View Full Version : Video CODEC Malware (HELP NEEDED!!)
Hi, I got the typical Video Codec Malware that changes my background to red hazard sign with the slogan "your privacy is in danger" I've tried several online antiviruses, but it didn't capture the main problem.
I'd really, hugely, appreciate your help with this.
Thanks. Here's my HJT:
Logfile of HijackThis v1.99.1
Scan saved at 10:39:10 AM, on 31/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steve\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Get Free Internet Fast and Free
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {077F45D5-5CC9-4FC8-A7BB-9D79836A6066} - C:\WINDOWS\movctrlnkd.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: The nssfrch - {AC9BBDB2-8FCD-49C8-96F7-CC3CF7B453CD} - C:\WINDOWS\nssfrch.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.getfreeinternet.co.uk/news.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: bxsbang - {934ACA86-3177-42FD-8A28-7A5EAFA89E67} - C:\WINDOWS\bxsbang.dll
O21 - SSODL: ocgrep - {6805CF13-F95F-4B1E-B822-7FEABEA2DA72} - C:\WINDOWS\ocgrep.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
And the Kaspersky Log is as follows:
Infected Objects:
C:\WINDOWS\Debug\PASSWD.LOG
C:\WINDOWS\movctrlnkd.dll
C:\WINDOWS\ocgrep.dll
C:\WINDOWS\SchedLgU.Txt
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log
C:\WINDOWS\Sti_Trace.log
C:\WINDOWS\system32\config\AppEvent.Evt
C:\WINDOWS\system32\config\default
C:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\Internet.evt
C:\WINDOWS\system32\config\SAM
C:\WINDOWS\system32\config\SAM.LOG
C:\WINDOWS\system32\config\SecEvent.Evt
C:\WINDOWS\system32\config\SECURITY
C:\WINDOWS\system32\config\SECURITY.LOG
C:\WINDOWS\system32\config\software
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\SysEvent.Evt
C:\WINDOWS\system32\config\system
C:\WINDOWS\system32\config\system.LOG
C:\WINDOWS\system32\drivers\sptd.sys
C:\WINDOWS\system32\h323log.txt
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
C:\WINDOWS\wiadebug.log
C:\WINDOWS\wiaservc.log
C:\WINDOWS\WindowsUpdate.log
C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_10163156.exe/WISE0106.BIN/stream/data0022
C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_10163156.exe/WISE0106.BIN/stream
C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_10163156.exe/WISE0106.BIN C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_10163156.exe
C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_10163156.exe
C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_15365781.exe/WISE0104.BIN/stream/data0005
C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_15365781.exe/WISE0104.BIN/stream
C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_15365781.exe/WISE0104.BIN
C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_15365781.exe
C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_15365781.exe C:\DOCUME~1\Steve\LOCALS~1\Temp\~DFDC34.tmp
Hello keep7up
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
First move HJT off the desktop, go to your C: drive and create a new folder and name it Hijackthis, then cut HJT where you have it now and paste it into your new folder.
You need to disable the TeaTimer, you can reset it back if you wish after your clean
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
Download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Download and install AVG Anti-Spyware Free (http://free.grisoft.com/doc/download-free-anti-spyware/us/frt/0) to your desktop.
Once you have downloaded AVG Anti-Spyware Free, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run AVG and update the definition files.
On the main screen select the icon Update then select the Update now link.
Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
Once in the Settings screen click on Recommended actions and then select Quarantine <-- Dont forget this Under Reports
Select Automatically generate report after every scan
Un-Select Only if threats were found
Close AVG Anti-Spyware Free<-- Do not run the scan yet.
Boot your computer into Safemode
Go to Start> Shut Off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
This will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to SAFEMODE
Then press the Enter on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart into normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Launch AVG Anti-Spyware Free by double-clicking the icon on your desktop.
Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
AVG will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select Apply all actions
Next select the Reports icon at the top.
Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
make sure to remember where you saved that file, this is important
Close AVG Anti-Spyware Free
IMPORTANT: Do not open any other windows or programs while AVG is scanning, it may interfere with the scanning process:
Reboot normally.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
Post the log from Smitfraud fix, the AVG Spyware log and a New HJT log please
I followed through the directed steps,
here are the updated logs.
Logfile of HijackThis v1.99.1
Scan saved at 6:30:26 PM, on 31/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Get Free Internet Fast and Free
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.getfreeinternet.co.uk/news.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 8:17:56 PM 31/10/2007
+ Scan result:
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000016.exe -> Logger.Peflog.44 : Cleaned.
:mozilla.173:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.36:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.37:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.38:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Steve\Cookies\steve@pandasoftware.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.119:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Steve\Cookies\steve@ehg-kasperskylab.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.7:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.39:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.40:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.41:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.42:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.43:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.80:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.81:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.82:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.83:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.84:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Steve\Cookies\steve@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
::Report end
It looks like its gone but I need to see the Smitfraud report please
SmitFraudFix v2.246
Scan done at 18:17:56.18, 31/10/2007
Run from C:\Documents and Settings\Steve\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 downloads.aaa1screensavers.com #[Bargin Buddy]
127.0.0.1 dl.aaascreensavers.com
127.0.0.1 abcsearch.com
127.0.0.1 admin.abcsearch.com
127.0.0.1 www3.abcsearch.com #[Browseraid]
127.0.0.1 www.abcsearch.com
127.0.0.1 abc517.net #[Trojan.Mitglieder.H]
127.0.0.1 absoluagency.com #[Trojan.StartPage.H]
127.0.0.1 acestats.com
127.0.0.1 www.acestats.com
127.0.0.1 actualnames.com #[Parasite.ActualNames][Spyware.ActualNames]
127.0.0.1 libefro.it
127.0.0.1 www.libefro.it
127.0.0.1 libegro.it
127.0.0.1 www.libegro.it
127.0.0.1 liber0.it
127.0.0.1 www.liber0.it
127.0.0.1 liber0o.it
127.0.0.1 www.liber0o.it
127.0.0.1 liber4o.it
127.0.0.1 www.liber4o.it
127.0.0.1 liber5o.it
127.0.0.1 www.liber5o.it
127.0.0.1 liber9.it
127.0.0.1 www.liber9.it
127.0.0.1 liberdo.it
127.0.0.1 www.liberdo.it
127.0.0.1 libereo.it
127.0.0.1 www.libereo.it
127.0.0.1 liberfo.it
127.0.0.1 www.liberfo.it
127.0.0.1 libergo.it
127.0.0.1 www.libergo.it
127.0.0.1 liberko.it
127.0.0.1 www.liberko.it
127.0.0.1 liberl.it
127.0.0.1 www.liberl.it
127.0.0.1 liberlo.it
127.0.0.1 www.liberlo.it
127.0.0.1 libero0.it
127.0.0.1 www.libero0.it
127.0.0.1 libero9.it
127.0.0.1 www.libero9.it
127.0.0.1 liberoi.it
127.0.0.1 www.liberoi.it
127.0.0.1 liberok.it
127.0.0.1 www.liberok.it
127.0.0.1 liberol.it
127.0.0.1 www.liberol.it
127.0.0.1 liberop.it
127.0.0.1 www.liberop.it
127.0.0.1 liberpo.it
127.0.0.1 www.liberpo.it
127.0.0.1 liberro.it
127.0.0.1 www.liberro.it
127.0.0.1 libertyonlinehosting.com
127.0.0.1 libesro.it
127.0.0.1 www.libesro.it
127.0.0.1 libetro.it
127.0.0.1 www.libetro.it
127.0.0.1 libewro.it
127.0.0.1 www.libewro.it
127.0.0.1 libfero.it
127.0.0.1 www.libfero.it
127.0.0.1 libfro.it
127.0.0.1 www.libfro.it
127.0.0.1 libgero.it
127.0.0.1 www.libgero.it
127.0.0.1 libhero.it
127.0.0.1 www.libhero.it
127.0.0.1 libnero.it
127.0.0.1 www.libnero.it
127.0.0.1 libreo.it
127.0.0.1 www.libreo.it
127.0.0.1 librero.it
127.0.0.1 www.librero.it
127.0.0.1 libsero.it
127.0.0.1 www.libsero.it
127.0.0.1 libsro.it
127.0.0.1 www.libsro.it
127.0.0.1 libvero.it
127.0.0.1 www.libvero.it
127.0.0.1 libwero.it
127.0.0.1 www.libwero.it
127.0.0.1 libwro.it
127.0.0.1 www.libwro.it
127.0.0.1 ligbero.it
127.0.0.1 www.ligbero.it
127.0.0.1 ligero.it
127.0.0.1 www.ligero.it
127.0.0.1 lightcodec.com
127.0.0.1 www.lightcodec.com
127.0.0.1 lightspeedsearch.net
127.0.0.1 www.lightspeedsearch.net
127.0.0.1 lihbero.it
127.0.0.1 www.lihbero.it
127.0.0.1 lihero.it
127.0.0.1 www.lihero.it
127.0.0.1 liibero.it
127.0.0.1 www.liibero.it
127.0.0.1 lijbero.it
127.0.0.1 www.lijbero.it
127.0.0.1 likbero.it
127.0.0.1 www.likbero.it
127.0.0.1 lilbero.it
127.0.0.1 www.lilbero.it
127.0.0.1 limewire2007pro.info
127.0.0.1 www.limewire2007pro.info
127.0.0.1 limewire-download-pro.com
127.0.0.1 www.limewire-download-pro.com
127.0.0.1 limewire-mp3-share.com
127.0.0.1 www.limewire-mp3-share.com
127.0.0.1 limewirenetwork.com
127.0.0.1 www.limewirenetwork.com
127.0.0.1 limewire-pro-downloads.com
127.0.0.1 www.limewire-pro-downloads.com
127.0.0.1 limewirezone.com
127.0.0.1 www.limewirezone.com
127.0.0.1 linbero.it
127.0.0.1 www.linbero.it
127.0.0.1 linero.it
127.0.0.1 www.linero.it
127.0.0.1 lingerie-mania.com
127.0.0.1 linkautomatici.com
127.0.0.1 www.linkautomatici.com
127.0.0.1 links4all.biz
127.0.0.1 liobero.it
127.0.0.1 www.liobero.it
127.0.0.1 lisamatthew.com
127.0.0.1 little-download.net
127.0.0.1 www.little-download.net
127.0.0.1 little-help.com
127.0.0.1 www.little-help.com
127.0.0.1 liubero.it
127.0.0.1 www.liubero.it
127.0.0.1 livbero.it
127.0.0.1 www.livbero.it
127.0.0.1 www.live.sex-explorer.com
127.0.0.1 livegambling.com
127.0.0.1 liveholio.com
127.0.0.1 livenewspaper.com
127.0.0.1 liveplayer.tv
127.0.0.1 www.liveplayer.tv
127.0.0.1 ljbero.it
127.0.0.1 www.ljbero.it
127.0.0.1 ljibero.it
127.0.0.1 www.ljibero.it
127.0.0.1 lkataweb.it
127.0.0.1 www.lkataweb.it
127.0.0.1 lkbero.it
127.0.0.1 www.lkbero.it
127.0.0.1 lkibero.it
127.0.0.1 www.lkibero.it
127.0.0.1 llibero.it
127.0.0.1 www.llibero.it
127.0.0.1 loading-lolita.com
127.0.0.1 locked-domain.com
127.0.0.1 logerau11.com
127.0.0.1 www.logerau11.com
127.0.0.1 logih.com
127.0.0.1 login.fric.cn
127.0.0.1 www.login.fric.cn
127.0.0.1 logs.vapochille.com
127.0.0.1 www.logs.vapochille.com
127.0.0.1 loibero.it
127.0.0.1 www.loibero.it
127.0.0.1 lolita4all1.xrensmagpost.com
127.0.0.1 lollitop.com
127.0.0.1 lordoftibia.pl
127.0.0.1 www.lordoftibia.pl
127.0.0.1 louiseleeds.com
127.0.0.1 love-host.com
127.0.0.1 lovelas.com
127.0.0.1 lovelysearch.com
127.0.0.1 love-pix.com
127.0.0.1 lovezest.com
127.0.0.1 www.lovezest.com
127.0.0.1 loweradult.com
127.0.0.1 www.loweradult.com
127.0.0.1 low-taxes.com
127.0.0.1 lpibero.it
127.0.0.1 www.lpibero.it
127.0.0.1 luibero.it
127.0.0.1 www.luibero.it
127.0.0.1 lunitaweb.net
127.0.0.1 lustful-porno.com
127.0.0.1 lzio.com
127.0.0.1 www.lzio.com
127.0.0.1 mabou.org
127.0.0.1 www.mabou.org
127.0.0.1 mackinnonsbrook.org
127.0.0.1 macrovirus.com
127.0.0.1 www.macrovirus.com
127.0.0.1 madfinder.com
127.0.0.1 madisonmoons.com
127.0.0.1 madisonoilco.com
127.0.0.1 madonalive.com
127.0.0.1 madsexxx.com
127.0.0.1 www.madsexxx.com
127.0.0.1 mafiapics.com
127.0.0.1 magicsearch.ws
127.0.0.1 www.magicsearch.ws
127.0.0.1 mainstreamdollars.com
127.0.0.1 www.mainstreamdollars.com
127.0.0.1 majuozawa.com
127.0.0.1 makin-do.com
127.0.0.1 male4free.com
127.0.0.1 malwarealarm.com
127.0.0.1 www.malwarealarm.com
127.0.0.1 malwarebot.com
127.0.0.1 www.malwarebot.com
127.0.0.1 malwarewipe.com
127.0.0.1 www.malwarewipe.com
127.0.0.1 malwarewiped.com
127.0.0.1 www.malwarewiped.com
127.0.0.1 malwarewipesupport.com
127.0.0.1 www.malwarewipesupport.com
127.0.0.1 malwarewipeupdate.com
127.0.0.1 www.malwarewipeupdate.com
127.0.0.1 map-quest.org
127.0.0.1 marilynchamber.com
127.0.0.1 marketengines.com
127.0.0.1 www.marketengines.com
127.0.0.1 marketing-know-how.com
127.0.0.1 www.marketing-know-how.com
127.0.0.1 marketingsector.com
127.0.0.1 masn.it
127.0.0.1 www.masn.it
127.0.0.1 massearch.com
127.0.0.1 master69.biz
127.0.0.1 www.master69.biz
127.0.0.1 master70.biz
127.0.0.1 www.master70.biz
127.0.0.1 master71.biz
127.0.0.1 www.master71.biz
127.0.0.1 masterbar.com
127.0.0.1 matcash.com
127.0.0.1 www.matcash.com
127.0.0.1 matetrava.com
127.0.0.1 mature50.com
127.0.0.1 matureporngate.com
127.0.0.1 maturepornmag.com
127.0.0.1 www.maturepornmag.com
127.0.0.1 maturespornmag.com
127.0.0.1 www.maturespornmag.com
127.0.0.1 maturetoolbar.com
127.0.0.1 maxdzines.com
127.0.0.1 maxifile.com
127.0.0.1 www.maxifile.com
127.0.0.1 maxysize.com
127.0.0.1 www.maxysize.com
127.0.0.1 mayancasino.com
127.0.0.1 mcafee-antivirus-2007.com
127.0.0.1 www.mcafee-antivirus-2007.com
127.0.0.1 mcboo.com
127.0.0.1 www.mcboo.com
127.0.0.1 mcdial.biz
127.0.0.1 www.mcdial.biz
127.0.0.1 mcgeeforlabor.com
127.0.0.1 mdstunisie.org
127.0.0.1 medcodec.com
127.0.0.1 www.medcodec.com
127.0.0.1 media.matcash.com
127.0.0.1 mediaactivex.com
127.0.0.1 www.mediaactivex.com
127.0.0.1 mediaactivexfile.com
127.0.0.1 www.mediaactivexfile.com
127.0.0.1 mediaactivexobject.com
127.0.0.1 www.mediaactivexobject.com
127.0.0.1 mediaactivextask.com
127.0.0.1 www.mediaactivextask.com
127.0.0.1 mediaaxobject.com
127.0.0.1 www.mediaaxobject.com
127.0.0.1 mediaaxproject.com
127.0.0.1 www.mediaaxproject.com
127.0.0.1 mediaaxsetup.com
127.0.0.1 www.mediaaxsetup.com
127.0.0.1 mediaaxsolution.com
127.0.0.1 www.mediaaxsolution.com
127.0.0.1 mediabusnetwork.com
127.0.0.1 www.mediabusnetwork.com
127.0.0.1 media-codec.com
127.0.0.1 www.media-codec.com
127.0.0.1 mediacodec.net
127.0.0.1 www.mediacodec.net
127.0.0.1 media-codec.net
127.0.0.1 www.media-codec.net
127.0.0.1 mediacodec2007.com
127.0.0.1 www.mediacodec2007.com
127.0.0.1 mediacount.net
127.0.0.1 www.mediacount.net
127.0.0.1 media-motor.net
127.0.0.1 mediaobjectguide.com
127.0.0.1 www.mediaobjectguide.com
127.0.0.1 mediaobjectsite.com
127.0.0.1 www.mediaobjectsite.com
127.0.0.1 mediaobjectsource.com
127.0.0.1 www.mediaobjectsource.com
127.0.0.1 mediaplayer-2007.com
127.0.0.1 www.mediaplayer-2007.com
127.0.0.1 mediaplayer-download.org
127.0.0.1 www.mediaplayer-download.org
127.0.0.1 mediaplayer-download-now.com
127.0.0.1 www.mediaplayer-download-now.com
127.0.0.1 mediaprojectaccess.com
127.0.0.1 www.mediaprojectaccess.com
127.0.0.1 medicare-insurance.net
127.0.0.1 medicare-supplemental.com
127.0.0.1 mega-adult.com
127.0.0.1 www.mega-adult.com
127.0.0.1 mega-codec.com
127.0.0.1 www.mega-codec.com
127.0.0.1 mega-dating-tips.com
127.0.0.1 megago.com
127.0.0.1 megalocast.net
127.0.0.1 www.megalocast.net
127.0.0.1 megapornix.com
127.0.0.1 megasearchbar.com
127.0.0.1 megaseek.net
127.0.0.1 megumikanzaki.com
127.0.0.1 meizi7472831.com
127.0.0.1 www.meizi7472831.com
127.0.0.1 Menacerescue.com
127.0.0.1 www.Menacerescue.com
127.0.0.1 Menacesecure.com
127.0.0.1 www.Menacesecure.com
127.0.0.1 meshalynn.com
127.0.0.1 mesn.it
127.0.0.1 www.mesn.it
127.0.0.1 meta-adult.com
127.0.0.1 meta-casino.com
127.0.0.1 metafora.ru
127.0.0.1 meta-mobile.com
127.0.0.1 metapoisk.ru
127.0.0.1 meta-porn.com
127.0.0.1 metastop.com
127.0.0.1 www.metastop.com
127.0.0.1 methasearch.info
127.0.0.1 www.methasearch.info
127.0.0.1 mezzicodec.net
127.0.0.1 www.mezzicodec.net
127.0.0.1 miaminews365.net
127.0.0.1 www.miaminews365.net
127.0.0.1 michiyonakajima.com
127.0.0.1 miconsultamedica.com
127.0.0.1 micro-codec.com
127.0.0.1 www.micro-codec.com
127.0.0.1 microsoftantispyware.net
127.0.0.1 www.microsoftantispyware.net
127.0.0.1 midlets.biz
127.0.0.1 www.midlets.biz
127.0.0.1 mikasakamoto.com
127.0.0.1 mikoni.com
127.0.0.1 militarygods.porn4porn.net
127.0.0.1 millennialpeople.org
127.0.0.1 miosearch.com
127.0.0.1 www.miosearch.com
127.0.0.1 mipham.org
127.0.0.1 mir.100888290cs.com
127.0.0.1 mirarsearch.com
127.0.0.1 www.mirarsearch.com
127.0.0.1 mircosoftantispy.com
127.0.0.1 www.mircosoftantispy.com
127.0.0.1 misofthelp.com
127.0.0.1 www.misofthelp.com
127.0.0.1 missingcommand.com
127.0.0.1 mixsearch.com
127.0.0.1 www.mixsearch.com
127.0.0.1 mjsn.it
127.0.0.1 www.mjsn.it
127.0.0.1 mkataweb.it
127.0.0.1 www.mkataweb.it
127.0.0.1 mksn.it
127.0.0.1 www.mksn.it
127.0.0.1 mmcodec.com
127.0.0.1 www.mmcodec.com
127.0.0.1 mmm.elitemediagroup.net
127.0.0.1 mmmike.com
127.0.0.1 www.mmmike.com
127.0.0.1 mmohsix.com
127.0.0.1 www.mmohsix.com
127.0.0.1 mnsn.it
127.0.0.1 www.mnsn.it
127.0.0.1 mokead.com
127.0.0.1 www.mokead.com
127.0.0.1 mommykiss.com
127.0.0.1 money-advertise.info
127.0.0.1 www.money-advertise.info
127.0.0.1 moneyhunters.com
127.0.0.1 montgomeryhospitalanesthesia.com
127.0.0.1 morflot.com
127.0.0.1 mortgage-debt.net
127.0.0.1 mortismaximus.com
127.0.0.1 moscowwhores.com
127.0.0.1 motioncodecs.com
127.0.0.1 www.motioncodecs.com
127.0.0.1 moviecategories.com
127.0.0.1 moviecodec.net
127.0.0.1 www.moviecodec.net
127.0.0.1 moviecodecs.net
127.0.0.1 www.moviecodecs.net
127.0.0.1 moviereality.com
127.0.0.1 www.moviereality.com
127.0.0.1 movies-codecs.com
127.0.0.1 www.movies-codecs.com
127.0.0.1 moviesdvds.net
127.0.0.1 www.moviesdvds.net
127.0.0.1 movietooklit.com
127.0.0.1 www.movietooklit.com
127.0.0.1 movscodec.com
127.0.0.1 www.movscodec.com
127.0.0.1 mp3bearshare.com
127.0.0.1 www.mp3bearshare.com
127.0.0.1 mp3-morpheus.com
127.0.0.1 www.mp3-morpheus.com
127.0.0.1 mp3musichq.com
127.0.0.1 www.mp3musichq.com
127.0.0.1 mp3-music-source.com
127.0.0.1 www.mp3-music-source.com
127.0.0.1 mp3-muzic.com
127.0.0.1 www.mp3-muzic.com
127.0.0.1 mp3-pix.com
127.0.0.1 mp3winmx.com
127.0.0.1 www.mp3winmx.com
127.0.0.1 mpeg-look.com
127.0.0.1 mrantispy.com
127.0.0.1 www.mrantispy.com
127.0.0.1 mrtg.jps.ru
127.0.0.1 msan.it
127.0.0.1 www.msan.it
127.0.0.1 msantispy.com
127.0.0.1 www.msantispy.com
127.0.0.1 msbn.it
127.0.0.1 www.msbn.it
127.0.0.1 msen.it
127.0.0.1 www.msen.it
127.0.0.1 mshn.it
127.0.0.1 www.mshn.it
127.0.0.1 msjn.it
127.0.0.1 www.msjn.it
127.0.0.1 msmn.it
127.0.0.1 www.msmn.it
127.0.0.1 msnb.it
127.0.0.1 www.msnb.it
127.0.0.1 msnguard.cc
127.0.0.1 msnh.it
127.0.0.1 www.msnh.it
127.0.0.1 msn-info.net
127.0.0.1 msnj.it
127.0.0.1 www.msnj.it
127.0.0.1 msnm.it
127.0.0.1 www.msnm.it
127.0.0.1 mssn.it
127.0.0.1 www.mssn.it
127.0.0.1 msupdate.net
127.0.0.1 www.msupdate.net
127.0.0.1 msupdater.net
127.0.0.1 www.msupdater.net
127.0.0.1 mswn.it
127.0.0.1 www.mswn.it
127.0.0.1 msxn.it
127.0.0.1 www.msxn.it
127.0.0.1 mszn.it
127.0.0.1 www.mszn.it
127.0.0.1 mt-download.com
127.0.0.1 MUAFK.COM
127.0.0.1 www.MUAFK.COM
127.0.0.1 multimediaobject.com
127.0.0.1 www.multimediaobject.com
127.0.0.1 multi-pops.com
127.0.0.1 www.multi-pops.com
127.0.0.1 multipussy.com
127.0.0.1 multitrader.info
127.0.0.1 www.multitrader.info
127.0.0.1 mundopolar.com
127.0.0.1 munky.com
127.0.0.1 www.munky.com
127.0.0.1 musicmatch.free-software-center.com
127.0.0.1 www.musicmatch.free-software-center.com
127.0.0.1 mustv.com
127.0.0.1 mwsn.it
127.0.0.1 www.mwsn.it
127.0.0.1 mxsn.it
127.0.0.1 www.mxsn.it
127.0.0.1 myadultexplorer.com
127.0.0.1 www.myadultexplorer.com
127.0.0.1 mybestsearch2007.com
127.0.0.1 www.mybestsearch2007.com
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\bxsbang.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{934ACA86-3177-42FD-8A28-7A5EAFA89E67}]
Deleting [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{934ACA86-3177-42FD-8A28-7A5EAFA89E67}]
C:\WINDOWS\kthemup.exe Deleted
C:\WINDOWS\movctrlnkd.dll Deleted
C:\WINDOWS\nssfrch.dll Deleted
C:\WINDOWS\ocgrep.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{6805CF13-F95F-4B1E-B822-7FEABEA2DA72}]
C:\WINDOWS\privacy_danger\ Deleted
C:\DOCUME~1\Steve\Desktop\Error Cleaner.url Deleted
C:\DOCUME~1\Steve\Desktop\Privacy Protector.url Deleted
C:\DOCUME~1\Steve\Desktop\Spyware?Malware Protection.url Deleted
C:\DOCUME~1\Steve\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\Steve\FAVORI~1\Privacy Protector.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{DAA35FD3-DB28-46F1-AA3F-185853D51565}: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DAA35FD3-DB28-46F1-AA3F-185853D51565}: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{DAA35FD3-DB28-46F1-AA3F-185853D51565}: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Ken, buddy, you don't know how greatful I am.
Awesome work. Keep it up, and thanks a million!
Cool :bigthumb:
Go start> Run type cmd and hit OK
Type in ipconfig /flushdns then hit enter
(that space between g and / is needed)
Type exit hit enter
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
How are things running now??
Things are much, much better. And main thing is, that terrible background is gone.
Thank a lot!
:bigthumb::bigthumb::bigthumb:
Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad ? I mean really mad, seething mad, so mad your ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscredents, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney Generals Office and the Federal Trade Commission's Bureau of Consumer Protection.
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads
(cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and
painless download and install, it will no way interfere with IE, you can use them both.
Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I
wouldn't access the internet without it.
Glad we could help
Safe Surfn
Ken