Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Plz Help Gold Codec Infection


  • This topic is locked This topic is locked
25 replies to this topic

#1 shalinick2006

shalinick2006

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:57 PM

Posted 26 November 2006 - 04:19 AM

Hello,

I read your tutorial and have run hijackthis. the log is attached below. Kindly help ASAP:

LOG
******
Logfile of HijackThis v1.99.1
Scan saved at 09:52:36 AM, on 2006/11/26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gold Codec\isamonitor.exe
C:\Programme\Gold Codec\pmsngr.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Java\jre1.5.0_09\bin\jusched.exe
C:\Programme\Hp\HP Software Update\HPWuSchd2.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programme\VVSN\VVSN.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programme\SealedMedia\sealmon.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\Gold Codec\pmmon.exe
C:\Programme\Gold Codec\isamini.exe
C:\Programme\Nikon\PictureProject\NkbMonitor.exe
C:\Programme\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Programme\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Programme\Yahoo!\Messenger\ymsgr_tray.exe
C:\Programme\FRITZ!DSL\FwebProt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Programme\FRITZ!DSL\StCenter.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\WINDOWS\system32\bgsvcgen.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\HPQ\SHARED\HPQWMI.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Lokale Einstellungen\Temporary Internet Files\Content.IE5\G5SKXSHH\noadware[1].exe
C:\DOKUME~1\BEJOYC~1\LOKALE~1\Temp\is-17V6U.tmp\is-39JSM.tmp
C:\Programme\NoAdware4\NoAdware4.exe
C:\WINDOWS\system32\notepad.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\BEJOYC~1\LOKALE~1\Temp\Rar$EX01.141\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fritz.box
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: (no name) - {ae18da4e-be15-4925-81bb-890c04af0200} - C:\Programme\Gold Codec\isaddon.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Programme\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programme\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programme\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Programme\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [VVSN] C:\Programme\VVSN\VVSN.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [sealmon] C:\Programme\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programme\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: FRITZ!DSL Protect.lnk = C:\Programme\FRITZ!DSL\FwebProt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programme\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Programme\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Programme\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Programme\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Programme\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Programme\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Programme\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.anandabazar.com/wfplayer/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141452882296
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB14023E-D2BF-45CE-951D-AB8A07525688}: NameServer = 192.168.122.252,192.168.122.253
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: gimmicks - {40dcff6e-af8d-4183-8ebe-a82270ac449e} - C:\WINDOWS\system32\dcvwaah.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programme\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe

********
End LOG

BC AdBot (Login to Remove)

 


#2 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:27 PM

Posted 26 November 2006 - 07:52 AM

Click here to download SmitfraudFix (by S!Ri). Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log in your next reply.

Please do not run any other options until you are asked to do so.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 shalinick2006

shalinick2006
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:57 PM

Posted 26 November 2006 - 09:18 AM

Click here to download SmitfraudFix (by S!Ri). Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log in your next reply.

Please do not run any other options until you are asked to do so.



#4 shalinick2006

shalinick2006
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:57 PM

Posted 26 November 2006 - 09:24 AM

Hi,
Thanx a ton for ur quick response. Here is the txt u wanted me to provide. Awaiiiiiiiiiiiiting ur next response pls.
Only fyi, i had removed from software, the GOLD CODEC. Now it is not listed there under software, but the folder exists under C\programme\ and i am unable to delete that. Besides, I am getting a porn pop-up from adultfriendfinder and two small icon on my taxk bar, once saying system alert:Trojan-Spy.Win32@mx and another saying critical system error. Also, whenever I invoke IE, it goes to yourieprotect.com.
pls. help. Its an SOS now. I need to prepare somethihng for work tom.
thanx a ton !!!
**********************
RAPPORT.TXT
**********************
SmitFraudFix v2.124

Scan done at 15:11:40.00, 2006/11/26
Run from C:\Dokumente und Einstellungen\Bejoy Chakraborty\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Bejoy Chakraborty


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Bejoy Chakraborty\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\BEJOYC~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme

C:\Programme\Gold Codec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{40dcff6e-af8d-4183-8ebe-a82270ac449e}"="gimmicks"

[HKEY_CLASSES_ROOT\CLSID\{40dcff6e-af8d-4183-8ebe-a82270ac449e}\InProcServer32]
@="C:\WINDOWS\system32\dcvwaah.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{40dcff6e-af8d-4183-8ebe-a82270ac449e}\InProcServer32]
@="C:\WINDOWS\system32\dcvwaah.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#5 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:27 PM

Posted 26 November 2006 - 09:44 AM

Please print out or copy these instructions to Notepad as the internet will not be available to you at certain points of the removal process (whilst in Safe Mode). If there's anything that you don't understand, ask your question(s) before moving on with the fix.

Reboot into Safe Mode. You can get there by restarting your computer and continually tapping F8 until a menu appears. Use your arrow to highlight Safe Mode then hit enter.

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually.

When back in Normal Mode, click Start>Settings>Control Panel>Display>Desktop>Customize Desktop>Web and uncheck "Security Info" if present.

Please post the new rapport.txt log along with a new HijackThis Log in your next reply. Also do this - download SUPERAntiSpyware Home Edition (free version)
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Please paste that information here for me with the other logs.

Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#6 shalinick2006

shalinick2006
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:57 PM

Posted 26 November 2006 - 10:18 AM

Thanx again for ur quick response.
I tried through several ways to log into SAFE MODE. However, the machine does not boot into safe mode. What shall I do? Shall I execute the .cmd u suggested, in Normal mode?
Thanx in advance for ur kind response.
with regards

#7 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:27 PM

Posted 26 November 2006 - 10:37 AM

I don't understand why Safe Mode is not available to you. Run the SuperAntiSpyware part of the fix then try it again.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#8 shalinick2006

shalinick2006
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:57 PM

Posted 26 November 2006 - 10:40 AM

OK. I am skipping the process of smitfraudfix.cmd and running the SuperAntiSpyware and revert back in a few mins. thanx.

#9 shalinick2006

shalinick2006
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:57 PM

Posted 26 November 2006 - 11:32 AM

Hello again,

1. I ran the SuperAntiSpyware and the results look good. At least those frustating two icons from the tasklist are gone.
2. The home page when i dbl click the IE does NOT go to yourieprotector.com
3. The folder GOLD CODECS exists in C\program\ with two files ot.ico and ts.ico are existing. Shd i delete these and then the folder also?
4. I ran the SmitfraudFix and here is the RAPPORT.TXT for ur comment:
5. I also ran HijackThis and the log is appended below:

KINDLY let me know if any further actions are required on my side !!

I am at a loss of words to thank you enough for ur kind help !!!

Log HijackThis
************

Logfile of HijackThis v1.99.1
Scan saved at 05:20:09 PM, on 2006/11/26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\WINDOWS\system32\bgsvcgen.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Java\jre1.5.0_09\bin\jusched.exe
C:\Programme\Hp\HP Software Update\HPWuSchd2.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Programme\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programme\SealedMedia\sealmon.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programme\Nikon\PictureProject\NkbMonitor.exe
C:\Programme\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Programme\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Programme\Yahoo!\Messenger\ymsgr_tray.exe
C:\Programme\FRITZ!DSL\FwebProt.exe
C:\Programme\FRITZ!DSL\StCenter.EXE
C:\Programme\HPQ\SHARED\HPQWMI.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\BEJOYC~1\LOKALE~1\Temp\Rar$EX00.156\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fritz.box
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: (no name) - {ae18da4e-be15-4925-81bb-890c04af0200} - C:\Programme\Gold Codec\isaddon.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Programme\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programme\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programme\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Programme\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [sealmon] C:\Programme\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programme\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: FRITZ!DSL Protect.lnk = C:\Programme\FRITZ!DSL\FwebProt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programme\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Programme\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Programme\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Programme\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Programme\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Programme\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Programme\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.anandabazar.com/wfplayer/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141452882296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB14023E-D2BF-45CE-951D-AB8A07525688}: NameServer = 192.168.122.252,192.168.122.253
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: gimmicks - {40dcff6e-af8d-4183-8ebe-a82270ac449e} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programme\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe

*****************
end of log HIjackthis
****************
Start RAPPORT.TXT
******************
SmitFraudFix v2.124

Scan done at 17:19:03.68, 2006/11/26
Run from C:\Dokumente und Einstellungen\Bejoy Chakraborty\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Bejoy Chakraborty


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Bejoy Chakraborty\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\BEJOYC~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme

C:\Programme\Gold Codec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{40dcff6e-af8d-4183-8ebe-a82270ac449e}"="gimmicks"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#10 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:27 PM

Posted 26 November 2006 - 12:24 PM

Could you post the SUPERAntiSpyware Scan Log and we will clean up the remnants.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#11 shalinick2006

shalinick2006
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:57 PM

Posted 26 November 2006 - 01:02 PM

Hello,
Extremely Sorry for the delayed response:
I was running the SUPER Antispyware (the last time, by mistake I did not do the chekcings and uncheckings. Hence ran it just now once again for all the files. I am appending both the logs in succession:
Thank you dear !!!
Log 1
*****
SUPERAntiSpyware Scan Log
Generated 11/26/2006 at 05:11 PM

Application Version : 3.3.1020

Core Rules Database Version : 3135
Trace Rules Database Version: 1152

Scan type : Complete Scan
Total Scan Time : 00:26:40

Memory items scanned : 441
Memory threats detected : 5
Registry items scanned : 5726
Registry threats detected : 27
File items scanned : 28340
File threats detected : 47

Trojan.Media-Codec
C:\PROGRAMME\GOLD CODEC\ISAMONITOR.EXE
C:\PROGRAMME\GOLD CODEC\ISAMONITOR.EXE
C:\PROGRAMME\GOLD CODEC\PMSNGR.EXE
C:\PROGRAMME\GOLD CODEC\PMSNGR.EXE
C:\PROGRAMME\GOLD CODEC\PMMON.EXE
C:\PROGRAMME\GOLD CODEC\PMMON.EXE
C:\PROGRAMME\GOLD CODEC\ISAMINI.EXE
C:\PROGRAMME\GOLD CODEC\ISAMINI.EXE
HKU\S-1-5-21-3280782842-2550572211-2947387931-1006\Software\Internet Security
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#isamonitor.exe [ C:\Programme\Gold Codec\isamonitor.exe ]
C:\PROGRAMME\GOLD CODEC\IESUNINST.EXE
C:\PROGRAMME\GOLD CODEC\ISADDON.DLL
C:\PROGRAMME\GOLD CODEC\ISAUNINST.EXE
C:\PROGRAMME\GOLD CODEC\PMUNINST.EXE
C:\WINDOWS\Prefetch\ISAMONITOR.EXE-1631AF77.pf
C:\WINDOWS\Prefetch\PMSNGR.EXE-0CF5DE5D.pf

Adware.WhenU
C:\PROGRAMME\VVSN\VVSN.EXE
C:\PROGRAMME\VVSN\VVSN.EXE
[VVSN] C:\PROGRAMME\VVSN\VVSN.EXE

Adware.Tracking Cookie
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@doubleclick[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@weborama[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@go.winantivirus[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@ads.ft[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@ads.advancedpcmedia[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@winantivirus[2].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@c1[2].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@stats.drivecleaner[2].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@www.drivecleaner[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@clickbank[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@tribalfusion[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@revsci[2].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@go.drivecleaner[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@www.winantivirus[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@www.smartadserver[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@cgi-bin[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@cgi-bin[2].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@burstnet[2].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@1070922802[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@c2[2].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@90594700[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@statse.webtrendslive[2].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@drivecleaner[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@statcounter[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@mediavantage[2].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@www.burstnet[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@tacoda[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@1070754780[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@2o7[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@komtrack[2].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@spylog[2].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@mediaplex[1].txt
C:\Dokumente und Einstellungen\Bejoy Chakraborty\Cookies\bejoy chakraborty@server.iad.liveperson[1].txt

Unclassified.Unknown Origin
HKCR\CLSID\{40DCFF6E-AF8D-4183-8EBE-A82270AC449E}
HKCR\CLSID\{40DCFF6E-AF8D-4183-8EBE-A82270AC449E}\InProcServer32
HKCR\CLSID\{40DCFF6E-AF8D-4183-8EBE-A82270AC449E}\InProcServer32#ThreadingModel
C:\SYSTEM VOLUME INFORMATION\_RESTORE{62440FC9-BC48-44B8-B4DB-C0AEF4DF6FCF}\RP175\A0045778.DLL
C:\WINDOWS\SYSTEM32\DCVWAAH.DLL.BAD

Malware.VirusBurst
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\dbgyjxVlnqnk
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\hhoPGxsrjpf
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\InprocServer32
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\InprocServer32#ThreadingModel
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\InprocServer32\1.1.4322
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\InprocServer32\1.1.4322#ImplementedInThisVersion
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\jTbmgNcw
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\KEpPqFiqahq
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\Nwddgod
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\ProgID
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\Server
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\vUpbne
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\YbGyuAvvtu
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#pmsngr.exe [ C:\Programme\Gold Codec\pmsngr.exe ]

Malware.VirusBurster-Install
C:\SYSTEM VOLUME INFORMATION\_RESTORE{62440FC9-BC48-44B8-B4DB-C0AEF4DF6FCF}\RP174\A0045753.EXE
********************++
Log 2
***********+
SUPERAntiSpyware Scan Log
Generated 11/26/2006 at 06:49 PM

Application Version : 3.3.1020

Core Rules Database Version : 3135
Trace Rules Database Version: 1152

Scan type : Complete Scan
Total Scan Time : 01:15:23

Memory items scanned : 428
Memory threats detected : 0
Registry items scanned : 5739
Registry threats detected : 2
File items scanned : 62478
File threats detected : 3

Malware.VirusBurst
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#pmsngr.exe [ C:\Programme\Gold Codec\pmsngr.exe ]

Trojan.Media-Codec
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#isamonitor.exe [ C:\Programme\Gold Codec\isamonitor.exe ]

Trojan.Unknown Origin
C:\PROGRAMME\GOLD CODEC\OT.ICO
C:\PROGRAMME\GOLD CODEC\TS.ICO

Adware.WhenU
C:\SYSTEM VOLUME INFORMATION\_RESTORE{62440FC9-BC48-44B8-B4DB-C0AEF4DF6FCF}\RP176\A0045846.EXE
****************
End of log

#12 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:27 PM

Posted 26 November 2006 - 01:57 PM

No problem :thumbsup:

HijackThis is being run from a temporary folder; this means that any backups it creates as a result of fixes made with it will be lost. Please create a new folder for it and place the program into that new folder.

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

O2 - BHO: (no name) - {ae18da4e-be15-4925-81bb-890c04af0200} - C:\Programme\Gold Codec\isaddon.dll (file missing)
O21 - SSODL: gimmicks - {40dcff6e-af8d-4183-8ebe-a82270ac449e} - (no file)


Exit HijackThis when done. Delete the Gold Coldec folder and it's contents. Reboot, rescan with HijackThis and post a final log here.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#13 shalinick2006

shalinick2006
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:57 PM

Posted 26 November 2006 - 02:12 PM

Gr8. Thank you so much for ur timely help. Meanwhile I was chatting with my online support for not being able to log in safe mode. now, i have the solution to log in safe mode. and will try that also. Additionally, i will also execute the Smitfraudfix.cmd with option 2. and send u the logs.
The time at ur place shows 12:27 AM as the time of last response !!
I am so very thankful to ur support. May God always be with you...

#14 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:27 PM

Posted 26 November 2006 - 02:22 PM

You're welcome - glad to help :thumbsup:

It's not that late here - I must have my profile set up wrong. Anyway post the Smitfraudfix log and a fresh HJT log - we are almost done with this.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#15 shalinick2006

shalinick2006
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:57 PM

Posted 27 November 2006 - 02:32 AM

sorry for the delayed response. actually my technician suggested me for logging in safe mode thro the msconfig->boot.ini root. and now the system is not booting at all. i am writing from my office PC now
just dont know what to do now
thanx dear




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users