Video CODEC Malware (HELP NEEDED!!)

K

keep7up

New member
Hi, I got the typical Video Codec Malware that changes my background to red hazard sign with the slogan "your privacy is in danger" I've tried several online antiviruses, but it didn't capture the main problem.
I'd really, hugely, appreciate your help with this.
Thanks. Here's my HJT:

Logfile of HijackThis v1.99.1
Scan saved at 10:39:10 AM, on 31/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steve\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Get Free Internet Fast and Free
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {077F45D5-5CC9-4FC8-A7BB-9D79836A6066} - C:\WINDOWS\movctrlnkd.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: The nssfrch - {AC9BBDB2-8FCD-49C8-96F7-CC3CF7B453CD} - C:\WINDOWS\nssfrch.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.getfreeinternet.co.uk/news.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: bxsbang - {934ACA86-3177-42FD-8A28-7A5EAFA89E67} - C:\WINDOWS\bxsbang.dll
O21 - SSODL: ocgrep - {6805CF13-F95F-4B1E-B822-7FEABEA2DA72} - C:\WINDOWS\ocgrep.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

And the Kaspersky Log is as follows:
Infected Objects:
C:\WINDOWS\Debug\PASSWD.LOG
C:\WINDOWS\movctrlnkd.dll
C:\WINDOWS\ocgrep.dll
C:\WINDOWS\SchedLgU.Txt
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log
C:\WINDOWS\Sti_Trace.log
C:\WINDOWS\system32\config\AppEvent.Evt
C:\WINDOWS\system32\config\default
C:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\Internet.evt
C:\WINDOWS\system32\config\SAM
C:\WINDOWS\system32\config\SAM.LOG
C:\WINDOWS\system32\config\SecEvent.Evt
C:\WINDOWS\system32\config\SECURITY
C:\WINDOWS\system32\config\SECURITY.LOG
C:\WINDOWS\system32\config\software
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\SysEvent.Evt
C:\WINDOWS\system32\config\system
C:\WINDOWS\system32\config\system.LOG
C:\WINDOWS\system32\drivers\sptd.sys
C:\WINDOWS\system32\h323log.txt
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
C:\WINDOWS\wiadebug.log
C:\WINDOWS\wiaservc.log
C:\WINDOWS\WindowsUpdate.log
C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_10163156.exe/WISE0106.BIN/stream/data0022
C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_10163156.exe/WISE0106.BIN/stream
C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_10163156.exe/WISE0106.BIN C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_10163156.exe
C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_10163156.exe
C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_15365781.exe/WISE0104.BIN/stream/data0005
C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_15365781.exe/WISE0104.BIN/stream
C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_15365781.exe/WISE0104.BIN
C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_15365781.exe
C:\DOCUME~1\Steve\LOCALS~1\Temp\iMesh_15365781.exe C:\DOCUME~1\Steve\LOCALS~1\Temp\~DFDC34.tmp
 
Hello keep7up

Welcome to Safer Networking.

Please read Before You Post
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

First move HJT off the desktop, go to your C: drive and create a new folder and name it Hijackthis, then cut HJT where you have it now and paste it into your new folder.

You need to disable the TeaTimer, you can reset it back if you wish after your clean
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.



You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Download SmitfraudFix
Extract the content (a folder named SmitfraudFix) to your Desktop.


Download and install AVG Anti-Spyware Free to your desktop.

  • Once you have downloaded AVG Anti-Spyware Free, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run AVG and update the definition files.
  • On the main screen select the icon Update then select the Update now link.
  • Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
  • Once in the Settings screen click on Recommended actions and then select Quarantine <-- Dont forget this
  • Under Reports
  • Select Automatically generate report after every scan
  • Un-Select Only if threats were found
  • Close AVG Anti-Spyware Free<-- Do not run the scan yet.



Boot your computer into Safemode
  • Go to Start> Shut Off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
  • This will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to SAFEMODE
  • Then press the Enter on your Keyboard

Tutorial if you need it How to boot into Safemode




  • Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
  • Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
  • You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
  • The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart into normal Windows.
  • A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt



  • Launch AVG Anti-Spyware Free by double-clicking the icon on your desktop.
  • Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
  • AVG will now begin the scanning process, be patient this may take a little time.
  • Once the scan is complete do the following:
  • If you have any infections you will prompted, then select Apply all actions
  • Next select the Reports icon at the top.
  • Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
  • make sure to remember where you saved that file, this is important
  • Close AVG Anti-Spyware Free
IMPORTANT: Do not open any other windows or programs while AVG is scanning, it may interfere with the scanning process:


Reboot normally.


  • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
  • Select option #3 - Delete Trusted zone by typing 3 and press Enter
  • Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Post the log from Smitfraud fix, the AVG Spyware log and a New HJT log please
 
I followed through the directed steps,
here are the updated logs.

Logfile of HijackThis v1.99.1
Scan saved at 6:30:26 PM, on 31/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Get Free Internet Fast and Free
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.getfreeinternet.co.uk/news.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
 
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:17:56 PM 31/10/2007

+ Scan result:



C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000016.exe -> Logger.Peflog.44 : Cleaned.
:mozilla.173:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.36:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.37:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.38:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Steve\Cookies\steve@pandasoftware.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.119:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Steve\Cookies\steve@ehg-kasperskylab.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.7:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.39:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.40:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.41:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.42:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.43:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.80:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.81:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.82:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.83:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.84:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\1hroy6m8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Steve\Cookies\steve@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end
 
SmitFraudFix v2.246

Scan done at 18:17:56.18, 31/10/2007
Run from C:\Documents and Settings\Steve\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 downloads.aaa1screensavers.com #[Bargin Buddy]
127.0.0.1 dl.aaascreensavers.com
127.0.0.1 abcsearch.com
127.0.0.1 admin.abcsearch.com
127.0.0.1 www3.abcsearch.com #[Browseraid]
127.0.0.1 www.abcsearch.com
127.0.0.1 abc517.net #[Trojan.Mitglieder.H]
127.0.0.1 absoluagency.com #[Trojan.StartPage.H]
127.0.0.1 acestats.com
127.0.0.1 www.acestats.com
127.0.0.1 actualnames.com #[Parasite.ActualNames][Spyware.ActualNames]

127.0.0.1 libefro.it
127.0.0.1 www.libefro.it
127.0.0.1 libegro.it
127.0.0.1 www.libegro.it
127.0.0.1 liber0.it
127.0.0.1 www.liber0.it
127.0.0.1 liber0o.it
127.0.0.1 www.liber0o.it
127.0.0.1 liber4o.it
127.0.0.1 www.liber4o.it
127.0.0.1 liber5o.it
127.0.0.1 www.liber5o.it
127.0.0.1 liber9.it
127.0.0.1 www.liber9.it
127.0.0.1 liberdo.it
127.0.0.1 www.liberdo.it
127.0.0.1 libereo.it
127.0.0.1 www.libereo.it
127.0.0.1 liberfo.it
127.0.0.1 www.liberfo.it
127.0.0.1 libergo.it
127.0.0.1 www.libergo.it
127.0.0.1 liberko.it
127.0.0.1 www.liberko.it
127.0.0.1 liberl.it
127.0.0.1 www.liberl.it
127.0.0.1 liberlo.it
127.0.0.1 www.liberlo.it
127.0.0.1 libero0.it
127.0.0.1 www.libero0.it
127.0.0.1 libero9.it
127.0.0.1 www.libero9.it
127.0.0.1 liberoi.it
127.0.0.1 www.liberoi.it
127.0.0.1 liberok.it
127.0.0.1 www.liberok.it
127.0.0.1 liberol.it
127.0.0.1 www.liberol.it
127.0.0.1 liberop.it
127.0.0.1 www.liberop.it
127.0.0.1 liberpo.it
127.0.0.1 www.liberpo.it
127.0.0.1 liberro.it
127.0.0.1 www.liberro.it
127.0.0.1 libertyonlinehosting.com
127.0.0.1 libesro.it
127.0.0.1 www.libesro.it
127.0.0.1 libetro.it
127.0.0.1 www.libetro.it
127.0.0.1 libewro.it
127.0.0.1 www.libewro.it
127.0.0.1 libfero.it
127.0.0.1 www.libfero.it
127.0.0.1 libfro.it
127.0.0.1 www.libfro.it
127.0.0.1 libgero.it
127.0.0.1 www.libgero.it
127.0.0.1 libhero.it
127.0.0.1 www.libhero.it
127.0.0.1 libnero.it
127.0.0.1 www.libnero.it
127.0.0.1 libreo.it
127.0.0.1 www.libreo.it
127.0.0.1 librero.it
127.0.0.1 www.librero.it
127.0.0.1 libsero.it
127.0.0.1 www.libsero.it
127.0.0.1 libsro.it
127.0.0.1 www.libsro.it
127.0.0.1 libvero.it
127.0.0.1 www.libvero.it
127.0.0.1 libwero.it
127.0.0.1 www.libwero.it
127.0.0.1 libwro.it
127.0.0.1 www.libwro.it
127.0.0.1 ligbero.it
127.0.0.1 www.ligbero.it
127.0.0.1 ligero.it
127.0.0.1 www.ligero.it
127.0.0.1 lightcodec.com
127.0.0.1 www.lightcodec.com
127.0.0.1 lightspeedsearch.net
127.0.0.1 www.lightspeedsearch.net
127.0.0.1 lihbero.it
127.0.0.1 www.lihbero.it
127.0.0.1 lihero.it
127.0.0.1 www.lihero.it
127.0.0.1 liibero.it
127.0.0.1 www.liibero.it
127.0.0.1 lijbero.it
127.0.0.1 www.lijbero.it
127.0.0.1 likbero.it
127.0.0.1 www.likbero.it
127.0.0.1 lilbero.it
127.0.0.1 www.lilbero.it
127.0.0.1 limewire2007pro.info
127.0.0.1 www.limewire2007pro.info
127.0.0.1 limewire-download-pro.com
127.0.0.1 www.limewire-download-pro.com
127.0.0.1 limewire-mp3-share.com
127.0.0.1 www.limewire-mp3-share.com
127.0.0.1 limewirenetwork.com
127.0.0.1 www.limewirenetwork.com
127.0.0.1 limewire-pro-downloads.com
127.0.0.1 www.limewire-pro-downloads.com
127.0.0.1 limewirezone.com
127.0.0.1 www.limewirezone.com
127.0.0.1 linbero.it
127.0.0.1 www.linbero.it
127.0.0.1 linero.it
127.0.0.1 www.linero.it
127.0.0.1 lingerie-mania.com
127.0.0.1 linkautomatici.com
127.0.0.1 www.linkautomatici.com
127.0.0.1 links4all.biz
127.0.0.1 liobero.it
127.0.0.1 www.liobero.it
127.0.0.1 lisamatthew.com
127.0.0.1 little-download.net
127.0.0.1 www.little-download.net
127.0.0.1 little-help.com
127.0.0.1 www.little-help.com
127.0.0.1 liubero.it
127.0.0.1 www.liubero.it
127.0.0.1 livbero.it
127.0.0.1 www.livbero.it
127.0.0.1 www.live.sex-explorer.com
127.0.0.1 livegambling.com
127.0.0.1 liveholio.com
127.0.0.1 livenewspaper.com
127.0.0.1 liveplayer.tv
127.0.0.1 www.liveplayer.tv
127.0.0.1 ljbero.it
127.0.0.1 www.ljbero.it
127.0.0.1 ljibero.it
127.0.0.1 www.ljibero.it
127.0.0.1 lkataweb.it
127.0.0.1 www.lkataweb.it
127.0.0.1 lkbero.it
127.0.0.1 www.lkbero.it
127.0.0.1 lkibero.it
127.0.0.1 www.lkibero.it
127.0.0.1 llibero.it
127.0.0.1 www.llibero.it
127.0.0.1 loading-lolita.com
127.0.0.1 locked-domain.com
127.0.0.1 logerau11.com
127.0.0.1 www.logerau11.com
127.0.0.1 logih.com
127.0.0.1 login.fric.cn
127.0.0.1 www.login.fric.cn
127.0.0.1 logs.vapochille.com
127.0.0.1 www.logs.vapochille.com
127.0.0.1 loibero.it
127.0.0.1 www.loibero.it
127.0.0.1 lolita4all1.xrensmagpost.com
127.0.0.1 lollitop.com
127.0.0.1 lordoftibia.pl
127.0.0.1 www.lordoftibia.pl
127.0.0.1 louiseleeds.com
127.0.0.1 love-host.com
127.0.0.1 lovelas.com
127.0.0.1 lovelysearch.com
127.0.0.1 love-pix.com
127.0.0.1 lovezest.com
127.0.0.1 www.lovezest.com
127.0.0.1 loweradult.com
127.0.0.1 www.loweradult.com
127.0.0.1 low-taxes.com
127.0.0.1 lpibero.it
127.0.0.1 www.lpibero.it
127.0.0.1 luibero.it
127.0.0.1 www.luibero.it
127.0.0.1 lunitaweb.net
127.0.0.1 lustful-porno.com
127.0.0.1 lzio.com
127.0.0.1 www.lzio.com
127.0.0.1 mabou.org
127.0.0.1 www.mabou.org
127.0.0.1 mackinnonsbrook.org
127.0.0.1 macrovirus.com
127.0.0.1 www.macrovirus.com
127.0.0.1 madfinder.com
127.0.0.1 madisonmoons.com
127.0.0.1 madisonoilco.com
127.0.0.1 madonalive.com
127.0.0.1 madsexxx.com
127.0.0.1 www.madsexxx.com
127.0.0.1 mafiapics.com
127.0.0.1 magicsearch.ws
127.0.0.1 www.magicsearch.ws
127.0.0.1 mainstreamdollars.com
127.0.0.1 www.mainstreamdollars.com
127.0.0.1 majuozawa.com
127.0.0.1 makin-do.com
127.0.0.1 male4free.com
127.0.0.1 malwarealarm.com
127.0.0.1 www.malwarealarm.com
127.0.0.1 malwarebot.com
127.0.0.1 www.malwarebot.com
127.0.0.1 malwarewipe.com
127.0.0.1 www.malwarewipe.com
127.0.0.1 malwarewiped.com
127.0.0.1 www.malwarewiped.com
127.0.0.1 malwarewipesupport.com
127.0.0.1 www.malwarewipesupport.com
127.0.0.1 malwarewipeupdate.com
127.0.0.1 www.malwarewipeupdate.com
127.0.0.1 map-quest.org
127.0.0.1 marilynchamber.com
127.0.0.1 marketengines.com
127.0.0.1 www.marketengines.com
127.0.0.1 marketing-know-how.com
127.0.0.1 www.marketing-know-how.com
127.0.0.1 marketingsector.com
127.0.0.1 masn.it
127.0.0.1 www.masn.it
127.0.0.1 massearch.com
127.0.0.1 master69.biz
127.0.0.1 www.master69.biz
127.0.0.1 master70.biz
127.0.0.1 www.master70.biz
127.0.0.1 master71.biz
127.0.0.1 www.master71.biz
127.0.0.1 masterbar.com
127.0.0.1 matcash.com
127.0.0.1 www.matcash.com
127.0.0.1 matetrava.com
127.0.0.1 mature50.com
127.0.0.1 matureporngate.com
127.0.0.1 maturepornmag.com
127.0.0.1 www.maturepornmag.com
127.0.0.1 maturespornmag.com
127.0.0.1 www.maturespornmag.com
127.0.0.1 maturetoolbar.com
127.0.0.1 maxdzines.com
127.0.0.1 maxifile.com
127.0.0.1 www.maxifile.com
127.0.0.1 maxysize.com
127.0.0.1 www.maxysize.com
127.0.0.1 mayancasino.com
127.0.0.1 mcafee-antivirus-2007.com
127.0.0.1 www.mcafee-antivirus-2007.com
127.0.0.1 mcboo.com
127.0.0.1 www.mcboo.com
127.0.0.1 mcdial.biz
127.0.0.1 www.mcdial.biz
127.0.0.1 mcgeeforlabor.com
127.0.0.1 mdstunisie.org
127.0.0.1 medcodec.com
127.0.0.1 www.medcodec.com
127.0.0.1 media.matcash.com
127.0.0.1 mediaactivex.com
127.0.0.1 www.mediaactivex.com
127.0.0.1 mediaactivexfile.com
127.0.0.1 www.mediaactivexfile.com
127.0.0.1 mediaactivexobject.com
127.0.0.1 www.mediaactivexobject.com
127.0.0.1 mediaactivextask.com
127.0.0.1 www.mediaactivextask.com
127.0.0.1 mediaaxobject.com
127.0.0.1 www.mediaaxobject.com
127.0.0.1 mediaaxproject.com
127.0.0.1 www.mediaaxproject.com
127.0.0.1 mediaaxsetup.com
127.0.0.1 www.mediaaxsetup.com
127.0.0.1 mediaaxsolution.com
127.0.0.1 www.mediaaxsolution.com
127.0.0.1 mediabusnetwork.com
127.0.0.1 www.mediabusnetwork.com
127.0.0.1 media-codec.com
127.0.0.1 www.media-codec.com
127.0.0.1 mediacodec.net
127.0.0.1 www.mediacodec.net
127.0.0.1 media-codec.net
127.0.0.1 www.media-codec.net
127.0.0.1 mediacodec2007.com
127.0.0.1 www.mediacodec2007.com
127.0.0.1 mediacount.net
127.0.0.1 www.mediacount.net
127.0.0.1 media-motor.net
127.0.0.1 mediaobjectguide.com
127.0.0.1 www.mediaobjectguide.com
127.0.0.1 mediaobjectsite.com
127.0.0.1 www.mediaobjectsite.com
127.0.0.1 mediaobjectsource.com
127.0.0.1 www.mediaobjectsource.com
127.0.0.1 mediaplayer-2007.com
127.0.0.1 www.mediaplayer-2007.com
127.0.0.1 mediaplayer-download.org
127.0.0.1 www.mediaplayer-download.org
127.0.0.1 mediaplayer-download-now.com
127.0.0.1 www.mediaplayer-download-now.com
127.0.0.1 mediaprojectaccess.com
127.0.0.1 www.mediaprojectaccess.com
127.0.0.1 medicare-insurance.net
127.0.0.1 medicare-supplemental.com
127.0.0.1 mega-adult.com
127.0.0.1 www.mega-adult.com
127.0.0.1 mega-codec.com
127.0.0.1 www.mega-codec.com
127.0.0.1 mega-dating-tips.com
127.0.0.1 megago.com
127.0.0.1 megalocast.net
127.0.0.1 www.megalocast.net
127.0.0.1 megapornix.com
127.0.0.1 megasearchbar.com
127.0.0.1 megaseek.net
127.0.0.1 megumikanzaki.com
127.0.0.1 meizi7472831.com
127.0.0.1 www.meizi7472831.com
127.0.0.1 Menacerescue.com
127.0.0.1 www.Menacerescue.com
127.0.0.1 Menacesecure.com
127.0.0.1 www.Menacesecure.com
127.0.0.1 meshalynn.com
127.0.0.1 mesn.it
127.0.0.1 www.mesn.it
127.0.0.1 meta-adult.com
127.0.0.1 meta-casino.com
127.0.0.1 metafora.ru
127.0.0.1 meta-mobile.com
127.0.0.1 metapoisk.ru
127.0.0.1 meta-porn.com
127.0.0.1 metastop.com
127.0.0.1 www.metastop.com
127.0.0.1 methasearch.info
127.0.0.1 www.methasearch.info
127.0.0.1 mezzicodec.net
127.0.0.1 www.mezzicodec.net
127.0.0.1 miaminews365.net
127.0.0.1 www.miaminews365.net
127.0.0.1 michiyonakajima.com
127.0.0.1 miconsultamedica.com
127.0.0.1 micro-codec.com
127.0.0.1 www.micro-codec.com
127.0.0.1 microsoftantispyware.net
127.0.0.1 www.microsoftantispyware.net
127.0.0.1 midlets.biz
127.0.0.1 www.midlets.biz
127.0.0.1 mikasakamoto.com
127.0.0.1 mikoni.com
127.0.0.1 militarygods.porn4porn.net
127.0.0.1 millennialpeople.org
127.0.0.1 miosearch.com
127.0.0.1 www.miosearch.com
127.0.0.1 mipham.org
127.0.0.1 mir.100888290cs.com
127.0.0.1 mirarsearch.com
127.0.0.1 www.mirarsearch.com
127.0.0.1 mircosoftantispy.com
127.0.0.1 www.mircosoftantispy.com
127.0.0.1 misofthelp.com
127.0.0.1 www.misofthelp.com
127.0.0.1 missingcommand.com
127.0.0.1 mixsearch.com
127.0.0.1 www.mixsearch.com
127.0.0.1 mjsn.it
127.0.0.1 www.mjsn.it
127.0.0.1 mkataweb.it
127.0.0.1 www.mkataweb.it
127.0.0.1 mksn.it
127.0.0.1 www.mksn.it
127.0.0.1 mmcodec.com
127.0.0.1 www.mmcodec.com
127.0.0.1 mmm.elitemediagroup.net
127.0.0.1 mmmike.com
127.0.0.1 www.mmmike.com
127.0.0.1 mmohsix.com
127.0.0.1 www.mmohsix.com
127.0.0.1 mnsn.it
127.0.0.1 www.mnsn.it
127.0.0.1 mokead.com
127.0.0.1 www.mokead.com
127.0.0.1 mommykiss.com
127.0.0.1 money-advertise.info
127.0.0.1 www.money-advertise.info
127.0.0.1 moneyhunters.com
127.0.0.1 montgomeryhospitalanesthesia.com
127.0.0.1 morflot.com
127.0.0.1 mortgage-debt.net
127.0.0.1 mortismaximus.com
127.0.0.1 moscowwhores.com
127.0.0.1 motioncodecs.com
127.0.0.1 www.motioncodecs.com
127.0.0.1 moviecategories.com
127.0.0.1 moviecodec.net
127.0.0.1 www.moviecodec.net
127.0.0.1 moviecodecs.net
127.0.0.1 www.moviecodecs.net
127.0.0.1 moviereality.com
127.0.0.1 www.moviereality.com
127.0.0.1 movies-codecs.com
127.0.0.1 www.movies-codecs.com
127.0.0.1 moviesdvds.net
127.0.0.1 www.moviesdvds.net
127.0.0.1 movietooklit.com
127.0.0.1 www.movietooklit.com
127.0.0.1 movscodec.com
127.0.0.1 www.movscodec.com
127.0.0.1 mp3bearshare.com
127.0.0.1 www.mp3bearshare.com
127.0.0.1 mp3-morpheus.com
127.0.0.1 www.mp3-morpheus.com
127.0.0.1 mp3musichq.com
127.0.0.1 www.mp3musichq.com
127.0.0.1 mp3-music-source.com
127.0.0.1 www.mp3-music-source.com
127.0.0.1 mp3-muzic.com
127.0.0.1 www.mp3-muzic.com
127.0.0.1 mp3-pix.com
127.0.0.1 mp3winmx.com
127.0.0.1 www.mp3winmx.com
127.0.0.1 mpeg-look.com
127.0.0.1 mrantispy.com
127.0.0.1 www.mrantispy.com
127.0.0.1 mrtg.jps.ru
127.0.0.1 msan.it
127.0.0.1 www.msan.it
127.0.0.1 msantispy.com
127.0.0.1 www.msantispy.com
127.0.0.1 msbn.it
127.0.0.1 www.msbn.it
127.0.0.1 msen.it
127.0.0.1 www.msen.it
127.0.0.1 mshn.it
127.0.0.1 www.mshn.it
127.0.0.1 msjn.it
127.0.0.1 www.msjn.it
127.0.0.1 msmn.it
127.0.0.1 www.msmn.it
127.0.0.1 msnb.it
127.0.0.1 www.msnb.it
127.0.0.1 msnguard.cc
127.0.0.1 msnh.it
127.0.0.1 www.msnh.it
127.0.0.1 msn-info.net
127.0.0.1 msnj.it
127.0.0.1 www.msnj.it
127.0.0.1 msnm.it
127.0.0.1 www.msnm.it
127.0.0.1 mssn.it
127.0.0.1 www.mssn.it
127.0.0.1 msupdate.net
127.0.0.1 www.msupdate.net
127.0.0.1 msupdater.net
127.0.0.1 www.msupdater.net
127.0.0.1 mswn.it
127.0.0.1 www.mswn.it
127.0.0.1 msxn.it
127.0.0.1 www.msxn.it
127.0.0.1 mszn.it
127.0.0.1 www.mszn.it
127.0.0.1 mt-download.com
127.0.0.1 MUAFK.COM
127.0.0.1 www.MUAFK.COM
127.0.0.1 multimediaobject.com
127.0.0.1 www.multimediaobject.com
127.0.0.1 multi-pops.com
127.0.0.1 www.multi-pops.com
127.0.0.1 multipussy.com
127.0.0.1 multitrader.info
127.0.0.1 www.multitrader.info
127.0.0.1 mundopolar.com
127.0.0.1 munky.com
127.0.0.1 www.munky.com
127.0.0.1 musicmatch.free-software-center.com
127.0.0.1 www.musicmatch.free-software-center.com
127.0.0.1 mustv.com
127.0.0.1 mwsn.it
127.0.0.1 www.mwsn.it
127.0.0.1 mxsn.it
127.0.0.1 www.mxsn.it
127.0.0.1 myadultexplorer.com
127.0.0.1 www.myadultexplorer.com
127.0.0.1 mybestsearch2007.com
127.0.0.1 www.mybestsearch2007.com

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\bxsbang.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{934ACA86-3177-42FD-8A28-7A5EAFA89E67}]
Deleting [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{934ACA86-3177-42FD-8A28-7A5EAFA89E67}]
C:\WINDOWS\kthemup.exe Deleted
C:\WINDOWS\movctrlnkd.dll Deleted
C:\WINDOWS\nssfrch.dll Deleted
C:\WINDOWS\ocgrep.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{6805CF13-F95F-4B1E-B822-7FEABEA2DA72}]
C:\WINDOWS\privacy_danger\ Deleted
C:\DOCUME~1\Steve\Desktop\Error Cleaner.url Deleted
C:\DOCUME~1\Steve\Desktop\Privacy Protector.url Deleted
C:\DOCUME~1\Steve\Desktop\Spyware?Malware Protection.url Deleted
C:\DOCUME~1\Steve\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\Steve\FAVORI~1\Privacy Protector.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DAA35FD3-DB28-46F1-AA3F-185853D51565}: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DAA35FD3-DB28-46F1-AA3F-185853D51565}: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{DAA35FD3-DB28-46F1-AA3F-185853D51565}: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
 
Cool :bigthumb:

  • Go start> Run type cmd and hit OK
  • Type in ipconfig /flushdns then hit enter
    (that space between g and / is needed)
  • Type exit hit enter



Please download ATF Cleaner by Atribune to your desktop.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up

How are things running now??
 
:bigthumb::bigthumb::bigthumb:

Malware Complaints
Are you mad ? I mean really mad, seething mad, so mad your ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscredents, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney Generals Office and the Federal Trade Commission's Bureau of Consumer Protection.
Click to expand...



Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
  • Spybot Search and Destroy 1.5
    Check for Updates/ Immunize and run a Full System Scan on a regular basis.
  • Spyware Blaster It will prevent most spyware from ever being installed.
  • Spyware Guard It offers realtime protection from spyware installation attempts.
  • IE-Spyad
    IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads
    (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 2.0 It has more features and is a lot more secure than IE. It is a very easy and
    painless download and install, it will no way interfere with IE, you can use them both.
  • Zone Alarm Here is a free Firewall from Zone Labs, I
    wouldn't access the internet without it.

Glad we could help

Safe Surfn
Ken
 
You must log in or register to reply here.
Back
Top