malurogo

IE Custom Tools / IE Safety Features [RESOLVED]

I have inadvertently installed what was supposed to be a simple movie add-on and my home page has been hijacked.

On the Add or Remove Programs screen these two appear: IE Custom Tools and IE Safety Features, and I can't remove them.

Can anybody please help?

These are the HijackThis reports:

Deckard's System Scanner v20071014.68

Run by Yoly on 2007-10-22 19:50:42

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --

70: 2007-10-22 18:50:53 UTC - RP296 - Deckard's System Scanner Restore Point

69: 2007-10-22 09:43:02 UTC - RP295 - System Checkpoint

68: 2007-10-20 22:34:39 UTC - RP294 - System Checkpoint

67: 2007-10-19 21:20:43 UTC - RP293 - System Checkpoint

66: 2007-10-18 21:07:23 UTC - RP292 - System Checkpoint

-- First Restore Point --

1: 2007-08-02 18:12:49 UTC - RP227 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).

-- HijackThis (run as Yoly.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:54:03, on 22/10/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Video Add-on\isfmntr.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\PROGRA~1\MESSEN~1\msmsgs.exe

C:\Program Files\Ares\Ares.exe

C:\Program Files\Video Add-on\isfmm.exe

C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Yoly\Desktop\dss.exe

C:\PROGRA~1\TRENDM~1\HIJACK~1\Yoly.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll

O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Video Add-on\ictmdl.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [rsy32] C:\WINDOWS\System32\rsy32.exe

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

O4 - HKLM\..\Run: [xvgmujwqp] c:\windows\system32\xvgmujwqp.exe xvgmujwqp

O4 - HKLM\..\Run: [Picasa Media Detector] D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - HKCU\..\Run: [FT Desktop news alerts] "C:\Program Files\FT Desktop news alerts\FTDesktopnewsalerts.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

O4 - HKCU\..\Run: [CrawlerMail] c:\progra~1\inbox\cmail.exe /startup

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: TalkTalk SNU5630NS 05 Wireless USB Adapter.lnk = C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe

O8 - Extra context menu item: Download Image with Download Manager - tbr:iemenudownload

O8 - Extra context menu item: Download URL in selection with Download Manager - tbr:iemenudownsel

O8 - Extra context menu item: Download URL with Download Manager - tbr:iemenudownload

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Inbox Search - tbr:iemenu

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165445224218

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165447675281

O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://express.foto.com/NewUploader/ImageUploader4.cab

O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O22 - SharedTaskScheduler: bokard - {ab75cc7d-2751-4144-a278-5462d5a5884c} - C:\WINDOWS\system32\dfrep.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

O23 - Service: Windows Security Manager - Unknown owner - C:\WINDOWS\system32\vcmon.exe (file missing)

--

End of file - 8932 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

R1 StarOpen - c:\windows\system32\drivers\staropen.sys

R1 tmtdi (Trend Micro TDI Driver) - c:\windows\system32\drivers\tmtdi.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 2.0>

R2 tm_cfw (Common Firewall Driver) - c:\windows\system32\drivers\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 2.0>

R2 ZDPSp50 (ZDPSp50 NDIS Protocol Driver) - c:\windows\system32\drivers\zdpsp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S3 XTrapD12 - c:\windows\system32\xtrapd12.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 PcCtlCom (Trend Micro Central Control Component) - c:\progra~1\trendm~1\intern~2\pcctlcom.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>

R2 Tmntsrv (Trend Micro Real-time Service) - c:\progra~1\trendm~1\intern~2\tmntsrv.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>

R2 TmPfw (Trend Micro Personal Firewall) - c:\progra~1\trendm~1\intern~2\tmpfw.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 2.0>

R2 tmproxy (Trend Micro Proxy Service) - c:\progra~1\trendm~1\intern~2\tmproxy.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 2.0>

S2 Windows Security Manager - "c:\windows\system32\vcmon.exe" (file missing)

S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: PCI Modem

Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&3B1CAF2B&0&28F0

Manufacturer:

Name: PCI Modem

PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&3B1CAF2B&0&28F0

Service:

-- Scheduled Tasks -------------------------------------------------------------

2007-10-22 10:15:47 422 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{6144042F-5447-427E-8D14-3D5A94F277F8}.job

2007-10-21 17:57:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-09-22 and 2007-10-22 -----------------------------

2007-10-22 19:11:35 0 d-------- C:\Program Files\Video Add-on

-- Find3M Report ---------------------------------------------------------------

2007-10-22 19:53:51 0 d-------- C:\Program Files\Trend Micro

2007-10-20 21:47:48 12800 --a-s---- C:\WINDOWS\system32\dfrep.dll

2007-09-28 09:28:38 0 d-------- C:\Program Files\DC++

2007-09-15 20:45:00 0 d-------- C:\Program Files\Mordor II

2007-09-10 19:25:46 0 d-------- C:\Program Files\WildGames

2007-09-10 17:25:09 0 d-------- C:\Program Files\DevastationZoneTroopers_at

2007-09-10 16:28:37 0 d-------- C:\Program Files\The Dark Legions

2007-09-10 16:27:12 0 d-------- C:\Program Files\MrRobot

2007-09-10 16:26:27 0 d-------- C:\Program Files\Crimsonland

2007-09-10 12:27:44 61440 --a------ C:\WINDOWS\diabswun.exe

2007-09-10 12:27:44 86528 --a------ C:\WINDOWS\bnetunin.exe

2007-09-10 11:06:10 0 d-------- C:\Program Files\Virtual Villagers

2007-09-04 17:42:14 0 d-------- C:\Program Files\Takatis - A Tribute To Manfred Trenz

2007-09-03 16:28:00 276480 --a------ C:\WINDOWS\system32\tyekjvcbnm.exe

2007-09-02 11:40:48 0 d-------- C:\Program Files\MathType

2007-08-31 23:42:34 0 d-------- C:\Program Files\Realore

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B499D34E-58EF-4927-AB9F-7AF52B2C4C82}]

22/10/2007 19:40 11264 --a------ C:\Program Files\Video Add-on\isfmdl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [02/10/2003 14:37]

"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [02/10/2003 14:19]

"rsy32"="C:\WINDOWS\System32\rsy32.exe" []

"LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [19/07/2005 18:32]

"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [08/06/2005 16:24]

"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [08/06/2005 16:14]

"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [08/03/2006 14:30]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [25/10/2006 19:58]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/10/2006 10:36]

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [30/09/2003 00:14]

"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [21/03/2006 13:19]

"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 22:32]

"NapsterShell"="C:\Program Files\Napster\napster.exe" []

"xvgmujwqp"="c:\windows\system32\xvgmujwqp.exe" [10/09/2007 09:07]

"Picasa Media Detector"="D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe" [12/12/2006 01:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 01:56]

"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [06/04/2007 10:17]

"FT Desktop news alerts"="C:\Program Files\FT Desktop news alerts\FTDesktopnewsalerts.exe" []

"MSMSGS"="C:\PROGRA~1\MESSEN~1\msmsgs.exe" [13/10/2004 17:24]

"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" []

"CrawlerMail"="c:\progra~1\inbox\cmail.exe" []

"ares"="C:\Program Files\Ares\Ares.exe" [14/05/2007 23:37]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Picasa Media Detector"=D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 23:05:26]

Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [06/04/2007 10:17:02]

TalkTalk SNU5630NS 05 Wireless USB Adapter.lnk - C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe [09/06/2006 17:57:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

"start"=C:\Program Files\Video Add-on\isfmntr.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{ab75cc7d-2751-4144-a278-5462d5a5884c}"= C:\WINDOWS\system32\dfrep.dll [20/10/2007 21:47 12800]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

@="Volume shadow copy"

-- End of Deckard's System Scanner: finished at 2007-10-22 19:54:50 ------------

Deckard's System Scanner v20071014.68

Extra logfile - please post this as an attachment with your post.

--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0

Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.06GHz

Percentage of Memory in Use: 65%

Physical Memory (total/avail): 510 MiB / 176.55 MiB

Pagefile Memory (total/avail): 1248.8 MiB / 851.99 MiB

Virtual Memory (total/avail): 2047.88 MiB / 1915.99 MiB

A: is Removable (No Media)

C: is Fixed (NTFS) - 50.85 GiB total, 8.07 GiB free.

D: is Fixed (NTFS) - 23.66 GiB total, 5.7 GiB free.

E: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - ST380011A - 74.5 GiB - 2 partitions

\PARTITION0 (bootable) - Installable File System - 50.85 GiB - C:

\PARTITION1 - Extended w/Extended Int 13 - 23.66 GiB - D:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.

Windows Internal Firewall is enabled.

FW: Trend Micro PC-cillin Internet Security (Firewall) v14 (Trend Micro, Inc.)

AV: Trend Micro PC-cillin Internet Security 2006 v14.10.1041 (Trend Micro, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

"C:\\Program Files\\Minions of Mirth\\bin\\MinionsOfMirth.exe"="C:\\Program Files\\Minions of Mirth\\bin\\MinionsOfMirth.exe:*:Enabled:MinionsOfMirth"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Disabled:BitComet - a BitTorrent Client"

"C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"

"C:\\Program Files\\Yahoo! Games\\Alien Shooter\\AlienShooter.exe"="C:\\Program Files\\Yahoo! Games\\Alien Shooter\\AlienShooter.exe:*:Disabled:AlienShooter Application"

"C:\\Program Files\\Yahoo! Games\\Blackhawk Striker 2\\Blackhawk2.exe"="C:\\Program Files\\Yahoo! Games\\Blackhawk Striker 2\\Blackhawk2.exe:*:Enabled:Black Hawk Striker 2"

"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"

"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"

"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Rar$EX01.594\\emule.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Rar$EX01.594\\emule.exe:*:Enabled:eMule"

"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

"C:\\Program Files\\Minions of Mirth\\bin\\MinionsOfMirth.exe"="C:\\Program Files\\Minions of Mirth\\bin\\MinionsOfMirth.exe:*:Enabled:MinionsOfMirth"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\Yoly\Application Data

CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip

CLIENTNAME=Console

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=MARCO

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\Yoly

LOGONSERVER=\\MARCO

NUMBER_OF_PROCESSORS=1

OS=Windows_NT

Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\Samsung\Samsung PC Studio 3\

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel

PROCESSOR_LEVEL=15

PROCESSOR_REVISION=0209

ProgramFiles=C:\Program Files

PROMPT=$P$G

QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip

SESSIONNAME=Console

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\Yoly\LOCALS~1\Temp

TMP=C:\DOCUME~1\Yoly\LOCALS~1\Temp

USERDOMAIN=MARCO

USERNAME=Yoly

USERPROFILE=C:\Documents and Settings\Yoly

windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Owner (admin)

Yoly (admin)

Guest (guest)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG

Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}

Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}

Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete

Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}

Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}

Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}

Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log

Adobe Stock Photos 1.0 --> MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}

Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}

Ares 2.0.9 --> "C:\Program Files\Ares\uninstall.exe"

AVIcodec (remove only) --> "C:\Program Files\AVIcodec\uninst.exe"

Broadcom 440x 10/100 Integrated Controller --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033

Caesar 3 --> C:\WINDOWS\IsUninst.exe -fC:\SIERRA\Caesar3\Uninst.isu

Canon MP Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58F8C6D9-5B55-486A-A322-4E8D87670031}\Setup.exe" -l0x9 -Uninstall

Canon MP Navigator 3.0 --> "C:\Program Files\Canon\MP Navigator 3.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator 3.0\uninst.ini

Canon MP Toolbox 4.1.1.0.mp10 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4669544E-20E4-4E56-8B44-2E6E1200051F}\Setup.exe" -l0x9 -Uninstall

Canon MP160 --> "C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160 /L0x0009

Canon MP160 User Registration --> C:\Program Files\Canon\IJEREG\MP160\UNINST.EXE

Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini

Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"

DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC

DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER

DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER

DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER

DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN

eMule --> "C:\Program Files\eMule\Uninstall.exe"

Encyclopaedia Britannica Deluxe Edition 2004 CD-ROM --> "C:\Program Files\Britannica 2004\Encyclopaedia Britannica 2004 Deluxe Edition\UninstallerData\Uninstall Encyclopaedia Britannica 2004 Deluxe Edition.exe"

FATE --> "C:\Program Files\WildGames\FATE\Uninstall.exe"

FinePixViewer Ver.4.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{24ED4D80-8294-11D5-96CD-0040266301AD}\SETUP.EXE"

FUJIFILM USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\SETUP.EXE"

Google Earth --> MsiExec.exe /I{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}

Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"

IE Custom Tools --> "C:\Program Files\Video Add-on\ictun.exe"

IE Safety Features --> "C:\Program Files\Video Add-on\isfun.exe"

Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562

iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}

Libros en pantalla de Microsoft SQL Server 2005 (español) (abril de 2006) --> MsiExec.exe /I{3E40C7A9-027C-4906-98AC-71AD0E84F143}

Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\Setup.exe" -l0x9 UNINSTALL

Logitech Print Service --> C:\PROGRA~1\Logitech\PRINTS~1\UNWISE.EXE C:\PROGRA~1\Logitech\PRINTS~1\INSTALL.LOG

Logitech QuickCam Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C43048A9-742C-4DAD-90D2-E3B53C9DB825}\setup.exe" -l0x9

Logitech® Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT

Macromedia Flash Player 8 --> MsiExec.exe /X{5E8A1B08-0FBD-4543-9646-F2C2D0D05750}

MathType 5 --> "C:\Program Files\MathType\Setup.exe" -R

Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"

Microsoft Money 2005 --> C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:120

Microsoft Office Basic Edition 2003 --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}

Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}

Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"

nFLVPlayer --> "C:\Program Files\zeraha.org\nFLVPlayer\unins000.exe"

PHStat2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8928A887-1321-11D6-A1EC-C98533E76960}

Picasa 2 --> "D:\new\my documents\My Downloads\Picasa2\Uninstall.exe"

QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}

SAMSUNG CDMA Modem Driver Set --> C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe

SAMSUNG Mobile Composite Device Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\6\SSBCUninstall.exe

Samsung Mobile phone USB driver Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe

SAMSUNG Mobile USB Modem 1.0 Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe

SAMSUNG Mobile USB Modem Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe

Samsung PC Studio 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -l0x9 -removeonly

ScanSoft OmniPage SE 4.0 --> MsiExec.exe /I{29D851C2-048C-4B5E-8D1F-25D473342BB5}

Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}

Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}

Sierra Utilities --> .\sutil32.exe uninstall

Skype 2.5 --> "C:\Program Files\Skype\Phone\unins000.exe"

Sony Ericsson PC Suite --> MsiExec.exe /I{C037D08B-4883-491D-9329-DC5ACA90F797}

SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"

Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"

Takatis - A Tribute To Manfred Trenz --> "C:\Program Files\Takatis - A Tribute To Manfred Trenz\Uninstall Takatis - A Tribute To Manfred Trenz.exe"

TalkTalk SNU5630NS/05 Wireless USB Adapter --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4622F6EA-5EB3-49A9-AE31-4A960B85F46A}

Trend Micro PC-cillin Internet Security 2006 --> MsiExec.exe /X{EA8C73AA-3D75-44C9-87A2-8E945FC5FEE6}

Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"

Windows Safety Alert --> C:\Documents and Settings\Owner\Local Settings\Temp\laf1.exe /del

WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe

Xenon 2000 - Project PCF --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{93EE3C83-725F-4EA4-891A-CD6B019FCDC1}\Setup.exe"

-- Application Event Log -------------------------------------------------------

Event Record #/Type3690 / Warning

Event Submitted/Written: 10/22/2007 07:40:55 PM

Event ID/Source: 32068 / Microsoft Fax

Event Description:

The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.

Country/region code: '*'

Area code: '*'

Event Record #/Type3689 / Warning

Event Submitted/Written: 10/22/2007 07:40:55 PM

Event ID/Source: 32026 / Microsoft Fax

Event Description:

Fax Service failed to initialize any assigned fax devices (virtual or TAPI).

No faxes can be sent or received until a fax device is installed.

Event Record #/Type3685 / Error

Event Submitted/Written: 10/22/2007 07:39:41 PM

Event ID/Source: 4609 / EventSystem

Event Description:

The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type3684 / Error

Event Submitted/Written: 10/22/2007 07:39:40 PM

Event ID/Source: 4609 / EventSystem

Event Description:

The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type3679 / Warning

Event Submitted/Written: 10/22/2007 07:34:43 PM

Event ID/Source: 32068 / Microsoft Fax

Event Description:

The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.

Country/region code: '*'

Area code: '*'

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type28308 / Error

Event Submitted/Written: 10/22/2007 07:39:02 PM

Event ID/Source: 7034 / Service Control Manager

Event Description:

The WebClient service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type28307 / Error

Event Submitted/Written: 10/22/2007 07:39:02 PM

Event ID/Source: 7031 / Service Control Manager

Event Description:

The Universal Plug and Play Device Host service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Event Record #/Type28306 / Error

Event Submitted/Written: 10/22/2007 07:39:02 PM

Event ID/Source: 7034 / Service Control Manager

Event Description:

The SSDP Discovery Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type28305 / Error

Event Submitted/Written: 10/22/2007 07:39:02 PM

Event ID/Source: 7034 / Service Control Manager

Event Description:

The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type28287 / Error

Event Submitted/Written: 10/22/2007 07:38:57 PM

Event ID/Source: 7034 / Service Control Manager

Event Description:

The DNS Client service terminated unexpectedly. It has done this 1 time(s).

-- End of Deckard's System Scanner: finished at 2007-10-22 19:54:50 ------------

Marco,

Hi, and welcome to Besttechie.net. You have a few problems in your log, so let's get you cleaned up.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Please go HERE to run Panda's ActiveScan - you must use Internet Explorer for this to work.

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • If it wants to install an ActiveX component allow it
  • Select either Home User or Company
  • Click the big Scan Now button
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

Please post the rapport.txt, the Activescan report, and a new hijackthis log in your reply.

Thanks,

sari

Hi Sari and thanks for your help.

I have got rid of those two buggers but my homepage remains hijacked by this website: http://asecurityassurance.com/ I've tried to change it to my usual using Internet Options but it will not allow me to do so. Another problem I have is that whenever I try to access PDF type web pages my browser closes automatically.

These are the reports you requested:

SmitFraudFix v2.240

Scan done at 19:02:00.67, 24/10/2007

Run from C:\Documents and Settings\Yoly\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{ab75cc7d-2751-4144-a278-5462d5a5884c}"="bokard"

[HKEY_CLASSES_ROOT\CLSID\{ab75cc7d-2751-4144-a278-5462d5a5884c}\InProcServer32]

@="C:\WINDOWS\system32\dfrep.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ab75cc7d-2751-4144-a278-5462d5a5884c}\InProcServer32]

@="C:\WINDOWS\system32\dfrep.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\dfrep.dll -> Hoax.Win32.Renos.gen.o

C:\WINDOWS\system32\dfrep.dll -> Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A51BBA3E-D43B-44A6-803E-41CF8BF6D43F}: DhcpNameServer=192.168.2.1

HKLM\SYSTEM\CS1\Services\Tcpip\..\{A51BBA3E-D43B-44A6-803E-41CF8BF6D43F}: DhcpNameServer=192.168.2.1

HKLM\SYSTEM\CS3\Services\Tcpip\..\{A51BBA3E-D43B-44A6-803E-41CF8BF6D43F}: DhcpNameServer=192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Incident Status Location

Adware:Adware/VideoAddon Not disinfected C:\Program Files\Video Add-on\isfmdl.dll

Spyware:spyware/web3000 Not disinfected c:\windows\hh.ico

Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44cf-8957-5838F569A31D}

Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d}

Potentially unwanted tool:Application/InternetGameBox Not disinfected C:\Deckard\System Scanner\20071024184951\backup\WINDOWS\temp\NSIS_Install_igb.exe

Potentially unwanted tool:Application/SpywareSecure Not disinfected C:\Deckard\System Scanner\20071024184951\backup\WINDOWS\temp\NSIS_SpywareSecure_trial_setup.exe

Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.112.2o7.net/]

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.2o7.net/]

Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.adultfriendfinder.com/]

Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.bravenet.com/]

Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.cs.sexcounter.com/]

Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.paycounter.com/]

Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.questionmarket.com/]

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.serving-sys.com/]

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.tribalfusion.com/]

Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.weborama.fr/]

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[ad.yieldmanager.com/]

Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[www.web-stat.com/]

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Potentially unwanted tool:Application/Pskill.A Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\pskill.exe

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.doubleclick.net/]

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.atdmt.com/]

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.2o7.net/]

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.serving-sys.com/]

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.adrevolver.com/]

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.advertising.com/]

Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.questionmarket.com/]

Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[statse.webtrendslive.com/]

Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[hc2.humanclick.com/]

Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[hc2.humanclick.com/hc/87506651]

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.casalemedia.com/]

Spyware:Cookie/Bilbo.counted Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[bilbo.counted.com/]

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.casalemedia.com/]

Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.tradedoubler.com/]

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.mediaplex.com/]

Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.bluestreak.com/]

Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.perf.overture.com/]

Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.adviva.net/]

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.statcounter.com/]

Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.zedo.com/]

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.statcounter.com/]

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][2].txt

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][1].txt

Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][1].txt

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][1].txt

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][2].txt

Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][1].txt

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][2].txt

Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][2].txt

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][2].txt

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][1].txt

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][2].txt

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][2].txt

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][3].txt

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][1].txt

Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][2].txt

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][2].txt

Spyware:Cookie/Research-int Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][1].txt

Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][1].txt

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][1].txt

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][2].txt

Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][2].txt

Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][1].txt

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][1].txt

Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][1].txt

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Yoly\Desktop\SmitfraudFix\Process.exe

Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Yoly\Desktop\SmitfraudFix\Reboot.exe

Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Yoly\Desktop\SmitfraudFix\restart.exe

Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Yoly\Desktop\SmitfraudFix.exe

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\Yoly\Local Settings\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\Cache\51F1B901d01

Potentially unwanted tool:Application/SpywareSecure Not disinfected C:\Documents and Settings\Yoly\My Documents\My Videos\SpywareSecure_trial_setup.exe

Adware:Adware/PC-Prot Not disinfected C:\Program Files\Video Add-on\ictun.exe

Adware:Adware/VideoAddon Not disinfected C:\Program Files\Video Add-on\isfmm.exe

Adware:Adware/VideoAddon Not disinfected C:\Program Files\Video Add-on\isfmntr.exe

Adware:Adware/Trymedia Not disinfected C:\RECYCLER\S-1-5-21-1060284298-602162358-839522115-1003\Dc143.exe

Adware:Adware/Trymedia Not disinfected C:\RECYCLER\S-1-5-21-1060284298-602162358-839522115-1003\Dc145.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected D:\NAPO\my documents\My Downloads\smitRem\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected D:\NAPO\my documents\My Downloads\smitRem.exe[smitRem/Process.exe]

Virus:Trj/Downloader.FA Not disinfected D:\NAPO\my documents\Screensavers\Dolphins-Screensaver-v311.exe[aud-cnet9.exe]

Virus:Trj/Downloader.EF Not disinfected D:\NAPO\my documents\Screensavers\Dolphins-Screensaver-v311.exe[augscrsvr.exe]

Spyware:Spyware/Systemcheck Not disinfected D:\NAPO\my documents\Screensavers\Dolphins-Screensaver-v311.exe[dolphinschk.exe]

Potentially unwanted tool:Application/MyWay Not disinfected D:\NAPO\my documents\Screensavers\ocean.EXE

Adware:Adware/Exact.SearchBar Not disinfected D:\NAPO\my documents\Screensavers\Real-3D-Matrix.exe[data\App\4\exact.exe]

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:14:44, on 25/10/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\PROGRA~1\MESSEN~1\msmsgs.exe

C:\Program Files\Ares\Ares.exe

C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll

O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Video Add-on\ictmdl.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [rsy32] C:\WINDOWS\System32\rsy32.exe

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

O4 - HKLM\..\Run: [Picasa Media Detector] D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - HKCU\..\Run: [FT Desktop news alerts] "C:\Program Files\FT Desktop news alerts\FTDesktopnewsalerts.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

O4 - HKCU\..\Run: [CrawlerMail] c:\progra~1\inbox\cmail.exe /startup

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: TalkTalk SNU5630NS 05 Wireless USB Adapter.lnk = C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe

O8 - Extra context menu item: Download Image with Download Manager - tbr:iemenudownload

O8 - Extra context menu item: Download URL in selection with Download Manager - tbr:iemenudownsel

O8 - Extra context menu item: Download URL with Download Manager - tbr:iemenudownload

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Inbox Search - tbr:iemenu

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165445224218

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165447675281

O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://express.foto.com/NewUploader/ImageUploader4.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

O23 - Service: Windows Security Manager - Unknown owner - C:\WINDOWS\system32\vcmon.exe (file missing)

--

End of file - 8227 bytes

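Reading a HijackThis log like the one above is mostly a matter of pulling the handful of suspicious lines out of a long report: entries whose target file no longer exists, autostarts and BHOs loaded from a temp or known adware directory, and services with no vendor string. The script below is an added example for this thread, not code from the original post, from HijackThis or from SmitFraudFix; the heuristics, the directory list and the `laf1.exe` autostart line are assumptions chosen to match the Windows XP paths seen in this log.

```python
"""Triage helper for HijackThis-style log lines (added example).

Not part of the original post and not code from HijackThis or SmitFraudFix.
It applies a few of the heuristics a forum helper uses when reading such a
log, so the lines worth a second look can be pulled out of a long report
for manual review. The heuristics and directory list are assumptions chosen
for the Windows XP paths seen in this thread.
"""
import re
from typing import Dict, List

# Markers HijackThis prints when a registry entry points at a path that no longer exists.
MISSING_MARKERS = ("(file missing)", "(no file)")

# Directories a legitimate autostart, BHO or toolbar rarely loads from (assumption).
SUSPICIOUS_DIRS = (
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
    "\\program files\\video add-on\\",
)

# "R0 - ...", "O2 - ...", "O23 - ..." etc.; everything else (process list, headers) is ignored.
LINE_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.*)$")


def triage_line(line: str) -> List[str]:
    """Return the reasons a single log line deserves a second look (empty list if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    lower = body.lower()
    reasons: List[str] = []
    if any(mk in lower for mk in MISSING_MARKERS):
        reasons.append("points at a file that no longer exists (orphaned entry)")
    if any(d in lower for d in SUSPICIOUS_DIRS):
        reasons.append("loads from a temp or known adware directory")
    if kind == "O23" and "unknown owner" in lower:
        reasons.append("service with no vendor string")
    if kind in ("O2", "O3") and "(no name)" in lower:
        reasons.append("BHO/toolbar registered without a name")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each suspicious line of a whole log to its reasons; clean lines are omitted."""
    flagged: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            flagged[raw.strip()] = reasons
    return flagged


# Sample input: seven lines copied from the HijackThis log in this thread plus one
# constructed O4 entry (the laf1.exe path appears in the installed-programs list above).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll
O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Video Add-on\ictmdl.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [laf1] C:\Documents and Settings\Owner\Local Settings\Temp\laf1.exe
O23 - Service: Windows Security Manager - Unknown owner - C:\WINDOWS\system32\vcmon.exe (file missing)
"""

if __name__ == "__main__":
    for line, why in triage_log(SAMPLE_LOG).items():
        print(line)
        for r in why:
            print("    ->", r)
```

The output is a review list, not a removal list: the Spybot `SDHelper.dll` BHO is flagged only because it is registered without a name, and it is legitimate, while `rsy32.exe` in the O4 section passes every heuristic here and still needs a manual lookup. That gap between what a scanner flags and what a helper recognises is exactly why the thread's next step was a tool update for a variant the automated fix had not caught.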

marco,

You had a new variant of smitfraud that the tool didn't get. I notified the developer and he updated it last night. I'd like you to delete your current version of smitfraudfix.

Please download SmitfraudFix (by S!Ri) to your Desktop.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Thanks,

sari

Edited by sari


Hi Sari,

Following your instructions I've installed the newest version of Smitfraud and tried to run it on Safe Mode but I can't do it.

When I click on smitfraudfix.cmd a new window opens that prompts me to press a key; I do this and the computer gets blocked. I can only turn it off and restart again, and the same thing happens time and time again.

Another thing: this virus has also hijacked my Antivirus program which I cannot access.

thanks

Marco


Marco,

I just re-read my instructions and realized they're outdated. Smitfraudfix is an executable file - you should just be able to doubleclick on the icon to run it. Then you get a message about joedanger not being involved with the program, and are asked to press any key to continue. Is that what happens? What do you mean by your computer gets blocked?

sari


Yes, that's what happens. I've tried again, clicking on the smitfraudfix icon directly; I press any key and the program doesn't run, it gets stuck. I can't move the cursor or do anything, so I have to manually switch off the computer.

Marco


Marco,

I have a couple of things for you to do.

Please download Navilog1 by IL-MAFIOSO:

http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip

* Extract its contents to the desktop.

* Double click on navilog1.exe to install it on your computer.

* When the installation is complete, the tool will start automatically.

* If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.

* Press E for English from the language Menu.

* Type 1 in the next Menu to select Search and press Enter.

* Wait for the Scan to finish (It may take a reasonable amount of time)

* Press any key as requested.

* A new document will be produced: fixnavi.txt.

* Please copy/paste the contents of this report in your next reply.

The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt)

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Now, it may be that the Activescan deleted part of your Combofix. Please download it again, then follow the directions below:

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Please include the fixnavi.txt, the sdfix log, the smitfraudfix log, and a new hijackthis log in your reply.

thanks,

sari


Hi Sari,

Thanks very much for your patient help. Bad news I'm afraid. I've got the same problem as when I tried to run Smitfraudfix in Safe Mode; I can't do it. When I type Y to run the program nothing happens, the cursor freezes and I can't move it, and my only alternative as far as I can see is to reboot the computer.

Another thing that may be relevant: every time I log on to my account the following message appears: "TmPfw has encountered a problem and needs to close. We are sorry for the inconvenience." This message didn't appear before the virus infected my PC.

Thanks again

Marco


Marco,

I've had a couple of experts look at this, and we're a little confused as to why it won't run, especially since it did before. I'm going to have you run a different program to see if it cleans anything up and shows us some additional information.

Download ComboFix from Here to your Desktop.

  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,

sari

Edited by sari


Hi Sari,

Here are the logs you asked for:

ComboFix 07-11-08.1 - Owner 2007-11-07 17:45:42.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.118 [GMT 0:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\pack.epk

c:\WINDOWS\system32\fxgenyl.dat

c:\windows\system32\fxgenyl.exe

C:\WINDOWS\system32\fxgenyl_nav.dat

C:\WINDOWS\system32\fxgenyl_navps.dat

C:\WINDOWS\system32\nvs2.inf

C:\WINDOWS\system32\u2g.f

C:\WINDOWS\system32\winiconmon.ico

C:\WINDOWS\system32\winiconmon.ico.bak0

.

((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))

.

2007-11-07 17:44 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-11-05 13:17 <DIR> d-------- C:\Program Files\Navilog1

2007-10-28 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

2007-10-25 13:09 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

2007-10-25 13:09 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2007-10-25 13:09 53,248 --a------ C:\WINDOWS\system32\Process.exe

2007-10-25 13:09 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-10-25 13:09 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2007-10-24 18:14 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2007-10-24 18:02 3,942 --a------ C:\WINDOWS\system32\tmp.reg

2007-10-22 18:50 <DIR> d-------- C:\Deckard

2007-10-22 18:11 <DIR> d-------- C:\Program Files\Video Add-on

2007-10-10 09:32 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-10-28 19:09 --------- d-----w C:\Program Files\Apple Software Update

2007-10-24 23:10 --------- d-----w C:\Program Files\QuickTime

2007-10-24 23:06 --------- d-----w C:\Program Files\iTunes

2007-10-24 22:57 --------- d-----w C:\Program Files\Ares

2007-10-24 19:50 --------- d-----w C:\Program Files\Common Files\Adobe

2007-10-24 07:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM

2007-10-22 18:53 --------- d-----w C:\Program Files\Trend Micro

2007-09-28 08:28 --------- d-----w C:\Program Files\DC++

2007-09-15 19:45 --------- d-----w C:\Program Files\Mordor II

2007-09-11 16:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent

2007-09-10 18:25 --------- d-----w C:\Program Files\WildGames

2007-09-10 16:25 --------- d-----w C:\Program Files\DevastationZoneTroopers_at

2007-09-10 15:28 --------- d-----w C:\Program Files\The Dark Legions

2007-09-10 15:27 --------- d-----w C:\Program Files\MrRobot

2007-09-10 15:26 --------- d-----w C:\Program Files\Crimsonland

2007-09-10 11:27 86,528 ----a-w C:\WINDOWS\bnetunin.exe

2007-09-10 11:27 61,440 ----a-w C:\WINDOWS\diabswun.exe

2007-09-10 10:06 --------- d-----w C:\Program Files\Virtual Villagers

2007-09-03 15:28 276,480 ----a-w C:\WINDOWS\system32\tyekjvcbnm.exe

2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-04-16 16:24 25,980,320 ----a-w C:\Program Files\FLV PlayerRCSetup.exe

2007-04-16 16:24 2,874,926 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe

2006-12-06 19:52 1,703 ----a-w C:\Program Files\tileb-hx.ide

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B499D34E-58EF-4927-AB9F-7AF52B2C4C82}]

2007-10-24 17:48 11264 --a------ C:\Program Files\Video Add-on\isfmdl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}"= C:\Program Files\Video Add-on\ictmdl.dll [2007-10-22 18:11 78336]

[HKEY_CLASSES_ROOT\CLSID\{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}"= C:\Program Files\Video Add-on\ictmdl.dll [2007-10-22 18:11 78336]

[HKEY_CLASSES_ROOT\CLSID\{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-02 13:37]

"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-02 13:19]

"rsy32"="C:\WINDOWS\System32\rsy32.exe" []

"LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [2005-07-19 17:32]

"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]

"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]

"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [2006-03-08 13:30]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 23:14]

"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 12:19]

"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32]

"NapsterShell"="C:\Program Files\Napster\napster.exe" []

"Picasa Media Detector"="D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe" [2006-12-12 00:36]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-04-06 09:17]

"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]

"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-14 22:37]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Picasa Media Detector"=D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-04-06 09:17:02]

TalkTalk SNU5630NS 05 Wireless USB Adapter.lnk - C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe [2006-06-09 16:57:50]

S2 Windows Security Manager;Windows Security Manager;"C:\WINDOWS\system32\vcmon.exe"

S3 CPTWGU(TalkTalk);TalkTalk SNU5630NS/05 Wireless USB Adapter(TalkTalk);C:\WINDOWS\system32\DRIVERS\CPTWGU.sys

.

Contents of the 'Scheduled Tasks' folder

"2007-11-01 13:03:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2007-11-07 17:37:58 C:\WINDOWS\Tasks\User_Feed_Synchronization-{6144042F-5447-427E-8D14-3D5A94F277F8}.job"

- C:\WINDOWS\system32\msfeedssync.exe

.

**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-08 17:48:41

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-11-08 17:49:18

.

--- E O F ---

Deckard's System Scanner v20071014.68

Run by Owner on 2007-11-08 17:50:00

Computer is in Normal Mode.

--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:50:26, on 08/11/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Ares\Ares.exe

C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\Owner\Desktop\dss.exe

C:\WINDOWS\system32\msfeedssync.exe

D:\NAPO\MYDOCU~1\MYDOWN~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll

O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Video Add-on\ictmdl.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [rsy32] C:\WINDOWS\System32\rsy32.exe

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

O4 - HKLM\..\Run: [Picasa Media Detector] D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: TalkTalk SNU5630NS 05 Wireless USB Adapter.lnk = C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165445224218

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165447675281

O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://express.foto.com/NewUploader/ImageUploader4.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

O23 - Service: Windows Security Manager - Unknown owner - C:\WINDOWS\system32\vcmon.exe (file missing)

--

End of file - 7897 bytes

-- Files created between 2007-10-08 and 2007-11-08 -----------------------------

2007-11-05 13:17:38 0 d-------- C:\Program Files\Navilog1

2007-10-28 19:09:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple

2007-10-25 13:09:47 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2007-10-25 13:09:47 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >

2007-10-25 13:09:47 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>

2007-10-25 13:09:47 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>

2007-10-25 13:09:47 51200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-10-24 18:14:00 0 d-------- C:\WINDOWS\system32\ActiveScan

2007-10-24 18:02:06 3942 --a------ C:\WINDOWS\system32\tmp.reg

2007-10-24 17:43:31 0 d-------- C:\Documents and Settings\Owner\Application Data\Opera

2007-10-22 18:11:35 0 d-------- C:\Program Files\Video Add-on

-- Find3M Report ---------------------------------------------------------------

2007-10-28 19:09:52 0 d-------- C:\Program Files\Apple Software Update

2007-10-25 12:29:24 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe

2007-10-24 23:10:53 0 d-------- C:\Program Files\QuickTime

2007-10-24 23:06:39 0 d-------- C:\Program Files\Messenger

2007-10-24 23:06:15 0 d-------- C:\Program Files\iTunes

2007-10-24 22:57:06 0 d-------- C:\Program Files\Ares

2007-10-24 19:50:26 0 d-------- C:\Program Files\Common Files\Adobe

2007-10-24 07:52:45 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM

2007-10-22 18:53:51 0 d-------- C:\Program Files\Trend Micro

2007-09-28 08:28:38 0 d-------- C:\Program Files\DC++

2007-09-15 19:45:00 0 d-------- C:\Program Files\Mordor II

2007-09-10 18:25:46 0 d-------- C:\Program Files\WildGames

2007-09-10 16:25:09 0 d-------- C:\Program Files\DevastationZoneTroopers_at

2007-09-10 15:28:37 0 d-------- C:\Program Files\The Dark Legions

2007-09-10 15:27:12 0 d-------- C:\Program Files\MrRobot

2007-09-10 15:26:27 0 d-------- C:\Program Files\Crimsonland

2007-09-10 11:27:44 61440 --a------ C:\WINDOWS\diabswun.exe

2007-09-10 11:27:44 86528 --a------ C:\WINDOWS\bnetunin.exe

2007-09-10 10:06:10 0 d-------- C:\Program Files\Virtual Villagers

2007-09-03 15:28:00 276480 --a------ C:\WINDOWS\system32\tyekjvcbnm.exe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B499D34E-58EF-4927-AB9F-7AF52B2C4C82}]

24/10/2007 17:48 11264 --a------ C:\Program Files\Video Add-on\isfmdl.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}"= C:\Program Files\Video Add-on\ictmdl.dll [22/10/2007 18:11 78336]

[-HKEY_CLASSES_ROOT\CLSID\{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [02/10/2003 13:37]

"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [02/10/2003 13:19]

"rsy32"="C:\WINDOWS\System32\rsy32.exe" []

"LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [19/07/2005 17:32]

"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [08/06/2005 15:24]

"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [08/06/2005 15:14]

"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [08/03/2006 13:30]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [25/10/2006 18:58]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/10/2006 09:36]

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [29/09/2003 23:14]

"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [21/03/2006 12:19]

"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 21:32]

"NapsterShell"="C:\Program Files\Napster\napster.exe" []

"Picasa Media Detector"="D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe" [12/12/2006 00:36]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 18:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [06/04/2007 09:17]

"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [08/06/2005 14:44]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:56]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 16:24]

"ares"="C:\Program Files\Ares\Ares.exe" [14/05/2007 22:37]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Picasa Media Detector"=D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\

Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [16/03/2005 18:16:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [06/04/2007 09:17:02]

TalkTalk SNU5630NS 05 Wireless USB Adapter.lnk - C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe [09/06/2006 16:57:50]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

@="Volume shadow copy"

-- End of Deckard's System Scanner: finished at 2007-11-08 17:50:52 ------------

Marco,

That was helpful in finding some information. I have a different fix for you to run now.

Open a new Notepad file, then "Copy/Paste" the text in the Codebox below into it (including the URL up top):

http://www.besttechie.net/forums/index.php?showtopic=12807

Collect::
C:\WINDOWS\system32\tyekjvcbnm.exe

Suspect::
C:\WINDOWS\bnetunin.exe
C:\WINDOWS\diabswun.exe

File::
C:\WINDOWS\system32\vcmon.exe

Folder::
C:\Program Files\Video Add-on

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B499D34E-58EF-4927-AB9F-7AF52B2C4C82}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}"=-
[-HKEY_CLASSES_ROOT\CLSID\{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}"=-
[-HKEY_CLASSES_ROOT\CLSID\{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rsy32"=-
"NapsterShell"=-

Driver::
Windows Security Manager

Save this as CFScript.txt on your Desktop.

CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

ComboFix will run.

Additionally, ComboFix will generate the following files on your Desktop:

  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm

ComboFix may need to reboot to finish its work. Let it.

When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

Next, a window will popup prompting you to "Submit Files for further analysis". Click "OK"

Your system's browser will automatically respond by loading the CF-Submit.htm file and open a window:

  • Click the "Browse" button and locate the Submit [Date Time].zip file on your Desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"

Once the file has been submitted, you may DELETE both files on your Desktop.

Post the following reports/logs into your next reply:

- Combofix.txt

- A new HijackThis log

Thanks,

sari
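An added example, not code from this thread or from DSS/ComboFix: a small Python parser for the Registry Dump format in the log above. It flags Run values whose timestamp bracket is empty (DSS prints the file's date and time when it finds the file; `rsy32` and `NapsterShell` are the two such values in the log, and they are exactly the two the Registry:: section of the script removes) and emits that section in CFScript syntax. The sample dump is a constructed excerpt of the log above.

```python
import re

# Constructed excerpt in the layout of the Deckard's System Scanner "Registry Dump"
# above; the Run values are taken from this thread's log.
SAMPLE_DUMP = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe" [02/10/2003 13:37]
"rsy32"="C:\\WINDOWS\\System32\\rsy32.exe" []
"pccguide.exe"="C:\\Program Files\\Trend Micro\\Internet Security 2006\\pccguide.exe" [08/03/2006 13:30]
"NapsterShell"="C:\\Program Files\\Napster\\napster.exe" []
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [04/08/2004 00:56]
"ares"="C:\\Program Files\\Ares\\Ares.exe" [14/05/2007 22:37]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<stamp>[^\]]*)\]$')

def parse_run_entries(text):
    """Return (key, value_name, path, stamp) for every quoted value in the dump."""
    key = None
    entries = []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")          # a new [HKEY_...] section starts
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m.group("name"), m.group("path"), m.group("stamp")))
    return entries

def missing_target_entries(text):
    """Run values with an empty [] bracket: DSS printed no file timestamp for them."""
    return [e for e in parse_run_entries(text) if e[3] == ""]

def cfscript_registry_section(entries):
    """Build a CFScript Registry:: section that deletes the given values ("name"=-)."""
    lines = ["Registry::"]
    current = None
    for key, name, _path, _stamp in entries:
        if key != current:                # emit the key header once per group
            lines.append(f"[{key}]")
            current = key
        lines.append(f'"{name}"=-')
    return "\n".join(lines)

if __name__ == "__main__":
    print(cfscript_registry_section(missing_target_entries(SAMPLE_DUMP)))
```

An empty bracket only means DSS found no file at that path at scan time, so each flagged value still needs a look at the path and at the rest of the log before it goes into a script.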

Hi Sari,

Sorry for the delay in replying. I've followed all your instructions and attached both reports you asked for. A funny thing happened: my antivirus programme expired and on downloading the new one, thus getting rid of the older version, things seem to have got a lot better. My homepage is no longer hijacked. Could it be that the virus was in my antivirus programme?

Thanks

Marco

log.txt

main.txt

Hi, I was also experiencing problems with IE Tools and IE Safety Features. I followed your instructions and was successful in finally removing them from my system. I'm attaching the ComboFix log that was populated after my scan was completed. I didn't know how I was going to get rid of it. Thanks, Yolanda

**************************************************************************

ComboFix_Log.txt

I have one other problem that I would like assistance with. I can't get rid of the shortcut to this link in my taskbar: http://www.virprotect.com/?aff=1012 I have attempted to uninstall it but it doesn't appear in the list of programs. Any suggestions? Also, this link was inadvertently accessed while my machine was without antivirus protection; could this be negatively affecting my system?

Marco,

My turn to apologize for the delay - last week's holiday really put me behind.

It's possible that since your anti-virus had expired, it wasn't up-to-date with definitions, and downloading a new one gave you more current protection. You definitely had some nasty files that the last round with combofix should have also cleared up.

How is everything still running? No more popups or anything?

sari

Hi Sari,

Things seem to be a lot better, thank you very much for all your help. You guys do a great job!!

Take care

Marco

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
