Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Wierd problem with my internet connection...malware related?


  • Please log in to reply

#1
ericdrawback

ericdrawback

    New Member

  • Member
  • Pip
  • 6 posts
Hi everyone! Over the last couple days I've noticed that if I leave my computer on for an extended period of time (10+ hours)...and try to open IE or firefox, I am unable to get to any webpages...which is wierd because AIM will work fine. The problem seems to resolve itself after I reboot the computer, but it seems to be happening more frequently.

I've done a virus scan, adawareSE scan, and used a couple other anti-malware scanners....any help would be greatly appreciated! Thanks in advance, Eric

Logfile of HijackThis v1.99.1
Scan saved at 9:47:30 PM, on 11/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebsl...earch.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.bestwebsl...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uconn.edu:80
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BrowserFortress] C:\Program Files\Browser Fortress\BrowserFortress.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Messenger] aolmsngr.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\RunServices: [AOL Messenger] aolmsngr.exe
O4 - HKCU\..\Run: [Eraser] C:\eraser\eraser.exe -hide
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [Winsvr] C:\3611010322516384.exe
O4 - HKCU\..\Run: [WinMedia] C:\361101032253072.exe
O4 - Startup: Banshee Screamer Alarm.lnk = D:\Program Files\Banshee Screamer Alarm\alarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Corel Network monitor worker - {127185C8-3FD9-4F46-B8A4-C0D24E0B89B8} - C:\WINDOWS\System32\intlmain.dll (file missing)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {127185C8-3FD9-4F46-B8A4-C0D24E0B89B8} - C:\WINDOWS\System32\intlmain.dll (file missing)
O9 - Extra button: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - C:\Program Files\Intertops Poker\IntertopsPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - C:\Program Files\Intertops Poker\IntertopsPoker.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Corel Network monitor worker - {127185C8-3FD9-4F46-B8A4-C0D24E0B89B8} - C:\WINDOWS\System32\intlmain.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {127185C8-3FD9-4F46-B8A4-C0D24E0B89B8} - C:\WINDOWS\System32\intlmain.dll (file missing) (HKCU)
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  • 0

Advertisements


#2
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :whistling:



Please download SmitfraudFix (by S!Ri) to your Desktop.
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.


=======================


Please download AVG Anti-Spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan yet!


========================


Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log.
  • 0

#3
ericdrawback

ericdrawback

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi Sam, thank you for your help! Below is the log you requested, please advise

SmitFraudFix v2.122

Scan done at 11:42:07.60, Sat 11/18/2006
Run from C:\Documents and Settings\Eric Hartlett\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\adware-sheriff-box.gif FOUND !
C:\WINDOWS\adware-sheriff-header.gif FOUND !
C:\WINDOWS\antispylab-logo.gif FOUND !
C:\WINDOWS\blue-bg.gif FOUND !
C:\WINDOWS\buy-now-btn.gif FOUND !
C:\WINDOWS\corner-left.gif FOUND !
C:\WINDOWS\corner-right.gif FOUND !
C:\WINDOWS\facts.gif FOUND !
C:\WINDOWS\footer.giff FOUND !
C:\WINDOWS\free-scan-btn.gif FOUND !
C:\WINDOWS\h-line-gradient.gif FOUND !
C:\WINDOWS\header-bg.gif FOUND !
C:\WINDOWS\info.gif FOUND !
C:\WINDOWS\no-icon.gif FOUND !
C:\WINDOWS\reg-freeze-box.gif FOUND !
C:\WINDOWS\reg-freeze-header.gif FOUND !
C:\WINDOWS\remove-spyware-btn.gif FOUND !
C:\WINDOWS\sites.ini FOUND !
C:\WINDOWS\spyware-sheriff-header.gif FOUND !
C:\WINDOWS\spyware-sheriff-box.gif FOUND !
C:\WINDOWS\star-grey.gif FOUND !
C:\WINDOWS\true-stories.gif FOUND !
C:\WINDOWS\win-sec-center-logo.gif FOUND !
C:\WINDOWS\windows-compatible.gif FOUND !
C:\WINDOWS\yes-icon.gif FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\CWS_iestart.exe FOUND !
C:\WINDOWS\system32\date.ico FOUND !
C:\WINDOWS\system32\exuc32.tmp FOUND !
C:\WINDOWS\system32\intmon.exe FOUND !
C:\WINDOWS\system32\mirarsearch_toolbar.exe FOUND !
C:\WINDOWS\system32\network.ico FOUND !
C:\WINDOWS\system32\shellgui32.dll FOUND !
C:\WINDOWS\system32\spam.ico FOUND !
C:\WINDOWS\system32\spyware.ico FOUND !
C:\WINDOWS\system32\users32.exe FOUND !
C:\WINDOWS\system32\winsrv32.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Eric Hartlett


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Eric Hartlett\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ERICHA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#4
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Now for the fun part.


Please print out or copy these instructions/tutorial to Notepad as the internet will not be available to you at certain points of the removal process (while in Safe Mode). Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.


1. Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

2. Run Smitfraud
  • Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
  • Select option #2 - Clean by typing 2 and press Enter.
  • Wait for the tool to complete and disk cleanup to finish.
  • You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
  • The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.


    A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

    The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
3. Clean out your Temporary Internet files
  • Internet Explorer
    • Close Internet Explorer and close any instances of Windows Explorer.
    • Click Start -> Control Panel and then double-click Internet Options.
    • On the General tab, click Delete Files under Temporary Internet Files.
    • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
    • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
    • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
    • Click OK.

  • Firefox (In case you also have Firefox installed)
    • Open Firefox and go to Tools -> Options.
    • Click Privacy in the menu on the left side of the Options window.
    • Click the Clear button located to the right of each option (History, Cookies, Cache).
    • Click OK to close the Options window.
      Alternatively, you can clear all information stored while browsing by clicking Clear All.
      A confirmation dialog box will be shown before clearing the information.


4. Next Click Start -> Control Panel and then double-click Display.
  • Click on the Desktop tab, then click the Customize Desktop button.
  • Click on the Web tab.
  • Under Web Pages you may see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button.
  • Click Ok then Apply and Ok.

5. Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.


6. Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess.

  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware.
7. Reboot back into Normal Windows Mode


8. Run SmitfraudFix.
  • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
  • Select option #3 - Delete Trusted zone by typing 3 and press Enter
  • Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.


    Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
9. Please post the following logs:
  • C:\rapport.txt
  • AVG Anti-Spyware log
  • A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.

  • 0

#5
ericdrawback

ericdrawback

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi Sam! I've done everything you've asked; below are my reports. I'm not sure if the process is complete or not...but I must say I am very impressed and extremely grateful to you guys...is there any way I would be able to make a donation to your site?


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:37:49 PM 11/18/2006

+ Scan result:



C:\WINDOWS\system32\ati3d2ag.exe -> Adware.AdSrve : Cleaned with backup (quarantined).
C:\WINDOWS\system32\catsrvps.exe -> Adware.AdSrve : Cleaned with backup (quarantined).
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\WINDOWS\system32\axuninstall.exe -> Adware.BlazeFind : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric Hartlett\Desktop\Poke her\SetupPoker.exe -> Adware.Casino : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{4FBCB9CF-DA72-BD56-EC50-BD7B5736C970} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\b78b327add10 -> Adware.IEDriver : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{87976CB7-58B6-4F87-AC67-9A4ED8915937}\RP337\A0064175.DLL -> Adware.IGetNet : Cleaned with backup (quarantined).
C:\WINDOWS\Greenstone.bmp:xdhlda -> Adware.OneMoreSearch : Cleaned with backup (quarantined).
C:\WINDOWS\Q331953.log:oxfeim -> Adware.OneMoreSearch : Cleaned with backup (quarantined).
C:\WINDOWS\system32\PreUninstall.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\AC3API25.exe -> Adware.VB : Cleaned with backup (quarantined).
C:\WINDOWS\system32\catsrvut.exe -> Adware.VB : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update.exe -> Adware.WinFetcher : Cleaned with backup (quarantined).
C:\WINDOWS\WMSysPrx.prx:ustxni -> Backdoor.Small.dc : Cleaned with backup (quarantined).
C:\WINDOWS\msgsocm.log:akzimn -> Backdoor.Small.dc : Cleaned with backup (quarantined).
C:\WINDOWS\ocmsn.log:dlctii -> Downloader.Agent.ap : Cleaned with backup (quarantined).
C:\ntdetect.hta -> Downloader.Inor.cj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\HjwMt62.exe -> Downloader.VB.em : Cleaned with backup (quarantined).
C:\WINDOWS\system32\JooI3e.exe -> Downloader.VB.em : Cleaned with backup (quarantined).
C:\WINDOWS\system32\NjqM9Y44.exe -> Downloader.VB.em : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Rxzsb.exe -> Downloader.VB.em : Cleaned with backup (quarantined).
C:\WINDOWS\system32\LogFiles\M8291300.so -> Dropper.Agent.om : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{87976CB7-58B6-4F87-AC67-9A4ED8915937}\RP337\A0064174.dll -> Hijacker.VB.bf : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][2].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][2].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][2].txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][1].txt -> TrackingCookie.Euniverseads : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Eric Hartlett\Cookies\eric [email protected][1].txt -> TrackingCookie.Gamershell : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][2].txt -> TrackingCookie.Popuptraffic : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][2].txt -> TrackingCookie.Yadro : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Eric Hartlett\Local Settings\Temp\Cookies\eric [email protected][1].txt -> TrackingCookie.Ysbweb : Cleaned.
C:\WINDOWS\system32\CTKUvPR.exe -> Trojan.Agent.az : Cleaned with backup (quarantined).
C:\361101032253072.exe -> Trojan.Agent.zq : Cleaned with backup (quarantined).


::Report end
  • 0

#6
ericdrawback

ericdrawback

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
SmitFraudFix v2.122

Scan done at 13:49:25.32, Sat 11/18/2006
Run from C:\Documents and Settings\Eric Hartlett\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\adware-sheriff-box.gif Deleted
C:\WINDOWS\adware-sheriff-header.gif Deleted
C:\WINDOWS\antispylab-logo.gif Deleted
C:\WINDOWS\blue-bg.gif Deleted
C:\WINDOWS\buy-now-btn.gif Deleted
C:\WINDOWS\corner-left.gif Deleted
C:\WINDOWS\corner-right.gif Deleted
C:\WINDOWS\facts.gif Deleted
C:\WINDOWS\footer.gif Deleted
C:\WINDOWS\free-scan-btn.gif Deleted
C:\WINDOWS\h-line-gradient.gif Deleted
C:\WINDOWS\header-bg.gif Deleted
C:\WINDOWS\info.gif Deleted
C:\WINDOWS\no-icon.gif Deleted
C:\WINDOWS\reg-freeze-box.gif Deleted
C:\WINDOWS\reg-freeze-header.gif Deleted
C:\WINDOWS\remove-spyware-btn.gif Deleted
C:\WINDOWS\spyware-sheriff-header.gif Deleted
C:\WINDOWS\spyware-sheriff-box.gif Deleted
C:\WINDOWS\star-grey.gif Deleted
C:\WINDOWS\true-stories.gif Deleted
C:\WINDOWS\sites.ini Deleted
C:\WINDOWS\win-sec-center-logo.gif Deleted
C:\WINDOWS\windows-compatible.gif Deleted
C:\WINDOWS\yes-icon.gif Deleted
C:\WINDOWS\system32\CWS_iestart.exe Deleted
C:\WINDOWS\system32\date.ico Deleted
C:\WINDOWS\system32\exuc32.tmp Deleted
C:\WINDOWS\system32\intmon.exe Deleted
C:\WINDOWS\system32\mirarsearch_toolbar.exe Deleted
C:\WINDOWS\system32\network.ico Deleted
C:\WINDOWS\system32\shellgui32.dll Deleted
C:\WINDOWS\system32\spam.ico Deleted
C:\WINDOWS\system32\spyware.ico Deleted
C:\WINDOWS\system32\users32.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\winsrv32.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#7
ericdrawback

ericdrawback

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Logfile of HijackThis v1.99.1
Scan saved at 3:48:43 PM, on 11/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uconn.edu:80
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BrowserFortress] C:\Program Files\Browser Fortress\BrowserFortress.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Messenger] aolmsngr.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [AOL Messenger] aolmsngr.exe
O4 - HKCU\..\Run: [Eraser] C:\eraser\eraser.exe -hide
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Winsvr] C:\3611010322516384.exe
O4 - Startup: Banshee Screamer Alarm.lnk = D:\Program Files\Banshee Screamer Alarm\alarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Corel Network monitor worker - {127185C8-3FD9-4F46-B8A4-C0D24E0B89B8} - C:\WINDOWS\System32\intlmain.dll (file missing)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {127185C8-3FD9-4F46-B8A4-C0D24E0B89B8} - C:\WINDOWS\System32\intlmain.dll (file missing)
O9 - Extra button: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - C:\Program Files\Intertops Poker\IntertopsPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - C:\Program Files\Intertops Poker\IntertopsPoker.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Corel Network monitor worker - {127185C8-3FD9-4F46-B8A4-C0D24E0B89B8} - C:\WINDOWS\System32\intlmain.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {127185C8-3FD9-4F46-B8A4-C0D24E0B89B8} - C:\WINDOWS\System32\intlmain.dll (file missing) (HKCU)
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  • 0

#8
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
We made a lot of progress on that step. Now we need to clean up your log and run a few scans to make sure we get rid of anything that is left over.

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebsl...earch.php?qq=%1
O4 - HKLM\..\Run: [AOL Messenger] aolmsngr.exe
O4 - HKLM\..\RunServices: [AOL Messenger] aolmsngr.exe
O4 - HKCU\..\Run: [Winsvr] C:\3611010322516384.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Corel Network monitor worker - {127185C8-3FD9-4F46-B8A4-C0D24E0B89B8} - C:\WINDOWS\System32\intlmain.dll (file missing)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {127185C8-3FD9-4F46-B8A4-C0D24E0B89B8} - C:\WINDOWS\System32\intlmain.dll (file missing)
O9 - Extra button: Corel Network monitor worker - {127185C8-3FD9-4F46-B8A4-C0D24E0B89B8} - C:\WINDOWS\System32\intlmain.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {127185C8-3FD9-4F46-B8A4-C0D24E0B89B8} - C:\WINDOWS\System32\intlmain.dll (file missing) (HKCU)



Reboot your computer.


==============


Delete these files, if present.

C:\3611010322516384.exe
C:\WINDOWS\system32\aolmsngr.exe



==============



Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.
==============



Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Edited by Buckeye_Sam, 19 November 2006 - 06:37 AM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP