Page 1 of 2 12 LastLast
Results 1 to 10 of 18

Thread: Spyware problem, Zlob downloader? emotrlq toolbar i didnt install wont go away

  1. #1
    Member
    Join Date
    Feb 2008
    Posts
    32

    Default Spyware problem, Zlob downloader? emotrlq toolbar i didnt install wont go away

    some spyware got into my computer about half a week ago. i could tell because there was a new toolbar on my computer saying my computer has spyware and to go to it's link to get rid of it. the toolbar was called emotrlq. i scanned my computer with Norton internet security, which said computer's clean. so then i downloaded spybot and it scanned and deleted the following: Smitfraud-C, Zlob.downloader.vcd, and zlob.download.rid. then i was searching google for the names of the things it deleted, and came across some explanations etc, and it showed a free spyware scanner called PREVX CSI. i downloaded and scanned it, and it said there were like 3 spyware files left and when i scanned with spybot it would not pick these up. So i want my computer back to the way it was, free of any spyware, and when spybot deleted those files there is no more toolbar, however when i rightclick the toolbar pane it still shows a link to emotrlq, which doesnt work but i'd like to get rid of. Ive also scanned with Kaspersky online scanner and i got an HJT log. please help me get rid of this.
    thanks in advance, and heres the HJT log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:10:34 PM, on 20/02/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16609)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\hp\support\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    C:\WINDOWS\RtHDVCpl.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Users\Computer\Program Files\DNA\btdna.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\hp\kbd\kbd.exe
    C:\Windows\system32\conime.exe
    C:\Program Files\Hewlett-Packard\HP Advisor\SSDK04.exe
    C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
    O3 - Toolbar: emotrlq - {380F14D3-BD6F-4F5A-984A-70CC23EEA61D} - C:\Windows\emotrlq.dll (file missing)
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
    O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Computer\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/reso...PUplden-ca.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O21 - SSODL: admggxp - {AE718BAF-B923-4A2C-8397-252DE407A3A0} - C:\Windows\admggxp.dll
    O21 - SSODL: bdmnopx - {F9AA1090-89AB-43B5-8713-8EF9F1CAC6E2} - C:\Windows\bdmnopx.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\Windows\system32\libusbd-nt.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 11438 bytes



    i cant find the kaspersky scan so i might have to do that again. please help soon.

    Edit:

    Last edited by tashi; 2008-02-21 at 07:42. Reason: Mod: removed duplicate topic and comments. No need for rest of scan results until helper responds. ;-)

  2. #2
    Member
    Join Date
    Feb 2008
    Posts
    32

    Default

    ok i scanned with kaspersky again and im very confused. i accidentally scanned twice, the first about 5 days ago, and the second today because i couldnt find the first. now ive found both and i am confused. the first scan i clicked standard, and came up with no viruses, and the second i clicked extended and it came up with 3 viruses and 11 infections. here is scan 1, next post is scan 2.

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, February 15, 2008 9:34:13 PM
    Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 15/02/2008
    Kaspersky Anti-Virus database records: 526180
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

    Scan Statistics:
    Total number of scanned objects: 137773
    Number of viruses found: 0
    Number of infected objects: 0
    Number of suspicious objects: 0
    Duration of the scan process: 02:19:30

    Infected Object Name / Virus Name / Last Action
    C:\Boot\BCD Object is locked skipped
    C:\Boot\BCD.LOG Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
    C:\Program Files\PC-Doctor 5 for Windows\Configuration\config.xml Object is locked skipped
    C:\ProgramData\Symantec\Common Client\settings.bak Object is locked skipped
    C:\ProgramData\Symantec\Common Client\settings.dat Object is locked skipped
    C:\ProgramData\Symantec\LiveUpdate\2008-02-15_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBConfig.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBDebug.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBDetect.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBNotify.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBRefr.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetDev.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBStHash.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBValid.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\SPPolicy.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\SPStart.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\SPStop.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SubEng\submissions.idx Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDALRT.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDCON.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDDBG.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDFW.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDIDS.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDSYS.log Object is locked skipped
    C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\864da5be2adb28c7711b08a95f5dd038_390a2636-5a2e-43c1-9914-129ca03a9f40 Object is locked skipped
    C:\ProgramData\Microsoft\Windows\DRM\Cache\Indiv01.tmp Object is locked skipped
    C:\ProgramData\Microsoft\Windows\DRM\drmstore.hds Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008021520080216\index.dat Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012008021520080216\index.dat Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\UsrClass.dat{2e03b47a-5649-11dc-a105-001bfc51b749}.TM.blf Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\UsrClass.dat{2e03b47a-5649-11dc-a105-001bfc51b749}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows\UsrClass.dat{2e03b47a-5649-11dc-a105-001bfc51b749}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Messenger\ibrahim--a@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Messenger\ibrahim--a@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Messenger\ibrahim--a@hotmail.com\SharingMetadata\Working\database_F8AE_9DCE_AE9D_85B2\dfsr.db Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Messenger\ibrahim--a@hotmail.com\SharingMetadata\Working\database_F8AE_9DCE_AE9D_85B2\fsr.log Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Messenger\ibrahim--a@hotmail.com\SharingMetadata\Working\database_F8AE_9DCE_AE9D_85B2\fsrtmp.log Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Messenger\ibrahim--a@hotmail.com\SharingMetadata\Working\database_F8AE_9DCE_AE9D_85B2\tmp.edb Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows Live Contacts\ibrahim--a@hotmail.com\real\members.stg Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows Live Contacts\ibrahim--a@hotmail.com\shadow\members.stg Object is locked skipped
    C:\Users\Computer\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped
    C:\Users\Computer\AppData\Local\Temp\~DF20F4.tmp Object is locked skipped
    C:\Users\Computer\AppData\Local\Temp\~DF2126.tmp Object is locked skipped
    C:\Users\Computer\AppData\Local\Temp\~DF4EBF.tmp Object is locked skipped
    C:\Users\Computer\AppData\Local\Temp\~DF4EDC.tmp Object is locked skipped
    C:\Users\Computer\AppData\Local\Temp\~DFD69C.tmp Object is locked skipped
    C:\Users\Computer\AppData\Local\VirtualStore\ProgramData\muvee Technologies\030625\0103\0399\ProductKey.val Object is locked skipped
    C:\Users\Computer\AppData\Local\VirtualStore\ProgramData\muvee Technologies\030625\0103\0399\template.mmdf Object is locked skipped
    C:\Users\Computer\AppData\Local\VirtualStore\ProgramData\muvee Technologies\030625\0103\0399\values Object is locked skipped
    C:\Users\Computer\AppData\Roaming\microsoft\Windows\Cookies\index.dat Object is locked skipped
    C:\Users\Computer\AppData\Roaming\microsoft\Windows\Cookies\Low\index.dat Object is locked skipped
    C:\Users\Computer\NTUSER.DAT Object is locked skipped
    C:\Users\Computer\ntuser.dat.LOG1 Object is locked skipped
    C:\Users\Computer\ntuser.dat.LOG2 Object is locked skipped
    C:\Users\Computer\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
    C:\Users\Computer\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Users\Computer\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Users\Public\Recorded TV\TempRec\TempSBE\MSDVRMM_2929558962_196608_138199 Object is locked skipped
    C:\Users\Public\Recorded TV\TempRec\TempSBE\MSDVRMM_2929558962_2228224_111108 Object is locked skipped
    C:\Users\Public\Recorded TV\TempRec\TempSBE\MSDVRMM_2929558962_9109504_941 Object is locked skipped
    C:\Users\Public\Recorded TV\TempRec\TempSBE\SBE31A8.tmp Object is locked skipped
    C:\Users\Public\Recorded TV\TempRec\TempSBE\SBE8FFF.tmp Object is locked skipped
    C:\Users\Public\Recorded TV\TempRec\TempSBE\SBE9DC1.tmp Object is locked skipped
    C:\Users\Public\Recorded TV\TempRec\{74475FD8-66AC-40A8-B532-CA4CE1997A1E}.TmpSBE Object is locked skipped
    C:\Users\Public\Recorded TV\TempRec\{D9385716-E51C-4F18-9DCC-20F615EDD5F1}.TmpSBE Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Debug\sam.log Object is locked skipped
    C:\WINDOWS\Debug\WIA\wiatrace.log Object is locked skipped
    C:\WINDOWS\Logs\CBS\CBS.log Object is locked skipped
    C:\WINDOWS\Logs\CBS\CBS.persist.log Object is locked skipped
    C:\WINDOWS\Logs\DPX\setupact.log Object is locked skipped
    C:\WINDOWS\Logs\DPX\setuperr.log Object is locked skipped
    C:\WINDOWS\MEMORY.DMP Object is locked skipped
    C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped
    C:\WINDOWS\Panther\UnattendGC\diagerr.xml Object is locked skipped
    C:\WINDOWS\Panther\UnattendGC\diagwrn.xml Object is locked skipped
    C:\WINDOWS\Panther\UnattendGC\setupact.log Object is locked skipped
    C:\WINDOWS\Panther\UnattendGC\setuperr.log Object is locked skipped
    C:\WINDOWS\security\database\secedit.sdb Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{0CD26253-1758-4BFA-8A59-792AF9A76CBD}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
    C:\WINDOWS\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
    C:\WINDOWS\System32\catroot2\edb.log Object is locked skipped
    C:\WINDOWS\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
    C:\WINDOWS\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
    C:\WINDOWS\System32\config\COMPONENTS Object is locked skipped
    C:\WINDOWS\System32\config\COMPONENTS.LOG1 Object is locked skipped
    C:\WINDOWS\System32\config\COMPONENTS.LOG2 Object is locked skipped
    C:\WINDOWS\System32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\System32\config\DEFAULT.LOG1 Object is locked skipped
    C:\WINDOWS\System32\config\DEFAULT.LOG2 Object is locked skipped
    C:\WINDOWS\System32\config\SAM Object is locked skipped
    C:\WINDOWS\System32\config\SAM.LOG1 Object is locked skipped
    C:\WINDOWS\System32\config\SAM.LOG2 Object is locked skipped
    C:\WINDOWS\System32\config\SECURITY Object is locked skipped
    C:\WINDOWS\System32\config\SECURITY.LOG1 Object is locked skipped
    C:\WINDOWS\System32\config\SECURITY.LOG2 Object is locked skipped
    C:\WINDOWS\System32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\System32\config\SOFTWARE.LOG1 Object is locked skipped
    C:\WINDOWS\System32\config\SOFTWARE.LOG2 Object is locked skipped
    C:\WINDOWS\System32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\System32\config\SYSTEM.LOG1 Object is locked skipped
    C:\WINDOWS\System32\config\SYSTEM.LOG2 Object is locked skipped
    C:\WINDOWS\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
    C:\WINDOWS\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
    C:\WINDOWS\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
    C:\WINDOWS\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
    C:\WINDOWS\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
    C:\WINDOWS\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\WINDOWS\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\WINDOWS\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
    C:\WINDOWS\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
    C:\WINDOWS\System32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
    C:\WINDOWS\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
    C:\WINDOWS\System32\restore\MachineGuid.txt Object is locked skipped
    C:\WINDOWS\System32\spool\SpoolerETW.etl Object is locked skipped
    C:\WINDOWS\System32\sysprep\Panther\diagerr.xml Object is locked skipped
    C:\WINDOWS\System32\sysprep\Panther\diagwrn.xml Object is locked skipped
    C:\WINDOWS\System32\sysprep\Panther\setupact.log Object is locked skipped
    C:\WINDOWS\System32\sysprep\Panther\setuperr.log Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\3460B7617E0429A960E481B197F238A3.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\AutoRecover\E478A5DB75C9721E744C05D78DBACFD3.mof Object is locked skipped
    C:\WINDOWS\System32\wbem\Logs\WMITracing.log Object is locked skipped
    C:\WINDOWS\System32\wbem\Repository\INDEX.BTR Object is locked skipped
    C:\WINDOWS\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Application.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Media Center.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Diagnosis-PLA%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-ParentalControls%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-RemoteAssistance%4Admin.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-RemoteAssistance%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\ODiag.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\OSession.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Security.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Setup.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\System.evtx Object is locked skipped
    C:\WINDOWS\Tasks\SCHEDLGU.TXT Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\WINDOWS\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd Object is locked skipped
    D:\$RECYCLE.BIN\Desktop.ini Object is locked skipped
    D:\$RECYCLE.BIN\Protect.ed Object is locked skipped

    Scan process completed.

  3. #3
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    The Kaspersky scan you posted shows nothing?
    Number of viruses found: 0
    Number of infected objects: 0
    Number of suspicious objects: 0

    Let's have a look for the infection.

    1) You are running System Configuration Utility (MSConfig) in Selective Startup Mode. I need to see the HJT logs in Normal mode. You can return to SS once we are finished.

    2) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
    * Run Spybot-S&D in Advanced Mode.
    * If it is not already set to do this Go to the Mode menu select "Advanced Mode"
    * On the left hand side, Click on Tools
    * Then click on the Resident Icon in the List
    * Uncheck "Resident TeaTimer" and OK any prompts.
    * Restart your computer.
    (leave TT disabled until we finish)

    3) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

    Search:
    Double-click SmitfraudFix.exe
    Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consultin...rocessutil.htm

    Post only the C:\rapport.txt

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  4. #4
    Member
    Join Date
    Feb 2008
    Posts
    32

    Default

    ok thanks for helping, here is the smit fraud fix report:

    SmitFraudFix v2.294

    Scan done at 16:10:35.22, 22/02/2008
    Run from C:\Users\Computer\Downloads\SmitfraudFix
    OS: Microsoft Windows [Version 6.0.6000] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\Windows\system32\csrss.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\libusbd-nt.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\hp\support\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    C:\WINDOWS\RtHDVCpl.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_SL.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Users\Computer\Program Files\DNA\btdna.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Microsoft Office\Office12\GROOVE.EXE
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\IEUser.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\ehome\ehsched.exe
    C:\Windows\ehome\ehRecvr.exe
    C:\Windows\system32\SearchProtocolHost.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\hp\kbd\kbd.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\cmd.exe
    C:\Windows\system32\conime.exe
    C:\Windows\system32\SearchFilterHost.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    hosts file corrupted !

    127.0.0.1 www.legal-at-spybot.info
    127.0.0.1 legal-at-spybot.info

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Windows


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Computer


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Computer\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Computer\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» VACFix
    !!!Attention, following keys are not inevitably infected!!!

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri

    [!] Suspicious: admggxp.dll
    SSODL: admggxp - {AE718BAF-B923-4A2C-8397-252DE407A3A0}


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "LoadAppInit_DLLs"=dword:00000000


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: NVIDIA nForce Networking Controller
    DNS Server Search Order: 192.168.1.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{2A8F4523-E8B7-4D74-8478-8094B6B23B0C}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{2A8F4523-E8B7-4D74-8478-8094B6B23B0C}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{2A8F4523-E8B7-4D74-8478-8094B6B23B0C}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    i was just wondering, the second HJT log is a bit too big to fit on a post, do you still want to see it because that is the one that said there are viruses.

  5. #5
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    I need to apologize, many of the tools we use will not work on Vista, and I did not notice that is your operating system. I will do the best I can.
    i was just wondering, the second HJT log is a bit too big to fit on a post, do you still want to see it because that is the one that said there are viruses.
    You mentioned scanning twice with Kaspersky, now you are saying HJT. Exactly what do you mean?

    I requested only the C:\rapport.txt, please post only what I ask for and then split the posts or do what you have to to get it posted for me.

    Smitfraudfix has found the infections and it also found this:
    »»»»»»»»»»»»»»»»»»»»»»»» hosts
    hosts file corrupted !

    After we clean, in the next C:\rapport.txt, there may be a very large hosts file
    (items starting with 127.0.0.1) and I do not need to see it. Edit (remove) it from the C:\rapport.txt before you post it.

    Clean:
    Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    Double-click SmitfraudFix.exe
    Select 2 and hit Enter to delete infect files.
    You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Optional:
    To restore Trusted and Restricted site zone, select 3 and hit Enter.
    You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
    Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

    Post the C:\rapport.txt and a new HJT log.

    Thanks
    Last edited by pskelley; 2008-02-22 at 23:25. Reason: add information
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #6
    Member
    Join Date
    Feb 2008
    Posts
    32

    Default

    hi ok sorry i meant i did 2 kaspersky scans not HJT.
    here is the rapport:

    SmitFraudFix v2.294

    Scan done at 18:29:44.06, 22/02/2008
    Run from C:\Users\Computer\Downloads\SmitfraudFix
    OS: Microsoft Windows [Version 6.0.6000] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts




    »»»»»»»»»»»»»»»»»»»»»»»» VACFix

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri
    C:\Windows\admggxp.dll deleted.


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{2A8F4523-E8B7-4D74-8478-8094B6B23B0C}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{2A8F4523-E8B7-4D74-8478-8094B6B23B0C}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{2A8F4523-E8B7-4D74-8478-8094B6B23B0C}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End


    and here is the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:39:48 PM, on 22/02/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16609)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\hp\support\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    C:\WINDOWS\RtHDVCpl.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Users\Computer\Program Files\DNA\btdna.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft Office\Office12\GROOVE.EXE
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\hp\kbd\kbd.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
    O3 - Toolbar: emotrlq - {380F14D3-BD6F-4F5A-984A-70CC23EEA61D} - C:\Windows\emotrlq.dll (file missing)
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
    O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SnapfishMediaDetector] C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Computer\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: Microsoft Office Groove.lnk = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Snapfish Media Detector.lnk = C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O21 - SSODL: bdmnopx - {F9AA1090-89AB-43B5-8713-8EF9F1CAC6E2} - C:\Windows\bdmnopx.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\Windows\system32\libusbd-nt.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 10111 bytes

  7. #7
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for cleaning that up for me, let's see how Smitfraudfix did.

    Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: emotrlq - {380F14D3-BD6F-4F5A-984A-70CC23EEA61D} - C:\Windows\emotrlq.dll (file missing)
    O21 - SSODL: bdmnopx - {F9AA1090-89AB-43B5-8713-8EF9F1CAC6E2} - C:\Windows\bdmnopx.dll (file missing)

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    Run ATF Cleaner
    Notes for Windows Vista users:
    On Windows Vista that "Windows Temp" is disabled, to empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator"
    Prefetch has been disabled on Windows Vista. As I'm not sure the effects that emptying prefetch on Windows Vista will have for the time being it I won't enable that function.
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Tell me how the computer is running now.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  8. #8
    Member
    Join Date
    Feb 2008
    Posts
    32

    Default

    thanks a lot you really helped. i scanned with spybot and prevx csi and they both came up clean. and the emotrlq toolbar is no longer there. i just have some questions to ask you, if you dont mind.

    1. is it ok to keep atf cleaner, because it deletes temp files so it can speed up my computer? and is it a good idea to use it regularily?
    2.do i still need smitfraudfix? or can i just uninstall it?
    3. i also did not do that optional requirement that you said for smitfraudfix while my computer was in safe mode, is that ok?
    4. do i still need to keep HJT? or is it ok to uninstall it because i dont see any other purpose for it.
    5. is it a good idea to turn teatimer back on?

    thanks for your help i appreciate it. i will do another kaspersky scan just in case (hopefully it will also come up clean!)
    Thanks again to you and team spybot for helping me!!

  9. #9
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for the feedback and the questions. Remember, they are being asked about an Operating System I have never seen.

    1) Yes...good tool, run it as often as you wish. You also probably have CleanManger installed:
    http://spyware-free.us/tutorials/cleanmgr/

    2) No...remove Smitfraudfix. The program does not update and the infections constantly change. If you ever need it again, download it fresh.

    3) Internet Explorer > Tools > Options > Security tab > Trusted Sites > Sites button and see what is there. If there is anything there you do not know, remove it.

    4) HJT: I have had HJT on all computers I own for ten years, have a look at a tutorial:
    http://www.bleepingcomputer.com/tuto...utorial42.html
    as you can see HJT can do more than create a log for us to look at. Some malware even blocks HJT from installing making removal even more difficult. I suggest you keep HJT (does not run and uses very little disk space).
    One day it may be your life raft.

    5) Yes...turn TT back on now.

    Let me know if you have any questions about the Kapersky scan.

    Some good information for you:
    http://users.telenet.be/bluepatchy/m...wcomputer.html

    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    http://www.malwarecomplaints.info/

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  10. #10
    Member
    Join Date
    Feb 2008
    Posts
    32

    Default

    yes! the kaspersky scan also came up clean. thanks this is great my computer is back up to its full potential and this ordeal has helped me keep it even more protected before this all i had was norton internet security now i have sbybot, spyware blaster, hjt and a bunch of more things . my computer is even more protected now thanks.
    finally, i have one last thing to ask you, and it is if you could give me a link to learn more about TT because i dont know much about it and if its good to keep it running etc. thanks for your help.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •