Google Redirect Problem

Prometheus
2007-02-11, 05:38
Hi Everyone,

I think my computer is infected with spyware or malware. At first, there was a pop-up alert about a virus/trojan infection and the homepage always went to protectionwarning.com. Then I surfed the net to find a way to fix it. I deleted some programs I had accidentally d/l'd from the net, e.g. VideoActive X (or something named like this), Internet Security Guideline, Internet Security Add-on. Then I could get my homepage back.

However, I found another problem. When I search Google and click on a link provided by GG, it always (not every time, but almost every first 2-3 times that I try to follow such a link) redirects to another website such as Robogold.Biz, Hrena.Com, aicse.com etc. I tried to scan my com with Spybot S&D and fix the problem, but it still exists. I then surfed the net again and found this website. I registered and would like to ask for your help, please.

Here is my HJT log file from before I connected to the internet.

Logfile of HijackThis v1.99.1
Scan saved at 10:19:33, on 11/2/2550
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\MOJ\SearchS.exe
C:\MOJ\SUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.th
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.th
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.msn.co.th
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.tiscoetrade.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - (no file)
O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} - C:\WINDOWS\system32\SHDOCVW.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ServerDB] C:\MOJ\ServerDB.exe
O4 - HKLM\..\Run: [SearchS] C:\MOJ\SearchS.exe
O4 - HKLM\..\Run: [SUpdate] C:\MOJ\SUpdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/script/actions/related.htm
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {23D236EA-B936-4B2B-900C-D0E8DBBF9570} (BugsGameStarts Class) - http://audition.playpark.com/login/play/ThaiGameStart.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Everything seems to look normal to me (however, I'm not so good at computers).

But after I connect to the net and run HJT again, its log file shows this.

Logfile of HijackThis v1.99.1
Scan saved at 10:21:19, on 11/2/2550
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\MOJ\SearchS.exe
C:\MOJ\SUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.th
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.th
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.msn.co.th
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.tiscoetrade.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - (no file)
O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} - C:\WINDOWS\system32\SHDOCVW.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ServerDB] C:\MOJ\ServerDB.exe
O4 - HKLM\..\Run: [SearchS] C:\MOJ\SearchS.exe
O4 - HKLM\..\Run: [SUpdate] C:\MOJ\SUpdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/script/actions/related.htm
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {23D236EA-B936-4B2B-900C-D0E8DBBF9570} (BugsGameStarts Class) - http://audition.playpark.com/login/play/ThaiGameStart.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8416CDBE-388F-476C-A205-0833F4FC2930}: NameServer = 85.255.116.38 85.255.112.95
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

I did it many times and noticed that this line always appears after I connect to the net:

"O17 - HKLM\System\CCS\Services\Tcpip\..\{8416CDBE-388F-476C-A205-0833F4FC2930}: NameServer = 85.255.116.38 85.255.112.95"

I guess it should relate to my problem, right? But I don't know what to do with it.

I also d/l'd Fixwareout and already ran it. Here is the report.


Fixwareout
Last edited 1/30/2007
Post this report in the forums please
...
Prerun check
»»»»» HKLM run and Winlogon System values

»»»»» System restarted
Reg Entries that were deleted
...
Random Runs removed from HKLM
...

»»»»» Misc files.

»»»»» Checking for older varients.

»»»»» Postrun check
»»»»» HKLM run
»»»»» Winlogon System value
"system"=""
»»»»»

PLEASE NOTE, There CAN be LEGITIMATE FILES LISTED IN THIS SECTION.

This WILL/CAN also list Legit Files, Submit them at Virustotal
Search five digit cs, dm kd and jb files.
»»»»»
»»»»» Current runs

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"ServerDB"="C:\\MOJ\\ServerDB.exe"
"SearchS"="C:\\MOJ\\SearchS.exe"
"SUpdate"="C:\\MOJ\\SUpdate.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

Hosts file was reset, If you use a custom hosts file please replace it

Please help me with this problem. Thanks in advance.

Prometheus

Angelfire777
2007-02-11, 13:27
Hi, welcome to Safer Networking Forums!

I noticed that you are running 2 antivirus programs at the same time. Running 2 antivirus programs at the same time could cause your computer to slow down. Moreover, it will only reduce your machine's overall security. I recommend that you disable one of your antivirus products to avoid conflicts.

*Do you know anything about this folder:

C:\MOJ

If not, please go inside that folder, find a file, then right-click it and check its properties. Post back with the properties of the file.
________________________________

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O17 - HKLM\System\CCS\Services\Tcpip\..\{8416CDBE-388F-476C-A205-0833F4FC2930}: NameServer = 85.255.116.38 85.255.112.95

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.


*Now let's check some settings on your system.
(2000/XP) Only

In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category, otherwise double-click on Network Connections.
Then right click on your default connection, usually Local Area Connection for cable and dsl, and left click on Properties.
Click the Networking tab.
Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.


Next go to Start > Run > type cmd and hit OK

type ipconfig /flushdns

then hit enter, type exit hit enter.
(that space between g and / is needed)

Reboot.
____________________________________

Please download SmitfraudFix (http://72.232.135.12/siri/SmitfraudFix.php) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run any other options except for Option # 1.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
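
The manual comparison Prometheus made above (running HJT before and after connecting and spotting the new O17 line) and the DNS check Angelfire777 asks for can be done programmatically. This is an added example, not code from the thread, from HijackThis or from the forum; the log excerpts are constructed from the logs posted in this thread, and it assumes the two 203.144.207.x resolvers seen in the later clean log are the ISP's legitimate servers.

```python
"""Diff two HijackThis logs and flag O17 NameServer entries that point at
resolvers not on a trusted list (added example, not from the thread)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpts modelled on the two logs posted above (shortened).
LOG_BEFORE_CONNECT = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\MOJ\SearchS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.th
O4 - HKLM\..\Run: [SearchS] C:\MOJ\SearchS.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

# Same machine after going online: the O17 line from the thread appears.
LOG_AFTER_CONNECT = LOG_BEFORE_CONNECT + r"""O17 - HKLM\System\CCS\Services\Tcpip\..\{8416CDBE-388F-476C-A205-0833F4FC2930}: NameServer = 85.255.116.38 85.255.112.95
"""

# After the fix: the O17 line now names the ISP's resolvers (from the later log).
LOG_AFTER_FIX = LOG_BEFORE_CONNECT + r"""O17 - HKLM\System\CCS\Services\Tcpip\..\{8416CDBE-388F-476C-A205-0833F4FC2930}: NameServer = 203.144.207.29 203.144.207.49
"""

# Assumption: these are the legitimate resolvers for this machine (the pair
# shown in the thread's post-cleanup log). Adjust for your own network.
TRUSTED_DNS: Set[str] = {"203.144.207.29", "203.144.207.49"}

# HJT entries look like "R1 - ...", "O4 - ...", "O17 - ..."; process paths do not.
ENTRY_RE = re.compile(r"^(?:R\d|O\d{1,2}) - ")
O17_RE = re.compile(r"^O17 - .*?: NameServer = (.+)$")


def hjt_entries(log: str) -> Set[str]:
    """Return the R/O entries of a log; header and process list are skipped."""
    return {ln.strip() for ln in log.splitlines() if ENTRY_RE.match(ln.strip())}


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (entries new in `after`, entries that vanished since `before`)."""
    b, a = hjt_entries(before), hjt_entries(after)
    return sorted(a - b), sorted(b - a)


def nameservers(log: str) -> List[str]:
    """All resolver addresses named in O17 lines, in log order."""
    out: List[str] = []
    for ln in log.splitlines():
        m = O17_RE.match(ln.strip())
        if m:
            out.extend(m.group(1).split())
    return out


def rogue_nameservers(log: str, trusted: Set[str]) -> List[str]:
    """Resolvers in O17 lines that are not on the trusted list."""
    return [ip for ip in nameservers(log) if ip not in trusted]


def triage(before: str, after: str, trusted: Set[str]) -> Dict[str, object]:
    """Summarise what changed and whether a DNS hijack is suspected:
    a new O17 entry *and* at least one untrusted resolver."""
    added, removed = diff_logs(before, after)
    rogue = rogue_nameservers(after, trusted)
    return {
        "added": added,
        "removed": removed,
        "rogue_dns": rogue,
        "dns_hijack_suspected": any(e.startswith("O17 - ") for e in added) and bool(rogue),
    }


if __name__ == "__main__":
    for label, after in (("after connect", LOG_AFTER_CONNECT), ("after fix", LOG_AFTER_FIX)):
        result = triage(LOG_BEFORE_CONNECT, after, TRUSTED_DNS)
        print(label, "->", "SUSPECT" if result["dns_hijack_suspected"] else "ok",
              result["rogue_dns"])
```

A mismatch between the resolvers an interface reports and the ones your ISP or DHCP server hands out is the same signal Angelfire777 has the user check by hand in the TCP/IP properties dialog.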

Prometheus
2007-02-11, 17:04
Dear Angelfire777,

First of all, thank you very much for your help. I really appreciate it.

1. You said that you see I have 2 antivirus programs running at the same time. I guess it must be AVG 7.5 and Symantec Antivirus. I think they were installed by my friend and my brother because, as I said, I'm not good at computers. You suggested that either one should be disabled. Please advise which one should be the remaining one and how to disable the chosen one.

2. I did everything you suggested in your reply. Here is the report from SmitfraudFix.

SmitFraudFix v2.141

Scan done at 21:43:30.81, Sun 02/11/2007
Run from D:\Program Files\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Amp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Amp\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\AMP\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2acf3add-34a1-4f2f-99cf-cc69785d1e90}"="exemplars"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

3. For C:\MOJ, I guess it's part of the program for searching supreme court judgments of Thailand (I live in Bangkok and work as a legal advisor), which I installed a month ago. I got a copy of the CD from my colleague, who copied it from the original CD from the Ministry of Justice (of course, it's MOJ). Do you think it has anything to do with my problem?

Thanks again in advance.

Prometheus

Angelfire777
2007-02-12, 14:11
You said that you see I have 2 antivirus programs running at the same time. I guess it must be AVG 7.5 and Symantec Antivirus. I think they were installed by my friend and my brother because, as I said, I'm not good at computers. You suggested that either one should be disabled. Please advise which one should be the remaining one and how to disable the chosen one.

It's your choice which Antivirus you want to disable. When you have decided, please notify me which you have decided to turn off on your next post so I can give you instructions.


For C:\MOJ, I guess it's part of the program for searching supreme court judgments of Thailand (I live in Bangkok and work as a legal advisor), which I installed a month ago. I got a copy of the CD from my colleague, who copied it from the original CD from the Ministry of Justice (of course, it's MOJ). Do you think it has anything to do with my problem?

Not at all. The reason I asked was that I couldn't find any information about that folder. Thanks for checking it out for me.
_________________________________

Please print out or copy these instructions to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

*Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Do not use it yet!


*Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune

Do not use it yet.
______________________________

Reboot into Safe Mode

To enter Safe Mode..

Click start > turn off computer > Restart > Tap F8 key just before Windows starts to load, > this will bring up a menu > use your keyboard to scroll to Safe Mode> hit enter
______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Important: Make sure all your browsers are closed before running ATF Cleaner..

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose:Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click
No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE:If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
______________________________

Please run AVG AntiSpyware, and run a full scan as follows:

IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning process.

Launch AVG AntiSpyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
Ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
Close AVG AntiSpyware.
Reboot to normal mode.
______________________________
Please post:
c:\rapport.txt
AVG AntiSpyware log
A new HijackThis log

Prometheus
2007-02-13, 16:00
Dear Angelfire777,

Thank you again for your help.

1. OK. I think I'd like to choose AVG 7.5 in order to go along with AVG Anti Spyware. So, please tell me how to disable Symantec Antivirus.

2. Here is the SmitFraudFix report.
SmitFraudFix v2.141

Scan done at 22:47:38.70, Mon 02/12/2007
Run from D:\Program Files\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2acf3add-34a1-4f2f-99cf-cc69785d1e90}"="exemplars"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process

3. A new HJT log file.
Logfile of HijackThis v1.99.1
Scan saved at 2:02:41, on 13/2/2550
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\MOJ\SearchS.exe
C:\MOJ\SUpdate.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.msn.co.th
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} - C:\WINDOWS\system32\SHDOCVW.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ServerDB] C:\MOJ\ServerDB.exe
O4 - HKLM\..\Run: [SearchS] C:\MOJ\SearchS.exe
O4 - HKLM\..\Run: [SUpdate] C:\MOJ\SUpdate.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/script/actions/related.htm
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {23D236EA-B936-4B2B-900C-D0E8DBBF9570} (BugsGameStarts Class) - http://audition.playpark.com/login/play/ThaiGameStart.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8416CDBE-388F-476C-A205-0833F4FC2930}: NameServer = 203.144.207.29 203.144.207.49
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

4. For AVG Antispyware, when the scan finished, you said:
"If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important)."

I don't see any "Apply all actions" for me to select. It just goes to the report page. Is this OK? However, here is the log file from AVG Anti-Spyware.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:44:41 13/2/2550

+ Scan result:



HKLM\SOFTWARE\Classes\Popup.HTMLEvent -> Adware.Alexa : Ignored.
HKLM\SOFTWARE\Classes\Popup.HTMLEvent.1 -> Adware.Alexa : Ignored.
HKLM\SOFTWARE\Classes\Popup.HTMLEvent\CLSID -> Adware.Alexa : Ignored.
HKLM\SOFTWARE\Classes\Popup.HTMLEvent\CurVer -> Adware.Alexa : Ignored.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alexa -> Adware.Alexa : Ignored.
HKU\S-1-5-21-73586283-343818398-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\Mail to a Friend... -> Adware.Alexa : Ignored.
HKU\S-1-5-21-73586283-343818398-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\See Related Links -> Adware.Alexa : Ignored.
C:\System Volume Information\_restore{8A264300-9DBD-4C6F-BD8C-B083598634E2}\RP11\A0007856.dll -> Adware.AlexaBar : Ignored.
D:\Documents and Settings\Amp\Local Settings\Temporary Internet Files\Content.IE5\GPO7C9AX\AlexaInstaller[1].exe -> Adware.AlexaBar : Ignored.
D:\System Volume Information\_restore{8A264300-9DBD-4C6F-BD8C-B083598634E2}\RP11\A0007858.dll -> Adware.AlexaBar : Ignored.
D:\System Volume Information\_restore{8A264300-9DBD-4C6F-BD8C-B083598634E2}\RP11\A0007859.dll -> Adware.AlexaBar : Ignored.
D:\System Volume Information\_restore{8A264300-9DBD-4C6F-BD8C-B083598634E2}\RP9\A0006498.exe -> Adware.AlexaBar : Ignored.
C:\System Volume Information\_restore{8A264300-9DBD-4C6F-BD8C-B083598634E2}\RP10\A0007805.exe -> Adware.AntiVermins : Ignored.
HKU\S-1-5-21-73586283-343818398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Ignored.
HKU\S-1-5-21-73586283-343818398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F1FABE79-25FC-46DE-8C5A-2C6DB9D64333} -> Adware.Generic : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} -> Adware.TitanShieldAntispyware : Ignored.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} -> Adware.TitanShieldAntispyware : Ignored.
D:\Softwares\Office2003\-= KeyGen =-\Win2K3-KeyGen -> Backdoor.Tagent.e : Ignored.
C:\System Volume Information\_restore{8A264300-9DBD-4C6F-BD8C-B083598634E2}\RP9\A0007656.EXE -> Downloader.Zlob.bni : Ignored.
C:\System Volume Information\_restore{8A264300-9DBD-4C6F-BD8C-B083598634E2}\RP11\A0007857.dll -> Not-A-Virus.Hoax.Win32.Renos.NAO : Ignored.
C:\System Volume Information\_restore{8A264300-9DBD-4C6F-BD8C-B083598634E2}\RP11\A0007925.dll -> Not-A-Virus.Monitor.Win32.Perflogger.163 : Ignored.
C:\System Volume Information\_restore{8A264300-9DBD-4C6F-BD8C-B083598634E2}\RP11\A0007922.exe -> Not-A-Virus.Monitor.Win32.Perflogger.ad : Ignored.
C:\System Volume Information\_restore{8A264300-9DBD-4C6F-BD8C-B083598634E2}\RP11\A0007855.exe -> Not-A-Virus.Monitor.Win32.Perflogger.bx : Ignored.
D:\WinME & Program\-- Multimedia --\WMV.to.AVI.MPEG.VCD.SVCD.DVD.Converter.v1.3.8\Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Ignored.
D:\Documents and Settings\Amp\Cookies\amp@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Ignored.
D:\Documents and Settings\Amp\Cookies\amp@adbrite[2].txt -> TrackingCookie.Adbrite : Ignored.
D:\Documents and Settings\Amp\Cookies\amp@adtech[2].txt -> TrackingCookie.Adtech : Ignored.
D:\Documents and Settings\Amp\Cookies\amp@ehg-liverpoolfctv.hitbox[2].txt -> TrackingCookie.Hitbox : Ignored.
D:\Documents and Settings\Amp\Cookies\amp@ehg-speakeasy.hitbox[2].txt -> TrackingCookie.Hitbox : Ignored.
D:\Documents and Settings\Amp\Cookies\amp@hg1.hitbox[1].txt -> TrackingCookie.Hitbox : Ignored.
D:\Documents and Settings\Amp\Cookies\amp@hitbox[2].txt -> TrackingCookie.Hitbox : Ignored.
D:\Documents and Settings\Amp\Cookies\amp@counter.hitslink[1].txt -> TrackingCookie.Hitslink : Ignored.
D:\Documents and Settings\Amp\Cookies\amp@serving-sys[1].txt -> TrackingCookie.Serving-sys : Ignored.
D:\Documents and Settings\Amp\Cookies\amp@statcounter[1].txt -> TrackingCookie.Statcounter : Ignored.
D:\WinME & Program\-- Utilities Program --\Karaoke Builder v2.0.03\crack\fa-kb20crk.exe -> Trojan.Proxcrak.A : Ignored.


::Report end

As usual, thanks again in advance for your great help.

Prometheus

Angelfire777
2007-02-15, 11:11
OK. I think I'd like to choose AVG 7.5 in order to go along with AVG Anti Spyware. So, please tell me how to disable Symantec Antivirus.

It's really OK even if you run Norton with AVG Anti-Spyware.

Follow the instructions here to disable Norton Antivirus: http://service1.symantec.com/SUPPORT/nav.nsf/docid/1997121131456


I don't see any "Apply all actions" for me to select. It just goes to the report page. Is this OK? However, here is the log file from AVG Anti-Spyware.

Can you try the scan once more in safe mode, and this time, for each infection detected, click the option to quarantine or remove the infected files. Without hitting the "Apply all actions" button, AVG Anti-Spyware doesn't clean anything at all.

Prometheus
2007-02-16, 17:39
Dear Angelfire777,

I think I have already found the reason why I didn't see "Apply all actions". In the "Settings" tab, at first, the action was not set to "Delete". When I selected "Delete", I could see "Apply all actions". Here is the log file from AVG Anti-Spyware.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:40:24 16/2/2550

+ Scan result:



HKLM\SOFTWARE\Classes\Popup.HTMLEvent -> Adware.Alexa : Cleaned.
HKLM\SOFTWARE\Classes\Popup.HTMLEvent.1 -> Adware.Alexa : Cleaned.
HKLM\SOFTWARE\Classes\Popup.HTMLEvent\CLSID -> Adware.Alexa : Cleaned.
HKLM\SOFTWARE\Classes\Popup.HTMLEvent\CurVer -> Adware.Alexa : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alexa -> Adware.Alexa : Cleaned.
HKU\S-1-5-21-73586283-343818398-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\Mail to a Friend... -> Adware.Alexa : Cleaned.
HKU\S-1-5-21-73586283-343818398-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\See Related Links -> Adware.Alexa : Cleaned.
D:\Documents and Settings\Amp\Local Settings\Temporary Internet Files\Content.IE5\GPO7C9AX\AlexaInstaller[1].exe -> Adware.AlexaBar : Cleaned.
D:\System Volume Information\_restore{8A264300-9DBD-4C6F-BD8C-B083598634E2}\RP9\A0006498.exe -> Adware.AlexaBar : Cleaned.
C:\System Volume Information\_restore{8A264300-9DBD-4C6F-BD8C-B083598634E2}\RP10\A0007805.exe -> Adware.AntiVermins : Cleaned.
HKU\S-1-5-21-73586283-343818398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Cleaned.
HKU\S-1-5-21-73586283-343818398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F1FABE79-25FC-46DE-8C5A-2C6DB9D64333} -> Adware.Generic : Cleaned.
HKLM\SOFTWARE\Classes\CLSID\{3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} -> Adware.TitanShieldAntispyware : Cleaned.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} -> Adware.TitanShieldAntispyware : Cleaned.
HKU\S-1-5-21-73586283-343818398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B} -> Adware.TitanShieldAntispyware : Cleaned.
D:\Softwares\Office2003\-= KeyGen =-\Win2K3-KeyGen -> Backdoor.Tagent.e : Cleaned.
C:\System Volume Information\_restore{8A264300-9DBD-4C6F-BD8C-B083598634E2}\RP9\A0007656.EXE -> Downloader.Zlob.bni : Cleaned.
C:\System Volume Information\_restore{8A264300-9DBD-4C6F-BD8C-B083598634E2}\RP11\A0007925.dll -> Not-A-Virus.Monitor.Win32.Perflogger.163 : Cleaned.
C:\System Volume Information\_restore{8A264300-9DBD-4C6F-BD8C-B083598634E2}\RP11\A0007922.exe -> Not-A-Virus.Monitor.Win32.Perflogger.ad : Cleaned.
D:\WinME & Program\-- Multimedia --\WMV.to.AVI.MPEG.VCD.SVCD.DVD.Converter.v1.3.8\Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
C:\Documents and Settings\Amp\Cookies\amp@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Amp\Cookies\amp@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Amp\Cookies\amp@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Amp\Cookies\amp@adtech[1].txt -> TrackingCookie.Adtech : Cleaned.
D:\Documents and Settings\Amp\Cookies\amp@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
D:\Documents and Settings\Amp\Cookies\amp@ehg-liverpoolfctv.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\Amp\Cookies\amp@ehg-speakeasy.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\Amp\Cookies\amp@hg1.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\Amp\Cookies\amp@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\Amp\Cookies\amp@counter.hitslink[1].txt -> TrackingCookie.Hitslink : Cleaned.
D:\Documents and Settings\Amp\Cookies\amp@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Amp\Cookies\amp@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
D:\Documents and Settings\Amp\Cookies\amp@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
D:\WinME & Program\-- Utilities Program --\Karaoke Builder v2.0.03\crack\fa-kb20crk.exe -> Trojan.Proxcrak.A : Cleaned.


::Report end

Please have a look at it again and give me your opinion.

Thanks
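
The two scan reports above differ in more than the "Ignored"/"Cleaned" column: several restore-point files from the first report do not appear in the second at all. As an added example (not part of this thread and not AVG's own tooling), here is a small Python script that compares two AVG Anti-Spyware reports object by object and sorts every first-report detection into cleaned, not cleaned, unaccounted for, or new. The two report excerpts embedded below are constructed in the same line format as the thread's reports; the "still Ignored" entry in the second excerpt is a deliberate constructed variation so the not-cleaned bucket is exercised, it is not something the thread's second report actually shows.

```python
"""Compare two AVG Anti-Spyware scan reports (added example, not AVG's code).

Answers the helper's question in this thread: did every detection that was
only "Ignored" in the first report come back as "Cleaned" in the second, is
anything still present with another action, and did anything disappear
without being reported at all?
"""
from __future__ import annotations

import re

# One detection per report line:  "<object> -> <signature> : <action>."
LINE_RE = re.compile(r"^(?P<obj>.+?) -> (?P<sig>.+?) : (?P<action>[A-Za-z ]+)\.$")

# Constructed excerpt in the format of the thread's first ("Ignored") report.
BEFORE = r"""
HKLM\SOFTWARE\Classes\Popup.HTMLEvent -> Adware.Alexa : Ignored.
HKLM\SOFTWARE\Classes\Popup.HTMLEvent.1 -> Adware.Alexa : Ignored.
C:\System Volume Information\_restore{8A264300-9DBD-4C6F-BD8C-B083598634E2}\RP11\A0007856.dll -> Adware.AlexaBar : Ignored.
D:\Softwares\Office2003\-= KeyGen =-\Win2K3-KeyGen -> Backdoor.Tagent.e : Ignored.
D:\Documents and Settings\Amp\Cookies\amp@adbrite[2].txt -> TrackingCookie.Adbrite : Ignored.
"""

# Constructed excerpt in the format of the second ("Cleaned") report.  The
# Popup.HTMLEvent.1 line is left as "Ignored" on purpose (constructed, not
# from the thread) so that the not_cleaned bucket has something to show.
AFTER = r"""
HKLM\SOFTWARE\Classes\Popup.HTMLEvent -> Adware.Alexa : Cleaned.
HKLM\SOFTWARE\Classes\Popup.HTMLEvent.1 -> Adware.Alexa : Ignored.
D:\Softwares\Office2003\-= KeyGen =-\Win2K3-KeyGen -> Backdoor.Tagent.e : Cleaned.
D:\Documents and Settings\Amp\Cookies\amp@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Amp\Cookies\amp@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
"""


def parse_report(text: str) -> dict[str, tuple[str, str]]:
    """Map each detected object (file path or registry key) to (signature, action)."""
    found: dict[str, tuple[str, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found[m["obj"]] = (m["sig"], m["action"])
    return found


def compare_reports(before: str, after: str) -> dict[str, list[str]]:
    """Classify every object of the first report by what the second report says about it."""
    b, a = parse_report(before), parse_report(after)
    result: dict[str, list[str]] = {
        "cleaned": [],      # reported again, action is Cleaned
        "not_cleaned": [],  # reported again, but with some other action (Ignored, ...)
        "unaccounted": [],  # absent from the second report: neither cleaned nor ignored
        "new": [],          # only in the second report
    }
    for obj in b:
        if obj not in a:
            result["unaccounted"].append(obj)
        elif a[obj][1] == "Cleaned":
            result["cleaned"].append(obj)
        else:
            result["not_cleaned"].append(obj)
    result["new"] = [obj for obj in a if obj not in b]
    return result


def summarize(before: str, after: str) -> list[str]:
    """Human-readable lines, one per bucket entry, for pasting into a reply."""
    lines = []
    for bucket, objs in compare_reports(before, after).items():
        for obj in objs:
            lines.append(f"{bucket:12s} {obj}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(BEFORE, AFTER)))
```

Entries that land in "unaccounted" deserve a second look: a restore-point file that stops being reported may simply have been rotated out by System Restore, but the report alone cannot tell you that, which is one more reason to flush old restore points once the machine is clean.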

Angelfire777
2007-02-17, 10:18
Hi,

did you download the following cracks? If so, please do not download or use cracks. Using these is a sure way to get your system very infected with malware.


D:\Softwares\Office2003\-= KeyGen =-\Win2K3-KeyGen
D:\WinME & Program\-- Multimedia --\WMV.to.AVI.MPEG.VCD.SVCD.DVD.Converter.v1.3.8\Patch.exe
D:\WinME & Program\-- Utilities Program --\Karaoke Builder v2.0.03\crack\fa-kb20crk.exe

Please post a fresh HijackThis log and a description of how your machine is running.

Prometheus
2007-02-18, 03:32
Dear Angelfire777,

1. For your question, again, I think it was installed by my brother or my friend. In fact, I have never used such programs (Karaoke Builder, etc.).

2. Here is the latest HJT log file.

Logfile of HijackThis v1.99.1
Scan saved at 8:29:01, on 18/2/2550
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\MOJ\SearchS.exe
C:\MOJ\SUpdate.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.msn.co.th
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ServerDB] C:\MOJ\ServerDB.exe
O4 - HKLM\..\Run: [SearchS] C:\MOJ\SearchS.exe
O4 - HKLM\..\Run: [SUpdate] C:\MOJ\SUpdate.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {23D236EA-B936-4B2B-900C-D0E8DBBF9570} (BugsGameStarts Class) - http://audition.playpark.com/login/play/ThaiGameStart.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8416CDBE-388F-476C-A205-0833F4FC2930}: NameServer = 203.144.207.29 203.144.207.49
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Thanks for your kindness.

Prometheus
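
A helper reads a HijackThis log like the one above by entry type: O2 browser helper objects, O4 autostart entries, O16 ActiveX downloads and O17 DNS server settings are the ones most often behind a search-redirect complaint. As an added example (not part of this thread and not a feature of HijackThis), here is a Python triage script for the v1.99.1 log format. The sample log embedded in it is constructed from lines in the same format as the thread's logs; the list of "expected" program directories, the Microsoft host suffixes used for O16 and the trusted-resolver parameter are assumptions of this example. A flag means "verify", not "malware": Spybot's SDHelper.dll legitimately shows up as an unnamed BHO, and the helper in this thread left the O17 resolvers and the C:\MOJ entries alone.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not HijackThis code).

Parses the "Oxx - ..." entry lines and flags the ones a helper would check
first.  Every flag is a prompt to verify the entry, never a verdict.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed sample in HijackThis v1.99.1 format, modelled on the thread's logs.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SearchS] C:\MOJ\SearchS.exe
O16 - DPF: {23D236EA-B936-4B2B-900C-D0E8DBBF9570} (BugsGameStarts Class) - http://audition.playpark.com/login/play/ThaiGameStart.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8416CDBE-388F-476C-A205-0833F4FC2930}: NameServer = 203.144.207.29 203.144.207.49
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# First drive-letter path ending in .exe/.dll/.lnk; quotes are excluded so a
# quoted path does not swallow the arguments that follow it.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|lnk))', re.IGNORECASE)
# Assumption of this example: autostarts under these directories are "expected".
SAFE_DIR_RE = re.compile(r"^[a-z]:\\(windows|program files|progra~1)\\", re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")
# Assumption of this example: ActiveX downloads from these hosts are not flagged.
MS_HOSTS = ("microsoft.com", "windowsupdate.com")


def parse_hjt(text: str) -> list[tuple[str, str]]:
    """Return (entry kind, body) for every 'Oxx - ...' / 'Rx - ...' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["kind"], m["body"]))
    return entries


def triage(text: str, trusted_dns: Iterable[str] = ()) -> list[tuple[str, str]]:
    """Flag entries worth a second look; returns (kind, reason) pairs."""
    trusted = set(trusted_dns)
    findings: list[tuple[str, str]] = []
    for kind, body in parse_hjt(text):
        if kind == "O4":
            m = PATH_RE.search(body)
            if m and not SAFE_DIR_RE.match(m.group(1)):
                findings.append((kind, f"autostart outside Windows/Program Files: {m.group(1)}"))
        elif kind == "O17":
            m = re.search(r"NameServer = (.+)$", body)
            if m:
                servers = re.split(r"[\s,]+", m.group(1).strip())
                unknown = [s for s in servers if s not in trusted]
                if unknown:
                    findings.append((kind, "DNS servers not on your ISP list, verify: " + " ".join(unknown)))
        elif kind == "O16":
            m = URL_HOST_RE.search(body)
            if m and not m.group(1).lower().endswith(MS_HOSTS):
                findings.append((kind, f"ActiveX control downloaded from {m.group(1)}"))
        elif kind == "O2" and body.startswith("BHO: (no name)"):
            m = PATH_RE.search(body)
            findings.append((kind, f"unnamed BHO, identify the DLL: {m.group(1) if m else body}"))
    return findings


if __name__ == "__main__":
    for kind, reason in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}")
```

Passing your ISP's resolvers in `trusted_dns` silences the O17 flag; a redirect that persists after the rest of the log is clean is a good reason to compare the O17 addresses against what the ISP actually hands out.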

Angelfire777
2007-02-18, 12:04
*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/scri...ons/review.htm

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.

Reboot and post a fresh HijackThis along with a description on how your machine is running.

Prometheus
2007-02-23, 19:06
Dear Angelfire777,

Sorry for my late response, I have been quite busy during the past few days. Here below is the new HJT log file.

Logfile of HijackThis v1.99.1
Scan saved at 0:00:44, on 24/2/2550
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\MOJ\SearchS.exe
C:\MOJ\SUpdate.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.msn.co.th
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ServerDB] C:\MOJ\ServerDB.exe
O4 - HKLM\..\Run: [SearchS] C:\MOJ\SearchS.exe
O4 - HKLM\..\Run: [SUpdate] C:\MOJ\SUpdate.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {23D236EA-B936-4B2B-900C-D0E8DBBF9570} (BugsGameStarts Class) - http://audition.playpark.com/login/play/ThaiGameStart.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8416CDBE-388F-476C-A205-0833F4FC2930}: NameServer = 203.144.207.29 203.144.207.49
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

My computer is running OK. The redirect problem seems to have disappeared. Do you think my computer is clean now?

Angelfire777
2007-02-24, 11:13
Yes it looks ok now.

This is a good time to clear your existing system restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore

Select Create a restore point, and Ok it.

Next, go to Start > Run and type in cleanmgr

Select the More options tab

Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.
______________________
Here are some free programs I recommend that could help you improve your pc's security.

Firewall Application - Although Windows XP comes with a firewall, you should not rely on it, because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present on your computer can access the internet with no restrictions. There are several other firewalls that can protect you better by filtering both incoming and outgoing data. Make sure you get only one of these.

» ZoneAlarm (http://www.zonelabs.com)
» Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)

Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
~You can download it from here (http://www.winpatrol.com/download.html)
~You can get some information about how WinPatrol works here (http://www.winpatrol.com/features.html)

IESpyAds
~You can download it from here (http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD)
~If you want to know how IEspyads work you can take a look at it here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
~Please note that IESpyAds only works with Internet Explorer.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)

Happy safe surfing!

Angelfire777
2007-02-24, 11:14
Glad we could be of assistance :bigthumb:

Since the problem has been resolved, this topic is now closed and archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.