PDA

View Full Version : Hijacker. Spawns popups etc



Liquix
2007-12-19, 18:08
I got an annoying hijacker. It takes control oer my homepage and my desktop. It sspawns error messages recomending me to download a software and sometimes telling me that someone i able to hack my computer.

It makes my computer go slow and freezes it. It randomly changes focus on my windows and sometimes kills explorer.exe. I sometimes spawn popups for securepccleaner.com.

It even creates an icon on the taskbar.

LOGS:
HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:59:56, on 19.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\Hp\HP Software Update\HPWuSchd2.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programfiler\Java\jre1.5.0_05\bin\jusched.exe
C:\Programfiler\Java\jre1.5.0_05\bin\jucheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programfiler\HPQ\shared\hpqwmi.exe
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: BDEX System - {7875DBFF-6B8A-4B74-B8A2-E2DBF657CA03} - C:\WINDOWS\ttvbonfvm.dll
O3 - Toolbar: The leosrv - {14E52265-CCA3-4F78-A21B-88F4EE6E78C1} - C:\WINDOWS\leosrv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Programfiler\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programfiler\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programfiler\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D39E7FE-A689-4E2D-985C-EA2118FEB6E1}: NameServer = 85.255.116.137,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D9382AD-99DB-430F-8254-3EC60FD01863}: NameServer = 85.255.116.137,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{3830A651-AA83-43F1-AFFF-E3BD442653C1}: NameServer = 85.255.116.137,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{9474E42D-C41E-4DCE-92CB-E1A00B6EFFF3}: NameServer = 85.255.116.137,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D39E7FE-A689-4E2D-985C-EA2118FEB6E1}: NameServer = 85.255.116.137,85.255.112.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D39E7FE-A689-4E2D-985C-EA2118FEB6E1}: NameServer = 85.255.116.137,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.8
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: hjoqor - {5F1E244C-542E-427E-AD1F-4E5FA4A90936} - C:\WINDOWS\hjoqor.dll
O21 - SSODL: xcvwer - {295F523D-D39B-4BDF-BC22-D8E188EC9E32} - C:\WINDOWS\xcvwer.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programfiler\HPQ\shared\hpqwmi.exe
O23 - Service: iPod-tjeneste (iPodService) - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 5774 bytes


Uninstall List:

Ad-Aware 2007
Athlon 64 Processor Driver
ATI - Avinstalleringsverktøy for Programvaren
ATI Display Driver
ATI Kontrollpanel
Broadcom 802.11 Wireless LAN Adapter
Conexant AC-Link Audio
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
HP Help and Support
HP Software Update
HP Wireless Assistant 1.01 C1
Hurtigreparasjon for Windows XP (KB896256)
iTunes
J2SE Runtime Environment 5.0 Update 5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Norwegian Language Pack
Mozilla Firefox (2.0.0.11)
Oppdatering for Windows XP (KB898461)
Quick Launch Buttons 5.20 D2
QuickTime
REALTEK Gigabit and Fast Ethernet NIC Driver
Sikkerhetsoppdatering for Windows XP (KB893066)
Sikkerhetsoppdatering for Windows XP (KB896358)
Sikkerhetsoppdatering for Windows XP (KB896422)
Skype™ 3.6
Soft Data Fax Modem with SmartCP
Sonic Audio Module
Sonic Copy Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
SUPERAntiSpyware Free Edition
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
VideoLAN VLC media player 0.8.6d
WebVideo Support
Windows Installer 3.1 (KB893803)
Windows Live installer
Windows Media Format Runtime
Windows Media Player 10
Windows XP hurtigreparasjon - KB883667
Windows XP hurtigreparasjon - KB884575
Windows XP hurtigreparasjon - KB885464
Windows XP hurtigreparasjon - KB885855
Windows XP hurtigreparasjon - KB888113
Windows XP hurtigreparasjon - KB888239
Windows XP hurtigreparasjon - KB888402
Windows XP hurtigreparasjon - KB889673
Windows XP hurtigreparasjon - KB891781
Windows XP hurtigreparasjon - KB892559



SmitFraudFix:

SmitFraudFix v2.273

Scan done at 17:02:29,09, 19.12.2007
Run from C:\Documents and Settings\Kim\Skrivebord\SmitfraudFix
OS: Microsoft Windows XP [Versjon 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\Hp\HP Software Update\HPWuSchd2.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programfiler\Java\jre1.5.0_05\bin\jusched.exe
C:\Programfiler\Java\jre1.5.0_05\bin\jucheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programfiler\HPQ\shared\hpqwmi.exe
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\binret.exe FOUND !
C:\WINDOWS\hjoqor.dll FOUND !
C:\WINDOWS\leosrv.dll FOUND !
C:\WINDOWS\privacy_danger FOUND !
C:\WINDOWS\ttvbon???.dll FOUND !
C:\WINDOWS\xcvwer.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kim


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kim\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Kim\FAVORI~1

C:\DOCUME~1\Kim\FAVORI~1\Error Cleaner.url FOUND !
C:\DOCUME~1\Kim\FAVORI~1\Privacy Protector.url FOUND !
C:\DOCUME~1\Kim\FAVORI~1\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programfiler


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Min gjeldende hjemmeside"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kddlv.exe"

kddlv.exe detected !


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Realtek RTL8139 Family PCI Fast Ethernet-kort - Miniport for pakkeplanlegger
DNS Server Search Order: 85.255.116.137
DNS Server Search Order: 85.255.112.8

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Broadcom 802.11a/b/g WLAN - Miniport for pakkeplanlegger
DNS Server Search Order: 85.255.116.137
DNS Server Search Order: 85.255.112.8

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0D39E7FE-A689-4E2D-985C-EA2118FEB6E1}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{0D39E7FE-A689-4E2D-985C-EA2118FEB6E1}: NameServer=85.255.116.137,85.255.112.8
HKLM\SYSTEM\CCS\Services\Tcpip\..\{0D9382AD-99DB-430F-8254-3EC60FD01863}: NameServer=85.255.116.137,85.255.112.8
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3830A651-AA83-43F1-AFFF-E3BD442653C1}: DhcpNameServer=85.255.116.137,85.255.112.8
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3830A651-AA83-43F1-AFFF-E3BD442653C1}: NameServer=85.255.116.137,85.255.112.8
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9474E42D-C41E-4DCE-92CB-E1A00B6EFFF3}: DhcpNameServer=85.255.116.137,85.255.112.8
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9474E42D-C41E-4DCE-92CB-E1A00B6EFFF3}: NameServer=85.255.116.137,85.255.112.8
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0D39E7FE-A689-4E2D-985C-EA2118FEB6E1}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0D39E7FE-A689-4E2D-985C-EA2118FEB6E1}: NameServer=85.255.116.137,85.255.112.8
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0D9382AD-99DB-430F-8254-3EC60FD01863}: NameServer=85.255.116.137,85.255.112.8
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3830A651-AA83-43F1-AFFF-E3BD442653C1}: DhcpNameServer=85.255.116.137,85.255.112.8
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3830A651-AA83-43F1-AFFF-E3BD442653C1}: NameServer=85.255.116.137,85.255.112.8
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9474E42D-C41E-4DCE-92CB-E1A00B6EFFF3}: DhcpNameServer=85.255.116.137,85.255.112.8
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9474E42D-C41E-4DCE-92CB-E1A00B6EFFF3}: NameServer=85.255.116.137,85.255.112.8
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0D39E7FE-A689-4E2D-985C-EA2118FEB6E1}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0D39E7FE-A689-4E2D-985C-EA2118FEB6E1}: NameServer=85.255.116.137,85.255.112.8
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0D9382AD-99DB-430F-8254-3EC60FD01863}: DhcpNameServer=85.255.116.137,85.255.112.8
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0D9382AD-99DB-430F-8254-3EC60FD01863}: NameServer=85.255.116.137,85.255.112.8
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3830A651-AA83-43F1-AFFF-E3BD442653C1}: DhcpNameServer=85.255.116.137,85.255.112.8
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3830A651-AA83-43F1-AFFF-E3BD442653C1}: NameServer=85.255.116.137,85.255.112.8
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9474E42D-C41E-4DCE-92CB-E1A00B6EFFF3}: DhcpNameServer=85.255.116.137,85.255.112.8
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9474E42D-C41E-4DCE-92CB-E1A00B6EFFF3}: NameServer=85.255.116.137,85.255.112.8
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.116.137 85.255.112.8
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.116.137 85.255.112.8
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.116.137 85.255.112.8


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Shaba
2007-12-20, 15:06
Hi Liquix and welcome to Safer Networking Forums :)

I see no antivirus installed so we start with that:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/)- Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/doc/1) - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

After that:

Delete your copy of Smitfraudfix, it's outdated.

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.
______________________________

Double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete... under Browsing History.
Next to Temporary Internet Files, click Delete files, and then click OK.
Next to Cookies, click Delete cookies, and then click OK.
Next to History, click Delete history, and then click OK.
Click the Close button.
Click OK.
For Internet Explorer 4.x - 6.x
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.
For Netscape 4.x and Up
Click Edit from the Netscape menubar.
Click Preferences... from the Edit menu.
Expand the Advanced menu by clicking the triangle sign.
Click Cache.
Click both the Clear Memory Cache and the Clear Disk Cache buttons.
For Mozilla 1.x and Up
Click Edit from the Mozilla menubar.
Click Preferences... from the Edit menu.
Expand the Advanced menu by clicking the plus sign.
Click Cache.
Click the Clear Cache button.
For Opera
Click File from the Opera menubar.
Click Preferences... from the File menu.
Click the History and Cache menu.
Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
Click Ok to close the Preferences menu.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Unselect Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________

Please post:
c:\rapport.txt
AVG Anti-Spyware log
A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.

Shaba
2007-12-27, 15:42
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it had been 10 days or more since your last post, and especially if the helper assisting you posted a response to that post to which you did not reply, the topic will not be reopened.

In that situation, if you still require help, it would be best to start a new topic and include a fresh HijackThis log with a link to your original thread.

Everyone else please begin a New Topic.