View Full Version : spyware that needs removal
My computer is displaying pages from "securityonsite.com" and "savetheinformation.com" without prompting, with a variety of windows error messages and a yellow triangle with an exclamation point inside blinking. i have tried adaware and installed norton systemworks, but the spyware is eluding those applications. I attempted to use spybot, and it did install and remove a few programs but i can't get it to open and download the updates or see the log. I also tried the online scanner (Karpinsky?) but it failed to properly install after multiple attempts. I was able to use Hijack to get the following log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:33:28 PM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=0&fs=1&fsa=1&fsat=1296000&_lang=EN&lc=1033
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\DellSupport\GTCoach\plugin\ToolBar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\pmqhyvyd.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\kliyefcs.dll",sitypnow
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ArtChk] C:\WINDOWS\system32\artchker.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\DellSupport\GTCoach\plugin\ToolBar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\DellSupport\GTCoach\plugin\ToolBar.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,77/mcinsctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,18/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://pak02.pictures.aol.com/ygp/aol/themes/307/Background.jpg?
O24 - Desktop Component 1: (no name) - C:\Program Files\MSN Gaming Zone\fsozyqo.html
--
End of file - 10824 bytes
I appreciate your help
Julie
pskelley
2007-10-18, 03:20
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.
Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm
Post the C:\rapport.txt only
Thanks
SmitFraudFix v2.240
Scan done at 0:12:55.76, Fri 10/19/2007
Run from C:\Documents and Settings\Pearl Edwards\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Pearl Edwards
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Pearl Edwards\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PEARLE~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://pak02.pictures.aol.com/ygp/aol/themes/307/Background.jpg?"
"SubscribedURL"="http://pak02.pictures.aol.com/ygp/aol/themes/307/Background.jpg?"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\MSN Gaming Zone\\fsozyqo.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 72.45.32.34
DNS Server Search Order: 72.45.32.37
HKLM\SYSTEM\CCS\Services\Tcpip\..\{31F6AB54-A2B4-4019-8616-A9ECFFE53C05}: DhcpNameServer=72.45.32.34 72.45.32.37
HKLM\SYSTEM\CS1\Services\Tcpip\..\{31F6AB54-A2B4-4019-8616-A9ECFFE53C05}: DhcpNameServer=72.45.32.34 72.45.32.37
HKLM\SYSTEM\CS2\Services\Tcpip\..\{31F6AB54-A2B4-4019-8616-A9ECFFE53C05}: DhcpNameServer=72.45.32.34 72.45.32.37
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=72.45.32.34 72.45.32.37
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=72.45.32.34 72.45.32.37
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=72.45.32.34 72.45.32.37
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
pskelley
2007-10-19, 10:09
Thanks for returning your information, follow these directions:
http://siri.geekstogo.com/SmitfraudFix.php <<< tutorial if needed
1) Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infect files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
2) Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
3) C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< return here and rename HijackThis.exe, call it julieum.exe or whatever you wish. Restart the computer and post the
C:\rapport.txt from Smitfraudfix and a new HJT log.
Thanks
I initially tried to follow your instructions but was not able to access Smitfraud.exe from the safe mode of my computer. I attempted to format the c drive but was not allowed to do that either. I had to boot from c and i then did a "clean install" of windows xp. I was not allowed to boot from the cd. My computer was initially clean but after a few hours it reloaded its previous settings, from before I wiped the drive. It now contains all the previous files. I downloaded spybot, hijackthis and smitfraud again. I ran spybot first, and several spyware programs were detected and repaired. I think started in safe mode and ran smitfraud.
the report is so long it doesnt fit in one screen so im going to have to post it in sections
SmitFraudFix v2.240
Scan done at 22:13:47.82, Sun 10/21/2007
Run from C:\Documents and Settings\Administrator.JULIE-18041C7FA\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com (http://www.007guard.com)
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com (http://www.008k.com)
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com (http://www.00hq.com)
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com (http://www.032439.com)
127.0.0.1 1001-search.info
127.0.0.1 www.1001-search.info (http://www.1001-search.info)
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com (http://www.100888290cs.com)
127.0.0.1 100sexlinks.com
127.0.0.1 www.100sexlinks.com (http://www.100sexlinks.com)
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com (http://www.10sek.com)
127.0.0.1 123topsearch.com
127.0.0.1 www.123topsearch.com (http://www.123topsearch.com)
127.0.0.1 132.com
127.0.0.1 www.132.com (http://www.132.com)
127.0.0.1 136136.net
127.0.0.1 www.136136.net (http://www.136136.net)
127.0.0.1 139mm.com
127.0.0.1 www.139mm.com (http://www.139mm.com)
127.0.0.1 163ns.com
127.0.0.1 www.163ns.com (http://www.163ns.com)
127.0.0.1 171203.com
127.0.0.1 17-plus.com
127.0.0.1 1800searchonline.com
127.0.0.1 www.1800searchonline.com (http://www.1800searchonline.com)
127.0.0.1 180searchassistant.com
127.0.0.1 www.180searchassistant.com (http://www.180searchassistant.com)
127.0.0.1 180solutions.com
127.0.0.1 www.180solutions.com (http://www.180solutions.com)
127.0.0.1 181.365soft.info
127.0.0.1 www.181.365soft.info (http://www.181.365soft.info)
127.0.0.1 1987324.com
127.0.0.1 www.1987324.com (http://www.1987324.com)
127.0.0.1 1-domains-registrations.com
127.0.0.1 www.1-domains-registrations.com (http://www.1-domains-registrations.com)
127.0.0.1 1-extreme.biz
127.0.0.1 www.1-extreme.biz (http://www.1-extreme.biz)
127.0.0.1 1sexparty.com
127.0.0.1 www.1sexparty.com (http://www.1sexparty.com)
127.0.0.1 1stantivirus.com
127.0.0.1 www.1stantivirus.com (http://www.1stantivirus.com)
127.0.0.1 1stpagehere.com
127.0.0.1 www.1stpagehere.com (http://www.1stpagehere.com)
127.0.0.1 1stsearchportal.com
127.0.0.1 www.1stsearchportal.com (http://www.1stsearchportal.com)
127.0.0.1 2.82211.net
127.0.0.1 www.2006ooo.com (http://www.2006ooo.com)
127.0.0.1 2007-download.com
127.0.0.1 www.2007-download.com (http://www.2007-download.com)
127.0.0.1 2020search.com
127.0.0.1 www.2020search.com (http://www.2020search.com)
127.0.0.1 20x2p.com
127.0.0.1 24.365soft.info
127.0.0.1 www.24.365soft.info (http://www.24.365soft.info)
127.0.0.1 24-7pharmacy.info
127.0.0.1 www.24-7pharmacy.info (http://www.24-7pharmacy.info)
127.0.0.1 24-7searching-and-more.com
127.0.0.1 www.24-7searching-and-more.com (http://www.24-7searching-and-more.com)
127.0.0.1 24teen.com
127.0.0.1 www.24teen.com (http://www.24teen.com)
127.0.0.1 2every.net
127.0.0.1 www.2every.net (http://www.2every.net)
127.0.0.1 2ndpower.com
127.0.0.1 2search.com
127.0.0.1 www.2search.com (http://www.2search.com)
127.0.0.1 2search.org
127.0.0.1 www.2search.org (http://www.2search.org)
127.0.0.1 2squared.com
127.0.0.1 www.2squared.com (http://www.2squared.com)
127.0.0.1 3322.org
127.0.0.1 www.3322.org (http://www.3322.org)
127.0.0.1 365soft.info
127.0.0.1 36site.com
127.0.0.1 www.36site.com (http://www.36site.com)
127.0.0.1 3721.com
127.0.0.1 39-93.com
127.0.0.1 3abetterinternet.com
127.0.0.1 www.3abetterinternet.com (http://www.3abetterinternet.com)
127.0.0.1 3bay.it
127.0.0.1 www.3bay.it (http://www.3bay.it)
127.0.0.1 3ebay.it
127.0.0.1 www.3ebay.it (http://www.3ebay.it)
127.0.0.1 404dns.com
127.0.0.1 www.404dns.com (http://www.404dns.com)
127.0.0.1 4199.com
127.0.0.1 www.4199.com (http://www.4199.com)
127.0.0.1 4corn.net
127.0.0.1 www.4corn.net (http://www.4corn.net)
127.0.0.1 4ebay.it
127.0.0.1 www.4ebay.it (http://www.4ebay.it)
127.0.0.1 4klm.com
127.0.0.1 4repubblica.it
127.0.0.1 www.4repubblica.it (http://www.4repubblica.it)
127.0.0.1 4softget.com
127.0.0.1 www.4softget.com (http://www.4softget.com)
127.0.0.1 5iscali.it
127.0.0.1 www.5iscali.it (http://www.5iscali.it)
127.0.0.1 5repubblica.it
127.0.0.1 www.5repubblica.it (http://www.5repubblica.it)
127.0.0.1 5starvideos.com
127.0.0.1 www.5starvideos.com (http://www.5starvideos.com)
127.0.0.1 5tiscali.it
127.0.0.1 www.5tiscali.it (http://www.5tiscali.it)
127.0.0.1 5zgmu7o20kt5d8yq.com
127.0.0.1 www.5zgmu7o20kt5d8yq.com (http://www.5zgmu7o20kt5d8yq.com)
127.0.0.1 6iscali.it
127.0.0.1 www.6iscali.it (http://www.6iscali.it)
127.0.0.1 6sek.com
127.0.0.1 www.6sek.com (http://www.6sek.com)
127.0.0.1 6tiscali.it
127.0.0.1 www.6tiscali.it (http://www.6tiscali.it)
127.0.0.1 7322.com
127.0.0.1 www.7322.com (http://www.7322.com)
127.0.0.1 75tz.com
127.0.0.1 777search.com
127.0.0.1 www.777search.com (http://www.777search.com)
127.0.0.1 777top.com
127.0.0.1 www.777top.com (http://www.777top.com)
127.0.0.1 7939.com
127.0.0.1 www.7939.com (http://www.7939.com)
127.0.0.1 7search.com
127.0.0.1 www.7search.com (http://www.7search.com)
127.0.0.1 80gw6ry3i3x3qbrkwhxhw.032439.com
127.0.0.1 82211.net
127.0.0.1 8866.org
127.0.0.1
127.0.0.1
127.0.0.1 8ad.com
127.0.0.1 www.8ad.com (http://www.8ad.com)
127.0.0.1 9505.com
127.0.0.1 www.9505.com (http://www.9505.com)
127.0.0.1 971searchbox.com
127.0.0.1 www.971searchbox.com (http://www.971searchbox.com)
127.0.0.1 a.bestmanage.org
127.0.0.1 aaasexypics.com
127.0.0.1 aaawebfinder.com
127.0.0.1 www.aaawebfinder.com (http://www.aaawebfinder.com)
127.0.0.1 aavc.com
127.0.0.1 abc-find.info
127.0.0.1 www.abc-find.info (http://www.abc-find.info)
127.0.0.1 abetterinternet.com
127.0.0.1 www.abetterinternet.com (http://www.abetterinternet.com)
127.0.0.1 abnetsoft.info
127.0.0.1 www.abnetsoft.info (http://www.abnetsoft.info)
127.0.0.1 aboutclicker.com
127.0.0.1 www.aboutclicker.com (http://www.aboutclicker.com)
127.0.0.1 abrp.net
127.0.0.1 www.abrp.net (http://www.abrp.net)
127.0.0.1 absolutee.com
127.0.0.1 www.absolutee.com (http://www.absolutee.com)
127.0.0.1 abyssmedia.com
127.0.0.1 www.abyssmedia.com (http://www.abyssmedia.com)
127.0.0.1 ac66.cn
127.0.0.1 www.ac66.cn (http://www.ac66.cn)
127.0.0.1 access.Navinetwork.com
127.0.0.1 access.rapid-pass.net
127.0.0.1 accessactivexvideo.com
127.0.0.1 www.accessactivexvideo.com (http://www.accessactivexvideo.com)
127.0.0.1 accessclips.com
127.0.0.1 www.accessclips.com (http://www.accessclips.com)
127.0.0.1 access-dvd.com
127.0.0.1 www.access-dvd.com (http://www.access-dvd.com)
127.0.0.1 accesskeygenerator.com
127.0.0.1 www.accesskeygenerator.com (http://www.accesskeygenerator.com)
127.0.0.1 accessorygeeks.com
127.0.0.1 www.accessorygeeks.com (http://www.accessorygeeks.com)
127.0.0.1 accessthefuture.net
127.0.0.1 www.accessthefuture.net (http://www.accessthefuture.net)
127.0.0.1 accessvid.net
127.0.0.1 www.accessvid.net (http://www.accessvid.net)
127.0.0.1 acemedic.com
127.0.0.1 www.acemedic.com (http://www.acemedic.com)
127.0.0.1 ace-webmaster.com
127.0.0.1 www.ace-webmaster.com (http://www.ace-webmaster.com)
127.0.0.1 acjp.com
127.0.0.1 acrobat-2007.com
127.0.0.1 www.acrobat-2007.com (http://www.acrobat-2007.com)
127.0.0.1 acrobat-8.com
127.0.0.1 www.acrobat-8.com (http://www.acrobat-8.com)
127.0.0.1 acrobat-center.com
127.0.0.1 www.acrobat-center.com (http://www.acrobat-center.com)
127.0.0.1 acrobat-hq.com
127.0.0.1 www.acrobat-hq.com (http://www.acrobat-hq.com)
127.0.0.1 acrobatreader-8.com
127.0.0.1 www.acrobatreader-8.com (http://www.acrobatreader-8.com)
127.0.0.1 acrobat-reader-8.de
127.0.0.1 www.acrobat-reader-8.de (http://www.acrobat-reader-8.de)
127.0.0.1 acrobat-stop.com
127.0.0.1 www.acrobat-stop.com (http://www.acrobat-stop.com)
127.0.0.1 actionbreastcancer.org
127.0.0.1 www.actionbreastcancer.org (http://www.actionbreastcancer.org)
127.0.0.1 activesearcher.info
127.0.0.1 www.activesearcher.info (http://www.activesearcher.info)
127.0.0.1 activexaccessobject.com
127.0.0.1 www.activexaccessobject.com (http://www.activexaccessobject.com)
127.0.0.1 activexaccessvideo.com
127.0.0.1 www.activexaccessvideo.com (http://www.activexaccessvideo.com)
127.0.0.1 activexemedia.com
127.0.0.1 www.activexemedia.com (http://www.activexemedia.com)
127.0.0.1 activexmediaobject.com
127.0.0.1 www.activexmediaobject.com (http://www.activexmediaobject.com)
127.0.0.1 activexmediapro.com
127.0.0.1 www.activexmediapro.com (http://www.activexmediapro.com)
127.0.0.1 activexmediasite.com
127.0.0.1 www.activexmediasite.com (http://www.activexmediasite.com)
127.0.0.1 activexmediasoftware.com
127.0.0.1 www.activexmediasoftware.com (http://www.activexmediasoftware.com)
127.0.0.1 activexmediasource.com
127.0.0.1 www.activexmediasource.com (http://www.activexmediasource.com)
127.0.0.1 activexmediatool.com
127.0.0.1 www.activexmediatool.com (http://www.activexmediatool.com)
127.0.0.1 activexmediatour.com
127.0.0.1 www.activexmediatour.com (http://www.activexmediatour.com)
127.0.0.1 activexsoftwares.com
127.0.0.1 www.activexsoftwares.com (http://www.activexsoftwares.com)
127.0.0.1 activexsource.com
127.0.0.1 www.activexsource.com (http://www.activexsource.com)
127.0.0.1 activexupdate.com
127.0.0.1 www.activexupdate.com (http://www.activexupdate.com)
127.0.0.1 activexvideo.com
127.0.0.1 www.activexvideo.com (http://www.activexvideo.com)
127.0.0.1 activexvideotool.com
127.0.0.1 www.activexvideotool.com (http://www.activexvideotool.com)
127.0.0.1 ad.marketingsector.com
127.0.0.1 www.ad.marketingsector.com (http://www.ad.marketingsector.com)
127.0.0.1 ad.mokead.com
127.0.0.1 www.ad.mokead.com (http://www.ad.mokead.com)
127.0.0.1 ad.yieldmanager.com
127.0.0.1 www.ad.yieldmanager.com (http://www.ad.yieldmanager.com)
127.0.0.1 ad25.com
127.0.0.1 ad45.com
127.0.0.1 ad77.com
127.0.0.1 ad86.com
127.0.0.1 adamsupportgroup.org
127.0.0.1 www.adamsupportgroup.org (http://www.adamsupportgroup.org)
127.0.0.1 adarmor.com
127.0.0.1 www.adarmor.com (http://www.adarmor.com)
127.0.0.1 adasearch.com
127.0.0.1 www.adasearch.com (http://www.adasearch.com)
127.0.0.1 adaware.cc
127.0.0.1 adawarenow.com
127.0.0.1 www.adawarenow.com (http://www.adawarenow.com)
127.0.0.1 addictivetechnologies.com
127.0.0.1 www.addictivetechnologies.com (http://www.addictivetechnologies.com)
127.0.0.1 addictivetechnologies.net
127.0.0.1 www.addictivetechnologies.net (http://www.addictivetechnologies.net)
127.0.0.1 add-manager.com
127.0.0.1 www.add-manager.com (http://www.add-manager.com)
127.0.0.1 adgate.info
127.0.0.1 www.adgate.info (http://www.adgate.info)
127.0.0.1 adipics.com
127.0.0.1 www.adipics.com (http://www.adipics.com)
127.0.0.1 admin2cash.biz
127.0.0.1 www.admin2cash.biz (http://www.admin2cash.biz)
127.0.0.1 adnet-plus.com
127.0.0.1 adobe-download-now.com
127.0.0.1 adobe-downloads.com
127.0.0.1 www.adobe-downloads.com (http://www.adobe-downloads.com)
127.0.0.1 adobe-reader-8.fr
127.0.0.1 www.adobe-reader-8.fr (http://www.adobe-reader-8.fr)
127.0.0.1 adprotect.com
127.0.0.1 www.adprotect.com (http://www.adprotect.com)
127.0.0.1 ads.centralmedia.ws
127.0.0.1 ads.k8l.info
127.0.0.1 ads.kmpads.com
127.0.0.1 ads.marketingsector.com
127.0.0.1 ads.searchingbooth.com
127.0.0.1 ads.z-quest.com
127.0.0.1 ads183.com
127.0.0.1 www.ads183.com (http://www.ads183.com)
127.0.0.1 adscontex.com
127.0.0.1 www.adscontex.com (http://www.adscontex.com)
127.0.0.1 adservices1.enhance.com
127.0.0.1 www.adservices1.enhance.com (http://www.adservices1.enhance.com)
127.0.0.1 adservs.com
127.0.0.1 adsextend.net
127.0.0.1 www.adsextend.net (http://www.adsextend.net)
127.0.0.1 adshttp.com
127.0.0.1 www.adshttp.com (http://www.adshttp.com)
127.0.0.1 adsonwww.com
127.0.0.1 www.adsonwww.com (http://www.adsonwww.com)
127.0.0.1 adspics.com
127.0.0.1 www.adspics.com (http://www.adspics.com)
127.0.0.1 adtrak.net
127.0.0.1 www.adtrak.net (http://www.adtrak.net)
127.0.0.1 adtrgt.com
127.0.0.1 adult777search.info
127.0.0.1 www.adult777search.info (http://www.adult777search.info)
127.0.0.1 adultan.com
127.0.0.1 www.adultan.com (http://www.adultan.com)
127.0.0.1 adult-engine-search.com
127.0.0.1 www.adult-engine-search.com (http://www.adult-engine-search.com)
127.0.0.1 adult-erotic-guide.net
127.0.0.1 www.adult-erotic-guide.net (http://www.adult-erotic-guide.net)
127.0.0.1 adultfilmsite.com
127.0.0.1 www.adultfilmsite.com (http://www.adultfilmsite.com)
127.0.0.1 adult-friends-finder.net
127.0.0.1 www.adult-friends-finder.net (http://www.adult-friends-finder.net)
127.0.0.1 adultgambling.org
127.0.0.1 adult-host.org
127.0.0.1 adulthyperlinks.com
127.0.0.1 www.adulthyperlinks.com (http://www.adulthyperlinks.com)
127.0.0.1 adultmovieplus.com
127.0.0.1 www.adultmovieplus.com (http://www.adultmovieplus.com)
127.0.0.1 adult-personal.us
127.0.0.1 adultsgames.net
127.0.0.1 adultsper.com
127.0.0.1 www.adultsper.com (http://www.adultsper.com)
127.0.0.1 adulttds.com
127.0.0.1 www.adulttds.com (http://www.adulttds.com)
127.0.0.1 adultzoneworld.com
127.0.0.1 www.adultzoneworld.com (http://www.adultzoneworld.com)
127.0.0.1 advcash.biz
127.0.0.1 www.advcash.biz (http://www.advcash.biz)
127.0.0.1 advert.exaccess.ru
127.0.0.1 advertisemoney.info
127.0.0.1 www.advertisemoney.info (http://www.advertisemoney.info)
127.0.0.1 advertising.paltalk.com
127.0.0.1 advertising-money.info
127.0.0.1 www.advertising-money.info (http://www.advertising-money.info)
127.0.0.1 ad-ware.cc
127.0.0.1 ad-w-a-r-e.com
127.0.0.1 www.ad-w-a-r-e.com (http://www.ad-w-a-r-e.com)
127.0.0.1 a-d-w-a-r-e.com
127.0.0.1 www.a-d-w-a-r-e.com (http://www.a-d-w-a-r-e.com)
127.0.0.1 adwarebazooka.com
127.0.0.1 www.adwarebazooka.com (http://www.adwarebazooka.com)
127.0.0.1 adwarefinder.com
127.0.0.1 www.adwarefinder.com (http://www.adwarefinder.com)
127.0.0.1 adwareprotectionsite.com
127.0.0.1 www.adwareprotectionsite.com (http://www.adwareprotectionsite.com)
127.0.0.1 adwarepunisher.com
127.0.0.1 www.adwarepunisher.com (http://www.adwarepunisher.com)
127.0.0.1 aflgate.com
127.0.0.1 www.aflgate.com (http://www.aflgate.com)
127.0.0.1 africaspromise.org
127.0.0.1 agava.com
127.0.0.1 agava.ru
127.0.0.1 agentstudio.com
127.0.0.1 aginegialle.it
127.0.0.1 www.aginegialle.it (http://www.aginegialle.it)
127.0.0.1 www.aifind.info (http://www.aifind.info)
127.0.0.1 aifind.info
127.0.0.1 airtleworld.com
127.0.0.1 www.airtleworld.com (http://www.airtleworld.com)
127.0.0.1 aitalia.it
127.0.0.1 www.aitalia.it (http://www.aitalia.it)
127.0.0.1 akamai.downloadv3.com
127.0.0.1 aklitalia.it
127.0.0.1 www.aklitalia.it (http://www.aklitalia.it)
127.0.0.1 akril.com
127.0.0.1 alcatel.ws
127.0.0.1 alfacleaner.com
127.0.0.1 www.alfacleaner.com (http://www.alfacleaner.com)
127.0.0.1 alfa-search.com
127.0.0.1 alialia.it
127.0.0.1 www.alialia.it (http://www.alialia.it)
127.0.0.1 aliotalia.it
127.0.0.1 www.aliotalia.it (http://www.aliotalia.it)
127.0.0.1 alirtalia.it
127.0.0.1 www.alirtalia.it (http://www.alirtalia.it)
127.0.0.1 alitaia.it
127.0.0.1 www.alitaia.it (http://www.alitaia.it)
127.0.0.1 alitaklia.it
127.0.0.1 www.alitaklia.it (http://www.alitaklia.it)
127.0.0.1 alitala.it
127.0.0.1 www.alitala.it (http://www.alitala.it)
127.0.0.1 alitali.it
127.0.0.1 www.alitali.it (http://www.alitali.it)
127.0.0.1 alitaliaq.it
127.0.0.1 www.alitaliaq.it (http://www.alitaliaq.it)
127.0.0.1 alitalias.it
127.0.0.1 www.alitalias.it (http://www.alitalias.it)
127.0.0.1 alitaliaz.it
127.0.0.1 www.alitaliaz.it (http://www.alitaliaz.it)
127.0.0.1 alitalioa.it
127.0.0.1 www.alitalioa.it (http://www.alitalioa.it)
127.0.0.1 alitalisa.it
127.0.0.1 www.alitalisa.it (http://www.alitalisa.it)
127.0.0.1 alitaliua.it
127.0.0.1 www.alitaliua.it (http://www.alitaliua.it)
127.0.0.1 alitalkia.it
127.0.0.1 www.alitalkia.it (http://www.alitalkia.it)
127.0.0.1 alitaloia.it
127.0.0.1 www.alitaloia.it (http://www.alitaloia.it)
127.0.0.1 alitaluia.it
127.0.0.1 www.alitaluia.it (http://www.alitaluia.it)
127.0.0.1 alitaslia.it
127.0.0.1 www.alitaslia.it (http://www.alitaslia.it)
127.0.0.1 alitlia.it
127.0.0.1 www.alitlia.it (http://www.alitlia.it)
127.0.0.1 alitralia.it
127.0.0.1 www.alitralia.it (http://www.alitralia.it)
127.0.0.1 alitsalia.it
127.0.0.1 www.alitsalia.it (http://www.alitsalia.it)
127.0.0.1 aliutalia.it
127.0.0.1 www.aliutalia.it (http://www.aliutalia.it)
127.0.0.1 ALL1COUNT.NET
127.0.0.1 www.ALL1COUNT.NET (http://www.ALL1COUNT.NET)
127.0.0.1 all4internet.com
127.0.0.1 www.all4internet.com (http://www.all4internet.com)
127.0.0.1 allabtcars.com
127.0.0.1 allabtjeeps.com
127.0.0.1 all-bittorrent.com
127.0.0.1 www.all-bittorrent.com (http://www.all-bittorrent.com)
127.0.0.1 www.allcybersearch.com (http://www.allcybersearch.com)
127.0.0.1 allcybersearch.com
127.0.0.1 alldnserrors.com
127.0.0.1 www.alldnserrors.com (http://www.alldnserrors.com)
127.0.0.1 all-downloads-now.com
127.0.0.1 www.all-downloads-now.com (http://www.all-downloads-now.com)
127.0.0.1 all-edonkey.com
127.0.0.1 www.all-edonkey.com (http://www.all-edonkey.com)
127.0.0.1 allforadult.com
127.0.0.1 allhyperlinks.com
127.0.0.1 alliesecurity.com
127.0.0.1 www.alliesecurity.com (http://www.alliesecurity.com)
127.0.0.1 all-inet.com
127.0.0.1 allinternetbusiness.com
127.0.0.1 all-limewire.com
127.0.0.1 www.all-limewire.com (http://www.all-limewire.com)
127.0.0.1 allmegabucks.com
127.0.0.1 www.allmegabucks.com (http://www.allmegabucks.com)
127.0.0.1 allprotections.com
127.0.0.1 www.allprotections.com (http://www.allprotections.com)
127.0.0.1 allresultz.net
127.0.0.1 www.allresultz.net (http://www.allresultz.net)
127.0.0.1 allsecuritynotes.com
127.0.0.1 www.allsecuritynotes.com (http://www.allsecuritynotes.com)
127.0.0.1 allsecuritysite.com
127.0.0.1 www.allsecuritysite.com (http://www.allsecuritysite.com)
127.0.0.1 allstarsvideos.net
127.0.0.1 www.allstarsvideos.net (http://www.allstarsvideos.net)
127.0.0.1 alltruesoftware.com
127.0.0.1 www.alltruesoftware.com (http://www.alltruesoftware.com)
127.0.0.1 allvideoactivex.com
127.0.0.1 www.allvideoactivex.com (http://www.allvideoactivex.com)
127.0.0.1 almanah.biz
127.0.0.1 www.almanah.biz (http://www.almanah.biz)
127.0.0.1 almarvideos.com
127.0.0.1 aloitalia.it
127.0.0.1 www.aloitalia.it (http://www.aloitalia.it)
127.0.0.1 aluitalia.it
127.0.0.1 www.aluitalia.it (http://www.aluitalia.it)
127.0.0.1 amaena.com
127.0.0.1 www.amaena.com (http://www.amaena.com)
127.0.0.1 amandamountains.com
127.0.0.1 amateurliveshow.com
127.0.0.1 www.amateurliveshow.com (http://www.amateurliveshow.com)
127.0.0.1 amediasoftware.com
127.0.0.1 www.amediasoftware.com (http://www.amediasoftware.com)
127.0.0.1 amediasource.com
127.0.0.1 www.amediasource.com (http://www.amediasource.com)
127.0.0.1 americancarbargains.com
127.0.0.1 www.americancarbargains.com (http://www.americancarbargains.com)
127.0.0.1 american-teens.net
127.0.0.1 amigeek.com
127.0.0.1 amisbusiness.com
127.0.0.1 ampmsearch.com
127.0.0.1 www.ampmsearch.com (http://www.ampmsearch.com)
127.0.0.1 analcord.com
127.0.0.1 www.analcord.com (http://www.analcord.com)
127.0.0.1 analmovi.com
127.0.0.1 anarchylolita.com
127.0.0.1 www.anarchylolita.com (http://www.anarchylolita.com)
127.0.0.1 anarchyporn.com
127.0.0.1 andromedical.com
127.0.0.1 www.andromedical.com (http://www.andromedical.com)
127.0.0.1 animepornmag.com
127.0.0.1 www.animepornmag.com (http://www.animepornmag.com)
127.0.0.1 anin.org
127.0.0.1 anjpn-avxiz.biz
127.0.0.1 www.anjpn-avxiz.biz (http://www.anjpn-avxiz.biz)
127.0.0.1 anjpnzqav.biz
127.0.0.1 www.anjpnzqav.biz (http://www.anjpnzqav.biz)
127.0.0.1 anjpn-zqav.biz
127.0.0.1 www.anjpn-zqav.biz (http://www.anjpn-zqav.biz)
127.0.0.1 annaromeo.com
127.0.0.1 antiddos.us
127.0.0.1 www.antiddos.us (http://www.antiddos.us)
127.0.0.1 Antiespiadorado.com
127.0.0.1 www.Antiespiadorado.com (http://www.Antiespiadorado.com)
127.0.0.1 Antiespionspack.com
127.0.0.1 www.Antiespionspack.com (http://www.Antiespionspack.com)
127.0.0.1 Antigusanos2008.com
127.0.0.1 www.Antigusanos2008.com (http://www.Antigusanos2008.com)
127.0.0.1 Antispionage.com
127.0.0.1 www.Antispionage.com (http://www.Antispionage.com)
127.0.0.1 Antispionagepro.com
127.0.0.1 www.Antispionagepro.com (http://www.Antispionagepro.com)
127.0.0.1 antispydns.biz
127.0.0.1 www.antispydns.biz (http://www.antispydns.biz)
127.0.0.1 antispylab.com
127.0.0.1 www.antispylab.com (http://www.antispylab.com)
127.0.0.1 antispysolutions.com
127.0.0.1 www.antispysolutions.com (http://www.antispysolutions.com)
127.0.0.1 antispyware.com
127.0.0.1 www.antispyware.com (http://www.antispyware.com)
127.0.0.1 antispywarebot.com
127.0.0.1 www.antispywarebot.com (http://www.antispywarebot.com)
127.0.0.1 antispywarebox.com
127.0.0.1 www.antispywarebox.com (http://www.antispywarebox.com)
127.0.0.1 antispywaredownloads.com
127.0.0.1 www.antispywaredownloads.com (http://www.antispywaredownloads.com)
127.0.0.1 Antispywaresuite.com
127.0.0.1 www.Antispywaresuite.com (http://www.Antispywaresuite.com)
127.0.0.1 Antispyweb.net
127.0.0.1 www.Antispyweb.net (http://www.Antispyweb.net)
127.0.0.1 Antiver2008.com
127.0.0.1 www.Antiver2008.com (http://www.Antiver2008.com)
127.0.0.1 antivermins.com
127.0.0.1 www.antivermins.com (http://www.antivermins.com)
127.0.0.1 anti-vermins.com
127.0.0.1 www.anti-vermins.com (http://www.anti-vermins.com)
127.0.0.1 antivir2007.com
127.0.0.1 www.antivir2007.com (http://www.antivir2007.com)
127.0.0.1 antivirgear.com
127.0.0.1 www.antivirgear.com (http://www.antivirgear.com)
127.0.0.1 antivirus.fastfreedownload.com
127.0.0.1 www.antivirus.fastfreedownload.com (http://www.antivirus.fastfreedownload.com)
127.0.0.1 antivirusgolden.com
127.0.0.1 www.antivirusgolden.com (http://www.antivirusgolden.com)
127.0.0.1 antivirus-hq.net
127.0.0.1 www.antivirus-hq.net (http://www.antivirus-hq.net)
127.0.0.1 anti-virus-pro.com
127.0.0.1 www.anti-virus-pro.com (http://www.anti-virus-pro.com)
127.0.0.1 antivirusprotector.com
127.0.0.1 www.antivirusprotector.com (http://www.antivirusprotector.com)
127.0.0.1 antivirussecuritypro.com
127.0.0.1 www.antivirussecuritypro.com (http://www.antivirussecuritypro.com)
127.0.0.1 antivirus-stop.com
127.0.0.1 www.antivirus-stop.com (http://www.antivirus-stop.com)
127.0.0.1 Antiworm2008.com
127.0.0.1 www.Antiworm2008.com (http://www.Antiworm2008.com)
127.0.0.1 Antiwurm2008.com
127.0.0.1 www.Antiwurm2008.com (http://www.Antiwurm2008.com)
127.0.0.1 antrocity.com
127.0.0.1 anyofus.com
127.0.0.1 www.anyofus.com (http://www.anyofus.com)
127.0.0.1 anysn.seproger.com
127.0.0.1 www.anysn.seproger.com (http://www.anysn.seproger.com)
127.0.0.1 anything4health.com
127.0.0.1 apicpreview.com
127.0.0.1 www.apicpreview.com (http://www.apicpreview.com)
127.0.0.1 apmebf.com
127.0.0.1 www.apmebf.com (http://www.apmebf.com)
127.0.0.1 appealcircuit.com
127.0.0.1 www.appealcircuit.com (http://www.appealcircuit.com)
127.0.0.1 approvedlinks.com
127.0.0.1 www.approvedlinks.com (http://www.approvedlinks.com)
127.0.0.1 apps.deskwizz.com
127.0.0.1 apps.webservicehost.com
127.0.0.1 aprotectedpage.com
127.0.0.1 www.aprotectedpage.com (http://www.aprotectedpage.com)
127.0.0.1 apsua.com
127.0.0.1 archiviosex.net
127.0.0.1 www.archiviosex.net (http://www.archiviosex.net)
127.0.0.1 aregay.com
127.0.0.1 ares-freebie.com
127.0.0.1 www.ares-freebie.com (http://www.ares-freebie.com)
127.0.0.1 arespro2007.com
127.0.0.1 www.arespro2007.com (http://www.arespro2007.com)
127.0.0.1 aresultra.com
127.0.0.1 www.aresultra.com (http://www.aresultra.com)
127.0.0.1 ares-usa.com
127.0.0.1 www.ares-usa.com (http://www.ares-usa.com)
127.0.0.1 arheo.com
127.0.0.1 arizonaweb.org
127.0.0.1 armitageinn.com
127.0.0.1 arquivojpgs.smtp.ru
127.0.0.1 www.arquivojpgs.smtp.ru (http://www.arquivojpgs.smtp.ru)
127.0.0.1 artachnid.com
127.0.0.1 art-func.com
127.0.0.1 art-xxx.com
127.0.0.1 asafebrowser.com
127.0.0.1 www.asafebrowser.com (http://www.asafebrowser.com)
127.0.0.1 asafetynotice.com
127.0.0.1 www.asafetynotice.com (http://www.asafetynotice.com)
127.0.0.1 asafetypage.com
127.0.0.1 www.asafetypage.com (http://www.asafetypage.com)
127.0.0.1 asdbiz.biz
127.0.0.1 www.asdbiz.biz (http://www.asdbiz.biz)
127.0.0.1 asdeykuddq.com
127.0.0.1 www.asdeykuddq.com (http://www.asdeykuddq.com)
127.0.0.1 asecurebar.com
127.0.0.1 www.asecurebar.com (http://www.asecurebar.com)
127.0.0.1 asecureboard.com
127.0.0.1 www.asecureboard.com (http://www.asecureboard.com)
127.0.0.1 asecurevalue.com
127.0.0.1 www.asecurevalue.com (http://www.asecurevalue.com)
127.0.0.1 asecurityissue.com
127.0.0.1 www.asecurityissue.com (http://www.asecurityissue.com)
127.0.0.1 asecuritynotice.com
127.0.0.1 www.asecuritynotice.com (http://www.asecuritynotice.com)
127.0.0.1 asecuritypaper.com
127.0.0.1 www.asecuritypaper.com (http://www.asecuritypaper.com)
127.0.0.1 asecuritystuff.com
127.0.0.1 www.asecuritystuff.com (http://www.asecuritystuff.com)
127.0.0.1 asiankingkong.com
127.0.0.1 asianpornmag.com
127.0.0.1 www.asianpornmag.com (http://www.asianpornmag.com)
127.0.0.1 asiantoolbar.com
127.0.0.1 www.asiantoolbar.com (http://www.asiantoolbar.com)
127.0.0.1 asidseiupc.com
127.0.0.1 www.asidseiupc.com (http://www.asidseiupc.com)
127.0.0.1 aslitalia.it
127.0.0.1 www.aslitalia.it (http://www.aslitalia.it)
127.0.0.1 ass-gals.com
127.0.0.1 assureprotection.com
127.0.0.1 www.assureprotection.com (http://www.assureprotection.com)
127.0.0.1 asta-killer.com
127.0.0.1 asupereva.it
127.0.0.1 www.asupereva.it (http://www.asupereva.it)
127.0.0.1 athenrye.com
127.0.0.1 atotalsafety.com
that file is a total of 193000 whatever the unit of size is, ten times too long for a post. it continues down the alphabet after those 127.0.0.1 for a zillion characters and then here is the end of the file:
tell me if you need the middle
127.0.0.1 zipcodec.com
127.0.0.1 ziportal.com
127.0.0.1 zipportal.com
127.0.0.1 www.zippy-lookup.com (http://www.zippy-lookup.com)
127.0.0.1 zippy-lookup.com
127.0.0.1 www.zjkjw.gov.cn (http://www.zjkjw.gov.cn)
127.0.0.1 zjkjw.gov.cn
127.0.0.1 www.znext.com (http://www.znext.com)
127.0.0.1 znext.com
127.0.0.1 www.zonealarm-download-now.com (http://www.zonealarm-download-now.com)
127.0.0.1 zonealarm-download-now.com
127.0.0.1 www.zonealarm-stop.com (http://www.zonealarm-stop.com)
127.0.0.1 zonealarm-stop.com
127.0.0.1 www.zone-media.com (http://www.zone-media.com)
127.0.0.1 zone-media.com
127.0.0.1 zoneoffreeporn.com
127.0.0.1 zoofil.com
127.0.0.1 zoomegasite.com
127.0.0.1 zpwebsource.com
127.0.0.1 www.zpwebsource.com (http://www.zpwebsource.com)
127.0.0.1 zqavanjpn.biz
127.0.0.1 www.zqavanjpn.biz (http://www.zqavanjpn.biz)
127.0.0.1 www.z-quest.com (http://www.z-quest.com)
127.0.0.1 z-quest.com
127.0.0.1 zsupereva.it
127.0.0.1 www.zsupereva.it (http://www.zsupereva.it)
127.0.0.1 www.zurrusco.com (http://www.zurrusco.com)
127.0.0.1 zurrusco.com
127.0.0.1 zvimigdal.com
127.0.0.1 www.zxlinks.com (http://www.zxlinks.com)
127.0.0.1 zxlinks.com
127.0.0.1 zyban-zocor-levitra.com
127.0.0.1 errordoctor.com
127.0.0.1 www.errordoctor.com (http://www.errordoctor.com)
127.0.0.1 performanceoptimizer.com
127.0.0.1 www.performanceoptimizer.com (http://www.performanceoptimizer.com)
127.0.0.1 680180.net
127.0.0.1 www.680180.net (http://www.680180.net)
127.0.0.1 888.com
127.0.0.1 aaabesthomepage.com
127.0.0.1 www.aaabesthomepage.com (http://www.aaabesthomepage.com)
127.0.0.1 adlogix.com
127.0.0.1 www.adlogix.com (http://www.adlogix.com)
127.0.0.1 decknews.com
127.0.0.1 www.decknews.com (http://www.decknews.com)
127.0.0.1 update.680180.net
127.0.0.1 websearch24.com
127.0.0.1 www.websearch24.com (http://www.websearch24.com)
127.0.0.1 addioerrori.com
127.0.0.1 www.addioerrori.com (http://www.addioerrori.com)
127.0.0.1 antivirusgereedschap.com
127.0.0.1 www.antivirusgereedschap.com (http://www.antivirusgereedschap.com)
127.0.0.1 aucunsvirus.com
127.0.0.1 www.aucunsvirus.com (http://www.aucunsvirus.com)
127.0.0.1 echterschutz.com
127.0.0.1 www.echterschutz.com (http://www.echterschutz.com)
127.0.0.1 fiksfeil.com
127.0.0.1 www.fiksfeil.com (http://www.fiksfeil.com)
127.0.0.1 harddrevvagt.com
127.0.0.1 www.harddrevvagt.com (http://www.harddrevvagt.com)
127.0.0.1 herramientadereparacion.com
127.0.0.1 www.herramientadereparacion.com (http://www.herramientadereparacion.com)
127.0.0.1 hukommelsesbeskytter.com
127.0.0.1 www.hukommelsesbeskytter.com (http://www.hukommelsesbeskytter.com)
127.0.0.1 kyoishusei.com
127.0.0.1 www.kyoishusei.com (http://www.kyoishusei.com)
127.0.0.1 megaviruskit.com
127.0.0.1 www.megaviruskit.com (http://www.megaviruskit.com)
127.0.0.1 memoiredefenseur.com
127.0.0.1 www.memoiredefenseur.com (http://www.memoiredefenseur.com)
127.0.0.1 mendingtool.com
127.0.0.1 www.mendingtool.com (http://www.mendingtool.com)
127.0.0.1 minnesverktyg.com
127.0.0.1 www.minnesverktyg.com (http://www.minnesverktyg.com)
127.0.0.1 nientevirus.com
127.0.0.1 www.nientevirus.com (http://www.nientevirus.com)
127.0.0.1 pcopschoner.com
127.0.0.1 www.pcopschoner.com (http://www.pcopschoner.com)
127.0.0.1 pcopschoningsstel.com
127.0.0.1 www.pcopschoningsstel.com (http://www.pcopschoningsstel.com)
127.0.0.1 puliscitutto.com
127.0.0.1 www.puliscitutto.com (http://www.puliscitutto.com)
127.0.0.1 rensningverktyg.com
127.0.0.1 www.rensningverktyg.com (http://www.rensningverktyg.com)
127.0.0.1 reparameacas.com
127.0.0.1 www.reparameacas.com (http://www.reparameacas.com)
127.0.0.1 reparamenazas.com
127.0.0.1 www.reparamenazas.com (http://www.reparamenazas.com)
127.0.0.1 reparetudo.com
127.0.0.1 www.reparetudo.com (http://www.reparetudo.com)
127.0.0.1 shufukutsuru.com
127.0.0.1 www.shufukutsuru.com (http://www.shufukutsuru.com)
127.0.0.1 sicheressystem.com
127.0.0.1 www.sicheressystem.com (http://www.sicheressystem.com)
127.0.0.1 syskontroller.com
127.0.0.1 www.syskontroller.com (http://www.syskontroller.com)
127.0.0.1 trustedantivirus.com
127.0.0.1 www.trustedantivirus.com (http://www.trustedantivirus.com)
127.0.0.1 utiledeprotection.com
127.0.0.1 www.utiledeprotection.com (http://www.utiledeprotection.com)
127.0.0.1 web-fastserve.com
127.0.0.1 www.web-fastserve.com (http://www.web-fastserve.com)
127.0.0.1 prettycodec.com
127.0.0.1 www.prettycodec.com (http://www.prettycodec.com)
127.0.0.1 ricenhancement.com
127.0.0.1 www.ricenhancement.com (http://www.ricenhancement.com)
127.0.0.1 hotcodec.net
127.0.0.1 www.hotcodec.net (http://www.hotcodec.net)
127.0.0.1 nicecodec.net
127.0.0.1 www.nicecodec.net (http://www.nicecodec.net)
127.0.0.1 hoetechnology.com
127.0.0.1 www.hoetechnology.com (http://www.hoetechnology.com)
127.0.0.1 xyzlimited.com
127.0.0.1 www.xyzlimited.com (http://www.xyzlimited.com)
127.0.0.1 servicevah.com
127.0.0.1 www.servicevah.com (http://www.servicevah.com)
127.0.0.1 webspyshield.com
127.0.0.1 www.webspyshield.com (http://www.webspyshield.com)
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{07B9A4EB-FB4F-4CBF-8B1E-718A383D0D2F}: DhcpNameServer=72.45.32.34 72.45.32.37
HKLM\SYSTEM\CS1\Services\Tcpip\..\{07B9A4EB-FB4F-4CBF-8B1E-718A383D0D2F}: DhcpNameServer=72.45.32.34 72.45.32.37
HKLM\SYSTEM\CS2\Services\Tcpip\..\{07B9A4EB-FB4F-4CBF-8B1E-718A383D0D2F}: DhcpNameServer=72.45.32.34 72.45.32.37
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=72.45.32.34 72.45.32.37
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=72.45.32.34 72.45.32.37
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=72.45.32.34 72.45.32.37
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
and here is the file from hijack this
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:43 PM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Administrator.JULIE-18041C7FA\Desktop\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\ADMINI~1.JUL\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 4947 bytes
pskelley
2007-10-22, 15:24
Sorry you are having problems:sad: but your HJT log looks clean. Let me ask you about this item:
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\ADMINI~1.JUL\LOCALS~1\Temp\UIUCU.EXE -
According to Google it is this:
http://www.liutilities.com/products/wintaskspro/processlibrary/uiucu/
uiucu.exe is a Universal Device Install Application from Conexant Systems, Inc. belonging to Conexant Communications Hardware
My concern is that if it is important, and it appears to be see the Google:
http://www.google.com/search?hl=en&q=Conexant+Systems&btnG=Google+Search
It is running from a Temp folder and could easly get deleted when cleaning Temp stuff. You may way to look into that.
How is your computer running? Any malware issues? I would like to run one additional scan to look for anything hidden, if that works for you proceed like this:
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here.
Thanks
okay i can do that when i get home but i DELETED everything out of my computer, wiped it clean and it reappeared right in front of my eyes. obviously some virus is restoring a previous state on my computer. i dont see how it can "look clean"
pskelley
2007-10-22, 22:00
HJT only shows a few of the areas hackers use, I can only report what I see, that is why I asked for the scan which shows more.
If you reformatted "wiped it clean" I very much doubt it returned unless you got reinfected by something you reinstalled. Have a look at these instructions.
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm
thats the trouble, i used a brand new windows cd, downloaded new drivers from dell and installed norton antivirus. I didn't install anything else. and there was NOTHING there. then, all of a sudden, right in front of my eyes, all my old files popped up, like pictures of my uncle from 2003. And when I only created ONE windows user account but in my c drive there were suddenly all four previous user accounts and their associated files. This was after a "clean install" of windows. Im not having the pop-up problem i had before but I think my computer "restored a previous state" because of some virus or spyware that is beneath the operating system. im just wondering if that is possible.
pskelley
2007-10-23, 00:31
Old files like you are describing do not appear out of thin air, malware does not install pictures of your uncle. If you did not install it then the stuff had to have been left on the computer. If you left that stuff, you just as likely left the malware on there also. If you read the links I provided, doing a reformat (NOT A SYSTEM RESTORE) would have wiped everything off the computer. I am personally frustrated with trying to help you, and suggest you look elsewhere and perhaps you will find someone who will tell you what you want to hear.
Thanks
julieum, this topic has been moved to archives.
If you need further assistance down the road, please start a new topic.
Cheers.