Old 2007-03-23, 08:23   #1
unskilled
Junior Member
 
Join Date: Mar 2007
Posts: 13
Smitfraud-c toolbar888 virus

ok, i've seen a lot of threads on this virus, but it seems everyone's case is unique. hence i suppose i should make a new thread showing what's wrong on my comp, and hope you guys can help me. the virus has hit the family comp, so it affects most people in the house.

HJT log file

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
H:\Downloads\HiJackThis_v2\HiJackThis_v2.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A9930D97-9CF0-42A0-A10D-4F28836579D5} - C:\PROGRA~1\KuGoo3\KUGOO3~1.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE /P26 "EPSON Stylus CX1500 Series" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 使用KuGoo3下载(&K) - C:\PROGRA~1\KuGoo3\KuGoo3DownX.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

thanks
Old 2007-03-23, 12:53   #2
pskelley
In Memoriam -Always in our heart
 
 
Join Date: Oct 2005
Location: Clearwater, Florida
Posts: 20,558

Welcome to the forum, some information first.

1) Make sure you have read and followed these instructions:
"BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288

2) Please READ: Which HJT Version to use! http://forums.spybot.info/showthread.php?t=12274
When you post the next log, do not cut the first four lines off. Notepad > Edit > Select all > copy/paste.

3) See this: http://forums.spybot.info/showthread.php?t=8668 Is Spybot the program finding this item, and do you have other reasons to suspect a Smitfraud infection? Provide more information so I can help you. Do you have multiple users on the computer?

4) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow only these directions:
Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consultin...rocessutil.htm

Restart the computer and post any information I requested, the C:\report.txt from Smitfraudfix and a new HJT log using version 1.99.1. Please delete the other version.

Thanks
__________________
MS-MVP Consumer Security 2007-08-09
Proud Member ASAP
UNITE Member 2006
Old 2007-03-24, 02:25   #3
unskilled
Junior Member
 
Join Date: Mar 2007
Posts: 13

panda scan


Incident Status Location

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.advertising.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.azjmp.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\user\Desktop\SmitfraudFix\Process.exe
Spyware:Spyware/SafeSurf Not disinfected C:\EHD\H\Downloads\evillyrics.zip[setup.exe][2¨¹?\ExtractDLL.dll]
Virus:Generic Trojan Not disinfected C:\EHD\H\Downloads\kugoo.exe[KUGOU_YASSIST.EXE][wmpns.dll]
Virus:Generic Trojan Not disinfected G:\System Volume Information\_restore{0BBCEA33-00FC-4CB0-A790-F29D4AB84647}\RP74\A0017143.EXE[wmpns.dll]
Spyware:Spyware/SafeSurf Not disinfected H:\Downloads\evillyrics.zip[setup.exe][2¨¹?\ExtractDLL.dll]
Virus:Generic Trojan Not disinfected H:\Downloads\KUGOO.EXE[KUGOU_YASSIST.EXE][wmpns.dll]

HJT log file

Logfile of HijackThis v1.99.1
Scan saved at 11:57:59 AM, on 24/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
H:\Downloads\New Folder\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A9930D97-9CF0-42A0-A10D-4F28836579D5} - C:\PROGRA~1\KuGoo3\KUGOO3~1.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE /P26 "EPSON Stylus CX1500 Series" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: ʹÓÃKuGoo3ÏÂÔØ(&K) - C:\PROGRA~1\KuGoo3\KuGoo3DownX.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
Old 2007-03-24, 02:25   #4
unskilled
Junior Member
 
Join Date: Mar 2007
Posts: 13

smitfraudfix report

Incident Status Location

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.advertising.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt[.azjmp.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\user\Desktop\SmitfraudFix\Process.exe
Spyware:Spyware/SafeSurf Not disinfected C:\EHD\H\Downloads\evillyrics.zip[setup.exe][2¨¹?\ExtractDLL.dll]
Virus:Generic Trojan Not disinfected C:\EHD\H\Downloads\kugoo.exe[KUGOU_YASSIST.EXE][wmpns.dll]
Virus:Generic Trojan Not disinfected G:\System Volume Information\_restore{0BBCEA33-00FC-4CB0-A790-F29D4AB84647}\RP74\A0017143.EXE[wmpns.dll]
Spyware:Spyware/SafeSurf Not disinfected H:\Downloads\evillyrics.zip[setup.exe][2¨¹?\ExtractDLL.dll]
Virus:Generic Trojan Not disinfected H:\Downloads\KUGOO.EXE[KUGOU_YASSIST.EXE][wmpns.dll]

ok, about my infection, my sister got it by clicking on a link through msn while her friend had the virus. hence the infection activates every time msn is opened.
i cleaned the comp using various programs, but most of them came back clean.
when i first used spybot, it showed me i had like ~30 infections, including systemdoctor2006, which automatically downloads smitfraud-c and other infections. but since cleaning it that time, the infection just keeps reappearing, even when systemdoctor2006 is gone.

hope this helps
Old 2007-03-24, 02:42   #5
pskelley
In Memoriam -Always in our heart
 
 
Join Date: Oct 2005
Location: Clearwater, Florida
Posts: 20,558

It looks like you posted the Panda scan results twice? This is the information I requested:
Quote:
Restart the computer and post any information I requested, the C:\report.txt from Smitfraudfix and a new HJT log using version 1.99.1. Please delete the other version.
I need to see the C:\rapport.txt from Smitfraudfix to see if we need to remove Smitfraud before we proceed.

Thanks
__________________
MS-MVP Consumer Security 2007-08-09
Proud Member ASAP
UNITE Member 2006
Old 2007-03-24, 02:58   #6
unskilled
Junior Member
 
Join Date: Mar 2007
Posts: 13

oops sorry, thought it was with the rest

SmitFraudFix v2.153

Scan done at 12:02:55.03, 24/03/2007 Sat
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
Old 2007-03-24, 11:45   #7
pskelley
In Memoriam -Always in our heart
 
 
Join Date: Oct 2005
Location: Clearwater, Florida
Posts: 20,558

No problem and thanks, the Smitfraud report is clean. I am not seeing a lot in the HJT log either, I need to know more about this
Quote:
the virus has hit the family comp
1) HJT needs to run from a drive to save backups for safety if we need to use it. Please move it here: C:\HJT\HijackThis.exe
http://russelltexas.com/malware/createhjtfolder.htm <<< tutorial if needed

2) Is there more than one user account on the computer?

3) Describe this "virus"
Quote:
the infection just keeps reappearing
What appears and where, what program is identifying it.

4)
Quote:
hence the infection activates everytime msn is opened.
Explain what you mean there, what infection? What is the name of the virus, the name of the file, location of the item? and how does it activate?

5) The Panda scan is showing mostly cookies, see this information:
http://privacy.getnetwise.org/browsi...disablecookies
http://mozilla.gunnars.net/firefox_h..._tutorial.html
http://www.mozilla.org/projects/secu...priv_help.html

6) Follow the instructions in this link and run AVG Anti-Spyware according to them. Be sure to delete or at least quarantine anything it finds.
http://forums.security-central.us/showthread.php?t=3165

7) Uninstall Manager >>> Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Restart the computer and post any information I requested, the uninstall list, a new HJT log and any comments you think will help.

Thanks
__________________
MS-MVP Consumer Security 2007-08-09
Proud Member ASAP
UNITE Member 2006
Old 2007-03-24, 14:52   #8
unskilled
Junior Member
 
Join Date: Mar 2007
Posts: 13

yes there are 3 users on this computer
the virus is a trojan.vundo, which reappears every time i reboot the computer. norton detects and clears it.
it comes in the form of a .dll file, and the letters are always random.
about msn, when i open it, i lose control of the mouse. if i log in, it will automatically open up chat windows, and from what other people say, it sends a meg with a link, probably to the infection site.
i think this is how my sister got the virus in the first place.

7) Uninstall Manager >>> Open Hijackthis.
where's the uninstall manager?
Old 2007-03-24, 16:02   #9
pskelley
In Memoriam -Always in our heart
 
Join Date: Oct 2005
Location: Clearwater, Florida
Posts: 20,558

Sounds like you have a pretty good mess of hidden junk! I will start by saying this computer needs to be taken out of service until we get it cleaned, I would use it ONLY when you are troubleshooting. I will need to see a HJT log for each user, marked plainly for what user it belongs to but not until I ask for them. Since it sounds like information is being sent from your computer, until we identify and remove the junk you will want to take action to protect yourself, this information will help:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

How to use the Uninstall Manager
To access the Uninstall Manager you would do the following:
Start HijackThis
Click on the Config button
Click on the Misc Tools button
Click on the Open Uninstall Manager button.
You will now be presented with a screen similar to the one below:
http://www.bleepingcomputer.com/tuto...42.html#uniman
http://www.bleepingcomputer.com/tuto...utorial42.html

This folder: C:\HJT\HijackThis.exe <<< return here and rename HijackThis.exe, call it unskilled.exe or whatever. Vundo may show up after a reboot.

Please download F-Secure BlackLight Beta:
https://europe.f-secure.com/exclude/...ht/index.shtml

Save it to its own folder in the Desktop
Double-click blbeta.exe to run the program
Click : Scan
A list of all items found is created

The list is in the BlackLight folder on the Desktop, and named fsbl.xxxxxxx.log (xxxxxxx are numbers).

Please provide the log created by BlackLight in your next reply.
(Do not remove anything, most if not all files are valid)

Restart the computer and post the uninstall list, the results of the BlackLight scan, a new HJT log and any comments you think will help.

Thanks
__________________
MS-MVP Consumer Security 2007-08-09
Proud Member ASAP
UNITE Member 2006
Old 2007-03-24, 23:48   #10
unskilled
Junior Member
 
Join Date: Mar 2007
Posts: 13

AVG scan report

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:22:01 AM 25/03/2007

+ Scan result:



C:\Program Files\Mozilla Firefox\SmitfraudFix\SmiUpdate.exe -> Adware.SmiUpdate : No action taken.
C:\System Volume Information\_restore{6777EED4-46BD-4AE5-A0E4-09B4AF1ECD7D}\RP99\A0020807.exe -> Adware.SmiUpdate : No action taken.
:mozilla.105:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.164:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.38:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.39:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.40:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.41:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.100:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.104:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.94:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.95:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.96:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.98:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.99:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.232:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.233:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.29:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.30:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.31:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.63:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.211:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.212:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.213:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.214:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.215:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.216:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.37:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.222:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.223:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.224:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.225:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.115:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.116:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.117:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.123:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.122:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Paypal : No action taken.
:mozilla.151:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.152:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.153:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.154:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.65:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.66:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.67:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.32:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
:mozilla.33:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
:mozilla.34:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
:mozilla.35:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
:mozilla.36:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
:mozilla.79:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.80:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.81:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.82:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.83:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.84:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.217:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Tradedoubler : No action taken.
:mozilla.240:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.28:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.69:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.72:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.73:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.74:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.75:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.77:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.78:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\cewqzcd0.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
C:\My Documents\My Received Files\MSPro v3a.zip/MSPro v3a/MSPro.exe -> Trojan.Small : No action taken.
C:\My Documents\My Received Files\MSPro v3a.zip/MSPro v3a/TestPad.exe -> Trojan.Small : No action taken.
C:\My Documents\sidney\dunno\MSPro v3a.zip/MSPro v3a/MSPro.exe -> Trojan.Small : No action taken.
C:\My Documents\sidney\dunno\MSPro v3a.zip/MSPro v3a/TestPad.exe -> Trojan.Small : No action taken.


::Report end

uninstall list


Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Reader 8
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HydraVision
AVG Anti-Spyware 7.5
Azureus
BA Installer
CASIO ClassPad Manager ClassPad 300
DivX
DivX Player
DVD Shrink 3.2
EPSON CardMonitor
EPSON PhotoQuicker3.5
EPSON PhotoStarter3.1
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
EPSON Scan Tool Light 1.0
EPSON Web-To-Page
ESCX1500 Reference Guide
ESCX1500 Software Guide
EvilLyrics
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Hamachi 1.0.1.5
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
i-Cool
Inspiration 8
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Japanese Fonts Support For Adobe Reader 8
LimeWire 4.12.6
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Shockwave Player
Messenger Plus! Live
Microsoft .NET Framework 2.0
Microsoft Office Professional Edition 2003
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Windows Journal Viewer
MindManager 2002
Mozilla Firefox (2.0.0.3)
Neopets
Nero 6 Ultra Edition
Panda ActiveScan
PeerGuardian 2.0
PIF DESIGNER2.1
PowerDVD
PowerQuest PartitionMagic 8.0
PPStream
QuickTime
Real Alternative 1.48
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
ScanToWeb
SmartSound Quicktracks Plugin
Sony Picture Utility
Sony USB Driver
Spybot - Search & Destroy 1.4
StyleXP (remove only)
Symantec AntiVirus
Ulead VideoStudio 10
Winamp (remove only)
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Media Format Runtime
WinRAR archiver

blacklight scan found nothing.
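
An added example, not part of any post in this thread: a small triage script for reports in the AVG Anti-Spyware layout shown above, which separates tracking-cookie entries from file detections and flags detections that are unhandled, sit in a System Restore point, or sit inside an archive. The sample report is constructed, and reading the forward slash after `.zip` as "member inside the archive" is an assumption drawn from the report's layout.

```python
import re
from collections import Counter

# Constructed sample in the layout of an AVG Anti-Spyware report (not the poster's data).
SAMPLE_REPORT = r"""
+ Scan result:
C:\Tools\Fix\Updater.exe -> Adware.Example : No action taken.
C:\System Volume Information\_restore{PLACEHOLDER}\RP1\A0000001.exe -> Adware.Example : No action taken.
:mozilla.10:C:\Profiles\x.default\cookies.txt -> TrackingCookie.ExampleAds : No action taken.
:mozilla.11:C:\Profiles\x.default\cookies.txt -> TrackingCookie.ExampleAds : No action taken.
C:\My Documents\sample.zip/sample/Tool.exe -> Trojan.Example : Quarantined.
::Report end
"""

LINE = re.compile(
    r"^(?::(?P<store>[\w.]+):)?"  # optional cookie-store prefix, e.g. :mozilla.10:
    r"(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+?)\.?$"
)

def parse_report(text):
    """Return one dict per finding line; headers and '::Report end' are skipped."""
    findings = []
    for raw in text.splitlines():
        match = LINE.match(raw.strip())
        if match:
            findings.append(match.groupdict())
    return findings

def triage(findings):
    """Count cookie entries per family and annotate every non-cookie detection."""
    cookies = Counter()
    files = []
    for f in findings:
        if f["name"].startswith("TrackingCookie."):
            cookies[f["name"]] += 1
            continue
        files.append({
            "path": f["path"],
            "name": f["name"],
            # Nothing was deleted or quarantined for this entry.
            "unhandled": f["action"].lower().startswith("no action"),
            # Copy kept by System Restore; it outlives removal of the live file.
            "in_restore_point": "\\System Volume Information\\" in f["path"],
            # Assumption: '<archive>/<member>' means the file is inside the archive.
            "in_archive": bool(re.search(r"\.(zip|rar|cab)/", f["path"], re.I)),
        })
    return {"cookies": cookies, "files": files}

if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print("cookie entries:", dict(result["cookies"]))
    for item in result["files"]:
        flags = [k for k in ("unhandled", "in_restore_point", "in_archive") if item[k]]
        print(item["name"], item["path"], flags)
```
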
All times are GMT +2. The time now is 17:24.


Copyright © 2000-2010 Safer-Networking Limited. All rights reserved.