
Unclean Computer - UlWindowSeek popups

Discussion in 'Windows - Virus and spyware problems' started by DiRect, May 20, 2006.

  1. DiRect

    DiRect Regular member

    Joined:
    Jul 4, 2004
    Messages:
    283
    Likes Received:
    0
    Trophy Points:
    26
    Hi,
    My computer is unclean, and I keep receiving these UlWindowSeek popups. I had to remove SpyFalcon and something called "Yazzle Soduku" from the computer, and after that I started getting these pop-ups. Just now, Norton Antivirus also detected Trojan.Nebular (supposedly came from the popups). Here is my HiJackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:56:48 PM, on 5/20/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
    C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HiJackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - (no file)
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
    O4 - HKLM\..\Run: [VZRemoteCommander] C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: winmmz32 - winmmz32.dll (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
    O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
    O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

    Can someone please help, and tell me the steps into fixing my PC?

    Regards,
    DiRect
     
  2. DiRect

    DiRect Regular member

    Hi,
    Just to update, the winmmz32.dll file that is missing is the one I deleted because it was the file with the virus. Norton Antivirus could not delete it, because access was denied so I used KillBox to kill it on restart. Please, can someone help me, I need to get this fixed as fast as possible.

    Regards,
    DiRect
     
  3. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Hi DiRect.

    Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Unzip it (folder named SmitFraudFix) to your desktop:

    Open the folder SmitfraudFix and double-click smitfraudfix.cmd
    Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if those exist)

    Post the contents of this text file here.

    (Some antivirus programs recognise process.exe as malware. It is not malware; it is a program that stops processes.)
     
  4. DiRect

    DiRect Regular member

    Hi,
    Here is the log you asked for:

    SmitFraudFix v2.45

    Scan done at 14:26:43.60, Sun 05/21/2006
    Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\appmagr.dll FOUND !
    C:\WINDOWS\system32\atmclk.exe FOUND !
    C:\WINDOWS\system32\dcomcfg.exe FOUND !
    C:\WINDOWS\system32\regperf.exe FOUND !
    C:\WINDOWS\system32\simpole.tlb FOUND !
    C:\WINDOWS\system32\stdole3.tlb FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End


    Help is appreciated, thanks :)!

    Regards,
    DiRect
     
  5. JaPK

    JaPK Regular member

    Cleaning instructions:

    Update Ewido.

    Fix the following entries with HijackThis (run HijackThis, press "Do a system scan only", close all other windows, checkmark entries and press Fix checked):

    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O20 - Winlogon Notify: winmmz32 - winmmz32.dll (file missing)

    Restart your computer in safe mode -> http://www.pchell.com/support/safemode.shtml

    When in safe mode, open the SmitfraudFix folder and double-click the file smitfraudfix.cmd
    Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

    You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and pressing "Enter" in order to remove your desktop wallpaper and the infected registry keys.

    The tool checks if the wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and pressing "Enter".

    The tool might have to restart your computer; if it doesn't, restart your computer back to normal mode.
    A text file will appear after the cleaning process; copy its contents and paste them here.
    The log is saved to your local disk drive, usually C:\rapport.txt.

    Warning: Running option 2 on a clean computer will delete your desktop wallpaper.

    Scan and clean your computer with Ewido and save the log file.

    Post the following logs here:
    -> a fresh HijackThis log
    -> Ewido's log too
    -> contents of C:\rapport.txt
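
An added example, not part of JaPK's post and not code from HijackThis: a short Python triage helper that parses HijackThis-style log lines, flags entries ending in the "(no file)" / "(file missing)" markers seen in the logs posted in this thread, and compares a before and after log to confirm which entries a fix actually removed. The sample lines are excerpted from this thread's two logs (sections R1 to O4 only); the function names are hypothetical, and an orphan flag is a prompt for review, not a malware verdict.

```python
import re
from dataclasses import dataclass

# An entry line looks like "O4 - HKLM\..\Run: [Name] file.exe":
# a section code (R0-R3, F0-F3, N1-N4, O1-O23), " - ", then the body.
# Header lines and the "Running processes" paths do not match this shape.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

# Markers the logs in this thread show when an entry points at a
# file that is not on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O4"
    body: str     # everything after "O4 - "

    @property
    def orphaned(self):
        # Only a trailing marker counts; "(no name)" mid-line does not.
        return self.body.endswith(ORPHAN_MARKERS)


def parse_log(text):
    """Return the registry/startup entries of a HijackThis log, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def orphaned_entries(entries):
    """Entries whose target file is reported as absent."""
    return [e for e in entries if e.orphaned]


def removed_between(before, after):
    """Entries present in the first log and gone from the second."""
    remaining = set(after)
    return [e for e in before if e not in remaining]


# Excerpt of the first log in this thread (sections R1 to O4 only).
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - (no file)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
"""

# The same entries as they appear in the fresh log posted after cleaning.
AFTER = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
"""

if __name__ == "__main__":
    before, after = parse_log(BEFORE), parse_log(AFTER)
    print("Orphaned entries in the first log:")
    for e in orphaned_entries(before):
        print(f"  {e.section} - {e.body}")
    print("Entries gone after cleaning:")
    for e in removed_between(before, after):
        print(f"  {e.section} - {e.body}")
```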
     
  6. DiRect

    DiRect Regular member

    Hi,
    Thanks a lot for your help, here are the log files you requested:

    RAPPORT
    SmitFraudFix v2.45

    Scan done at 15:02:34.46, Sun 05/21/2006
    Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» End

    (sorry, I accidentally cleaned it again, and the other log file got replaced, but it did delete all the infections)

    EWIDO
    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 3:20:26 PM, 5/21/2006
    + Report-Checksum: B5922790

    + Scan result:

    :mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.29:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.32:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
    :mozilla.33:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
    :mozilla.35:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.36:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.37:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.38:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.39:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.40:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.41:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.42:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.44:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.45:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.46:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.47:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.49:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.55:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.56:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.59:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.60:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.61:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.62:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.63:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.77:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.81:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.82:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.83:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.85:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.86:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.92:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.93:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.95:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
    :mozilla.130:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.131:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
    :mozilla.132:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.133:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.143:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.144:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.145:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.146:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.172:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.173:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.174:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.175:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.183:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.185:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.192:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup
    :mozilla.245:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.246:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.247:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.248:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.264:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
    :mozilla.268:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.269:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.277:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
    :mozilla.278:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
    :mozilla.279:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
    :mozilla.293:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.294:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.295:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.296:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.305:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
    :mozilla.322:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
    :mozilla.326:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
    :mozilla.327:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
    :mozilla.328:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned with backup
    :mozilla.343:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.344:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.345:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.352:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup
    :mozilla.353:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup
    :mozilla.354:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup
    :mozilla.355:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup
    :mozilla.356:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.370:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.373:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.392:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.396:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\193x94p7.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup


    ::Report End

    HiJackThis
    Logfile of HijackThis v1.99.1
    Scan saved at 3:23:08 PM, on 5/21/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
    C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
    O4 - HKLM\..\Run: [VZRemoteCommander] C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
    O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
    O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

    Hope it's clean now :)!

    Regards,
    DiRect
     
  7. JaPK

    JaPK Regular member

    Ok good, you're looking clean :)

    You have an outdated Java; the latest version is 1.5.0_06 and you have 1.5.0.
    You should update your Java because the old version has all kinds of vulnerabilities.

    So update your Java:

    1. Click Start-> Control Panel and double-click Java icon (coffee cup)
    2. Move to "Update" tab and update Java by clicking "Update Now".
    3. Do a restart.
    4. If you can't make automatic update, get new version manually from here -> http://www.java.com/en/download/manual.jsp
    5. Remove the old Java from the Control Panel -> Add/Remove Programs if still found; it should be named like this: J2SE Runtime Environment 5.0

    Now that you're clean, here are some tips on how to stay clean.

    1. Stand Up and Be Counted, Malware Complaints -> http://www.malwarecomplaints.info
    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    2. Clear your system restore -> http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
    This will clear the system restore folders from possible malware that was left behind during the cleaning process. Remember to create a new restore point after the cleaning.

    3. Use CCleaner -> http://www.ccleaner.com
    Download and install CCleaner. Clean your registry and temporary files with it regularly.

    4. Use Ad-Aware -> http://www.bleepingcomputer.com/forums/?showtutorial=48
    Download and install Ad-Aware. Update it and scan your computer regularly with it.

    5. Use Spybot S&D -> http://www.bleepingcomputer.com/forums/?showtutorial=43
    Download and install Spybot S&D. Update it and scan your computer regularly with it.

    6. Use Ewido -> http://www.ewido.net/en
    Download and install Ewido. Update it and scan your computer regularly with it.

    7. Install SpywareBlaster -> http://www.javacoolsoftware.com/spywareblaster.html
    SpywareBlaster will prevent spyware from being installed.

    8. Install MVPS Hosts file -> http://mvps.org/winhelp2002/hosts.htm
    This prevents your computer from connecting to harmful sites.

    9. Use Firefox browser -> http://www.mozilla.org
    Firefox is a faster, safer and quicker browser than Internet Explorer. (My favourite)

    10. Keep your system up-to-date -> http://windowsupdate.microsoft.com
    Visit Windows Update regularly.

    11. Keep your antivirus and firewall up-to-date
    Scan your computer regularly with your antivirus.

    12. Read this article by TonyKlein -> http://castlecops.com/postlite7736-.html
    So how did I get infected in the first place?

    Stay clean ;)
     
    Last edited: May 21, 2006
  8. znurtedik

    znurtedik Member

    Hello, I have the same problem as DiRect and I tried to follow the things you have posted here, but I finally decided it is better to post the reports I got from SmitfraudFix and after that HijackThis..

    Here is my SmitfraudFix rapport..

    SmitFraudFix v2.49

    Scan done at 12:38:02,34, 28.05.2006
    Run from C:\Documents and Settings\Nur\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\ot.ico FOUND !
    C:\WINDOWS\system32\regperf.exe FOUND !
    C:\WINDOWS\system32\stdole3.tlb FOUND !
    C:\WINDOWS\system32\1024\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Nur\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Nur\FAVORI~1

    C:\DOCUME~1\Nur\FAVORI~1\Antivirus Test Online.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{e04408db-4812-4478-8d4d-e46edcffd3b6}"="AutoDisc Ware"


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    And after that I ran HijackThis and I received this report...

    Logfile of HijackThis v1.99.1
    Scan saved at 12:30:39, on 28.05.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Billionton\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\cFosSpeed\spd.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\PHILIP~1\VProperty.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dns\bin\named.exe
    C:\Program Files\cFosSpeed\cFosSpeed.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Documents and Settings\Nur\Desktop\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 84.44.114.44 eksisozluk.com
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - (no file)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [ToUcamVProperty] C:\PROGRA~1\PHILIP~1\VProperty.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
    O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
    O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
    O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Gpl help owns active] C:\Documents and Settings\All Users\Application Data\tons glue gpl help\Ball Tray.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [errorkiller] "C:\Program Files\errorkiller\errorkiller.exe" -boot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [dateface] C:\DOCUME~1\Nur\APPLIC~1\BENDME~1\HideLoud.exe
    O4 - HKCU\..\Run: [5dd33f6.exe] C:\Documents and Settings\Nur\Local Settings\Application Data\5dd33f6.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{305CB6AE-B27B-466D-A3F1-D62EF57AE6E2}: NameServer = 127.0.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5B75B616-4C16-4D31-B8D1-0BC5FDEA8442}: NameServer = 127.0.0.1,10.0.0.2
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7D9B9A41-285D-40D6-ADBF-6BC58063E829}: NameServer = 127.0.0.1,10.0.0.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{305CB6AE-B27B-466D-A3F1-D62EF57AE6E2}: NameServer = 127.0.0.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{305CB6AE-B27B-466D-A3F1-D62EF57AE6E2}: NameServer = 127.0.0.1
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Billionton\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: twdns - Unknown owner - C:\WINDOWS\system32\dns\bin\named.exe

    Please lead me to delete this too..
     
    Last edited: May 28, 2006
  9. JaPK

    JaPK Regular member

    Hi znurtedik.

    You don't have a firewall or an antivirus on your computer. Download and install one firewall and one antivirus.

    These are good (free) firewalls:
    ZoneAlarm --> http://www.zonelabs.com
    Kerio --> http://www.sunbelt-software.com/Kerio.cfm
    Outpost --> http://www.agnitum.com

    These are good (free) antiviruses:
    AVG Antivirus --> http://www.grisoft.com
    Avast --> http://www.avast.com

    Ok, you got some infections on your computer....

    Cleaning instructions:

    Move HijackThis into its own folder C:\HJT

    Download and install Ewido anti-malware -> http://www.ewido.net/en/download
    Update it, but do NOT run a scan yet. We'll use it later.

    Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [Gpl help owns active] C:\Documents and Settings\All Users\Application Data\tons glue gpl help\Ball Tray.exe
    O4 - HKCU\..\Run: [dateface] C:\DOCUME~1\Nur\APPLIC~1\BENDME~1\HideLoud.exe
    O4 - HKCU\..\Run: [5dd33f6.exe] C:\Documents and Settings\Nur\Local Settings\Application Data\5dd33f6.exe
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
    O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll

    Fix this too if you haven't set it:
    O1 - Hosts: 84.44.114.44 eksisozluk.com

    Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
    Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml

    Delete these folders (if found):
    C:\Documents and Settings\All Users\Application Data\tons glue gpl help
    C:\Documents and Settings\Nur\Application Data\BENDME~1

    Delete these files (if found):
    C:\Documents and Settings\Nur\Local Settings\Application Data\5dd33f6.exe

    Use the Windows "search" function
    -> Start
    -> Search
    -> All files and folders
    -> More advanced options

    Checkmark these options:
    - "Search system folders"
    - "Search hidden files and folders"
    - "Search subfolders"

    ->Search for this and delete if found: winwea32.dll

    When in safemode, open SmitfraudFix folder and doubleclick the file smitfraudfix.cmd
    Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

    You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

    The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

    The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
    A textfile will appear after the cleaning process, copy this file and paste it to here.

    The log is saved to your local disk drive, usually C:\rapport.txt.

    Warning : Running option 2 in a clean computer will delete your desktop wallpaper.

    Scan and clean your computer with Ewido and save the report.

    Clean the Recycle bin and make your hidden files visible again.

    Download Findlop by Metallica and save it to your desktop -> http://metallica.geekstogo.com/findlop.zip

    Extract the zip file and doubleclick the file findlop.bat, answer yes to any questions.

    Post the following logs to here:
    -> a fresh HijackThis log
    -> Ewido's log
    -> contents of C:\rapport.txt
    -> contents of C:\findlop.txt
     
    Last edited: May 28, 2006
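The cleaning instructions above end by asking for a fresh HijackThis log, which then has to be compared against the entries that were marked for fixing. The following is an added example, not part of any post in this thread and not code from HijackThis: it parses log entries, reports which fix-list entries survive in a later log, and flags O4 autoruns that launch from a user profile data directory, as all three O4 entries selected above do. The fresh log is constructed for illustration, and the function names and the directory heuristic are assumptions.

```python
import re

# One HijackThis entry line: section code (R0-R3, F0-F3, N1-N4, O1-O23), " - ", body.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")
# Body of a registry autorun entry: "<hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>.*?)\] (?P<cmd>.+)$")
# Assumed heuristic: per-user data directories, in long and 8.3 short form.
USER_WRITABLE = ("\\application data\\", "\\applic~1\\",
                 "\\local settings\\", "\\locals~1\\")

# Entries copied from the fix list in the post above (subset).
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
O4 - HKLM\..\Run: [Gpl help owns active] C:\Documents and Settings\All Users\Application Data\tons glue gpl help\Ball Tray.exe
O4 - HKCU\..\Run: [dateface] C:\DOCUME~1\Nur\APPLIC~1\BENDME~1\HideLoud.exe
O4 - HKCU\..\Run: [5dd33f6.exe] C:\Documents and Settings\Nur\Local Settings\Application Data\5dd33f6.exe
O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll
"""

# CONSTRUCTED follow-up log (not posted in the thread): two fixes did not hold.
FRESH_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKCU\..\Run: [dateface] C:\DOCUME~1\Nur\APPLIC~1\BENDME~1\HideLoud.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwea32 - C:\WINDOWS\system32\winwea32.dll
"""


def parse_entries(log_text):
    """Return (code, body) for every entry line; headers and process paths are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def entry_key(code, body):
    """Comparison key that ignores case and runs of whitespace.

    Windows paths are case-insensitive, so SYSTEM32 and system32 must match.
    """
    return (code.upper(), " ".join(body.split()).lower())


def still_present(fix_list_text, fresh_log_text):
    """Fix-list entries that still appear in the fresh log, in fix-list order."""
    fresh = {entry_key(c, b) for c, b in parse_entries(fresh_log_text)}
    return [(c, b) for c, b in parse_entries(fix_list_text)
            if entry_key(c, b) in fresh]


def user_writable_autoruns(log_text):
    """O4 registry autoruns whose command line points into a per-user data directory."""
    hits = []
    for code, body in parse_entries(log_text):
        if code != "O4":
            continue
        match = O4_RE.match(body)
        if match and any(p in match.group("cmd").lower() for p in USER_WRITABLE):
            hits.append((match.group("name"), match.group("cmd")))
    return hits


if __name__ == "__main__":
    for code, body in still_present(FIX_LIST, FRESH_LOG):
        print("still present:", code, "-", body)
    for name, cmd in user_writable_autoruns(FRESH_LOG):
        print("autorun from profile directory:", name, "->", cmd)
```

An entry that reappears after a fix usually means the file behind it is still running and rewriting the key, which is why the instructions combine the HijackThis fix with safe mode and file deletion.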
  10. shobhit

    shobhit Member

    HI,
    I AM ALSO HAVING THIS PROB...
    This is my first post here...
    I hope i get help here...
    I am getting pop ups called 'ulwindowseek' and 'ulwindowurl'

    This is my hijackthis log


    Logfile of HijackThis v1.99.1
    Scan saved at 8:00:22 PM, on 5/28/2006
    Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    F:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\Program Files\UberIcon\UberIcon Manager.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Shobhit Is GREAT\Desktop\mac\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.128.101.236:8080
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [System Files Updater] C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe /S
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\RunOnce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue
    O4 - HKCU\..\Run: [UberIcon] "C:\Program Files\UberIcon\UberIcon Manager.exe"
    O4 - HKCU\..\Run: [SysIdle] "C:\WINDOWS\SysIdle.exe"
    O4 - Startup: RK Launcher.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Y!mLite - {9B04D939-D9D1-45e0-9FBF-5A31AAF7A68A} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.i-lookup.com
    O15 - Trusted Zone: *.offshoreclicks.com
    O15 - Trusted Zone: *.teensguru.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144472597140
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
    O18 - Protocol: msnim - 0 - (no file)
    O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: winosz32 - C:\WINDOWS\SYSTEM32\winosz32.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: BlueSoleil Hid Service - Unknown owner - F:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    PLZ HELP...
     
    Last edited: May 28, 2006
  11. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Hi shobhit, ok you got some infections...

    First, download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Unzip it (folder named SmitFraudFix) to your desktop:

    Open the folder SmitfraudFix and double-click smitfraudfix.cmd
    Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if those exist).

    Post the contents of this text file here.

    (Some antiviruses recognise process.exe as malware. It is not malware; it is a program that stops processes.)

    Then we'll start the cleaning process.
     
  12. shobhit

    shobhit Member

    Joined:
    May 28, 2006
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    11
    My SmitFraud scan results:

    SmitFraudFix v2.49b

    Scan done at 9:40:39.17, Mon 05/29/2006
    Run from C:\Documents and Settings\Shobhit Is GREAT\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Shobhit Is GREAT\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SHOBHI~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  13. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Hi shobhit, let's get you cleaned then.......

    Cleaning instructions:

    Download and install Ewido anti-malware -> http://www.ewido.net/en/download
    Update it, but do NOT run a scan yet. We'll use it later.

    Run HijackThis. Press "Do a system scan only", then close all other windows, checkmark the following entries and press "Fix checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKCU\..\Run: [SysIdle] "C:\WINDOWS\SysIdle.exe"
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.i-lookup.com
    O15 - Trusted Zone: *.offshoreclicks.com
    O15 - Trusted Zone: *.teensguru.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
    O18 - Protocol: msnim - 0 - (no file)
    O20 - Winlogon Notify: winosz32 - C:\WINDOWS\SYSTEM32\winosz32.dll

    Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
    Restart your computer in safe mode -> http://www.pchell.com/support/safemode.shtml

    Delete these files (if found):
    C:\WINDOWS\SysIdle.exe
    C:\WINDOWS\SYSTEM32\winosz32.dll

    Scan and clean your computer with Ewido and save the report.

    Clean the Recycle bin and make your hidden files visible again.

    Restart your computer normally.

    Post the following logs here:
    -> a fresh HijackThis log
    -> Ewido's log
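
Added example, not part of the original thread or of HijackThis itself: a small Python check for the last step above, comparing the list of entries to fix against the fresh HijackThis log to see which entries were removed, which persist, and which are new. The function names and the "fresh log" sample are assumptions constructed for illustration; the other sample lines are copied from the posts above.

```python
import re

# A HijackThis entry is "<section code> - <body>", e.g. "O4 - HKCU\..\Run: [x] y".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")


def parse_entries(text):
    """Map a normalised (section, body) key to the entry line as posted."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # Registry names and Windows paths are case-insensitive, and forum
        # software can alter spacing, so compare on a folded form.
        key = (m.group(1), " ".join(m.group(2).split()).casefold())
        entries.setdefault(key, line.strip())
    return entries


def review_fix(original_log, fix_list, fresh_log):
    """Classify fix-list entries against the logs taken before and after."""
    before = parse_entries(original_log)
    wanted = parse_entries(fix_list)
    after = parse_entries(fresh_log)
    return {
        # Fix entries that never appeared in the log: typo or wrong thread.
        "not_in_original": [v for k, v in wanted.items() if k not in before],
        # Fix entries still present afterwards: the fix did not hold.
        "persisting": [v for k, v in wanted.items() if k in after],
        "removed": [v for k, v in wanted.items()
                    if k in before and k not in after],
        # Entries that only exist after cleaning and need a fresh look.
        "new_since_original": [v for k, v in after.items() if k not in before],
    }


# Lines copied from the HijackThis log posted in this thread.
ORIGINAL_LOG = r"""
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [SysIdle] "C:\WINDOWS\SysIdle.exe"
O15 - Trusted Zone: *.flingstone.com
O18 - Protocol: msnim - 0 - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winosz32 - C:\WINDOWS\SYSTEM32\winosz32.dll
"""

# Lines copied from the list of entries to fix in the post above.
FIX_LIST = r"""
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [SysIdle] "C:\WINDOWS\SysIdle.exe"
O15 - Trusted Zone: *.flingstone.com
O18 - Protocol: msnim - 0 - (no file)
O20 - Winlogon Notify: winosz32 - C:\WINDOWS\SYSTEM32\winosz32.dll
"""

# Constructed "fresh log": one fixed entry is still there (path case differs)
# and one entry with a made-up placeholder name has appeared.
FRESH_LOG = r"""
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winosz32 - C:\WINDOWS\system32\winosz32.dll
O20 - Winlogon Notify: exampl32 - C:\WINDOWS\system32\exampl32.dll
"""

if __name__ == "__main__":
    for category, lines in review_fix(ORIGINAL_LOG, FIX_LIST, FRESH_LOG).items():
        print(f"{category}:")
        for entry in lines:
            print(f"    {entry}")
```

A non-empty "persisting" or "new_since_original" list means the fresh log needs another review before the machine is treated as clean.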
     
  14. znurtedik

    znurtedik Member

    Joined:
    May 28, 2006
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    11
    Hello, today I did every step and I only had one problem. It was like this:
    Can not delete winwea32.dll : Access is denied.
    Make sure that disk is not full or write-protected and that file is not currently in use

    Besides that, everything worked out.

    Here is the Smitfraudfix report:

    SmitFraudFix v2.49

    Scan done at 17:23:25,71, 29.05.2006
    Run from C:\Documents and Settings\Nur\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{e04408db-4812-4478-8d4d-e46edcffd3b6}"="AutoDisc Ware"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\ot.ico Deleted
    C:\WINDOWS\system32\regperf.exe Deleted
    C:\WINDOWS\system32\stdole3.tlb Deleted
    C:\WINDOWS\system32\1024\ Deleted
    C:\DOCUME~1\Nur\FAVORI~1\Antivirus Test Online.url Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    Here is Ewido:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 17:57:42, 29.05.2006
    + Report-Checksum: 48924355

    + Scan result:

    :mozilla.17:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.18:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.38:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.40:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.41:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.42:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.58:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
    :mozilla.59:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
    :mozilla.60:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Estat : Cleaned with backup
    :mozilla.61:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.65:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.66:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.67:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.70:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.71:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.72:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
    :mozilla.73:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.74:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.75:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.85:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.86:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.129:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
    :mozilla.133:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup
    :mozilla.140:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.160:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
    :mozilla.161:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.162:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.163:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.164:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.165:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.166:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.167:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.168:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.169:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.170:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.171:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.172:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.173:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.174:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.175:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.176:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.177:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.178:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.179:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.180:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.181:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.182:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.183:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.184:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.185:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.201:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
    :mozilla.203:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
    :mozilla.204:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
    :mozilla.205:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
    :mozilla.206:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
    :mozilla.207:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
    :mozilla.208:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.209:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.210:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.211:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.215:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
    :mozilla.216:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
    :mozilla.269:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.274:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup
    :mozilla.287:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.288:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.300:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.301:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.302:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.303:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.305:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
    :mozilla.306:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
    :mozilla.324:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.403:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup
    :mozilla.512:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.513:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.554:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.564:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Paycounter : Cleaned with backup
    :mozilla.566:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
    :mozilla.591:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.592:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.600:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
    :mozilla.601:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
    :mozilla.602:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
    :mozilla.605:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
    :mozilla.606:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.622:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.623:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.624:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.625:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.626:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.648:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup
    :mozilla.649:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.650:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.651:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.652:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.653:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.654:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.655:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.656:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.657:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.658:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.659:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.660:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.661:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.662:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.663:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.664:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.665:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.666:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.667:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.668:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.669:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.670:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.671:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.672:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.673:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.674:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.675:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.676:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.677:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.693:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.694:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.712:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
    :mozilla.713:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.714:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.737:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
    :mozilla.753:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Weborama : Cleaned with backup
    :mozilla.754:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Weborama : Cleaned with backup
    :mozilla.785:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup
    :mozilla.788:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.789:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.790:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.791:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.792:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.840:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Counted : Cleaned with backup
    :mozilla.844:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Enhance : Cleaned with backup
    :mozilla.879:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned with backup
    :mozilla.905:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.906:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.907:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
    :mozilla.914:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
    :mozilla.915:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
    :mozilla.916:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
    :mozilla.917:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
    :mozilla.918:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
    :mozilla.919:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
    :mozilla.928:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Cqcounter : Cleaned with backup
    :mozilla.937:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Realtracker : Cleaned with backup
    :mozilla.938:C:\Documents and Settings\Nur\Application Data\Mozilla\Firefox\Profiles\arjcf6uj.default\cookies.txt -> TrackingCookie.Realtracker : Cleaned with backup
    C:\Documents and Settings\Nur\Cookies\nur@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
    C:\WINDOWS\Temp\win1D3E.tmp.exe -> Downloader.IstBar.eq : Cleaned with backup


    ::Report End

    here is findlop.txt

    [TRACE] Enumerating jobs and queues
    [TRACE] Activating job 'A894FE0591877479.job'
    [TRACE] Printing all job properties

    ApplicationName: 'c:\docume~1\nur\applic~1\bendme~1\rule proc dog.exe'
    Parameters: ''
    WorkingDirectory: ''
    Comment: ''
    Creator: 'Nur'
    Priority: NORMAL
    MaxRunTime: 259200000 (3d 0:00:00)
    IdleWait: 10
    IdleDeadline: 60
    MostRecentRun: 00/00/0000 0:00:00
    NextRun: 05/29/2006 18:00:00
    StartError: SCHED_S_TASK_HAS_NOT_RUN
    ExitCode: 0
    Status: SCHED_S_TASK_HAS_NOT_RUN
    ScheduledWorkItem Flags:
    DeleteWhenDone = 0
    Suspend = 0
    StartOnlyIfIdle = 0
    KillOnIdleEnd = 0
    RestartOnIdleResume = 0
    DontStartIfOnBatteries = 0
    KillIfGoingOnBatteries = 0
    RunOnlyIfLoggedOn = 1
    SystemRequired = 0
    Hidden = 1
    TaskFlags: 0

    1 Trigger

    Trigger 0:
    Type: Daily
    DaysInterval: 1
    StartDate: 06/09/1995
    EndDate: 00/00/0000
    StartTime: 00:00
    MinutesDuration: 1440
    MinutesInterval: 60
    Flags:
    HasEndDate = 0
    KillAtDuration = 0
    Disabled = 0

    here is hijackthis

    Logfile of HijackThis v1.99.1
    Scan saved at 18:02:45, on 29.05.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Billionton\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\cFosSpeed\spd.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dns\bin\named.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\PROGRA~1\PHILIP~1\VProperty.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\cFosSpeed\cFosSpeed.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\HJT\HijackThis_v1.99.1.exe

    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [ToUcamVProperty] C:\PROGRA~1\PHILIP~1\VProperty.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
    O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
    O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
    O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [errorkiller] "C:\Program Files\errorkiller\errorkiller.exe" -boot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{305CB6AE-B27B-466D-A3F1-D62EF57AE6E2}: NameServer = 127.0.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5B75B616-4C16-4D31-B8D1-0BC5FDEA8442}: NameServer = 127.0.0.1,10.0.0.2
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7D9B9A41-285D-40D6-ADBF-6BC58063E829}: NameServer = 127.0.0.1,10.0.0.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{305CB6AE-B27B-466D-A3F1-D62EF57AE6E2}: NameServer = 127.0.0.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{305CB6AE-B27B-466D-A3F1-D62EF57AE6E2}: NameServer = 127.0.0.1
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Billionton\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: twdns - Unknown owner - C:\WINDOWS\system32\dns\bin\named.exe

    P.S. I am still receiving those pop-up windows :( even while I was in safe mode, and even while scanning with ewido and after ewido :(
     
  15. znurtedik

    Latest News

    avast! antivirus program deleted winwea32.dll; since the virus scan, no pop-up windows received!

    Thank you very much for your help JaPK

    regards
     
  16. JaPK

    @znurtedik:

    Ok good, almost clean...

    Download Killbox to your desktop -> http://www.downloads.subratam.org/KillBox.zip
    Unzip it to your desktop.

    Run Killbox.exe
    -> Choose Delete on Reboot
    -> Click All Files option.

    Copy the following lines to your clipboard (choose text with your mouse, press CTRL+C or copy)

    c:\windows\tasks\A894FE0591877479.job

    Then go back to Killbox
    -> go to File
    -> choose Paste from Clipboard
    -> Click the red-white Delete File option.
    -> Click Yes to Delete on Reboot question
    -> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!)
    -> Restart your computer if Killbox won't do it.

    (If you get this error when running Killbox: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.", download Missingfilessetup.exe from here to your desktop and run the file, then try running Killbox -> http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe)

    Then run the Findlop again.

    Post the following logs to here:
    -> a fresh HijackThis log
    -> contents of C:\findlop.txt
     
    Last edited: May 29, 2006
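The properties in the findlop job dump posted earlier in this thread that make A894FE0591877479.job stand out can be checked mechanically. The Python below is an added example, not part of any post here and not findlop's own logic; the four heuristics and the names parse_jobs and triage are assumptions of this example, and the sample is a shortened excerpt of the posted dump.

```python
import re

# Excerpt of the findlop.txt job dump posted in this thread (shortened).
SAMPLE = r"""
[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'A894FE0591877479.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\nur\applic~1\bendme~1\rule proc dog.exe'
Creator: 'Nur'
MostRecentRun: 00/00/0000 0:00:00
Status: SCHED_S_TASK_HAS_NOT_RUN
RunOnlyIfLoggedOn = 1
Hidden = 1

Trigger 0:
Type: Daily
MinutesDuration: 1440
MinutesInterval: 60
Disabled = 0
"""

JOB_RE = re.compile(r"Activating job '([^']+)'")
KV_RE = re.compile(r"^\s*([A-Za-z]+)\s*[:=]\s*(.*?)\s*$")
PROFILE_RE = re.compile(
    r"\\(docume~1|documents and settings)\\[^\\]+\\(applic~1|application data)\\")
HEX_NAME_RE = re.compile(r"[0-9a-f]{16}\.job", re.IGNORECASE)


def parse_jobs(text):
    """Split a findlop-style dump into one dict of properties per job."""
    jobs, current = [], None
    for line in text.splitlines():
        started = JOB_RE.search(line)
        if started:
            current = {"job": started.group(1)}
            jobs.append(current)
            continue
        prop = KV_RE.match(line)
        if current is not None and prop:
            # First value wins, so trigger 0 is kept if there are several.
            current.setdefault(prop.group(1), prop.group(2).strip("'"))
    return jobs


def _number(job, key):
    value = job.get(key, "")
    return int(value) if value.isdigit() else 0


def triage(job):
    """Return the reasons (assumed heuristics) a job deserves a closer look."""
    reasons = []
    if job.get("Hidden") == "1":
        reasons.append("Hidden flag is set")
    if PROFILE_RE.search(job.get("ApplicationName", "").lower()):
        reasons.append("program runs from a user's Application Data folder")
    if HEX_NAME_RE.fullmatch(job["job"]):
        reasons.append("job file name is 16 hex digits, not a product name")
    interval = _number(job, "MinutesInterval")
    if interval and _number(job, "MinutesDuration") >= 1440:
        reasons.append("re-launches every %d minutes around the clock" % interval)
    return reasons


if __name__ == "__main__":
    for job in parse_jobs(SAMPLE):
        print(job["job"])
        for reason in triage(job):
            print("  -", reason)
```
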
  17. znurtedik

    Hello again.. I did everything without having problems.. :)

    hijackthis

    Logfile of HijackThis v1.99.1
    Scan saved at 02:18:04, on 30.05.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Billionton\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\cFosSpeed\spd.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\PROGRA~1\PHILIP~1\VProperty.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\cFosSpeed\cFosSpeed.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dns\bin\named.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis_v1.99.1.exe

    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [ToUcamVProperty] C:\PROGRA~1\PHILIP~1\VProperty.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
    O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
    O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
    O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [errorkiller] "C:\Program Files\errorkiller\errorkiller.exe" -boot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{305CB6AE-B27B-466D-A3F1-D62EF57AE6E2}: NameServer = 127.0.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5B75B616-4C16-4D31-B8D1-0BC5FDEA8442}: NameServer = 127.0.0.1,10.0.0.2
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7D9B9A41-285D-40D6-ADBF-6BC58063E829}: NameServer = 127.0.0.1,10.0.0.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{305CB6AE-B27B-466D-A3F1-D62EF57AE6E2}: NameServer = 127.0.0.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{305CB6AE-B27B-466D-A3F1-D62EF57AE6E2}: NameServer = 127.0.0.1
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Billionton\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: twdns - Unknown owner - C:\WINDOWS\system32\dns\bin\named.exe

    findlop

    [TRACE] Enumerating jobs and queues

    regards
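Comparing the 29.05.2006 and 30.05.2006 HijackThis logs by eye is error-prone, so this added example (not from any poster and not part of HijackThis) diffs two logs and lists the autostart entries and running processes that appeared or disappeared. The function names are this example's own, and the embedded logs are shortened excerpts of the two logs posted above.

```python
import re

# HijackThis entry lines look like "O20 - Winlogon Notify: ..." (also R/F/N sections).
ENTRY_RE = re.compile(r"^\s*(O\d{1,2}|[RFN]\d)\s+-\s+(.*\S)\s*$")

# Shortened excerpt of the log saved 29.05.2006 in this thread.
BEFORE = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis_v1.99.1.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll
O23 - Service: twdns - Unknown owner - C:\WINDOWS\system32\dns\bin\named.exe
"""

# Shortened excerpt of the log saved 30.05.2006 in this thread.
AFTER = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\HJT\HijackThis_v1.99.1.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: twdns - Unknown owner - C:\WINDOWS\system32\dns\bin\named.exe
"""


def parse(log_text):
    """Return (running processes, entries) found in one HijackThis log."""
    processes, entries, in_processes = set(), set(), False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False          # the process list ends at the first entry
            entries.add((match.group(1), match.group(2)))
        elif in_processes and line:
            processes.add(line.lower())   # Windows paths are case-insensitive
    return processes, entries


def _key(entry):
    section, detail = entry
    return (section[0], int(section[1:]), detail)


def diff_logs(before, after):
    """Report what changed between an earlier and a later log."""
    old_procs, old_entries = parse(before)
    new_procs, new_entries = parse(after)
    return {
        "removed": sorted(old_entries - new_entries, key=_key),
        "added": sorted(new_entries - old_entries, key=_key),
        "stopped": sorted(old_procs - new_procs),
        "started": sorted(new_procs - old_procs),
    }


if __name__ == "__main__":
    for label, items in diff_logs(BEFORE, AFTER).items():
        for item in items:
            print(label, item)
```
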
     
  18. JaPK

    Hi znurtedik, you're looking clean, are you having any problems?

    You should install a firewall...


    You have an outdated Java; the latest version is 1.5.0 update 7 and you have 1.5.0 update 6.

    So we are going to update your Java because the old version has all kinds of vulnerabilities:

    1. Click "Start" -> "Control Panel" and double-click "Java" icon (coffee cup)
    2. Move to "Update" tab and update Java by clicking "Update Now".
    3. Do a restart.

    4. If you can't do the automatic update, get the new version manually from here -> http://www.java.com/en/download/manual.jsp
    5. Remove the old Java from the Control Panel -> Add/Remove Programs if still found, it should be named like this J2SE Runtime Environment 5.0 Update 6


    Now that you're clean, here are some tips on how to stay clean.

    -> Stand Up and Be Counted, Malware Complaints -> http://www.malwarecomplaints.info
    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    -> Clear your system restore -> http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
    This will clear the system restore folders from possible malware that was left behind during the cleaning process. Remember to create a new restore point after the cleaning.

    -> Use CCleaner -> http://www.ccleaner.com
    Download and install CCleaner. Clean your registry and temporary files with it regularly.

    -> Use Ad-Aware -> http://www.bleepingcomputer.com/forums/?showtutorial=48
    Download and install Ad-Aware. Update it and scan your computer regularly with it.

    -> Use Ewido -> http://www.ewido.net/en
    Download and install Ewido. Update it and scan your computer regularly with it.

    -> Install SpywareBlaster -> http://www.javacoolsoftware.com/spywareblaster.html
    SpywareBlaster will prevent spyware from being installed to your computer.

    -> Install MVPS Hosts file -> http://mvps.org/winhelp2002/hosts.htm
    This prevents your computer from connecting to harmful sites.

    -> Change your browser to Firefox -> http://www.mozilla.org
    Firefox is a faster, safer and quicker browser than Internet Explorer.

    -> Keep your system up-to-date -> http://windowsupdate.microsoft.com
    Visit Windows Update regularly.

    -> Keep your antivirus and firewall up-to-date
    Scan your computer regularly with your antivirus.

    -> Read this article by TonyKlein -> http://castlecops.com/postlite7736-.html
    So how did I get infected in the first place?

    Stay clean ;)
     
    Last edited: May 30, 2006
  19. znurtedik

    Hello.. I am going to download a firewall just now.. :) Since that winwea32.dll is gone, no pop-up windows are coming, and if you say it is clean this time I trust you, man, you are an expert :)
    Thank you very much JaPK

    P.S.: about Java, when I tried to download, it is still giving update 6
     
  20. JaPK

    Ok you're welcome, it is nice to hear that I could help :)

    And that Java...update 7 was just released a few days ago so they probably haven't updated the site yet...Here is another site where you can download the latest version -> http://java.sun.com/j2se/1.5.0/download.jsp

    Or you can wait until the update becomes available in the internal updater; it probably takes some days...
     
    Last edited: May 30, 2006
