displaying advertisments

[leyk17]

enbrowser keeps getting into my computer and displays advertisments till my computer just won't work unless i restart it all the time. every 5 seconds someting comes up.

i have spy sweeper and i quarentine it but it comes back. how do i stop this?

oh, it also might be fullcontext as well.

 

[M0LD0V4N]

Does it happen when you are on the internet if yes go to www.google.com and Search up SmithFraud or Find other posts to know more .. i'm in a hurry right now i'll try to get back at you.

 

[leyk17]

ok thanks.

it happens when im on the internet and when im off. when i get on the computer in the morning, there is about 70 ads on the screen.

 

[M0LD0V4N]

Ok go to Control Panel/Add-Remove/ And search for something containing CiD.
CiD is a Most command Auto Launch Pop Up manager that Launches random popups that get downloaded by CiD.. The Popups are usually Java Based.

Or Download SmithFraud.

 

[ceewi1]

Not necessarily a Smitfraud infection (although very possible), there are number of different types of malware that can cause this infection.

leyk17, please post a HijackThis log which will provide a lot more information.

To do so, please download the HijackThis installer from http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe.

Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

When the Notepad window opens choose Edit -> Select All to select the entire log, and copy and paste the log into a reply post.
Most of what it lists will be harmless or even essential, don't fix anything yet.

 

[leyk17]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:41 PM, on 10/15/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchosts.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\ffpisn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WinTouch\WinTouch.exe
C:\WINNT\i34yuc387.exe
C:\WINNT\Gwang.exe
C:\WINNT\win32070611223701.exe
C:\Program Files\ComPlus Applications\mexek77798.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\{48F03245-0708-1033-1004-020723200001}\Update.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Insider\Insider.exe
C:\Program Files\WinAble\winable.exe
C:\Program Files\Words\Words.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\DllHost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 1.1.1.1 f-secure.com
O1 - Hosts: 1.1.1.1 www.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.sophos.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 customer.symantec.com
O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 1.1.1.1 rads.mcafee.com
O1 - Hosts: 1.1.1.1 mast.mcafee.com
O1 - Hosts: 1.1.1.1 my-etrust.com
O1 - Hosts: 1.1.1.1 www.my-etrust.com
O1 - Hosts: 1.1.1.1 nai.com
O1 - Hosts: 1.1.1.1 www.nai.com
O1 - Hosts: 1.1.1.1 networkassociates.com
O1 - Hosts: 1.1.1.1 secure.nai.com
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 service1.symantec.com
O1 - Hosts: 1.1.1.1 sophos.com
O1 - Hosts: 1.1.1.1 www.sophos.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 update.symantec.com
O1 - Hosts: 1.1.1.1 updates.symantec.com
O1 - Hosts: 1.1.1.1 us.mcafee.com
O1 - Hosts: 1.1.1.1 vil.nai.com
O1 - Hosts: 1.1.1.1 viruslist.com
O1 - Hosts: 1.1.1.1 www.viruslist.com
O1 - Hosts: 1.1.1.1 grisoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 trendmicro.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O1 - Hosts: 1.1.1.1 www.webroot.com
O1 - Hosts: 1.1.1.1 webroot.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {E26CEADA-67B0-4543-BE8B-307F00265118} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O2 - BHO: (no name) - {FFDD804F-A7F8-4395-93D2-66A85DA2BDAB} - C:\Program Files\WeatherStudio348\bin\WeatherStudio348.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: WeatherStudio Toolbar - {15757333-2BCA-4B77-A807-D0955132F812} - C:\Program Files\WeatherStudio348\bin\WeatherStudio348.dll
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Elmore Music Messenger] "C:\WINNT\Elmore Music Messenger.exe"
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu32.exe 61A847B5BBF72811308B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE546321EBC51B793C777502CCE700362EA4EBF968951185EFC41280C9D7DA197C7734672DE26033AAC
O4 - HKLM\..\Run: [SfKg6w] C:\WINNT\ffpisn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinTouch] "C:\Program Files\WinTouch\WinTouch.exe"
O4 - HKLM\..\Run: [i34yuc387] C:\WINNT\i34yuc387
O4 - HKLM\..\Run: [TMT] C:\WINNT\Gwang.exe
O4 - HKLM\..\Run: [win32070611223701] C:\WINNT\win32070611223701.exe
O4 - HKLM\..\Run: [mexek] "C:\Program Files\ComPlus Applications\mexek77798.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [co77RUY3T] iccccp32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [IpWins] "C:\Program Files\Ipwindows\ipwins.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe
O4 - HKCU\..\Run: [Insider] "C:\Program Files\Insider\Insider.exe"
O4 - HKCU\..\Run: [WinAble] "C:\Program Files\WinAble\winable.exe"
O4 - HKCU\..\Run: [Words] "C:\Program Files\Words\Words.exe"
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\WinUpdater\update.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - HKCU\..\Policies\Explorer\Run: [{48F03245-0708-1033-1004-020723200001}] "C:\Program Files\Common Files\{48F03245-0708-1033-1004-020723200001}\Update.exe" te-110-12-0000282
O4 - HKCU\..\Policies\Explorer\Run: [{48F03245-0707-1033-1004-020723200001}] "C:\Program Files\Common Files\{48F03245-0707-1033-1004-020723200001}\Update.exe" te-110-12-0000282
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{48F03245-0707-1033-1004-020723200001}] "C:\Program Files\Common Files\{48F03245-0707-1033-1004-020723200001}\Update.exe" te-110-12-0000282 (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{48F03245-0706-1033-1004-020723200001}] "C:\Program Files\Common Files\{48F03245-0706-1033-1004-020723200001}\Update.exe" te-110-12-0000282 (User 'Default user')
O4 - Startup: csrss.lnk = ?
O4 - Startup: DrAntispy.lnk = C:\Program Files\DrAntispy\DrAntispy.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: WWW.PSIAUTO.COM
O16 - DPF: JavaConnect - http://shea.celinainsurance.com/sametime/javaconnect/JavaConnect.cab
O16 - DPF: Yahoo! Spelldown - http://download2.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.psiauto.com/is/root//controls/ScriptX.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - https://www1.foragentsonly.com/internaluse/installfromtheweb2/IFTW_client/iftwclix.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/08564f9a2e221680e805/netzip/RdxIE601.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {8E4D45F6-244E-499A-9E93-1E7510A975FB} (Siebel Option Pack for IE 7.5.3) - http://www.sentryspecialtyagents.com/agents/16161/applets/SiebelOptionPack.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://media.rivals.com/msichat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v1.3 [ENU]) - http://ddrint13.gmacinsurance.com/ddrint/work/iedpwenu.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O22 - SharedTaskScheduler: dustuck - {4a9e875b-d032-45e4-8294-789fe3be5b19} - C:\WINNT\system32\vgibz.dll (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINNT\system32\svchosts.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Outlook Express\rtelecirtor.html

--
End of file - 15261 bytes

 

[ceewi1]

You have quite a bit of malware on your system!

Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please also download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Please print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please then reboot your computer in Safe Mode (tap F8 just before Windows starts to load and select Safe Mode from the list).

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Please paste the contents of the Report.txt back on the forum after completing the following steps.

Please reboot to Safe Mode again (tap F8 just before Windows starts to load and select Safe Mode from the list).

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press Enter to delete infected files.

You will be prompted :

"Registry cleaning - Do you want to clean the registry ?"; answer Yes by typing Y and press Enter in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer Yes by typing Y and press Enter.

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Please post:

• Your SDFix report
• Your Smitfraudfix report at C:\rapport.txt
• A new HijackThis log

 

[leyk17]

What should I open SmitfraudFix in?

It gives me a whole list.

 

[M0LD0V4N]

Its a ZIP ..and you cant open it??
Get WinRAR

 

[leyk17]

SDFix: Version 1.109

Run by Administrator on Tue 10/16/2007 at 7:46p

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Client IP-IPX
core

ImagePath:
"C:\WINNT\system32\svchosts.exe" -e te-110-12-0000282
system32\drivers\core.sys

Client IP-IPX - Deleted
core - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINNT\system32\bzuzizvgz\csrss.ini - Deleted
C:\WINNT\system32\bzuzizvgz\winlogon.ini - Deleted
C:\Program Files\Words\list.txt - Deleted
C:\Program Files\Words\script.txt - Deleted
C:\Program Files\Words\UnInstall.exe - Deleted
C:\Program Files\Words\Words.exe - Deleted
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\csrss.lnk - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\b122.exe - Deleted
C:\WINNT\b122.exe - Deleted
C:\WINNT\b128.exe - Deleted
C:\WINNT\b129.exe - Deleted
C:\WINNT\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe - Deleted
C:\WINNT\retadpu.exe - Deleted
C:\WINNT\system32\drivers\core.cache.dsk - Deleted
C:\WINNT\system32\drivers\core.sys - Deleted
C:\WINNT\system32\netstat.com - Deleted
C:\WINNT\system32\svchosts.exe - Deleted
C:\WINNT\system32\taskkill.com - Deleted
C:\WINNT\system32\unsvchosts.exe - Deleted
C:\WINNT\tcb.pmw - Deleted
C:\WINNT\Uninst2.htm - Deleted
C:\WINNT\Unist1.htm - Deleted
C:\WINNT\updater.exe - Deleted


Folder C:\Program Files\Words - Removed

Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 12 Dec 1989 586,352 ..SHR --- "C:\WINNT\qdmwglbA.exe"
Fri 9 Feb 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 2 May 2007 76,288 ..SH. --- "C:\WINNT\system32\bzuzizvgz\csrss.exe"

Finished!

........................................................................................................

SmitFraudFix v2.240

Scan done at 20:12:49.39, Tue 10/16/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{4a9e875b-d032-45e4-8294-789fe3be5b19}"="dustuck"

[HKEY_CLASSES_ROOT\CLSID\{4a9e875b-d032-45e4-8294-789fe3be5b19}\InProcServer32]
@="C:\WINNT\system32\vgibz.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{4a9e875b-d032-45e4-8294-789fe3be5b19}\InProcServer32]
@="C:\WINNT\system32\vgibz.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\Video ActiveX Access\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{EB244DD2-893F-449E-95A6-06E1B2217187}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EB244DD2-893F-449E-95A6-06E1B2217187}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EB244DD2-893F-449E-95A6-06E1B2217187}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

........................................................................................................

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:07 PM, on 10/16/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WinTouch\WinTouch.exe
C:\WINNT\i34yuc387.exe
C:\WINNT\Gwang.exe
C:\WINNT\win32070611223701.exe
C:\Program Files\ComPlus Applications\mexek77798.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Insider\Insider.exe
C:\Program Files\WinAble\winable.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\DllHost.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {FFDD804F-A7F8-4395-93D2-66A85DA2BDAB} - C:\Program Files\WeatherStudio348\bin\WeatherStudio348.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: WeatherStudio Toolbar - {15757333-2BCA-4B77-A807-D0955132F812} - C:\Program Files\WeatherStudio348\bin\WeatherStudio348.dll
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Elmore Music Messenger] "C:\WINNT\Elmore Music Messenger.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinTouch] "C:\Program Files\WinTouch\WinTouch.exe"
O4 - HKLM\..\Run: [i34yuc387] C:\WINNT\i34yuc387
O4 - HKLM\..\Run: [TMT] C:\WINNT\Gwang.exe
O4 - HKLM\..\Run: [win32070611223701] C:\WINNT\win32070611223701.exe
O4 - HKLM\..\Run: [mexek] "C:\Program Files\ComPlus Applications\mexek77798.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [co77RUY3T] iccccp32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe
O4 - HKCU\..\Run: [Insider] "C:\Program Files\Insider\Insider.exe"
O4 - HKCU\..\Run: [WinAble] "C:\Program Files\WinAble\winable.exe"
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\WinUpdater\update.exe" /background
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: DrAntispy.lnk = C:\Program Files\DrAntispy\DrAntispy.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: WWW.PSIAUTO.COM
O16 - DPF: JavaConnect - http://shea.celinainsurance.com/sametime/javaconnect/JavaConnect.cab
O16 - DPF: Yahoo! Spelldown - http://download2.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.psiauto.com/is/root//controls/ScriptX.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - https://www1.foragentsonly.com/internaluse/installfromtheweb2/IFTW_client/iftwclix.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/08564f9a2e221680e805/netzip/RdxIE601.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {8E4D45F6-244E-499A-9E93-1E7510A975FB} (Siebel Option Pack for IE 7.5.3) - http://www.sentryspecialtyagents.com/agents/16161/applets/SiebelOptionPack.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://media.rivals.com/msichat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v1.3 [ENU]) - http://ddrint13.gmacinsurance.com/ddrint/work/iedpwenu.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10936 bytes

 

[ceewi1]

Please run HijackThis and choose Do a System Scan Only.

Place a check next to the following entries:

• R3 - URLSearchHook: (no name) - - (no file)
• O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - (no file)
• O4 - HKLM\..\Run: [WinTouch] "C:\Program Files\WinTouch\WinTouch.exe"
• O4 - HKLM\..\Run: [i34yuc387] C:\WINNT\i34yuc387
• O4 - HKLM\..\Run: [TMT] C:\WINNT\Gwang.exe
• O4 - HKLM\..\Run: [win32070611223701] C:\WINNT\win32070611223701.exe
• O4 - HKLM\..\Run: [mexek] "C:\Program Files\ComPlus Applications\mexek77798.exe"
• O4 - HKCU\..\Run: [co77RUY3T] iccccp32.exe
• O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe
• O4 - HKCU\..\Run: [WinAble] "C:\Program Files\WinAble\winable.exe"
• O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\WinUpdater\update.exe" /background
• O4 - Startup: DrAntispy.lnk = C:\Program Files\DrAntispy\DrAntispy.exe
• O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/08564f9a2e22168...p/RdxIE601.cab
• O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...2/cpbrkpie.cab
• O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/...tdmgainads.cab

Please close all open windows except for HijackThis and choose Fix checked

Please delete the following files:

• C:\WINNT\i34yuc387
• C:\WINNT\Gwang.exe
• C:\WINNT\win32070611223701.exe
• C:\Program Files\ComPlus Applications\mexek77798.exe

Please delete the following folders:

• C:\Program Files\WinTouch
• C:\Program Files\WinAble
• C:\Program Files\WinUpdater
• C:\Program Files\DrAntispy

Please reboot and post a new HijackThis log.

 

[leyk17]

Where do I go to delete the C:/WINNT files?

 

[ceewi1]

Try going into My Computer, double clicking on C:\ and double clicking on the WINNT folder and seeing if the files are there. If that fails, try this (after performing the HijackThis fixes):

1) Please download the Killbox.
Save it to the desktop and run it.

2) Select "Delete on Reboot", and then select "All files".

3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINNT\i34yuc387
C:\WINNT\Gwang.exe
C:\WINNT\win32070611223701.exe
C:\Program Files\ComPlus Applications\mexek77798.exe

4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Reboot your computer. This should delete the offending files for you. Delete the folders I mentioned and post a new log.

 

[leyk17]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:18:50 AM, on 10/17/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Insider\Insider.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINNT\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {FFDD804F-A7F8-4395-93D2-66A85DA2BDAB} - C:\Program Files\WeatherStudio348\bin\WeatherStudio348.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: WeatherStudio Toolbar - {15757333-2BCA-4B77-A807-D0955132F812} - C:\Program Files\WeatherStudio348\bin\WeatherStudio348.dll
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Elmore Music Messenger] "C:\WINNT\Elmore Music Messenger.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Insider] "C:\Program Files\Insider\Insider.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: WWW.PSIAUTO.COM
O16 - DPF: JavaConnect - http://shea.celinainsurance.com/sametime/javaconnect/JavaConnect.cab
O16 - DPF: Yahoo! Spelldown - http://download2.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.psiauto.com/is/root//controls/ScriptX.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - https://www1.foragentsonly.com/internaluse/installfromtheweb2/IFTW_client/iftwclix.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {8E4D45F6-244E-499A-9E93-1E7510A975FB} (Siebel Option Pack for IE 7.5.3) - http://www.sentryspecialtyagents.com/agents/16161/applets/SiebelOptionPack.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://media.rivals.com/msichat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v1.3 [ENU]) - http://ddrint13.gmacinsurance.com/ddrint/work/iedpwenu.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9478 bytes

 

[ceewi1]

Excellent, a few last things to remove. Please download AVG Anti-Spyware from HERE and save that file to your desktop.

1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
3. On the main screen select the icon "Update".
   • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
6. Under "Reports"
   • Select "Do not automatically generate reports"
   • Un-Select "Only if threats were found"
7. Run a complete system scan with AVG Anti-Spyware.
   IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
8. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
9. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
10. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
11. If you have any infections you will prompted, then select "Apply all actions"
12. Next select the "Reports" icon at the top.
13. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
14. Close AVG Anti-Spyware and post the logfile you saved here.

I notice that you do not seem to be running antivirus software. This is somewhat suicidal in today's digital world. AVG makes an excellent free antivirus client, as do AntiVir or avast!.

Please download one of the above programs and allow it to do a complete scan of your PC.

 

[leyk17]

Thank you SOOO much. My computer is performing the best it has ever done.

You are a life saver!

We couldn't get anti-virus systems before because our current program is outdated and won't protect us from viruses.


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:53:28 AM 10/20/2007

+ Scan result:



C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\Program Files\WeatherStudio348\Setup.exe -> Adware.Comet : Cleaned with backup (quarantined).
C:\Program Files\WeatherStudio348\bin\WeatherStudio348.dll -> Adware.Comet : Cleaned with backup (quarantined).
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071017-064951-182.dll -> Adware.Coupons : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{38F03245-0707-1033-1004-020723200001}\UnInstall.exe -> Adware.IWantSearch : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{38F03245-0707-1033-1004-020723200001}\Bar888.dll -> Adware.Lucky : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{48F03245-0706-1033-1004-020723200001}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{48F03245-0707-1033-1004-020723200001}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{48F03245-0708-1033-1004-020723200001}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/b122.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/b129.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\My Documents\My Received Files\IMG-2332.zip/img0794-www.photoupload.com -> Backdoor.IRCBot.ahm : Cleaned with backup (quarantined).
C:\Program Files\WinAble\winable.exe -> Downloader.Adload.lv : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/svchosts.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/retadpu.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/updater.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\WINNT\ffpisn.exe -> Downloader.Agent.buo : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/b128.exe -> Downloader.PurityScan.eh : Cleaned with backup (quarantined).
C:\WINNT\qdmwglb.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KT1PN4AQ\pqwxzdsewrfewoityqwexzasx[1].htm -> Dropper.Small.j : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\419S0WAU\acdt-pid70[1].exe -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/UWA7P_0001_N91M0809NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/core.sys -> Rootkit.Agent.eq : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@connextra[2].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JAJPTL3J\147[1].net -> Trojan.Agent.bnd : Cleaned with backup (quarantined).
C:\Program Files\Insider\Insider.exe -> Trojan.Agent.bnd : Cleaned with backup (quarantined).
C:\Program Files\Insider\UnInstall.exe -> Trojan.Agent.bnd : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/UnInstall.exe -> Trojan.Agent.bnd : Cleaned with backup (quarantined).
[1084] C:\Program Files\Insider\Insider.exe -> Trojan.Agent.bnd : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/unsvchosts.exe -> Trojan.Small.mf : Cleaned with backup (quarantined).
C:\WINNT\system32\bzuzizvgz\csrss.exe -> Worm.VB.at : Cleaned with backup (quarantined).


::Report end

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:55 PM, on 10/20/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {FFDD804F-A7F8-4395-93D2-66A85DA2BDAB} - C:\Program Files\WeatherStudio348\bin\WeatherStudio348.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: WeatherStudio Toolbar - {15757333-2BCA-4B77-A807-D0955132F812} - C:\Program Files\WeatherStudio348\bin\WeatherStudio348.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Elmore Music Messenger] "C:\WINNT\Elmore Music Messenger.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Insider] "C:\Program Files\Insider\Insider.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: WWW.PSIAUTO.COM
O16 - DPF: JavaConnect - http://shea.celinainsurance.com/sametime/javaconnect/JavaConnect.cab
O16 - DPF: Yahoo! Spelldown - http://download2.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.psiauto.com/is/root//controls/ScriptX.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - https://www1.foragentsonly.com/internaluse/installfromtheweb2/IFTW_client/iftwclix.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {8E4D45F6-244E-499A-9E93-1E7510A975FB} (Siebel Option Pack for IE 7.5.3) - http://www.sentryspecialtyagents.com/agents/16161/applets/SiebelOptionPack.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://media.rivals.com/msichat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v1.3 [ENU]) - http://ddrint13.gmacinsurance.com/ddrint/work/iedpwenu.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9834 bytes

 

[ceewi1]

Glad to help, your logfile is now clean. There are a couple of deactivated entries that are not malicious but should be removed:

Please run HijackThis and choose Do a System Scan Only.

Place a check next to the following entries:

• O2 - BHO: (no name) - {FFDD804F-A7F8-4395-93D2-66A85DA2BDAB} - C:\Program Files\WeatherStudio348\bin\WeatherStudio348.dll (file missing)
• O3 - Toolbar: WeatherStudio Toolbar - {15757333-2BCA-4B77-A807-D0955132F812} - C:\Program Files\WeatherStudio348\bin\WeatherStudio348.dll (file missing)

Please close all open windows except for HijackThis and choose Fix checked

I would also suggest deleting the C:\SDFix folder which contains backups of some of the malware we removed.

I would also suggest clearing out your old System Restore points, as these will be infected as well. To do so, click Start->Control Panel->System, System restore. Tick "Turn off System Restore" and reboot. That will erase all restore points. After reboot, go back in and turn System Restore back on.

With regards to the antivirus situation, if your old antivirus has expired I would suggest uninstalling it and installing one of the alternatives I suggested above. Without a working, up to date antivirus program you are almost guaranteed to become infected again.