annoying infection. please help
Hi. I have been having this issue with some type of infection. I have some type of virus running that slows down my computer (mostly the internet). I got it from this program that either I accidentally downloaded or it downloaded itself. It's called SpyLocked. I found a tutorial on help with it, but I went through the steps and still no success. I originally uninstalled it, which left some scattered files that I deleted and a blinking icon on my task bar. I ran all types of scans and trojan removers and whatnot, and that didn't work. I used SmitfraudFix, which did help get rid of the icon on the taskbar. It seems like all the files associated with the program are gone, but apparently not, because it's still running way slow. Anyway, I don't know what to try anymore; I don't even know what's left of the program, and none of the removals seem to be working. I appreciate your time and any help you could give me on this issue. Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 8:57:45 PM, on 3/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.MSN.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe"
O4 - HKLM\..\Run: [Loader] C:\WINDOWS\System\loader.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [Vbuzzer Messenger] C:\Program Files\vbuzzer\VBuzzer.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Vbuzzer RSS list - C:\Program Files\vbuzzer\addurl.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (file missing)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Here is my Panda scan:
Incident Status Location
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
Potentially unwanted tool:application/myglobalsearch Not disinfected c:\program files\MyGlobalSearch
Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}
Adware:adware/savenow Not disinfected Windows Registry
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\ag\Cookies\ag@atwola[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\ag\Cookies\ag@doubleclick[1].txt
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\ag\Desktop\Cliprexdsfree.exe[mgsSetp.ClipRex.exe]
Adware:Adware/SaveNow Not disinfected C:\Documents and Settings\ag\Desktop\Cliprexdsfree.exe[Cliprex_WhenUSave_InstallerInst.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\ag\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\ag\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Mozilla Firefox\plugins\NPMyGlSh.dll
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyGlobalSearch\bar\1.bin\M9PLUGIN.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyGlobalSearch\bar\1.bin\NPMYGLSH.DLL
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Please help, thanks.
Comments
I don't see any firewall on your computer? You can download one from here
Moving on...
Do you want to keep your ViewMgr?
According to CastleCops, it's not a very good program: http://www.castlecops.com/s4102-ViewMgr.html
* Click Start
* Click Control Panel
* Double-click Add or Remove Program
* Find and remove these programs if found: My Global Search, MyWebSearch or MyWay
---
Print out these instructions or save them with notepad or Word
Please do the following:
* Start AVG Anti-Spyware
* Click the Update icon
* Click Start update
* Wait until updates are downloaded
* Click the Scanner icon
* Open the Settings tab
o Make sure that under 'How to act?' it reads Quarantine (if not, click the text and choose Quarantine)
o Under 'How to scan?' all checkboxes should be ticked
o Under 'Reports' select Automatically generate report after every scan and uncheck Only if threats were found
o Under 'What to scan?' select Scan every file
* Click the Shield icon
* Under the 'Resident shield is' click active to make it inactive
* Close AVG Anti-Spyware
=========================================
Please, Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip Extract all the files to your Desktop.
A folder named SmitfraudFix will be created on your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.
IMPORTANT: Do NOT run any other options until you are asked to do so!
Please send rapport.txt and fresh HijackThis log
=========================================
Reboot to Safe Mode
* If the computer is running, shut down Windows, and then turn off the power
* Wait 30 seconds, and then turn the computer on
* Start tapping the F8 key
* The Windows Advanced Options Menu appears
* Ensure that the Safe Mode option is selected
* Press Enter. The computer then begins to start in Safe mode
* Login on your usual account
In Safe Mode:
Find and Remove these: (if found)
C:\Program Files\MyGlobalSearch <--- FOLDER
C:\WINDOWS\System\loader.exe
=========================================
* Close all open windows / programs / folders
* Start AVG Anti-Spyware
* Click the Scanner icon
* Click Complete System Scan
* Let the program scan the machine
* When the scan has finished, follow the instructions below
o Make sure that under 'Set all elements to' it reads Quarantine (if not, click the text and choose Quarantine)
o Click Apply all actions
o Click Save Report
o Click Save reports as
o Save report to your Desktop
Restart your computer back to normal mode.
=========================================
Open HijackThis, press Do a System scan only, check these lines: (if found)
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Loader] C:\WINDOWS\System\loader.exe
And press Fix Checked
Please send a fresh HijackThis log, C:\rapport.txt and the AVG Anti-Spyware report in your next reply.
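One way to do the triage the reply above does by hand, as an added example that is not part of this thread, of HijackThis or of SmitfraudFix: a Python script that parses the O2, O4 and O23 lines of a HijackThis 1.99 log and flags orphaned BHOs, autostarts in unusual locations and services HijackThis could not attribute to a company. The sample lines are constructed in the shape of the log posted earlier, and the location heuristics (the legacy C:\WINDOWS\System folder, bare file names resolved through PATH, anything outside Program Files and the Windows tree) are this example's own assumptions, not a published signature set.

```python
"""Triage a HijackThis 1.99 log the way the reply above does by hand.

Added example for this thread; not part of HijackThis, SmitfraudFix or AVG
Anti-Spyware. The location heuristics below are assumptions, so every hit
still needs a human decision before anything is fixed or deleted.
"""
import re
from dataclasses import dataclass

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Constructed sample: a few lines in the shape of the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Loader] C:\WINDOWS\System\loader.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""


@dataclass
class Finding:
    line: str
    verdict: str  # "fix": safe to tick in HJT; "suspect": likely unwanted; "review": needs a human look
    reason: str


def exe_from_command(cmd):
    """Pull the executable path out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path; arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)  # unquoted path may contain spaces
    return m.group(1) if m else cmd.split()[0]


def classify_autostart(exe):
    """Assumed heuristic: where does a legitimate autostart normally live?"""
    p = exe.lower()
    if "\\" not in p:
        return "review", "bare file name; resolved through PATH at logon, verify which copy runs"
    if p.startswith("c:\\windows\\system\\"):
        return "suspect", "legacy 16-bit System folder; current software does not put autostarts there"
    if p.startswith(("c:\\program files\\", "c:\\windows\\system32\\", "c:\\windows\\")):
        return "ok", "standard location"
    return "suspect", "autostart outside Program Files and the Windows tree (user profile, temp folder)"


def triage(log_text):
    """Return one Finding per log line that deserves attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("path") == "(no file)":
                findings.append(Finding(line, "fix", "BHO CLSID registered but its DLL is gone; orphan entry"))
            elif m.group("name") == "(no name)":
                findings.append(Finding(line, "review", "BHO with no name; check the DLL's publisher"))
            continue
        m = O4_RE.match(line)
        if m:
            verdict, reason = classify_autostart(exe_from_command(m.group("cmd")))
            if verdict != "ok":
                findings.append(Finding(line, verdict, reason))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            findings.append(Finding(line, "review", "service binary carries no company name; verify the file before touching it"))
    return findings


def lines_to_fix(findings):
    """The entries you would tick under 'Do a system scan only' before pressing 'Fix checked'."""
    return [f.line for f in findings if f.verdict in ("fix", "suspect")]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.verdict:7}] {f.line}\n          {f.reason}")
```

On the sample, lines_to_fix() returns exactly the two entries the reply above asks to fix (the orphaned (no file) BHO and the Loader autostart in C:\WINDOWS\System), while the ATI Smart service lands in "review" only because HijackThis read no company name from its binary, not because anything is known to be wrong with it. The script reads O2, O4 and O23 only; a proxy setting such as the R1 ProxyOverride line or a proxy tool in the Run key would need a separate check.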
Thanks so much for your help. I appreciate it. Yeah, I guess I should get a real firewall; I thought I was using the Windows firewall, but I guess that doesn't count. Anyway, thanks for the great instructions. I did everything you told me to. The only thing is, I think there is still something on my computer. I can play video games and everything with low ping, but it seems to be slow only when I download from the internet or load pages. I almost feel like I'm hallucinating it now, but I remember my computer being much faster at these things before this. Anyway, here are the reports you asked for. I'm not sure if we made any progress or what, but it definitely found and removed some of those files we were looking for.
Logfile of HijackThis v1.99.1
Scan saved at 4:44:18 PM, on 3/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.MSN.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [Vbuzzer Messenger] C:\Program Files\vbuzzer\VBuzzer.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Vbuzzer RSS list - C:\Program Files\vbuzzer\addurl.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (file missing)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
rapport.txt
SmitFraudFix v2.152
Scan done at 13:19:49.34, Thu 03/22/2007
Run from C:\Documents and Settings\ag\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ag
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ag\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ag\FAVORI~1
C:\DOCUME~1\ag\FAVORI~1\Online Security Test.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
avg
AVG Anti-Spyware - Scan Report
+ Created at: 4:18:58 PM 3/22/2007
+ Scan result:
HKU\S-1-5-21-606747145-113007714-725345543-1003\Software\Internet Security -> Adware.IntCodec : No action taken.
C:\System Volume Information\_restore{727806FC-8C9C-4EA0-8A20-2B184B6AB56A}\RP255\A0089805.ini -> Adware.Qworke : No action taken.
HKLM\SOFTWARE\Classes\WUSN.1 -> Adware.SaveNow : No action taken.
C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\Cache\633285D9d01/SmitfraudFix/SmiUpdate.exe -> Adware.SmiUpdate : No action taken.
C:\Documents and Settings\ag\Desktop\SmitfraudFix.zip/SmitfraudFix/SmiUpdate.exe -> Adware.SmiUpdate : No action taken.
C:\Documents and Settings\ag\Desktop\SmitfraudFix\SmiUpdate.exe -> Adware.SmiUpdate : No action taken.
C:\Documents and Settings\ag\SmitfraudFix\SmiUpdate.exe -> Adware.SmiUpdate : No action taken.
C:\System Volume Information\_restore{727806FC-8C9C-4EA0-8A20-2B184B6AB56A}\RP257\A0092050.exe -> Adware.SmiUpdate : No action taken.
C:\System Volume Information\_restore{727806FC-8C9C-4EA0-8A20-2B184B6AB56A}\RP256\A0091852.exe -> Adware.SpyLocked : No action taken.
C:\Documents and Settings\ag\Cookies\ag@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
:mozilla.91:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.92:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.25:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.34:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\ag\Cookies\ag@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.29:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.30:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.31:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.32:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.33:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.52:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.53:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.54:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.51:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Netflame : No action taken.
:mozilla.65:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Paypal : No action taken.
:mozilla.23:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.24:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\ag\Cookies\ag@revsci[2].txt -> TrackingCookie.Revsci : No action taken.
:mozilla.80:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.113:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Webtrends : No action taken.
C:\System Volume Information\_restore{727806FC-8C9C-4EA0-8A20-2B184B6AB56A}\RP256\A0091966.dll -> Trojan.Renos.nar : No action taken.
::Report end
Well, I'm not sure what to do next; maybe it's one of those that you can't get rid of. Either way, let me know. I appreciate your help. Thanks.
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
Next, please reboot your computer in Safe Mode by doing the following :
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process.
A text file will appear onscreen, with results from the cleaning process.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning: running option #2 on a non-infected computer will remove your Desktop background.
>>>
Keep your computer in Safe Mode!
Scan again with AVG, but read these instructions carefully:
Before scanning:
Make sure that under 'How to act?' it reads Quarantine (if not, click the text and choose Quarantine)
And after scanning:
Make sure that under 'Set all elements to' it reads Quarantine (if not, click the text and choose Quarantine)
After the AVG scan, reboot to normal mode and post a fresh HJT log, C:\rapport.txt and the new AVG report.
Thanks for the help. It is still running slow, however. Here are the new reports.
Logfile of HijackThis v1.99.1
Scan saved at 6:13:40 PM, on 3/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [Vbuzzer Messenger] C:\Program Files\vbuzzer\VBuzzer.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Vbuzzer RSS list - C:\Program Files\vbuzzer\addurl.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (file missing)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
AVG Anti-Spyware - Scan Report
+ Created at: 6:08:13 PM 3/23/2007
+ Scan result:
C:\Documents and Settings\ag\Desktop\SmitfraudFix\SmiUpdate.exe -> Adware.SmiUpdate : No action taken.
C:\System Volume Information\_restore{727806FC-8C9C-4EA0-8A20-2B184B6AB56A}\RP257\A0092067.exe -> Adware.SmiUpdate : No action taken.
C:\System Volume Information\_restore{727806FC-8C9C-4EA0-8A20-2B184B6AB56A}\RP257\A0092068.exe -> Adware.SmiUpdate : No action taken.
C:\Documents and Settings\ag\Cookies\ag@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
:mozilla.30:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.32:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.61:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.62:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.63:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.64:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.41:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.67:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.28:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.29:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
::Report end
SmitFraudFix v2.152
Scan done at 15:24:43.70, Fri 03/23/2007
Run from C:\Documents and Settings\ag\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\DOCUME~1\ag\FAVORI~1\Online Security Test.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
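An added example, not code from this thread nor from the HijackThis, SmitFraudFix or AVG tools: a small Python parser for the two report formats posted above, written to pull out what a helper reads first. The sample lines are copied from the logs in this thread; the triage rules (orphaned "(file missing)" entries, O16 controls fetched from a URL, and hits under System Volume Information, which System Restore protects from deletion) are this example's own heuristics, not anything the tools report.

```python
"""Triage helper for the two report formats posted in this thread:
HijackThis (HJT) log lines and AVG Anti-Spyware scan reports."""
import re
from collections import Counter

# Constructed sample input: a handful of lines copied from the HJT log above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (file missing)
"""

# Constructed sample input: a few hits copied from the AVG report above.
AVG_SAMPLE = r"""AVG Anti-Spyware - Scan Report
+ Created at: 6:08:13 PM 3/23/2007
+ Scan result:
C:\Documents and Settings\ag\Desktop\SmitfraudFix\SmiUpdate.exe -> Adware.SmiUpdate : No action taken.
C:\System Volume Information\_restore{727806FC-8C9C-4EA0-8A20-2B184B6AB56A}\RP257\A0092067.exe -> Adware.SmiUpdate : No action taken.
C:\Documents and Settings\ag\Cookies\ag@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
:mozilla.30:C:\Documents and Settings\ag\Application Data\Mozilla\Firefox\Profiles\qtl6gkm8.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
::Report end
"""

HJT_LINE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # "O4 - ..." section tag + body
RUN_KEY = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(.+?)\] (.*)$")
GLOBAL_STARTUP = re.compile(r"^Global Startup: (.+?) = (.*)$")
AVG_HIT = re.compile(r"^(.+?) -> ([\w.\-]+) : (.+?)\.?$")     # location -> detection : action.
RESTORE_DIR = re.compile(r"\\System Volume Information\\_restore", re.IGNORECASE)


def parse_hjt(text):
    """Split each HJT entry into its section tag (R1, O4, O16 ...) and body."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue  # headers, the process list and blank lines are not HJT entries
        section, body = m.groups()
        entries.append({
            "section": section,
            "body": body,
            # HJT appends "(file missing)" when the referenced file is gone from disk:
            # an orphaned registry reference left behind by an uninstall or cleanup.
            "file_missing": body.endswith("(file missing)"),
        })
    return entries


def triage_hjt(text):
    """Collect autostart entries, orphaned entries and O16 ActiveX controls
    that were installed from a network URL rather than from a local file."""
    report = {"startup": [], "file_missing": [], "remote_dpf": []}
    for e in parse_hjt(text):
        body = e["body"]
        if e["file_missing"]:
            report["file_missing"].append(e["section"] + " - " + body)
        if e["section"] == "O4":
            m = RUN_KEY.match(body)
            if m:
                report["startup"].append(m.groups())       # (hive, name, command)
                continue
            m = GLOBAL_STARTUP.match(body)
            if m:
                report["startup"].append(("Global Startup",) + m.groups())
        elif e["section"] == "O16" and re.search(r"https?://", body):
            report["remote_dpf"].append(body.rsplit(" - ", 1)[1])
    return report


def parse_avg(text):
    """Return (location, detection, action) for each hit in an AVG scan report."""
    hits = []
    for line in text.splitlines():
        m = AVG_HIT.match(line.strip())
        if m:
            hits.append(m.groups())
    return hits


def summarize_avg(text):
    """Group hits by detection family and single out the ones a scanner cannot
    remove in place: files inside System Restore's protected _restore directory."""
    summary = {"total": 0, "no_action": 0, "by_family": Counter(), "restore_point": []}
    for location, detection, action in parse_avg(text):
        summary["total"] += 1
        if action == "No action taken":
            summary["no_action"] += 1
        summary["by_family"][detection.split(".")[0]] += 1   # Adware, TrackingCookie, Trojan ...
        if RESTORE_DIR.search(location):
            summary["restore_point"].append(location)
    return summary


if __name__ == "__main__":
    for key, items in triage_hjt(HJT_SAMPLE).items():
        print(key, *items, sep="\n  ")
    print(summarize_avg(AVG_SAMPLE))
```

The "No action taken" count is the point of the helper's quarantine instruction: a report full of those lines means AVG only listed the hits. The restore-point list explains the next step in the thread. Files under System Volume Information belong to System Restore, which a scanner cannot delete, so they stay in the report until the restore points are purged.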
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
This program is for XP and Windows 2000 only!
Double-click ATF Cleaner.exe to open it.
Under Main select the following:
* Windows Temp
* Current User Temp
* All Users Temp
* Temporary Internet Files
* Prefetch
* Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
* NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
* NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
=========================================
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
* Download the latest version of Java Runtime Environment (JRE) 6.
* Click the "Download" button to the right.
* Check the box that says: "Accept License Agreement."
* The page will refresh.
* Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
* Close any programs you may have running - especially your web browser.
* Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
o J2SE Runtime Environment 5.0 Update 10
* Reboot your computer once all Java components are removed.
* Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
=========================================
Let's clean "system restore": INSTRUCTIONS