Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirection From Email And Search Engine


  • This topic is locked This topic is locked
4 replies to this topic

#1 walkera36

walkera36

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 16 July 2007 - 12:25 AM

what happens is my outlook express main identity will not work now, and my email accnt on excite.com will not work nor the excite.com or yahoo.com search engine, when i click on a result it will just redirect me to some junk...so do i have to do the smitfraud thing again??

here is the log from hijack this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:35 AM, on 7/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\ehome\ehtray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\System32\hphmon05.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DIGStream\PlayhouseDisneyDownloadManager.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINNT\twain_32\ScanWiz5\SDII.exe
C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Documents and Settings\Administrator\My Documents\AJ\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\ehome\ehmsas.exe
C:\WINNT\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\DllHost.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.excite.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aroundsc.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aroundsc.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\nxc008m5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\nxc008m5.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Bho - {3F96A687-6137-4ab4-887C-6E51BCC020B9} - C:\WINNT\system32\kapyfqxj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CDE8EAB9-CEF3-4885-B12F-26960A25C800} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINNT\ehome\ehtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PlayhouseDisneyDownloadManager] C:\Program Files\DIGStream\PlayhouseDisneyDownloadManager.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINNT\twain_32\ScanWiz5\SDII.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.excite.com
O16 - DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} (DLManager Class) - https://vmodlms.widerthanam.com/component/VZWDLManager.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Documents and Settings\Administrator\My Documents\AJ\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 9388 bytes

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:08 PM

Posted 17 July 2007 - 05:42 PM

Hello walkera36,

so do i have to do the smitfraud thing again??


Looks like you do have it again. :thumbsup:

Please download SmitfraudFix

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of the SmitfraudFix report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Edited by SifuMike, 17 July 2007 - 06:03 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 walkera36

walkera36
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 20 July 2007 - 08:24 PM

things still didn't change though and i did again.....

SmitFraudFix v2.195

Scan done at 1:13:36.20, Fri 07/20/2007
Run from C:\Documents and Settings\Administrator\My Documents\AJ\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost
127.0.0.1 pubs.mgn.net #french
127.0.0.1 1.httpdads.com
127.0.0.1 207-87-18-203.wsmg.digex.net
127.0.0.1 a.mktw.net
127.0.0.1 a.tribalfusion.com
127.0.0.1 a207.p.f.qz3.net
127.0.0.1 a3.suntimes.com
127.0.0.1 actionsplash.com
127.0.0.1 ad.abcnews.com
127.0.0.1 ad.adsmart.net
127.0.0.1 ad.adtraq.com
127.0.0.1 ad.atlas.cz
127.0.0.1 ad.au.doubleclick.net
127.0.0.1 ad.be.doubleclick.net
127.0.0.1 ad.blm.net
127.0.0.1 ad.ca.doubleclick.net
127.0.0.1 ad.ch.doubleclick.net
127.0.0.1 ad.de.doubleclick.net
127.0.0.1 ad.dogpile.com
127.0.0.1 ad.doubleclick.com
127.0.0.1 ad.fr.doubleclick.net
127.0.0.1 ad.harmony-central.com
127.0.0.1 ad.horvitznewspapers.net
127.0.0.1 ad.howstuffworks.com
127.0.0.1 ad.img.yahoo.co.kr
127.0.0.1 ad.infoseek.com
127.0.0.1 ad.iwin.com
127.0.0.1 ad.jp.doubleclick.net
127.0.0.1 ad.kimo.com.tw
127.0.0.1 ad.linkexchange.com
127.0.0.1 ad.linksynergy.com
127.0.0.1 ad.moscowtimes.ru
127.0.0.1 ad.net-service.de
127.0.0.1 ad.nl.doubleclick.net
127.0.0.1 ad.no.doubleclick.net
127.0.0.1 ad.openfind.com.tw
127.0.0.1 ad.preferances.com
127.0.0.1 ad.preferences.com
127.0.0.1 ad.sales.olympics.com
127.0.0.1 ad.se.doubleclick.net
127.0.0.1 ad.sg.doubleclick.net
127.0.0.1 ad.sma.punto.net
127.0.0.1 ad.tomshardware.com
127.0.0.1 ad.trafficmp.com
127.0.0.1 ad.uk.doubleclick.net
127.0.0.1 ad.usatoday.com
127.0.0.1 ad.vol.at
127.0.0.1 ad.washingtonpost.com
127.0.0.1 ad.webprovider.com
127.0.0.1 ad01.mediacorpsingapore.com
127.0.0.1 ad08.focalink.com
127.0.0.1 ad1.aaddzz.com
127.0.0.1 ad1.peel.comwww.xbn.ru
127.0.0.1 ad10.doubleclick.net
127.0.0.1 ad11.doubleclick.net
127.0.0.1 ad12.doubleclick.net
127.0.0.1 ad13.doubleclick.net
127.0.0.1 ad14.doubleclick.net
127.0.0.1 ad15.doubleclick.net
127.0.0.1 ad16.doubleclick.net
127.0.0.1 ad17.doubleclick.net
127.0.0.1 ad18.doubleclick.net
127.0.0.1 ad19.doubleclick.net
127.0.0.1 ad2.adcept.net
127.0.0.1 ad2.doubleclick.net
127.0.0.1 ad2.peel.com
127.0.0.1 ad20.doubleclick.net
127.0.0.1 ad3.doubleclick.net
127.0.0.1 ad3.peel.com
127.0.0.1 ad4.doubleclick.net
127.0.0.1 ad5.doubleclick.net
127.0.0.1 ad6.doubleclick.net
127.0.0.1 ad7.doubleclick.net
127.0.0.1 ad7.internetadserver.com
127.0.0.1 ad8.doubleclick.net
127.0.0.1 ad9.doubleclick.net
127.0.0.1 ad-adex3.flycast.com
127.0.0.1 adbanner.sweepsclub.com
127.0.0.1 adbot.com
127.0.0.1 adbureau.net
127.0.0.1 adcodes.bla-bla.com
127.0.0.1 adcontent.gamespy.com
127.0.0.1 adcontroller.unicast.com
127.0.0.1 adcount.hollywood.com
127.0.0.1 adcreative.tribuneinteractive.com
127.0.0.1 adcreatives.imaginemedia.com
127.0.0.1 add.yaho.com
127.0.0.1 adengine.theglobe.com
127.0.0.1 adex3.flycast.com
127.0.0.1 adfarm.mediaplex.com
127.0.0.1 adforce.ads.imgis.com
127.0.0.1 adforce.adtech.de
127.0.0.1 adforce.imgis.com
127.0.0.1 adfu.blockstackers.com
127.0.0.1 adi.mainichi.co.jp
127.0.0.1 adimage.asia1.com.sg
127.0.0.1 adimage.asiaone.com.sg
127.0.0.1 adimage.bankrate.com
127.0.0.1 adimage.blm.net
127.0.0.1 adimages.earthweb.com
127.0.0.1 adimages.go.com
127.0.0.1 adimg.com.com
127.0.0.1 adimg.egroups.com
127.0.0.1 adimg1.chosun.com
127.0.0.1 adlink.deh.de
127.0.0.1 adlog.com.com
127.0.0.1 adlui001.adlink.de
127.0.0.1 admedia.xoom.com
127.0.0.1 adng.ascii24.com
127.0.0.1 adpick.switchboard.com
127.0.0.1 adpop.theglobe.com
127.0.0.1 adpulse.ads.targetnet.com
127.0.0.1 adremote.pathfinder.com
127.0.0.1 ads*.focalink.com
127.0.0.1 ads.1for1.com
127.0.0.1 ads.adflight.com
127.0.0.1 ads.ad-flow.com
127.0.0.1 ads.admaximize.com
127.0.0.1 ads.admonitor.net
127.0.0.1 ads.adtegrity.net
127.0.0.1 ads.advance.net
127.0.0.1 ads.adviva.net
127.0.0.1 ads.amazingmedia.com
127.0.0.1 ads.as4x.tmcs.net
127.0.0.1 ads.astalavista.us
127.0.0.1 ads.belointeractive.com
127.0.0.1 ads.bfast.com
127.0.0.1 ads.bianca.com
127.0.0.1 ads.bigcitytools.com
127.0.0.1 ads.bitsonthewire.com
127.0.0.1 ads.bloomberg.com
127.0.0.1 ads.cashsurfers.com
127.0.0.1 ads.cbc.ca
127.0.0.1 ads.centralohio.com
127.0.0.1 ads.clearbluemedia.com
127.0.0.1 ads.clearchannel.com
127.0.0.1 ads.clickagents.com
127.0.0.1 ads.clickhouse.com
127.0.0.1 ads.colo.kiva.net
127.0.0.1 ads.columbian.com
127.0.0.1 ads.courierpostonline.com
127.0.0.1 ads.criticalmass.com
127.0.0.1 ads.csi.emcweb.com
127.0.0.1 ads.currantbun.com
127.0.0.1 ads.dai.net
127.0.0.1 ads.democratandchronicle.com
127.0.0.1 ads.desmoinesregister.com
127.0.0.1 ads.detelefoongids.nl
127.0.0.1 ads.developershed.com
127.0.0.1 ads.devx.com
127.0.0.1 ads.digitalmedianet.com
127.0.0.1 ads.discovery.com
127.0.0.1 ads.doubleclick.com
127.0.0.1 ads.doubleclick.net
127.0.0.1 ads.ecircles.com
127.0.0.1 ads.enliven.com
127.0.0.1 ads.erotism.com
127.0.0.1 ads.eu.msn.com
127.0.0.1 ads.exhedra.com
127.0.0.1 ads.fairfax.com.au
127.0.0.1 ads.filez.com
127.0.0.1 ads.floridatoday.com
127.0.0.1 ads.fool.com
127.0.0.1 ads.forbes.com
127.0.0.1 ads.forbes.net
127.0.0.1 ads.fortunecity.com
127.0.0.1 ads.fredericksburg.com
127.0.0.1 ads.freshmeat.net
127.0.0.1 ads.gameanswers.com
127.0.0.1 ads.gamespy.com
127.0.0.1 ads.globeandmail.com
127.0.0.1 ads.god.co.uk
127.0.0.1 ads.granadamedia.com
127.0.0.1 ads.greensboro.com
127.0.0.1 ads.guardian.co.uk
127.0.0.1 ads.guardianunlimited.co.uk
127.0.0.1 ads.hitcents.com
127.0.0.1 ads.hollywood.com
127.0.0.1 ads.hyperbanner.net
127.0.0.1 ads.i33.com
127.0.0.1 ads.iafrica.com
127.0.0.1 ads.iambic.com
127.0.0.1 ads.icq.com
127.0.0.1 ads.ign.com
127.0.0.1 ads.imagine-inc.com
127.0.0.1 ads.imdb.com
127.0.0.1 ads.infi.net
127.0.0.1 ads.infospace.com
127.0.0.1 ads.iwon.com
127.0.0.1 ads.jacksonsun.com
127.0.0.1 ads.jpost.com
127.0.0.1 ads.jwtt3.com
127.0.0.1 ads.link4ads.com
127.0.0.1 ads.list-universe.com
127.0.0.1 ads.live365.com
127.0.0.1 ads.lycos.com
127.0.0.1 ads.madison.com
127.0.0.1 ads.mcafee.com
127.0.0.1 ads.mdchoice.com
127.0.0.1 ads.mediadevil.com
127.0.0.1 ads.mediaodyssey.com
127.0.0.1 ads.mediaturf.net
127.0.0.1 ads.mh5.com
127.0.0.1 ads.mirrormedia.co.uk
127.0.0.1 ads.msn.com
127.0.0.1 ads.msn-ppe.com
127.0.0.1 ads.musiccity.com
127.0.0.1 ads.mysimon.com
127.0.0.1 ads.nandomedia.com
127.0.0.1 ads.narrowline.com
127.0.0.1 ads.nerve.com
127.0.0.1 ads.netmechanic.com
127.0.0.1 ads.newcity.com
127.0.0.1 ads.newcitynet.com
127.0.0.1 ads.newsdigital.net
127.0.0.1 ads.newsint.co.uk
127.0.0.1 ads.newsquest.co.uk
127.0.0.1 ads.newtimes.com
127.0.0.1 ads.ninemsn.com.au
127.0.0.1 ads.northjersey.com
127.0.0.1 ads.nwsource.com
127.0.0.1 ads.nyi.net
127.0.0.1 ads.nypost.com
127.0.0.1 ads.nytimes.com
127.0.0.1 ads.ole.com
127.0.0.1 ads.paxnet.co.kr
127.0.0.1 ads.paxnet.com
127.0.0.1 ads.peel.com
127.0.0.1 ads.pennyweb.com
127.0.0.1 ads.premiumnetwork.com
127.0.0.1 ads.realcities.com
127.0.0.1 ads.realmedia.com
127.0.0.1 ads.rottentomatoes.com
127.0.0.1 ads.scifi.com
127.0.0.1 ads.seattletimes.com
127.0.0.1 ads.smartclicks.com
127.0.0.1 ads.smartclicks.net
127.0.0.1 ads.snowball.com
127.0.0.1 ads.specificpop.com
127.0.0.1 ads.sptimes.com
127.0.0.1 ads.starnews.com
127.0.0.1 ads.statesmanjournal.com
127.0.0.1 ads.stileproject.com
127.0.0.1 ads.switchboard.com
127.0.0.1 ads.telegraph.co.uk
127.0.0.1 ads.themes.org
127.0.0.1 ads.theolympian.com
127.0.0.1 ads.thestar.com
127.0.0.1 ads.tmcs.net
127.0.0.1 ads.tripod.com
127.0.0.1 ads.tucows.com
127.0.0.1 ads.ugo.com
127.0.0.1 ads.usatoday.com
127.0.0.1 ads.viaarena.com
127.0.0.1 ads.videoaxs.com
127.0.0.1 ads.vnuemedia.com
127.0.0.1 ads.washingtonpost.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ads.web.de
127.0.0.1 ads.web21.com
127.0.0.1 ads.webcash.nl
127.0.0.1 ads.wnd.com
127.0.0.1 ads.x10.com
127.0.0.1 ads.xtra.co.nz
127.0.0.1 ads.zdnet.com
127.0.0.1 ads01.focalink.com
127.0.0.1 ads02.focalink.com
127.0.0.1 ads03.focalink.com
127.0.0.1 ads-03.tor.focusin.ads.targetnet.com
127.0.0.1 ads04.focalink.com
127.0.0.1 ads05.focalink.com
127.0.0.1 ads06.focalink.com
127.0.0.1 ads08.focalink.com
127.0.0.1 ads09.focalink.com
127.0.0.1 ads1.activeagent.at
127.0.0.1 ads1.ad-flow.com
127.0.0.1 ads1.advance.net
127.0.0.1 ads1.condenet.com
127.0.0.1 ads1.intelliads.com
127.0.0.1 ads1.sptimes.com
127.0.0.1 ads10.focalink.com
127.0.0.1 ads11.focalink.com
127.0.0.1 ads12.focalink.com
127.0.0.1 ads13.focalink.com
127.0.0.1 ads14.focalink.com
127.0.0.1 ads15.focalink.com
127.0.0.1 ads16.focalink.com
127.0.0.1 ads17.focalink.com
127.0.0.1 ads18.bpath.com
127.0.0.1 ads18.focalink.com
127.0.0.1 ads19.focalink.com
127.0.0.1 ads2.advance.net
127.0.0.1 ads2.clearchannel.com
127.0.0.1 ads2.condenet.com
127.0.0.1 ads2.zdnet.com
127.0.0.1 ads20.focalink.com
127.0.0.1 ads21.focalink.com
127.0.0.1 ads22.focalink.com
127.0.0.1 ads23.focalink.com
127.0.0.1 ads24.focalink.com
127.0.0.1 ads25.focalink.com
127.0.0.1 ads3.advance.net
127.0.0.1 ads3.zdnet.com
127.0.0.1 ads4.advance.net
127.0.0.1 ads4.clearchannel.com
127.0.0.1 ads4.condenet.com
127.0.0.1 ads5.advance.net
127.0.0.1 ads5.canoe.ca
127.0.0.1 ads5.gamecity.net
127.0.0.1 ads7.advance.net
127.0.0.1 ads7.udc.advance.net
127.0.0.1 ads-b.focalink.com
127.0.0.1 adserv.iafrica.com
127.0.0.1 adserv.internetfuel.com
127.0.0.1 adserv.newcentury.net
127.0.0.1 adserv.quality-channel.de
127.0.0.1 adservant.guj.de
127.0.0.1 adservant.mediapoint.de
127.0.0.1 adserver.ads360.com
127.0.0.1 adserver.anm.co.uk
127.0.0.1 adserver.bizland-inc.net
127.0.0.1 adserver.colleges.com
127.0.0.1 adserver.dbusiness.com
127.0.0.1 adserver.digitalpartners.com
127.0.0.1 adserver.garden.com
127.0.0.1 adserver.hispavista.com
127.0.0.1 adserver.ign.com
127.0.0.1 adserver.janes.com
127.0.0.1 adserver.matchcraft.com
127.0.0.1 adserver.merc.com
127.0.0.1 adserver.monster.com
127.0.0.1 adserver.netcast.nl
127.0.0.1 adserver.news.com.au
127.0.0.1 adserver.nydailynews.com
127.0.0.1 adserver.phillyburbs.com
127.0.0.1 adserver.pollstar.com
127.0.0.1 adserver.securityfocus.com
127.0.0.1 adserver.snowball.com
127.0.0.1 adserver.track-star.com
127.0.0.1 adserver.trb.com
127.0.0.1 adserver.tribuneinteractive.com
127.0.0.1 adserver.ugo.com
127.0.0.1 adserver.ukplus.co.uk
127.0.0.1 adserver.webads.com
127.0.0.1 adserver.webads.nl
127.0.0.1 adserver1.ogilvy-interactive.de
127.0.0.1 adserver1.realtracker.com
127.0.0.1 adserver2.realtracker.com
127.0.0.1 adserver3.realtracker.com
127.0.0.1 adserver-espnet.sportszone.com
127.0.0.1 adsrv.bankrate.com
127.0.0.1 adsrv.iol.co.za
127.0.0.1 adsrv2.gainesvillesun.com
127.0.0.1 adtegrity.spinbox.net
127.0.0.1 adtegrity.thruport.com
127.0.0.1 adthru.com
127.0.0.1 ad-up.com
127.0.0.1 adverity.adverity.com
127.0.0.1 advert.bayarea.com
127.0.0.1 advert.heise.de
127.0.0.1 affiliate.doteasy.com
127.0.0.1 akaads-abc.starwave.com
127.0.0.1 altfarm.mediaplex.com
127.0.0.1 amch.questionmarket.com
127.0.0.1 amedia.techies.com
127.0.0.1 antfarm-ad.flycast.com
127.0.0.1 arc1.msn.com
127.0.0.1 arc2.msn.com
127.0.0.1 arc3.msn.com
127.0.0.1 arc4.msn.com
127.0.0.1 arc5.msn.com
127.0.0.1 askmen.thruport.com
127.0.0.1 au.ads.link4ads.com
127.0.0.1 banner.adlink.de
127.0.0.1 banner.coza.com
127.0.0.1 banner.easyspace.com
127.0.0.1 banner.linkexchange.com
127.0.0.1 banner.media-system.de
127.0.0.1 banner.northsky.com
127.0.0.1 banner.orb.net
127.0.0.1 banner.relcom.ru
127.0.0.1 banner.rootsweb.com
127.0.0.1 banner1.adlink.de
127.0.0.1 bannerads.anytimenews.com
127.0.0.1 banners.adultfriendfinder.com
127.0.0.1 banners.affiliatefuel.com
127.0.0.1 banners.babylon-x.com
127.0.0.1 banners.chek.com
127.0.0.1 banners.easydns.com
127.0.0.1 banners.friendfinder.com
127.0.0.1 banners.internetextra.com
127.0.0.1 banners.looksmart.com
127.0.0.1 banners.moviegoods.com
127.0.0.1 banners.nextcard.com
127.0.0.1 banners.revenuelink.com
127.0.0.1 banners.valuead.com
127.0.0.1 banners.wunderground.com
127.0.0.1 bannerswap.com
127.0.0.1 barnesandnoble.bfast.com
127.0.0.1 beseenad.looksmart.com
127.0.0.1 bidclix.net
127.0.0.1 bizad.nikkeibp.co.jp
127.0.0.1 bn.bfast.com
127.0.0.1 c1.zedo.com
127.0.0.1 c3.xxxcounter.com
127.0.0.1 ca.fp.sandpiper.net
127.0.0.1 califia.imaginemedia.com
127.0.0.1 campaigns.f2.com.au
127.0.0.1 cb.icq.com
127.0.0.1 cds.mediaplex.com
127.0.0.1 cf.icq.com
127.0.0.1 cgi.declicnet.com
127.0.0.1 classic.adlink.de
127.0.0.1 click.adlink.de
127.0.0.1 click.avenuea.com
127.0.0.1 click.go2net.com
127.0.0.1 click.linksynergy.com
127.0.0.1 click.mp3.com
127.0.0.1 clickit.go2net.com
127.0.0.1 clickserve.cc-dt.com
127.0.0.1 commonwealth.riddler.com
127.0.0.1 comtrack.comclick.com
127.0.0.1 connect.247media.ads.link4ads.com
127.0.0.1 cookies.cmpnet.com
127.0.0.1 coreg.flashtrack.net
127.0.0.1 cornflakes.pathfinder.com
127.0.0.1 counter.hitbox.com
127.0.0.1 creative.whi.co.nz
127.0.0.1 crux.songline.com
127.0.0.1 delivery1.ads.telegraaf.nl
127.0.0.1 desktop.kazaa.com
127.0.0.1 di.image.eshop.msn.com
127.0.0.1 dino.mainz.ibm.de
127.0.0.1 direct.adlink.de
127.0.0.1 doubleclick.net
127.0.0.1 ds.eyeblaster.com
127.0.0.1 ehg-bestbuy.hitbox.com
127.0.0.1 ehg-dig.hitbox.com
127.0.0.1 ehg-espn.hitbox.com
127.0.0.1 ehg-intel.hitbox.com
127.0.0.1 ehg-macromedia.hitbox.com
127.0.0.1 engage.speedera.net
127.0.0.1 erie.smartage.com
127.0.0.1 etad.telegraph.co.uk
127.0.0.1 eur.yimg.com
127.0.0.1 fl01.ct2.comclick.com
127.0.0.1 focusin.ads.targetnet.com
127.0.0.1 fp.valueclick.com
127.0.0.1 ftp.nacorp.com
127.0.0.1 gadgeteer.pdamart.com
127.0.0.1 ganges.imagine-inc.com
127.0.0.1 garden.ngadcenter.net
127.0.0.1 geoads.osdn.com
127.0.0.1 global.msads.net
127.0.0.1 globaltrack.com
127.0.0.1 globaltrak.net
127.0.0.1 gm.preferences.com
127.0.0.1 gp.dejanews.com
127.0.0.1 hg1.hitbox.com
127.0.0.1 holland.hyperbanner.net
127.0.0.1 hurricane.adlink.de
127.0.0.1 i.timeinc.net
127.0.0.1 icover.realmedia.com
127.0.0.1 ieee-images.adbureau.net
127.0.0.1 im.800.com
127.0.0.1 image.click2net.com
127.0.0.1 image.eimg.com
127.0.0.1 image.imgfarm.com
127.0.0.1 images.ads.fairfax.com.au
127.0.0.1 images.bizrate.com
127.0.0.1 images.cybereps.com
127.0.0.1 images.fastclick.net
127.0.0.1 images.newsx.cc
127.0.0.1 images.scripps.com
127.0.0.1 images.trafficmp.com
127.0.0.1 images.webads.nl
127.0.0.1 images2.nytimes.com
127.0.0.1 imageserv.adtech.de
127.0.0.1 img.cmpnet.com
127.0.0.1 information.gopher.com
127.0.0.1 iv.doubleclick.net
127.0.0.1 java.yahoo.com
127.0.0.1 jobkeys.ngadcenter.net
127.0.0.1 js1.hitbox.com
127.0.0.1 k5ads.osdn.com
127.0.0.1 kansas.valueclick.com
127.0.0.1 kaplanindex.com
127.0.0.1 kr-adimage.lycos.co.kr
127.0.0.1 krd.realcities.com
127.0.0.1 leader.linkexchange.com
127.0.0.1 liquidad.narrowcastmedia.com
127.0.0.1 ln.doubleclick.net
127.0.0.1 m.doubleclick.net
127.0.0.1 m.tribalfusion.com
127.0.0.1 m2.doubleclick.net
127.0.0.1 macaddictads.snv.futurenet.com
127.0.0.1 marketing.nyi.net
127.0.0.1 maximumpcads.imaginemedia.com
127.0.0.1 mds.centrport.net
127.0.0.1 media.popuptraffic.com
127.0.0.1 media.preferences.com
127.0.0.1 media13.fastclick.net
127.0.0.1 media15.fastclick.net
127.0.0.1 media17.fastclick.net
127.0.0.1 media19.fastclick.net
127.0.0.1 mediamgr.ugo.com
127.0.0.1 mercury.rmuk.co.uk
127.0.0.1 mjxads.internet.com
127.0.0.1 mojofarm.mediaplex.com
127.0.0.1 mojofarm.sjc.mediaplex.com
127.0.0.1 mt37.mtree.com
127.0.0.1 nbc.adbureau.net
127.0.0.1 neighborhood.standard.net
127.0.0.1 netcomm.spinbox.net
127.0.0.1 netshelter.adtrix.com
127.0.0.1 newads.cmpnet.com
127.0.0.1 ng3.ads.warnerbros.com
127.0.0.1 ngads.smartage.com
127.0.0.1 nrsite.com
127.0.0.1 nsads.hotwired.com
127.0.0.1 ntbanner.digitalriver.com
127.0.0.1 oas.dispatch.com
127.0.0.1 oas.lee.net
127.0.0.1 oas.mmd.ch
127.0.0.1 oas.uniontrib.com
127.0.0.1 oas.villagevoice.com
127.0.0.1 oasads.whitepages.com
127.0.0.1 ogilvy.ngadcenter.net
127.0.0.1 oz.valueclick.com
127.0.0.1 ph-ad05.focalink.com
127.0.0.1 ph-ad06.focalink.com
127.0.0.1 ph-ad07.focalink.com
127.0.0.1 ph-ad16.focalink.com
127.0.0.1 ph-ad17.focalink.com
127.0.0.1 ph-ad18.focalink.com
127.0.0.1 ph-ad19.focalink.com
127.0.0.1 ph-ad21.focalink.com
127.0.0.1 phoenix-adrunner.mycomputer.com
127.0.0.1 phpads2.cnpapers.com
127.0.0.1 pluto1.iserver.net
127.0.0.1 primetime.ad.asap-asp.net
127.0.0.1 pub-g.ifrance.com
127.0.0.1 pubs.mgn.net #french
127.0.0.1 q.pni.com
127.0.0.1 rad.msn.com
127.0.0.1 rd1.hitbox.com
127.0.0.1 realads.realmedia.com
127.0.0.1 realmedia-a800.d4p.net
127.0.0.1 redherring.ngadcenter.net
127.0.0.1 redirect.click2net.com
127.0.0.1 regio.adlink.de
127.0.0.1 reply.mediatris.net
127.0.0.1 responsemedia-ad.flycast.com
127.0.0.1 retaildirect.realmedia.com
127.0.0.1 rmads.msn.com
127.0.0.1 rmedia.boston.com
127.0.0.1 s0b.bluestreak.com
127.0.0.1 s2.focalink.com
127.0.0.1 sc.clicksupply.com
127.0.0.1 scand.adlink.de
127.0.0.1 secure.webconnect.net
127.0.0.1 servads.aip.org
127.0.0.1 serve.thisbanner.com
127.0.0.1 servedby.advertising.com
127.0.0.1 service.bfast.com
127.0.0.1 sfads.osdn.com
127.0.0.1 sg.yimg.com
127.0.0.1 sh4sure-images.adbureau.net
127.0.0.1 shop.kazaa.com
127.0.0.1 speed.pointroll.com
127.0.0.1 spin.spinbox.net
127.0.0.1 spinbox.maccentral.com
127.0.0.1 spinbox.techtracker.com
127.0.0.1 ss.mtree.com
127.0.0.1 static.admaximize.com
127.0.0.1 stats.adultrevenueservice.com
127.0.0.1 stats.superstats.com
127.0.0.1 suissa-ad.flycast.com
127.0.0.1 sview.avenuea.com
127.0.0.1 techreview-images.adbureau.net
127.0.0.1 thinknyc.eu-adcenter.net
127.0.0.1 ti.click2net.com
127.0.0.1 tmsads.tribune.com
127.0.0.1 toads.osdn.com
127.0.0.1 tracker.clicktrade.com
127.0.0.1 tsms-ad.tsms.com
127.0.0.1 ugo.eu-adcenter.net
127.0.0.1 us.a1.yimg.com
127.0.0.1 usbytecom.orbitcycle.com
127.0.0.1 utils.mediageneral.com
127.0.0.1 v0.extreme-dm.com
127.0.0.1 v1.extreme-dm.com
127.0.0.1 van.ads.link4ads.com
127.0.0.1 view.accendo.com
127.0.0.1 view.atdmt.com
127.0.0.1 view.avenuea.com
127.0.0.1 vnu.eu-adcenter.net
127.0.0.1 vpdc.ru4.com
127.0.0.1 w113.hitbox.com
127.0.0.1 w25.hitbox.com
127.0.0.1 wap.adlink.de
127.0.0.1 web2.deja.com
127.0.0.1 webad.ajeeb.com
127.0.0.1 webads.bizservers.com
127.0.0.1 webaffiliate.covad.com
127.0.0.1 west.adlink.de
127.0.0.1 wwa.hitbox.com
127.0.0.1 wwb.hitbox.com
127.0.0.1 www.24pm-affiliation.com
127.0.0.1 www.ad.tomshardware.com
127.0.0.1 www.ad4ex.com
127.0.0.1 www.ad-flow.com
127.0.0.1 www.adireland.com
127.0.0.1 www.admex.com
127.0.0.1 www.ad-up.com
127.0.0.1 www.alladvantage.com
127.0.0.1 www.avsads.com
127.0.0.1 www.b3d.com
127.0.0.1 www.banner2u.com
127.0.0.1 www.bannercampaign.com
127.0.0.1 www.banneroverdrive.com
127.0.0.1 www.blissnet.net
127.0.0.1 www.bonzi.com
127.0.0.1 www.brilliantdigital.com
127.0.0.1 www.burstnet.com
127.0.0.1 www.cibleclick.com
127.0.0.1 www.click-fr.com
127.0.0.1 www.commission-junction.com
127.0.0.1 www.consumerinfo.com
127.0.0.1 www.crisscross.com
127.0.0.1 www.cyberbounty.com
127.0.0.1 www.datais.com
127.0.0.1 www.digitalbettingcasinos.com
127.0.0.1 www.dnps.com
127.0.0.1 www.doubleclick.net
127.0.0.1 www.eads.com
127.0.0.1 www.exchange-it.com
127.0.0.1 www.fineclicks.com
127.0.0.1 www.freestats.com
127.0.0.1 www.imaginemedia.com
127.0.0.1 www.kaplanindex.com
127.0.0.1 www.linksynergy.com
127.0.0.1 www.nailitonline2.com
127.0.0.1 www.netdirect.nl
127.0.0.1 www.netflip.com
127.0.0.1 www.netsponsors.com
127.0.0.1 www.netvertising.be
127.0.0.1 www.nrsite.com
127.0.0.1 www.oneandonlynetwork.com
127.0.0.1 www.onresponse.com
127.0.0.1 www.postmasterbannernet.com
127.0.0.1 www.qksrv.net
127.0.0.1 www.speedyclick.com
127.0.0.1 www.targetshop.com
127.0.0.1 www.teknosurf2.com
127.0.0.1 www.teknosurf3.com
127.0.0.1 www.valueclick.com
127.0.0.1 www.webads.nl
127.0.0.1 www.websitefinancing.com
127.0.0.1 www10.valueclick.com
127.0.0.1 www15.ad.tomshardware.com
127.0.0.1 www2.burstnet.com
127.0.0.1 www2.newtopsites.com
127.0.0.1 www23.valueclick.com
127.0.0.1 www3.ad.tomshardware.com
127.0.0.1 www3.bannerspace.com
127.0.0.1 www3.pagecount.com
127.0.0.1 www4.ad.tomshardware.com
127.0.0.1 www4.trix.net
127.0.0.1 www6.ad.tomshardware.com
127.0.0.1 www75.valueclick.com
127.0.0.1 www8.ad.tomshardware.com
127.0.0.1 www80.valueclick.com
127.0.0.1 y.ibsys.com
127.0.0.1 z.extreme-dm.com
127.0.0.1 z0.extreme-dm.com
127.0.0.1 z1.adserver.com
127.0.0.1 z1.extreme-dm.com
127.0.0.1 zi.r.tv.com
127.0.0.1 zrap.zdnet.com.com
127.0.0.1 as.casalemedia.com

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6BD147E5-DF8C-43FA-9684-A235640B0544}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6BD147E5-DF8C-43FA-9684-A235640B0544}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6BD147E5-DF8C-43FA-9684-A235640B0544}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

and my new hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:37 PM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\ehome\ehtray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\System32\hphmon05.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DIGStream\PlayhouseDisneyDownloadManager.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINNT\twain_32\ScanWiz5\SDII.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
C:\Documents and Settings\Administrator\My Documents\AJ\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\ehome\ehmsas.exe
C:\WINNT\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.excite.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aroundsc.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aroundsc.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\nxc008m5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\nxc008m5.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Bho - {3F96A687-6137-4ab4-887C-6E51BCC020B9} - C:\WINNT\system32\kapyfqxj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CDE8EAB9-CEF3-4885-B12F-26960A25C800} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINNT\ehome\ehtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PlayhouseDisneyDownloadManager] C:\Program Files\DIGStream\PlayhouseDisneyDownloadManager.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINNT\twain_32\ScanWiz5\SDII.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.excite.com
O16 - DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} (DLManager Class) - https://vmodlms.widerthanam.com/component/VZWDLManager.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Documents and Settings\Administrator\My Documents\AJ\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 9645 bytes

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:08 PM

Posted 20 July 2007 - 09:16 PM

Hi walkera36,

I asked you to download and run SmitfruadFix and you ran an old version that you had on your computer. :thumbsup:

The new version is 2.205 and you ran
SmitFraudFix v2.195, so it has been updated 10 times since you last downloaded it.

This SmitfruadFix is updated frequently, so it is a bad idea to leave it on your computer.

Please delete it, then go back to my previous post where I asked you to download it, and download a fresh version and run it according to my instructions.
Then post the SmitfruadFix log and a fresh Hijackthis log.

Edited by SifuMike, 20 July 2007 - 09:21 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:08 PM

Posted 28 July 2007 - 09:21 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users