Please wait a moment while ActiveScan completes the download."

    I've waited 10 minutes and nothing happens.

    Is there anything else I could use?
     
    Last edited: Jun 18, 2006
  13. bufdaman

    bufdaman Member

    deleted to save space
     
    Last edited: Jun 20, 2006
  14. blondman

    blondman Member

    SmitFraudFix v2.61

    Scan done at 19:41:33.90, Mon 19/06/2006
    Run from C:\Documents and Settings\User\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\User\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

     
  15. blondman

    blondman Member

    Logfile of HijackThis v1.99.1
    Scan saved at 19:45:19, on 19/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Telstra\Cable Login\bpcable.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {85FE251B-E201-4B78-8942-AC8EF17783E5} - C:\WINDOWS\system32\awtss.dll (file missing)
    O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://D:\components\hidinputmonitorx.ocx
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://D:\components\A9.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121950186655
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134821759874
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\lsass.dll
    O20 - Winlogon Notify: winzwr32 - winzwr32.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

     
  16. blondman

    blondman Member


    VundoFix V4.2.84

    Running as SYSTEM
    from c:\windows\system32\VundoFix.exe

    Checking Java version...

    Java version is 1.4.2.3

    Scan started at 19:32:34 19/06/2006

    Listing files found while scanning....


    C:\WINDOWS\system32\sstwa.bak1
    C:\WINDOWS\system32\sstwa.bak2
    C:\WINDOWS\system32\sstwa.ini
    C:\WINDOWS\system32\awtss.dll
    Attempting to delete C:\WINDOWS\system32\sstwa.bak1
    C:\WINDOWS\system32\sstwa.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\sstwa.bak2
    C:\WINDOWS\system32\sstwa.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\sstwa.ini
    C:\WINDOWS\system32\sstwa.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\awtss.dll
    C:\WINDOWS\system32\awtss.dll Has been deleted!

    Performing Repairs to the registry.
    Done!
     
  17. blondman

    blondman Member

    Hi, the location of cmd32.exe can't be found anymore, since I deleted it yesterday. Thank you so much for all your help so far!!!
     
  18. JaPK

    JaPK Regular member

    @Torpedo12

    Ok, almost clean.

    Fix this entry with HijackThis:
    O20 - Winlogon Notify: wingba32 - wingba32.dll (file missing)

    Reboot.

    Post a fresh HijackThis log to here.

    --------------------------------------------------------------------------------------------------------

    @searay185

    Yes, there is...

    Download eScan to your desktop -> http://www.spywareinfo.dk/download/mwav.exe
    Run the file mwav.exe and unzip it to its default location, C:\Kaspersky

    1. Updating the scanner (close the eScan window if open)
    -> Go to My Computer
    -> C:\
    -> Kaspersky
    -> Run the file kavupd.exe, it starts downloading updates
    -> When downloading is finished, go to C:\Downloads
    -> Copy all the files in the Downloads folder by pressing CTRL+A and then CTRL+C
    -> Then go back to the C:\Kaspersky folder and paste the files by pressing CTRL+V
    -> Answer Yes to all when it asks about replacing files
    -> Now the scanner has been updated

    2. Scanner settings
    -> Go to folder C:\Kaspersky and run the file mwavscan.com (or mwavscan.exe)
    -> The scanner window opens
    -> Select the same settings as in this picture -> http://koti.mbnet.fi/pattaya1/eScan6.jpg
    -> When ready, press the Scan Clean button
    -> Scanning for infections begins

    3. Posting the results
    -> When the scan has finished (the scan may take quite a long time), you'll need to post the findings
    -> Copy all the text in this field -> http://koti.mbnet.fi/pattaya1/eScan10.jpg
    -> Click the field, press CTRL+A, CTRL+C
    -> Then open Notepad and paste the findings into a new document by pressing CTRL+V
    -> Save the document to your desktop
    -> Post the contents of that text file to here

    --------------------------------------------------------------------------------------------------------

    @bufdaman

    Ok, you got some infections on your computer....

    Cleaning instructions:

    Move HijackThis into its own folder C:\HJT

    Update your Ewido.

    Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
    Do NOT run yet.

    Go to Control Panel -> Add/Remove programs -> Remove BPS Spyware Remover, PartyPoker if found

    Download VundoFix.exe to your desktop -> http://www.atribune.org/ccount/click.php?id=4

    * Double-click VundoFix.exe to run it.
    * Put a check next to Run VundoFix as a task.
    * You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once the scan is ready, right-click the list box (the white box that lists the found files) and choose Add more files
    * Copy/Paste the following two lines to the upper field:

    C:\WINDOWS\SYSTEM32\hgghebc.dll
    C:\WINDOWS\system32\cbehggh.*

    * Click Add Files and click Close Window
    * Click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will shutdown your computer, click OK.
    * Turn your computer back on

    Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\SYSTEM32\hgghebc.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [DNHelper32] C:\WINDOWS\System32\DNHlp32.exe
    O4 - HKLM\..\Run: [Connection] C:\Progra~1\common~1\Proxy.exe
    O4 - HKLM\..\Run: [Shell API32] svcnet.exe
    O4 - HKLM\..\Run: [loadMectw2] C:\Program Files\rundll32.exe
    O4 - HKCU\..\Run: [Shell API32] svcnet.exe
    O4 - HKCU\..\Run: [BPS Spyware Remover] C:\Program Files\BulletProofSoft.com\BPS Spyware Remover\SpyRem.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O16 - DPF: {10C5E1C2-40F5-1E6B-00A5-6BB16900DA0A} - http://85.255.113.214/1/gdnUS2338.exe
    O20 - AppInit_DLLs: PAVWAIT.DLL
    O20 - Winlogon Notify: hgghebc - C:\WINDOWS\SYSTEM32\hgghebc.dll
    O20 - Winlogon Notify: wincqt32 - wincqt32.dll (file missing)
    O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
    O23 - Service: Shell32 - Unknown owner - C:\WINDOWS\System32\com\oboe32\shell32.exe (file missing)

    Open Notepad
    -> copy the following lines into a new document:

    @echo off
    rem stop the rogue "Shell32" service, then remove its registration
    sc stop Shell32
    sc delete Shell32

    Save the document to your desktop as Removal.bat and filetype: All Files
    Go to your desktop and run the file Removal.bat and answer yes to any questions.

    Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
    Restart your computer into safe mode -> http://www.pchell.com/support/safemode.shtml

    Delete these folders (if found):
    C:\WINDOWS\System32\com
    C:\Program Files\BulletProofSoft.com
    C:\Program Files\PartyGaming

    Delete these files (if found):
    C:\WINDOWS\System32\DNHlp32.exe
    C:\Progra~1\common~1\Proxy.exe
    C:\Program Files\rundll32.exe

    Use the Windows "search" function
    -> Start
    -> Search
    -> All files and folders
    -> More advanced options

    Checkmark these options:
    - "Search system folders"
    - "Search hidden files and folders"
    - "Search subfolders"

    ->Search for this and delete if found: svcnet.exe

    Run ATF Cleaner -> Check select all -> Press Empty selected

    Scan and clean your computer with Ewido and save the report.

    When in safe mode, open the SmitfraudFix folder and double-click the file smitfraudfix.cmd
    Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

    You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

    The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

    The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
    A text file will appear after the cleaning process; copy its contents and paste them here.

    The log is saved to your local disk drive, usually C:\rapport.txt.

    Warning: Running option 2 on a clean computer will delete your desktop wallpaper.

    Clean the Recycle bin and make your hidden files visible again.

    Post the following logs here:
    -> a fresh HijackThis log
    -> Ewido's log
    -> contents of C:\Rapport.txt
    -> contents of C:\vundofix.txt

    --------------------------------------------------------------------------------------------------------

    @blondman

    Ok almost clean...

    Fix these entries with HijackThis:

    O2 - BHO: (no name) - {85FE251B-E201-4B78-8942-AC8EF17783E5} - C:\WINDOWS\system32\awtss.dll (file missing)
    O20 - AppInit_DLLs: C:\WINDOWS\system32\lsass.dll
    O20 - Winlogon Notify: winzwr32 - winzwr32.dll (file missing)


    Reboot.

    Post a fresh HijackThis log here.
     
    Last edited: Jun 19, 2006
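As an added illustration of how the entries in the helper's fix list above are triaged (editorial example code, not the helper's own method and not part of HijackThis), a small Python script reads HijackThis O-lines and flags the patterns this thread calls out: orphaned entries marked (file missing) or (no file), Run entries with a bare filename or with a system-binary name outside System32, an ActiveX download from a raw IP address, a populated AppInit_DLLs value, and a DLL registered both as a BHO and as a Winlogon Notify handler. The sample log is constructed from the line shapes quoted in the thread; the list of impersonated system-binary names is an assumption.

```python
import re
# Constructed sample: entry shapes copied from the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\SYSTEM32\hgghebc.dll
O4 - HKLM\..\Run: [Shell API32] svcnet.exe
O4 - HKLM\..\Run: [loadMectw2] C:\Program Files\rundll32.exe
O16 - DPF: {10C5E1C2-40F5-1E6B-00A5-6BB16900DA0A} - http://85.255.113.214/1/gdnUS2338.exe
O20 - AppInit_DLLs: PAVWAIT.DLL
O20 - Winlogon Notify: hgghebc - C:\WINDOWS\SYSTEM32\hgghebc.dll
O23 - Service: Shell32 - Unknown owner - C:\WINDOWS\System32\com\oboe32\shell32.exe (file missing)
"""
# Assumed list: genuine Windows binaries that live in System32; a copy elsewhere is impersonation.
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "lsass.exe", "shell32.exe", "services.exe"}
DRIVE_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)', re.I)
def flag_entry(line: str) -> list:
    """Return the reasons one HijackThis line deserves a second look (empty = nothing odd)."""
    reasons = []
    m = re.match(r"(O\d+) - ([^:]+):\s*(.*)", line)
    if not m: return reasons
    section, kind, body = m.groups()
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned: the registry points at a file that no longer exists")
    path_m = DRIVE_PATH.search(body)
    if path_m:
        parent, base = path_m.group(0).lower().rsplit("\\", 1)
        if base in SYSTEM_BINARIES and not parent.endswith("system32"):
            reasons.append("system-binary name outside System32: " + path_m.group(0))
    elif section == "O4":
        reasons.append("bare filename: resolved by PATH search rather than a fixed location")
    if section == "O16" and re.search(r"https?://\d+\.\d+\.\d+\.\d+/", body):
        reasons.append("ActiveX download from a raw IP address")
    if section == "O20" and kind == "AppInit_DLLs" and body.strip():
        reasons.append("AppInit_DLLs set: the DLL loads into every process that uses user32")
    return reasons

def triage(log: str) -> dict:
    """Map flagged lines to reasons; a DLL that is both a BHO (O2) and a Winlogon Notify handler (O20) gets a 'shared:' key."""
    report, bho, notify = {}, set(), set()
    for line in (l for l in log.splitlines() if l.strip()):
        if reasons := flag_entry(line):
            report[line] = reasons
        m = DRIVE_PATH.search(line)
        if m and line.startswith("O2 - BHO"):
            bho.add(m.group(0).lower())
        elif m and line.startswith("O20 - Winlogon Notify"):
            notify.add(m.group(0).lower())
    for dll in sorted(bho & notify):
        report["shared:" + dll] = ["same DLL is both a BHO and a Winlogon Notify handler"]
    return report
```

Running `triage(SAMPLE_LOG)` flags six of the eight sample lines and adds one shared-DLL key for hgghebc.dll; the Vundo BHO and its Winlogon Notify twin are caught by the cross-reference rather than by either line alone.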
  19. blondman

    Logfile of HijackThis v1.99.1
    Scan saved at 19:17:49, on 20/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Telstra\Cable Login\bpcable.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://D:\components\hidinputmonitorx.ocx
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://D:\components\A9.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121950186655
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134821759874
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

     
  20. blondman

    Hi, there was some strange error when I fixed the selected items in HijackThis; I can't remember what it said. I rebooted, scanned again, and saved the log file which I just posted. Cheers!