
Smitfraud


#1 booker716

Posted 27 November 2007 - 03:47 AM

These are the results of the scan that WATERFALL had me do.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:34 AM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Avast Virus Program\aswUpdSv.exe
C:\Avast Virus Program\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\AVASTV~1\ashDisp.exe
C:\ZONE ALARM\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe
C:\AVG 7.1\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Avast Virus Program\ashMaiSv.exe
C:\Avast Virus Program\ashWebSv.exe
C:\HiJack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BlueFrog.Biz - The Best Internet!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
N4 - Mozilla: user_pref("browser.startup.homepage", "http://www.dogpile.com"); (C:\Documents and Settings\CHETTER\Application Data\Mozilla\Profiles\default\DL7EA87E.SLT\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_06.src"); (C:\Documents and Settings\CHETTER\Application Data\Mozilla\Profiles\default\DL7EA87E.SLT\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT\SpyBot1.3\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSVPS System - {CFF8726A-9262-441C-8163-C6371E9EDE47} - C:\WINDOWS\advrepnok.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: The sdrmod - {16A0662E-AC21-4AD9-89E8-7495AC5ACE93} - C:\WINDOWS\sdrmod.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\AVASTV~1\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\ZONE ALARM\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1013018
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &Download with &DAP - dapextie.htm
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\PAULETTE\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061023/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137223269593
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinstall/includes/vzWebIns.CAB
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader_sp1/imloader.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E798DFF-B1CE-4485-930F-812CED0A5C8F}: NameServer = 68.237.161.12 71.250.0.12
O20 - Winlogon Notify: !SASWinLogon - C:\temp\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Avast Virus Program\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Avast Virus Program\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Avast Virus Program\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Avast Virus Program\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\AVG 7.1\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O24 - Desktop Component 0: (no name) - http://central.terminal.railfan.net/pics/submit/buf_nyc_deco.jpg
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 11311 bytes

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/27/2007 at 02:36 AM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Custom Scan
Total Scan Time : 01:30:18

Memory items scanned : 187
Memory threats detected : 0
Registry items scanned : 7036
Registry threats detected : 0
File items scanned : 62650
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\CHETTER\Cookies\chetter@richmedia.yahoo[1].txt
C:\Documents and Settings\CHETTER\Cookies\chetter@precisionclick[1].txt
C:\Documents and Settings\CHETTER\Cookies\chetter@ads.gametap[1].txt
C:\Documents and Settings\CHETTER\Cookies\chetter@smileycentral[1].txt


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


SmitFraudFix v2.248

Scan done at 0:45:31.37, Tue 11/27/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS



Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


#2 waterfalls

Malware Exorcist, Staff Emeritus

Posted 05 December 2007 - 01:46 AM

Hi -

I read your PM a few minutes ago. The problem is that, after your original thread was locked because of a lack of response after three days, you began a new thread three days after that. I would have no knowledge of your new thread unless I was contacted by PM.

Anyway, now that we seem to be in sync again and since your HijackThis log here is a week old, please post a new HijackThis log.
Note: After running HijackThis and the log opens, while you're still in Notepad, click Format, and then click Word Wrap. Then, copy and paste the log in your reply. This way, your log will be readable.

Also, let me know how your computer is running.
Take only memories, leave nothing but footprints.


#3 booker716 (Topic Starter)

Posted 05 December 2007 - 04:19 AM

First of all, thanks for trying to help me.

I still can not change the image on my desktop. If I right click on a blank space I can not get to Properties (I know how to get there using My Computer); nothing happens.

I still have a warning bar at the top of the screen stating:
Warning: possible spyware or adware infection! Click here to scan your computer for spyware and adware...

I also get a banner across the screen saying something like "privacy may be in jeopardy", etc., etc.

Anyway, here are the results of the scan.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:58:18 AM, on 12/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Avast Virus Program\aswUpdSv.exe
C:\Avast Virus Program\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\AVASTV~1\ashDisp.exe
C:\ZONE ALARM\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe
C:\AVG 7.1\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Avast Virus Program\ashMaiSv.exe
C:\Avast Virus Program\ashWebSv.exe
C:\MailWasher\MailWasher\MailWasher.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Safari Browser\Safari.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\HiJack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BlueFrog.Biz - The Best Internet!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
N4 - Mozilla: user_pref("browser.startup.homepage", "http://www.dogpile.com"); (C:\Documents and Settings\CHETTER\Application Data\Mozilla\Profiles\default\DL7EA87E.SLT\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_06.src"); (C:\Documents and Settings\CHETTER\Application Data\Mozilla\Profiles\default\DL7EA87E.SLT\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT\SpyBot1.3\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSVPS System - {CFF8726A-9262-441C-8163-C6371E9EDE47} - C:\WINDOWS\advrepnok.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: The sdrmod - {16A0662E-AC21-4AD9-89E8-7495AC5ACE93} - C:\WINDOWS\sdrmod.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\AVASTV~1\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\ZONE ALARM\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1013018
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &Download with &DAP - dapextie.htm
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\PAULETTE\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200610...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137223269593
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinsta...es/vzWebIns.CAB
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup...p1/imloader.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co....cab?10,0,910,0
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E798DFF-B1CE-4485-930F-812CED0A5C8F}: NameServer = 68.237.161.12 71.250.0.12
O20 - Winlogon Notify: !SASWinLogon - C:\temp\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Avast Virus Program\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Avast Virus Program\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Avast Virus Program\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Avast Virus Program\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\AVG 7.1\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O24 - Desktop Component 0: (no name) - http://central.terminal.railfan.net/pics/s...uf_nyc_deco.jpg
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 11560 bytes
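A small triage parser for the HijackThis log format posted in this thread, added here as an example; it is not HijackThis, SmitfraudFix, or anything from the helper's replies. It reads the "Oxx - ..." lines, extracts the target path, and flags the entries a helper reads first (orphaned hooks, DLLs dropped straight into the Windows folder, temp-folder loads, O20 Winlogon Notify DLLs and O24 Active Desktop components). The sample input is a few lines copied from the log above; every flag is a review heuristic, not a verdict.

```python
"""Triage helper for HijackThis v2 log lines (added example, not part of
HijackThis or SmitfraudFix). Flags are reasons to look closer, not proof
that an entry is malicious."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the log posted in this thread, with
# two known-good entries (Java BHO, avast! service) kept as controls.
SAMPLE_LOG_LINES = [
    r"Logfile of Trend Micro HijackThis v2.0.2",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll",
    r"O2 - BHO: MSVPS System - {CFF8726A-9262-441C-8163-C6371E9EDE47} - C:\WINDOWS\advrepnok.dll",
    r"O3 - Toolbar: The sdrmod - {16A0662E-AC21-4AD9-89E8-7495AC5ACE93} - C:\WINDOWS\sdrmod.dll (file missing)",
    r"O20 - Winlogon Notify: !SASWinLogon - C:\temp\SASWINLO.dll",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Avast Virus Program\ashServ.exe",
    r"O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm",
]

ENTRY_RE = re.compile(r"^([ORNF]\d{1,2}) - (.*)$")   # section code, then the rest
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*')             # drive path, stops at a quote
MISSING = "(file missing)"


@dataclass
class Entry:
    section: str
    name: str
    path: str
    raw: str
    reasons: list = field(default_factory=list)


def parse_entry(line):
    """Return an Entry for one 'Oxx - ...' line, or None for header lines
    and the running-process list."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    head = rest.split(" - ")[0]
    # "BHO: MSVPS System" -> "MSVPS System"; heads without ': ' are kept whole
    name = head.split(": ", 1)[1] if ": " in head else head
    pm = PATH_RE.search(rest.replace("file:///", ""))
    path = pm.group(0).replace(MISSING, "").strip() if pm else ""
    return Entry(section, name, path, line.strip())


def assess(entry):
    """Attach review reasons using the checks a helper applies by eye."""
    p = entry.path.lower()
    if MISSING in entry.raw:
        entry.reasons.append("points at a file that no longer exists (orphaned hook)")
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+\.dll", p):
        entry.reasons.append("DLL sitting directly in the Windows folder, not in system32 or Program Files")
    if "\\temp\\" in p:
        entry.reasons.append("loads from a temp directory")
    if entry.section == "O20":
        entry.reasons.append("Winlogon Notify DLL runs at every logon with SYSTEM rights; confirm the publisher")
    if entry.section == "O24":
        entry.reasons.append("Active Desktop web component rendered on the desktop; review any local HTML file here")
    return entry


def triage(lines):
    """Parse every line and return only the entries that collected a reason."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if entry and assess(entry).reasons:
            findings.append(entry)
    return findings


def report(lines):
    """Human-readable summary, one entry per flagged line."""
    out = []
    for e in triage(lines):
        out.append(f"{e.section} {e.name!r} -> {e.path}")
        out.extend(f"    - {r}" for r in e.reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG_LINES))
```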

#4 waterfalls

Malware Exorcist, Staff Emeritus

Posted 05 December 2007 - 10:28 PM

Hi -

You will need to print these instructions because you will be working in Safe Mode without an Internet connection. Make sure to work through all the steps in the exact order in which they are listed below. If there's anything that you do not understand, ask your question(s) before moving on with the fixes.

Update AVG Anti-Spyware.

Reboot into SAFE MODE.
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

Open the SmitfraudFix Folder, then double-click smitfraudfix.exe file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Clean out your Temporary Internet files. Proceed like this:
  • Close ALL browsers and open windows / programs.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware 7.5, and run a full scan.
IMPORTANT: Do not open any other windows or programs while AVG/Ewido is scanning, it may interfere with the scanning process.

Scan with AVG/Ewido Anti-Spyware as follows:
1. Launch AVG/Ewido Anti-Spyware, click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?" check all (default).
  • Under "Possibly unwanted software" check all (default).
  • Under "What to Scan?" make sure "Scan every file" is selected (default).
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
6. Exit AVG/Ewido Anti-Spyware when done and submit the log report in your next response.
______________________________

Reboot into Normal Mode.

Post back with the C:\rapport.txt; the AVG/Ewido log; and a new HijackThis log
Take only memories, leave nothing but footprints.
