Author Topic: Spyware infected my computer  (Read 3965 times)

Offline resevil83

  • Full Member
  • ***
  • Posts: 189
  • Karma: +0/-0
Spyware infected my computer
« on: June 14, 2006, 11:11:21 PM »
I have spyware on my computer. I will get a red shield in the bottom of my screen, it says it's Norton's antivirus thing but it doesn't look right to me. I know it's not because it will pop up and go away. Then again it's in the actual running system tray part (bottom right of the screen on the taskbar). Anyways I'll get ads like get 1000.00 free bonus cash at Monaco Gold Casino, sometimes I'll get several ads that say you have spyware click here to get rid of it. OR download this program to get rid of it. In my start menu there is now an online security guide blue shield and a green shield that says security troubleshooting. These popped up after the windows alert system popped up.

Please help!

BTW IE does not work. (Using Mozilla)

Logfile of HijackThis v1.99.1
Scan saved at 11:02:12 PM, on 6/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
G:\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\bf33bc31.exe
C:\WINDOWS\system32\1cb16dfe.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\svdsrv.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\DOCUME~1\MICHAE~1\MYDOCU~1\SSTEM3~1\nslookup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\atmclk.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "G:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [bf33bc31.exe] C:\WINDOWS\system32\bf33bc31.exe
O4 - HKLM\..\Run: [1cb16dfe.exe] C:\WINDOWS\system32\1cb16dfe.exe
O4 - HKLM\..\Run: [svdsrv] C:\WINDOWS\svdsrv.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [bf33bc31.exe] C:\Documents and Settings\Michael Bert\Local Settings\Application Data\bf33bc31.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\MICHAE~1\MYDOCU~1\SSTEM3~1\nslookup.exe" -vt yazr
O4 - HKCU\..\Run: [Wlyzu] C:\DOCUME~1\MICHAE~1\APPLIC~1\CROSOF~1.NET\WAUCLT~1.EXE
O4 - HKCU\..\Run: [1cb16dfe.exe] C:\Documents and Settings\Michael Bert\Local Settings\Application Data\1cb16dfe.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D1792F99-AA90-4D46-8B73-2CE45DADDD3C} (WAFDownloader Class) - https://www.web-a-file.com/webafiledownloader.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Seekmo/ie/...3008c54b810aed3
O20 - AppInit_DLLs:   wowexec.dll C:\WINDOWS\system32\wowexec.dll
O20 - Winlogon Notify: winysd32 - C:\WINDOWS\SYSTEM32\winysd32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Unknown owner - C:\WINDOWS\system32\RioMSC.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
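Added example, not part of the thread and not a HijackThis feature: a small Python triage script that applies the same reading a helper gives a log like the one above. It flags R0/R1 start and search pages whose host is not on a trusted list (about:blank included), O2 browser helper objects loaded from a .tmp file, O4 autostart entries with a random 8-hex-digit name or a binary run from a user-writable folder, and every O20 AppInit_DLLs / Winlogon Notify entry. The sample lines are constructed from entry types in this log (plus one trusted start page for contrast); the trusted-host list and the path hints are assumptions of this example.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section entry reason")

# One HijackThis line: "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path"
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Autostart name that is eight hex digits plus .exe, as in [bf33bc31.exe]
HEX_NAME_RE = re.compile(r"^\[[0-9a-f]{8}\.exe\]", re.IGNORECASE)
# Host part of a start/search page value, with or without a scheme
HOST_RE = re.compile(r"^(?:https?://)?([^/]+)")

# Assumption: hosts the reviewer accepts as a start/search page (not a HijackThis list).
TRUSTED_SEARCH_HOSTS = ("google.com", "msn.com", "microsoft.com", "yahoo.com")

# Assumption: per-user writable locations (long and 8.3 forms) where a legitimate
# autostart binary rarely lives on Windows XP.
USER_WRITABLE_HINTS = (
    "local settings\\application data",
    "application data",
    "applic~1",
    "my documents",
    "mydocu~1",
)


def check_r(body):
    """R0/R1: IE start and search pages.  Any value whose host is not trusted is a
    hijack candidate; about:blank in these keys is flagged for review as well."""
    if " = " not in body:
        return None
    _key, data = body.rsplit(" = ", 1)
    data = data.strip().lower()
    if not data:
        return None
    m = HOST_RE.match(data)
    host = m.group(1) if m else data
    for trusted in TRUSTED_SEARCH_HOSTS:
        if host == trusted or host.endswith("." + trusted):
            return None
    return f"IE start/search page set to '{data}'"


def check_o2(body):
    """O2: browser helper objects.  A BHO loaded from a .tmp file is not installed software."""
    target = body.rsplit(" - ", 1)[-1].strip().lower()
    if target.endswith(".tmp"):
        return f"BHO loaded from temp file {target}"
    return None


def check_o4(body):
    """O4: autostarts.  Flag random 8-hex names and binaries launched from user-writable paths."""
    if ": " not in body:
        return None
    _where, rest = body.split(": ", 1)
    if HEX_NAME_RE.match(rest):
        return "autostart name is a random 8-hex-digit .exe"
    low = rest.lower()
    for hint in USER_WRITABLE_HINTS:
        if hint in low:
            return f"autostart binary runs from a user-writable path ({hint})"
    return None


def check_o20(body):
    """O20: AppInit_DLLs and Winlogon Notify load a DLL into every process or into
    winlogon, so every entry is handed to the reviewer."""
    return "AppInit_DLLs / Winlogon Notify entry: " + body.split(":", 1)[0]


CHECKS = {"R0": check_r, "R1": check_r, "O2": check_o2, "O4": check_o4, "O20": check_o20}


def triage(log_text):
    """Run the per-section checks over a HijackThis log; return flagged entries in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        check = CHECKS.get(m.group("sec"))
        if check is None:
            continue
        reason = check(m.group("body"))
        if reason:
            findings.append(Finding(m.group("sec"), line, reason))
    return findings


# Constructed sample in the HijackThis 1.99.1 format, modelled on the entry types in the
# log above plus one trusted start page.  This is not the full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bf33bc31.exe] C:\WINDOWS\system32\bf33bc31.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\MICHAE~1\MYDOCU~1\SSTEM3~1\nslookup.exe" -vt yazr
O20 - AppInit_DLLs:   wowexec.dll C:\WINDOWS\system32\wowexec.dll
O20 - Winlogon Notify: winysd32 - C:\WINDOWS\SYSTEM32\winysd32.dll
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.entry}")
```

Run it as a script to see the flagged sample entries, or call triage() on the text of a saved hijackthis.log. The checks are heuristics for a human reviewer: they narrow a 90-line log to the handful of entries worth a closer look, and the decision about what to fix stays with the person reading the log.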

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Spyware infected my computer
« Reply #1 on: June 15, 2006, 05:28:33 PM »
Sorry for the delay, can you do the following please

Download and unzip to your desktop InstalledPrograms.zip
Double click on InstalledPrograms.vbs
If you get a prompt from your Anti-Virus, please ALLOW this script to run
We are just collecting information

Click OK at the IP prompt and click YES to view the results now
A text file will open, can you copy and paste back here the whole contents please

Afterwards,
Download SmitfraudFix (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the contents of that report also into your next reply.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline resevil83

  • Full Member
  • ***
  • Posts: 189
  • Karma: +0/-0
Spyware infected my computer
« Reply #2 on: June 17, 2006, 01:46:43 AM »
This is the second procedure you wanted me to do. I tried the first, and every time I hit OK nothing happened.
I'll try restarting and doing it again.

SmitFraudFix v2.61

Scan done at  1:44:43.79, Sat 06/17/2006
Run from C:\Documents and Settings\Michael Bert\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Michael Bert\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{9ae613a2-a13b-4379-8d0e-86a1a78476ec}"="corindon"

[HKEY_CLASSES_ROOT\CLSID\{9ae613a2-a13b-4379-8d0e-86a1a78476ec}\InProcServer32]
@="C:\WINDOWS\system32\rmzdzx.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{9ae613a2-a13b-4379-8d0e-86a1a78476ec}\InProcServer32]
@="C:\WINDOWS\system32\rmzdzx.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Spyware infected my computer
« Reply #3 on: June 17, 2006, 11:52:47 AM »
Sorry for the delay
Can you do the following please, let's see if Norton's is interfering with installedprograms.vbs

1. Start Norton AntiVirus.
   If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
2. Click Options.
   If you see a menu, click Norton AntiVirus.
3. In the left pane, click Script Blocking.
4. In the right pane, uncheck Enable Script Blocking (recommended).
5. Click OK.
Please leave this disabled until after we have you clean.

If you still can't get it to run
Open Hijackthis>>Open Misc tools section>>Open Uninstall Manager
Click the SAVE LIST... button
Save the list to desktop then come back here and copy, paste the whole contents please
« Last Edit: June 17, 2006, 12:01:48 PM by guestolo »



Offline resevil83

  • Full Member
  • ***
  • Posts: 189
  • Karma: +0/-0
Spyware infected my computer
« Reply #4 on: June 17, 2006, 01:53:50 PM »
Worked like a charm!

INSTALLED SOFTWARE (211) - BERT-VVX88VYRXO - 6/17/2006 1:52:55 PM

7200   Ver: 47.0.1.000   Installed: 6/4/2005
7200Trb   Ver: 47.0.1.000   Installed: 6/4/2005
Ad-Aware SE Personal   Ver: 1.06
Adobe Acrobat - Reader 6.0.2 Update   Ver: 6.0.2   Installed: 11/26/2004
Adobe Acrobat and Reader 6.0.3 Update   Ver: 6.0.3   Installed: 2/19/2005
Adobe After Effects 6.5   Ver: 6.5   Installed: 3/1/2006
Adobe Atmosphere Player for Acrobat and Adobe Reader   
Adobe Audition 1.5   Ver: 1.5   Installed: 4/26/2005
Adobe Bridge 1.0   Ver: 001.000.000   Installed: 4/16/2006
Adobe Common File Installer   Ver: 1.00.0000   Installed: 4/16/2006
Adobe Encore DVD 1.5   Ver: 1.5
Adobe Help Center 1.0   Ver: 001.000.000   Installed: 4/16/2006
Adobe Illustrator CS   Ver: 11
Adobe InDesign CS2   Ver: 004.000.000
Adobe InDesign CS2   Ver: 004.000.000   Installed: 3/4/2006
Adobe MPEG Encoder   Ver: 1.03.0000   Installed: 10/12/2005
Adobe Photoshop CS   Ver: CS
Adobe Photoshop CS2   Ver: 9.0
Adobe Photoshop CS2   Ver: 9.0   Installed: 4/16/2006
Adobe Premiere 6.5   Ver: 6.5
Adobe Reader 6.0.1   Ver: 006.000.001   Installed: 6/19/2004
Adobe Stock Photos 1.0   Ver: 001.000.000   Installed: 4/16/2006
Adobe SVG Viewer 3.0   Ver:  3.0
Advanced RealMedia Export Plug-in for Premiere 6.0   
AiO_Scan   Ver: 47.0.1.000   Installed: 6/4/2005
AiOSoftware   Ver: 47.0.1.000   Installed: 6/4/2005
AnyDVD   
AOL Instant Messenger   
Atlantis   Ver: 1.50   Installed: 8/22/2004
AutoUpdate   Ver: 1.1
Azureus   Ver: 2.3.0.4
BCM V.92 56K Modem   
BufferChm   Ver: 45.4.157.000   Installed: 6/4/2005
CC_ccStart   Ver: 2.1.0.610   Installed: 8/23/2004
ccCommon   Ver: 2.1.0.610   Installed: 8/23/2004
CleanUp!   
ConvertXtoDVD 2.0.4   Ver: 2.0.4
Copy   Ver: 45.4.157.000   Installed: 6/4/2005
Cowabanga by OIN   
CP_AtenaShokunin1Config   Ver: 45.4.131.000   Installed: 6/4/2005
cp_dwShrek2Albums1   Ver: 45.4.157.000   Installed: 6/4/2005
cp_dwShrek2Cards1   Ver: 45.4.157.000   Installed: 6/4/2005
Creative Jukebox Driver   
Creative MediaSource   Ver: 3.00
CreativeProjects   Ver: 45.4.157.000   Installed: 6/4/2005
CreativeProjectsTemplates   Ver: 45.4.157.000   Installed: 6/4/2005
CueTour   Ver: 45.4.157.000   Installed: 6/4/2005
CuteFTP 7 Professional   Ver: 7.00.0000
Dell Movie Studio Diagnostics   Ver: 1.50   Installed: 8/22/2004
Dell ResourceCD   
Destinations   Ver: 45.4.157.000   Installed: 6/4/2005
Director   Ver: 45.4.157.000   Installed: 6/4/2005
DivX   Ver: 5.2.1
DivX Player   Ver: 6.0
DocProc   Ver: 4.5.0.0   Installed: 6/4/2005
DocumentViewer   Ver: 45.4.157.000   Installed: 6/4/2005
DVD Decrypter (Remove Only)   
DVD Shrink 3.2   
dvdSanta 3.42   
DVDuck   
Elecard MPEG2 Player 2.0   Ver: 2.0   Installed: 08/25/2004
EPSON Online Reference Guide   
EPSON Printer Software   
Fax   Ver: 47.0.1.000   Installed: 6/4/2005
Google Toolbar for Internet Explorer   
HighMAT Extension to Microsoft Windows XP CD Writing Wizard   Ver: 1.1.1905.1   Installed: 8/8/2004
HijackThis 1.99.1   Ver: 1.99.1
HP Image Zone 4.7   Ver: 4.7
HP Product Assistant   Ver: 2.0.0.0   Installed: 6/4/2005
HP PSC & OfficeJet 4.7   
HP Software Update   Ver: 3.0.5.001   Installed: 2/11/2006
HPSystemDiagnostics   Ver: 1.6.0.0   Installed: 6/4/2005
InstantShare   Ver: 45.4.157.000   Installed: 6/4/2005
Intel® PRO Ethernet Adapter and Software   
iTunes   Ver: 6.0.4.2   Installed: 3/14/2006
iTunes   Ver: 6.0.4.2   Installed: 3/14/2006
J2SE Runtime Environment 5.0 Update 1   Ver: 1.5.0.10   Installed: 4/25/2005
J2SE Runtime Environment 5.0 Update 2   Ver: 1.5.0.20   Installed: 4/25/2005
J2SE Runtime Environment 5.0 Update 4   Ver: 1.5.0.40   Installed: 8/20/2005
LimeWire 4.8.1   Ver: 4.8.1
LiveReg (Symantec Corporation)   Ver: 2.4.2.2295
LiveUpdate 3.0 (Symantec Corporation)   Ver: 3.0.0.160
Macromedia Dreamweaver 8   Ver: 8.0.0.2734   Installed: 9/21/2005
Macromedia Extension Manager   Ver: 1.7.240   Installed: 9/21/2005
Macromedia Flash 8   Ver: 8.00.0000   Installed: 10/26/2005
Macromedia Flash 8 Video Encoder   Ver: 1.00.0000   Installed: 10/26/2005
Macromedia Flash Player 8   Ver: 8
Macromedia Flash Player 8   Ver: 8.0.22.0   Installed: 10/26/2005
Macromedia Flash Player 8 Plugin   Ver: 8.0.22.0   Installed: 10/26/2005
Macromedia Shockwave Player   
Microsoft .NET Framework 1.1   Ver: 1.1.4322   Installed: 5/24/2005
Microsoft Data Access Components KB870669   
Microsoft Office XP Professional with FrontPage   Ver: 10.0.2627.0   Installed: 1/17/2006
Microsoft Script Debugger   
Mozilla Firefox (1.0.7)   Ver: 1.0.7 (en-US)
MSRedist   Ver: 1.0.0.0   Installed: 8/23/2004
Nero 6 Ultra Edition   
Nero 7 Demo   Ver: 7.00.1461   Installed: 4/8/2006
Nikon View 5   
Norton AntiVirus 2004   Ver: 10.00.13   Installed: 8/23/2004
Norton AntiVirus 2004 (Symantec Corporation)   Ver: 10.00.13
Norton AntiVirus Parent MSI   Ver: 10.0.10   Installed: 8/23/2004
Norton AntiVirus SYMLT MSI   Ver: 10.0.10   Installed: 8/23/2004
Norton WMI Update   Ver: 2005.1.0.111   Installed: 8/30/2004
Palm Desktop   Ver: 4.1.0300   Installed: 8/25/2004
PanoStandAlone   Ver: 45.4.157.000   Installed: 6/4/2005
PCFriendly   
PhotoGallery   Ver: 45.4.157.000   Installed: 6/4/2005
ProductContext   Ver: 47.0.1.000   Installed: 6/4/2005
QFolder   Ver: 1.00.0000   Installed: 6/4/2005
Quicken 2005   Ver: 14.00.0000   Installed: 3/28/2005
Quicken 2005   Ver: 14.00.0000   Installed: 3/28/2005
QuickTime   Ver: 7.0.4   Installed: 3/14/2006
QuickTime   Ver: 7.0.4   Installed: 3/14/2006
Readme   Ver: 47.0.1.000   Installed: 6/4/2005
RealPlayer   
Roxio Easy DVD Copy   Ver: 7.0.1.84   Installed: 9/30/2004
Roxio VideoWave Movie Creator   Ver: 1.6.635.0   Installed: 8/22/2004
Scan   Ver: 4.5.0.0   Installed: 6/4/2005
ScannerCopy   Ver: 4.5.0.0   Installed: 6/4/2005
Security Update for Windows Media Player (KB911564)      Installed: 2/19/2006
Security Update for Windows Media Player 10 (KB911565)      Installed: 2/19/2006
Security Update for Windows XP (KB883939)   Ver: 1   Installed: 6/19/2005
Security Update for Windows XP (KB890046)   Ver: 1   Installed: 6/19/2005
Security Update for Windows XP (KB893756)   Ver: 1   Installed: 8/14/2005
Security Update for Windows XP (KB896358)   Ver: 1   Installed: 6/19/2005
Security Update for Windows XP (KB896422)   Ver: 1   Installed: 6/19/2005
Security Update for Windows XP (KB896423)   Ver: 1   Installed: 8/14/2005
Security Update for Windows XP (KB896424)   Ver: 1   Installed: 11/13/2005
Security Update for Windows XP (KB896428)   Ver: 1   Installed: 6/19/2005
Security Update for Windows XP (KB896688)   Ver: 1   Installed: 10/16/2005
Security Update for Windows XP (KB899587)   Ver: 1   Installed: 8/14/2005
Security Update for Windows XP (KB899588)   Ver: 1   Installed: 8/14/2005
Security Update for Windows XP (KB899591)   Ver: 1   Installed: 8/14/2005
Security Update for Windows XP (KB900725)   Ver: 1   Installed: 10/16/2005
Security Update for Windows XP (KB901017)   Ver: 1   Installed: 10/16/2005
Security Update for Windows XP (KB901214)   Ver: 1   Installed: 7/17/2005
Security Update for Windows XP (KB902400)   Ver: 1   Installed: 10/16/2005
Security Update for Windows XP (KB903235)   Ver: 1   Installed: 7/17/2005
Security Update for Windows XP (KB904706)   Ver: 1   Installed: 10/16/2005
Security Update for Windows XP (KB905414)   Ver: 1   Installed: 10/16/2005
Security Update for Windows XP (KB905749)   Ver: 1   Installed: 10/16/2005
Security Update for Windows XP (KB905915)   Ver: 1   Installed: 12/18/2005
Security Update for Windows XP (KB908519)   Ver: 1   Installed: 1/15/2006
Security Update for Windows XP (KB908531)   Ver: 1   Installed: 4/16/2006
Security Update for Windows XP (KB911562)   Ver: 1   Installed: 4/16/2006
Security Update for Windows XP (KB911567)   Ver: 1   Installed: 4/16/2006
Security Update for Windows XP (KB911927)   Ver: 1   Installed: 2/19/2006
Security Update for Windows XP (KB912812)   Ver: 1   Installed: 4/16/2006
Security Update for Windows XP (KB912919)   Ver: 1   Installed: 1/8/2006
Security Update for Windows XP (KB913446)   Ver: 1   Installed: 2/19/2006
Security Update for Windows XP (KB913580)   Ver: 1   Installed: 5/14/2006
Shockwave   
SkinsHP1   Ver: 45.4.157.000   Installed: 6/4/2005
SmartFTP Client 2.0   Ver: 2.0.996   Installed: 4/8/2006
SmartFTP Client 2.0 Setup Files (remove only)   Ver: "2.0"
Sony ACID Pro 5.0   Ver: 5.0.265   Installed: 5/24/2005
Sound Blaster Live!   
Spybot - Search & Destroy 1.4   Ver: 1.4
SpywareBlaster v3.4   Ver: 3.4.0
Symantec Network Drivers Update   Ver: 5.5.1.6   Installed: 5/10/2005
Symantec Script Blocking Installer   Ver: 1.0.0   Installed: 8/23/2004
SymNet   Ver: 4.7.1   Installed: 8/23/2004
TrayApp   Ver: 45.4.157.000   Installed: 6/4/2005
Ultimatte AdvantEdge   
Unload   Ver: 4.5.0   Installed: 6/4/2005
Update for Windows XP (KB894391)   Ver: 1   Installed: 8/14/2005
Update for Windows XP (KB896727)   Ver: 1   Installed: 8/14/2005
Update for Windows XP (KB898461)   Ver: 1   Installed: 7/3/2005
Update for Windows XP (KB900485)   Ver: 2   Installed: 4/30/2006
Update for Windows XP (KB910437)   Ver: 1   Installed: 12/18/2005
VP6 VFW Codec   
WebFldrs XP   Ver: 9.50.6513   Installed: 6/16/2004
WebReg   Ver: 45.4.157.000   Installed: 6/4/2005
WIBU-KEY Setup (WIBU-KEY Remove)   Ver: Version 3.10 of 2001-Sep-27 (Setup)   Installed: 3/6/2022
Winamp (remove only)   
WinAVI VideoConverter   
Windows Installer 3.1 (KB893803)   Ver: 3.1
Windows Installer 3.1 (KB893803)   Ver: 3.1
Windows Media Format Runtime   
Windows Media Player 10   
Windows XP Hotfix - KB834707   Ver: 20040929.110854
Windows XP Hotfix - KB867282   Ver: 20050127.090417
Windows XP Hotfix - KB873333   Ver: 20050114.005213
Windows XP Hotfix - KB873339   Ver: 20041117.092459
Windows XP Hotfix - KB885250   Ver: 20050118.202711
Windows XP Hotfix - KB885835   Ver: 20041027.181713
Windows XP Hotfix - KB885836   Ver: 20041028.173203
Windows XP Hotfix - KB885884   Ver: 20040924.025457
Windows XP Hotfix - KB886185   Ver: 20041021.090540
Windows XP Hotfix - KB887472   Ver: 20041014.162858
Windows XP Hotfix - KB887742   Ver: 20041103.095002
Windows XP Hotfix - KB888113   Ver: 20041116.131036
Windows XP Hotfix - KB888302   Ver: 20041207.111426
Windows XP Hotfix - KB890047   Ver: 20041221.124506
Windows XP Hotfix - KB890175   Ver: 20041201.233338
Windows XP Hotfix - KB890859   Ver: 1   Installed: 4/17/2005
Windows XP Hotfix - KB890923   Ver: 1   Installed: 4/17/2005
Windows XP Hotfix - KB891781   Ver: 20050110.165439
Windows XP Hotfix - KB893066   Ver: 1   Installed: 4/17/2005
Windows XP Hotfix - KB893086   Ver: 1   Installed: 4/17/2005
Windows XP Service Pack 2   Ver: 20040803.231319
WinPcap 3.1 beta3      Installed: 11/24/2004
WinRAR archiver   
WinZip   Ver:  9.0  (6028)
WordPerfect Office 2002   
WordPerfect Office 2002   Ver: 10   Installed: 6/22/2004
XviD Video Codec 04102002-1 (Koepi's build with EPSZ ME)   
Yahoo! Toolbar   
Yahoo! Toolbar   
YazzleActiveX By OIN   Ver: 1.0

Offline bathfrog

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
Spyware infected my computer
« Reply #5 on: June 17, 2006, 02:09:33 PM »
I have the same problem. Except that a small box appears and disappears on my bottom toolbar saying "Critical system error. Your computer is infected bla bla. Click here to download the appropriate software." And it also is redirecting my homepage. Please help me too!

<LOG REMOVED by guestolo>
bathfrog, please don't jump into someone else's topic, it's far too confusing
Start your own topic and supply a fresh hijackthis log
« Last Edit: July 24, 2006, 07:45:55 PM by guestolo »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Spyware infected my computer
« Reply #6 on: June 17, 2006, 02:18:19 PM »
Can you do the following please

==Download and then Install
Ewido anti-malware 3.5

When installing, under "Additional Options" UNCHECK

    "Install background guard"
    "Install scan via context menu".
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the auto updater won't work
Please manually update from this link
http://www.ewido.net/en/download/updates/

Please save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!


Disable SpywareDoctor's protections as it may interfere with any fixes we try
To deactivate Spyware Doctor's OnGuard Tools

1. From within Spyware Doctor, click the "OnGuard" button on the left side.
2. Uncheck "Activate OnGuard".

Access your add/remove programs and remove all the following
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4  

The above are all old versions or updates of Java, we will update this in a bit

Then continue to remove
Cowabanga by OIN
and
YazzleActiveX By OIN


RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu
In safe mode

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
CleanUp! may prompt to run in Demo mode the first time it is run; decline, as we actually want to run the cleanup portion
When it's done>>Click Close
DECLINE to Log off or Restart the computer

==Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process.  A text file will appear onscreen, with results from the cleaning process
I'll need to see these later, by default they are also saved at C:\rapport.txt

If a reboot was required, reboot back to safe mode
If it wasn't required, remain in safe mode

==Open Ewido Anti-malware
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to the desktop or someplace you will remember
Exit Ewido
NOTE: When Ewido is running, don't open any other windows, let it run uninterrupted

Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp

O4 - HKLM\..\Run: [bf33bc31.exe] C:\WINDOWS\system32\bf33bc31.exe
O4 - HKLM\..\Run: [1cb16dfe.exe] C:\WINDOWS\system32\1cb16dfe.exe
O4 - HKLM\..\Run: [svdsrv] C:\WINDOWS\svdsrv.exe

O4 - HKCU\..\Run: [bf33bc31.exe] C:\Documents and Settings\Michael Bert\Local Settings\Application Data\bf33bc31.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\MICHAE~1\MYDOCU~1\SSTEM3~1\nslookup.exe" -vt yazr
O4 - HKCU\..\Run: [Wlyzu] C:\DOCUME~1\MICHAE~1\APPLIC~1\CROSOF~1.NET\WAUCLT~1.EXE
O4 - HKCU\..\Run: [1cb16dfe.exe] C:\Documents and Settings\Michael Bert\Local Settings\Application Data\1cb16dfe.exe
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Seekmo/ie/...3008c54b810aed3
O20 - AppInit_DLLs: wowexec.dll C:\WINDOWS\system32\wowexec.dll
O20 - Winlogon Notify: winysd32 - C:\WINDOWS\SYSTEM32\winysd32.dll


After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot back to Normal mode

Let's update Java
Go to the following link
http://www.java.com/en/download/manual.jsp
Download and save to desktop the Windows OFFLINE installation
Double click on the installer and follow the prompts to install the latest version of Java
Once installed you can delete the installer saved to desktop

Post back the following:
1. Run a Scan and save logfile with Hijackthis and post a fresh log
2. Post the whole report from Ewido
3. Post the contents of the log from Smitfraudfix located here>>C:\Rapport.txt
« Last Edit: June 17, 2006, 02:20:38 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here


Offline resevil83

Spyware infected my computer
« Reply #7 on: June 17, 2006, 09:00:17 PM »
Logfile of HijackThis v1.99.1
Scan saved at 8:59:13 PM, on 6/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
G:\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "G:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D1792F99-AA90-4D46-8B73-2CE45DADDD3C} (WAFDownloader Class) - https://www.web-a-file.com/webafiledownloader.cab
O20 - Winlogon Notify: winysd32 - winysd32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Unknown owner - C:\WINDOWS\system32\RioMSC.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         8:40:29 PM, 6/17/2006
 + Report-Checksum:      D502F4A8

 + Scan result:

   HKLM\SOFTWARE\tsvcin -> Adware.Look2Me : Cleaned with backup
   HKU\S-1-5-21-527237240-448539723-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Cleaned with backup
   [216] C:\WINDOWS\system32\winysd32.dll -> Trojan.Agent.vg : Cleaned with backup
   :mozilla.13:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\0lql2m8c.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
   :mozilla.18:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\0lql2m8c.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
   :mozilla.19:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\0lql2m8c.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
   C:\Documents and Settings\Michael Bert\Local Settings\Application Data\bf33bc31.exe -> Downloader.Obfuscated.a : Cleaned with backup
   C:\WINDOWS\system32\bf33bc31.exe -> Downloader.Obfuscated.a : Cleaned with backup
   C:\WINDOWS\system32\New Folder\rmzdzx.dll -> Not-A-Virus.Hoax.Win32.Renos.dp : Cleaned with backup
   C:\WINDOWS\system32\P2P Networking -> Adware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\system32\P2P Networking\Cache -> Adware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\system32\P2P Networking\Cache\Database -> Adware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\system32\P2P Networking\Cache\Database\file-10001-1278500125.sig -> Adware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\system32\P2P Networking\Cache\Database\file-10001-2629912307.sig -> Adware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\system32\P2P Networking\Cache\Database\file-10001-2809625891.sig -> Adware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\system32\P2P Networking\Cache\Database\file-10001-2831234109.sig -> Adware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\system32\P2P Networking\Cache\Database\file-10001-623154993.sig -> Adware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\system32\P2P Networking\Cache\Database\file-10001-933574426.sig -> Adware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\system32\P2P Networking\Cache\Database\file-1001-77.sig -> Adware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\system32\P2P Networking\Cache\Database\file-1001-82.sig -> Adware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\system32\P2P Networking\Cache\Database\index256.dbb -> Adware.P2PNetworking : Cleaned with backup
   C:\WINDOWS\system32\winysd32.dll -> Trojan.Agent.vg : Cleaned with backup


::Report End



SmitFraudFix v2.61

Scan done at 19:05:47.62, Sat 06/17/2006
Run from C:\Documents and Settings\Michael Bert\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{9ae613a2-a13b-4379-8d0e-86a1a78476ec}"="corindon"

[HKEY_CLASSES_ROOT\CLSID\{9ae613a2-a13b-4379-8d0e-86a1a78476ec}\InProcServer32]
@="C:\WINDOWS\system32\rmzdzx.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{9ae613a2-a13b-4379-8d0e-86a1a78476ec}\InProcServer32]
@="C:\WINDOWS\system32\rmzdzx.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\atmclk.exe Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp???.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
C:\DOCUME~1\MICHAE~1\FAVORI~1\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\rmzdzx.dll -> Missing File


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Offline guestolo

Spyware infected my computer
« Reply #8 on: June 17, 2006, 10:30:27 PM »
If you find these files can you delete them please
Exact file names and locations
C:\WINDOWS\system32\wowexec.dll <-file>>Do NOT delete wowexec.exe
C:\WINDOWS\system32\1cb16dfe.exe <-file
C:\WINDOWS\svdsrv.exe <-file

Do a "System scan only" with Hijackthis and put a check next to these entries:

O20 - Winlogon Notify: winysd32 - winysd32.dll (file missing)


After you have ticked the above entry, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

Come back here and post one last hijackthis log and let me know how things are running please
« Last Edit: June 17, 2006, 10:34:13 PM by guestolo »

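Added example, not code from the thread and not part of HijackThis: a small Python script that checks a HijackThis fix list against a fresh log by entry identity (registry value name, CLSID, Run-key name, service name) instead of by verbatim line. That is the comparison the helper did by eye above: the winysd32 Winlogon Notify entry from the earlier fix list survived the cleanup, but its line changed to "winysd32.dll (file missing)", so an exact-line diff would miss it. The two sample inputs are constructed subsets of the fix list in the earlier reply and of the log in Reply #7; the key scheme (`entry_key`) is my own assumption, not a HijackThis convention.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the fix list the helper posted (entries that
# were ticked in HijackThis and fixed before the reboot).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O4 - HKLM\..\Run: [bf33bc31.exe] C:\WINDOWS\system32\bf33bc31.exe
O4 - HKLM\..\Run: [svdsrv] C:\WINDOWS\svdsrv.exe
O20 - AppInit_DLLs: wowexec.dll C:\WINDOWS\system32\wowexec.dll
O20 - Winlogon Notify: winysd32 - C:\WINDOWS\SYSTEM32\winysd32.dll
"""

# Constructed sample: a subset of the log posted after the cleanup, including
# header and process-list lines that the parser must skip.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\HJT\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: winysd32 - winysd32.dll (file missing)
O23 - Service: Rio MSC Manager (RioMSC) - Unknown owner - C:\WINDOWS\system32\RioMSC.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_RE = re.compile(r"^(?P<scope>[^:]+): (?:\[(?P<name>[^\]]+)\]|(?P<lnk>.+?\.lnk))")


def entry_key(sec: str, body: str) -> str:
    """Stable identity for one HijackThis entry (assumed scheme, my own).

    The identity is the registry value, CLSID, Run-key name or service name,
    not the path it points to: a half-removed infection keeps the key while
    the file disappears, and HJT then appends "(file missing)".
    """
    if sec in ("R0", "R1"):
        return f"{sec}|{body.split(' = ', 1)[0].strip()}"
    if sec in ("O2", "O16"):
        m = CLSID_RE.search(body)
        if m:
            return f"{sec}|{m.group(0).upper()}"
    if sec == "O4":
        m = O4_RE.match(body)
        if m:
            name = m.group("name") or m.group("lnk")
            return f"O4|{m.group('scope')}|{name.strip().lower()}"
    if sec == "O20":
        kind, _, rest = body.partition(": ")
        if kind == "Winlogon Notify":
            return f"O20|{kind}|{rest.split(' - ', 1)[0].strip().lower()}"
        return f"O20|{kind}"  # AppInit_DLLs is a single value
    if sec == "O23":
        _, _, rest = body.partition(": ")
        return f"O23|{rest.split(' - ', 1)[0].strip()}"
    return f"{sec}|{body.strip()}"


def parse_log(text: str) -> Dict[str, str]:
    """Map every HJT entry line in a log to its full text, keyed by entry_key."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries[entry_key(m.group("sec"), m.group("body"))] = line
    return entries


def exact_still_present(fix_text: str, log_text: str) -> List[str]:
    """Naive check: fix-list lines that reappear verbatim in the new log."""
    new_lines = {l.strip() for l in log_text.splitlines()}
    return [l.strip() for l in fix_text.splitlines() if l.strip() and l.strip() in new_lines]


def still_present(fix_text: str, log_text: str) -> List[Tuple[str, str]]:
    """Key-based check: fix-list entries that survived, in whatever form."""
    after = parse_log(log_text)
    return [(k, after[k]) for k in parse_log(fix_text) if k in after]


def orphaned(log_text: str) -> List[str]:
    """Entries whose target no longer exists on disk (HJT marks these)."""
    return [line for line in parse_log(log_text).values()
            if "(file missing)" in line or "(no file)" in line]


def diff_logs(before_text: str, after_text: str) -> Tuple[List[str], List[str]]:
    """Entry keys removed and added between two logs of the same machine."""
    before, after = parse_log(before_text), parse_log(after_text)
    removed = sorted(k for k in before if k not in after)
    added = sorted(k for k in after if k not in before)
    return removed, added


if __name__ == "__main__":
    print("verbatim matches:", exact_still_present(FIX_LIST, AFTER_LOG))
    for key, line in still_present(FIX_LIST, AFTER_LOG):
        print("survived:", key, "->", line)
    for line in orphaned(AFTER_LOG):
        print("orphaned:", line)
```

Run as-is, the verbatim comparison reports nothing while the key-based one reports the surviving Winlogon Notify entry. Note that `orphaned` also lists the RioMSC service: "(file missing)" alone does not mean an entry came from the infection, which is why the fix list, not the orphan marker, decides what to tick next.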


Offline resevil83

Spyware infected my computer
« Reply #9 on: June 18, 2006, 05:19:57 AM »
Everything seems pretty good... They look ok?

Logfile of HijackThis v1.99.1
Scan saved at 5:19:38 AM, on 6/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "G:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D1792F99-AA90-4D46-8B73-2CE45DADDD3C} (WAFDownloader Class) - https://www.web-a-file.com/webafiledownloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Unknown owner - C:\WINDOWS\system32\RioMSC.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
« Last Edit: June 18, 2006, 05:20:35 AM by resevil83 »

Offline guestolo

Spyware infected my computer
« Reply #10 on: June 18, 2006, 09:43:58 AM »
Looks good

If everything is running better
Go to START>>RUN>>In the open field
Type in
msconfig
Click OK
Click the "Launch System Restore" button
On the left hand side click on "System Restore Settings"
Put a check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
Back in Windows, go back and take the check out of "Turn off System Restore"
This will re-enable the System Restore feature and create a new restore point

Protect yourself against Future Attacks
Your version of SpywareBlaster is out of date
Let's update it. Open SpywareBlaster 3.4>>Disable All Protection
Close SpywareBlaster
Access your add/remove programs and remove SpywareBlaster 3.4
Afterwards,
*Install SpywareBlaster 3.5.1 by JavaCool
    *Will block bad ActiveX Controls
    *Block malevolent cookies in Internet Explorer and Firefox
    *Restrict actions of potentially dangerous sites in Internet Explorer
After installation, check for updates and then click "Enable all protection"
Check for updates every couple of weeks
After every update just simply click "Enable protection on all unprotected items"
*Make sure your Anti-Virus software is always kept up to date and actively running in the background

*Make sure your Firewall is enabled and running
A Firewall is also very important
This provides a line of defense against someone who might try to access your computer without your permission

Update and do scans with your Anti-Spyware programs on a regular basis
In addition: Open Spybot 1.4
Click the "Immunize" button on the left>>>OK at the prompt>>Immunize at the top green cross
Immunize after every update

Most Important:
*Keep up to date on Windows updates (High Priorities)
This is the most important step in keeping your system secure

+Ewido will become a free limited version after a couple weeks
Decide whether to keep it or not, it is a great scanner to update and run once a month
CleanUp!>>Again optional to hold onto, great in cleaning temp files, cookies, etc...

+You can reenable Norton's script blocking and Spyware Doctor's protections if still disabled
Stay safe :)
« Last Edit: June 18, 2006, 09:46:19 AM by guestolo »



Offline resevil83

  • Full Member
  • ***
  • Posts: 189
  • Karma: +0/-0
Spyware infected my computer
« Reply #11 on: June 18, 2006, 11:09:15 PM »
One last thing: when I restart my computer and get to the main Windows screen, a thing comes up saying "installing photo gallery". I always click cancel, and it tries to do it like 3 times... It kind of slows the startup of the computer. Any idea what's up with that? And what does a System Restore point really do? Does it account for all the information on your hard drives?

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Spyware infected my computer
« Reply #12 on: June 19, 2006, 07:48:01 AM »
You can find lots of info on System Restore with Google

Quote
when I restart my computer and get to the main windows screen... a thing comes up saying, installing photo gallery
Let's deal with that problem
One of the programs set to run on startup appears to want to install this

Try and track down which one

Go to START>>RUN>>Type in
msconfig
Hit OK
Under the startup tab

Uncheck everything you don't need on startup
DON'T uncheck entries related to
your Anti-virus or spyware programs; they won't be the cause

Apply and close, reboot the computer
Do you still get the prompt to install photo gallery?
If not, by trial and error, you will have to determine which program set to run on startup is responsible
My bet would be something related to HP's Imaging software, but that's a guess
« Last Edit: June 19, 2006, 07:54:20 AM by guestolo »

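
The post above finds the offending startup entry by unchecking msconfig items and rebooting until the prompt disappears. The script below is an added example, not code from the original thread: it lists every entry in the standard Run/RunOnce keys and Startup folders, resolves each to its executable, and reports whether the file still exists and whether it carries a valid Authenticode signature, so candidates can be picked out in one pass. It assumes Windows 10/11 with PowerShell 5.1 or later; the key and folder locations are the standard ones, and the command-line parsing is a simplification that mishandles unquoted paths containing spaces (those show as FileMissing, which is still a useful flag).

```powershell
# Added example, not code from the original thread. Enumerates the standard
# autostart locations and annotates each entry with its executable's
# signature status. Assumes Windows 10/11 with PowerShell 5.1 or later.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
# Metadata properties Get-ItemProperty adds to every registry object.
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartEntry {
    # Registry Run/RunOnce values: one object per value.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $psMeta) { continue }
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Startup folder items: follow .lnk shortcuts to their target.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($item in Get-ChildItem -Path $folder -File) {
            $cmd = $item.FullName
            if ($item.Extension -eq '.lnk') {
                $lnk = $shell.CreateShortcut($item.FullName)
                $cmd = ('"{0}" {1}' -f $lnk.TargetPath, $lnk.Arguments).Trim()
            }
            [pscustomobject]@{ Location = $folder; Name = $item.Name; Command = $cmd }
        }
    }
}

function Resolve-CommandPath {
    param([string]$Command)
    # First token of the command line: a quoted path, or the first
    # whitespace-delimited token. Unquoted paths with spaces resolve wrongly
    # and surface as FileMissing, which is itself worth a look.
    if     ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($Command -match '^\s*(\S+)')     { $exe = $Matches[1] }
    else   { return $null }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    # Bare names such as ctfmon.exe resolve through PATH.
    $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue
    if ($found) { return ($found | Select-Object -First 1).Path }
    return $exe
}

Get-AutostartEntry | ForEach-Object {
    $exe = Resolve-CommandPath $_.Command
    $status = if ($exe -and (Test-Path -LiteralPath $exe)) {
        (Get-AuthenticodeSignature -FilePath $exe).Status
    } else { 'FileMissing' }
    $_ | Add-Member -NotePropertyName Signature -NotePropertyValue $status -PassThru
} | Sort-Object Signature, Location |
    Format-Table Signature, Name, Command, Location -AutoSize
```

For the photo gallery prompt specifically, insert a Where-Object filter on the Command column (for example matching "photo", "imag" or "hp") before the Format-Table to narrow the list; entries marked FileMissing or NotSigned deserve the first look regardless, since a dangling or unsigned autostart is what the spyware in this thread would look like.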


Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Spyware infected my computer
« Reply #13 on: July 23, 2006, 10:59:43 PM »
This thread is now closed
All others, please start your own topic
