Author Topic: Virus Alert won't go away

Synthetic
« on: June 06, 2007, 10:56:34 PM »
So my better half was doing some searching and downloaded a virus. Yes, I know. Lame. But now Windows is giving me this warning that says "your computer is infected!" I go to click the "X" in the corner of the pop-up notification and it installs this ContraVirus program that does a scan every time, then tells me I need to pay for it to do anything. I've made various tries to remove this ContraVirus with the Add/Remove Programs section of the computer, and it still shows up with the same pop-up. I'm thinking it's the virus playing with my computer :(

Any idea how to kill this infestation? Here's the log.
Logfile of HijackThis v1.99.1
Scan saved at 8:56:14 PM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\xpuupdate.exe
C:\Program Files\Common Files\AOL\1181178493\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1181178493\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1181178493\ee\aolsoftware.exe
c:\program files\common files\aol\1181178493\ee\aolssc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOLDOW~1\SSC_SU~1\21054~1.4\suite\setup.exe
C:\Documents and Settings\user1\My Documents\user1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: XBTP06568 - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: IEExtension Class - {DBE5BEE8-F032-11DB-826A-C4BB56D89593} - C:\Program Files\ContraVirus\secieaddin.dll
O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O3 - Toolbar: Ad-Protect Toolbar - {EA038DDD-0FE0-41f5-BA60-FC3660529E71} - C:\Program Files\ContraVirus\ToolBand.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Updater Servc] C:\WINDOWS\system32\xpuupdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1181178493\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1181178493\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1181178493\ee\SSCRun.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [SSCSUD] regsvr32.exe /S
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177463649433
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1177465159117
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

guestolo
« Reply #1 on: June 07, 2007, 08:16:15 PM »
Hi again Synthetic, you have a new variant of Smitfraud that I don't think has been added to the fix yet.
But can you post these logs to get more info?

1. Supply an uninstall list from HijackThis
Open HijackThis >> Open MISC TOOLS SECTION >> Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop, then copy and paste the whole contents back here.

2. If you have an older version of SmitfraudFix, delete it
Download SmitfraudFix (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

3. If you have an older version of ComboFix, delete it
Download this file - Combofix.exe - and save it ONLY to your desktop
Double-click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post the log from ComboFix as well as a fresh HijackThis log, please.


Synthetic
« Reply #2 on: June 08, 2007, 01:00:32 PM »
HijackThis uninstall list
Abexo Free Registry Cleaner
Active Virus Shield
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Shockwave Player
Ahead InCD
Ahead InCD EasyWrite Reader
Ahead NeroMediaPlayer
AOL Instant Messenger
AOL Security Toolbar
AOL Uninstaller (Choose which Products to Remove)
AVG Anti-Spyware 7.5
CA Pest Patrol Realtime Protection
C-Media WDM Audio Driver
Data Lifeguard Tools
Guild Wars
iTunes
Java(tm) SE Runtime Environment 6 Update 1
LimeWire 4.12.11
MaxBlast 3
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Mozilla Firefox (2.0.0.4)
MSXML 6.0 Parser
Nero - Burning Rom
NVIDIA Drivers
QuickTime
Ragnarok Sakray
RealPlayer
Realtek AC'97 Audio
Safety and Security Center Uninstaller
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Spybot - Search & Destroy 1.4
Tales of Pirates Online 1.33
Trickster Online
VIA Platform Device Manager
VIA Rhine-Family Fast-Ethernet Adapter
Viewpoint Media Player
Winamp (remove only)
Windows Communication Foundation
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
WinRAR archiver
ZNRO Client 0505
Zune Desktop Theme

Smitfraudfix rapport

SmitFraudFix v2.192

Scan done at 10:53:05.63, Fri 06/08/2007
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\xpuupdate.exe
C:\Program Files\Common Files\AOL\1181178493\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1181178493\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\AOL\1181178493\ee\aolsoftware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user1\My Documents\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user1


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user1\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Video ActiveX Access\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: VIA PCI 10/100Mb Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1
DNS Server Search Order: 68.87.76.178
DNS Server Search Order: 68.87.78.130

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7F2E9061-8A90-474F-82E3-EC14AB1573DF}: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7F2E9061-8A90-474F-82E3-EC14AB1573DF}: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7F2E9061-8A90-474F-82E3-EC14AB1573DF}: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

ComboFix log
"user1" - 2007-06-08 10:53:44    Service Pack 2  NTFS  
ComboFix 07-06-3B - Running from: "C:\Program Files\Mozilla Firefox\"


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\video activex access


(((((((((((((((((((((((((   Files Created from 2007-05-08 to 2007-06-08  )))))))))))))))))))))))))))))))


2007-06-08 10:53   2,678   --a------   C:\WINDOWS\system32\tmp.reg
2007-06-08 10:52   53,248   --a------   C:\WINDOWS\system32\Process.exe
2007-06-08 10:52   51,200   --a------   C:\WINDOWS\system32\dumphive.exe
2007-06-08 10:52   288,417   --a------   C:\WINDOWS\system32\SrchSTS.exe
2007-06-06 18:12   <DIR>   d--------   C:\Program Files\Common Files\Scanner
2007-06-06 18:11   80,640   --a------   C:\WINDOWS\system32\drivers\MpFirewall.sys
2007-06-06 18:11   8,704   --a------   C:\WINDOWS\system32\MPFApi.dll
2007-06-06 18:11   <DIR>   d--------   C:\DOCUME~1\user1\APPLIC~1\McAfee.com Personal Firewall
2007-06-06 18:11   <DIR>   d--------   C:\DOCUME~1\LOCALS~1\APPLIC~1\McAfee.com Personal Firewall
2007-06-06 18:11   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\mcafee.com personal firewall
2007-06-06 18:10   <DIR>   d--------   C:\Program Files\mcafee.com
2007-06-06 18:10   <DIR>   d--------   C:\Program Files\Common Files\McAfee
2007-06-06 18:10   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-06-06 18:09   <DIR>   d--------   C:\Program Files\CA
2007-06-06 18:09   <DIR>   d--------   C:\DOCUME~1\user1\APPLIC~1\AOL
2007-06-06 18:08   <DIR>   d--------   C:\Program Files\Common Files\aolshare
2007-06-06 18:08   <DIR>   d--------   C:\Program Files\Common Files\AOL
2007-06-06 17:58   <DIR>   d--------   C:\Program Files\MRBDG
2007-06-06 17:31   <DIR>   d--------   C:\BFU
2007-06-06 12:00   <DIR>   d--------   C:\DOCUME~1\user1\APPLIC~1\AdProtect NoSpam
2007-06-06 11:58   <DIR>   d--------   C:\Program Files\ContraVirus
2007-06-06 11:57   54,784   --a------   C:\WINDOWS\system32\xpuupdate.exe
2007-06-06 11:37   <DIR>   d--------   C:\DOCUME~1\user1\APPLIC~1\Apple Computer
2007-06-06 11:36   <DIR>   d--------   C:\Program Files\QuickTime
2007-06-06 11:36   <DIR>   d--------   C:\Program Files\iTunes
2007-06-06 11:36   <DIR>   d--------   C:\Program Files\iPod
2007-06-06 11:35   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-06-06 11:31   9,464   ---------   C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-06-06 11:31   9,336   ---------   C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-06-06 11:31   43,528   ---------   C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-06-06 11:31   129,784   ---------   C:\WINDOWS\system32\pxafs.dll
2007-06-06 10:39   626,688   --a------   C:\WINDOWS\system32\msvcr80.dll
2007-06-06 10:39   499,712   --a------   C:\WINDOWS\system32\msvcp71.dll
2007-06-06 08:55   90,624   --a------   C:\WINDOWS\system32\3D Wormhole.scr
2007-06-02 19:01   <DIR>   d--------   C:\Program Files\Common Files\xing shared
2007-06-02 19:00   <DIR>   d--------   C:\Program Files\Real
2007-06-02 19:00   <DIR>   d--------   C:\Program Files\Common Files\Real
2007-06-02 19:00   <DIR>   d--------   C:\DOCUME~1\user1\APPLIC~1\Real
2007-05-31 17:48   <DIR>   d--------   C:\WINDOWS\SxsCaPendDel
2007-05-31 17:46   <DIR>   d--------   C:\DOCUME~1\user1\APPLIC~1\Leadertech
2007-05-31 17:30   <DIR>   d--------   C:\WINDOWS\Downloaded Installations
2007-05-27 09:47   <DIR>   d--------   C:\Program Files\Abexo
2007-05-22 12:51   <DIR>   d--------   C:\Program Files\Tales of Pirates Online
2007-05-20 12:42   <DIR>   d--------   C:\Program Files\Granado Espada
2007-05-18 22:36   <DIR>   d--------   C:\DOCUME~1\user1\APPLIC~1\Viewpoint
2007-05-12 14:06   23,552   --a------   C:\WINDOWS\system32\sstunins.exe
2007-05-12 10:30   <DIR>   d--------   C:\Program Files\VVSN
2007-05-10 23:20   65,536   --a------   C:\WINDOWS\IFinst27.exe
2007-05-10 23:20   <DIR>   d--------   C:\Program Files\Gravity


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-07 01:06:11   335   ----a-w   C:\WINDOWS\nsreg.dat
2007-06-06 18:31:46   --------   d-----w   C:\Program Files\Winamp
2007-06-06 17:09:07   1,290   ----a-w   C:\WINDOWS\mozver.dat
2007-05-26 21:06:48   --------   d-----w   C:\Program Files\LimeWire
2007-05-19 17:23:52   --------   d--h--w   C:\Program Files\InstallJammer Registry
2007-05-17 02:38:49   141,612   ----a-w   C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-05-17 02:38:41   --------   d-----w   C:\Program Files\Trickster Online
2007-05-13 00:35:32   --------   d-----w   C:\DOCUME~1\user1\APPLIC~1\IMVU
2007-05-08 02:44:03   --------   d-----w   C:\DOCUME~1\user1\APPLIC~1\MusicIP
2007-05-06 16:56:18   --------   d-----w   C:\Program Files\ModernDesktop
2007-05-02 05:05:10   --------   d-----w   C:\Program Files\Viewpoint
2007-05-02 00:44:10   --------   d-----w   C:\DOCUME~1\user1\APPLIC~1\Aim
2007-05-02 00:44:08   --------   d-----w   C:\Program Files\AIM
2007-05-02 00:43:33   --------   d-----w   C:\Program Files\AOD
2007-04-29 23:18:03   213,148   ----a-w   C:\WINDOWS\INSTALL.scr
2007-04-29 17:35:52   --------   d-----w   C:\Program Files\Enigma Software Group
2007-04-28 15:25:01   --------   d-----w   C:\Program Files\AOL Security Toolbar
2007-04-28 05:45:58   --------   d-----w   C:\Program Files\Guild Wars
2007-04-28 00:50:34   --------   d-----w   C:\DOCUME~1\user1\APPLIC~1\GetRightToGo
2007-04-27 06:08:26   9,728   ----a-w   C:\WINDOWS\system32\UnInstall DestroyPokemon.exe
2007-04-27 05:24:18   --------   d-----w   C:\Program Files\Windows Media Connect 2
2007-04-27 05:14:24   --------   d-----w   C:\Program Files\plus!
2007-04-27 02:00:24   --------   d-----w   C:\Program Files\ReflexiveArcade
2007-04-27 00:43:52   3   ----a-w   C:\WINDOWS\system32\Dino.dll
2007-04-27 00:37:42   1   ----a-w   C:\WINDOWS\system32\Shark.dll
2007-04-26 23:26:49   --------   d-----w   C:\DOCUME~1\user1\APPLIC~1\MSN6
2007-04-26 02:17:22   --------   d-----w   C:\DOCUME~1\user1\APPLIC~1\Lavasoft
2007-04-26 02:17:19   --------   d-----w   C:\Program Files\Lavasoft
2007-04-26 02:17:06   --------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2007-04-26 01:30:15   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-04-26 01:30:15   --------   d-----w   C:\Program Files\Western Digital
2007-04-25 14:37:39   --------   d-----w   C:\Program Files\VIA
2007-04-25 08:01:18   --------   d-----w   C:\Program Files\MSXML 6.0
2007-04-25 08:00:03   --------   d-----w   C:\Program Files\MSBuild
2007-04-25 07:40:21   --------   d-----w   C:\Program Files\Reference Assemblies
2007-04-25 06:21:15   --------   d-----w   C:\Program Files\Common Files\InstallShield
2007-04-25 06:09:27   --------   d-----w   C:\Program Files\Maxtor
2007-04-25 05:58:57   --------   d-----w   C:\Program Files\Messenger
2007-04-25 03:53:22   --------   d-----w   C:\Program Files\Movie Maker
2007-04-25 03:51:45   --------   d-----w   C:\Program Files\Windows NT
2007-04-25 03:42:06   23,600   ----a-w   C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-04-25 01:15:59   --------   d--h--w   C:\Program Files\WindowsUpdate
2007-04-25 00:54:23   --------   d-----w   C:\Program Files\Ahead
2007-04-25 00:27:18   --------   d-----w   C:\Program Files\Realtek Sound Manager
2007-04-25 00:27:18   --------   d-----w   C:\Program Files\AvRack
2007-04-25 00:14:45   --------   d-----w   C:\Program Files\microsoft frontpage
2007-04-25 00:13:35   0   --sha-r   C:\MSDOS.SYS
2007-04-25 00:13:35   0   --sha-r   C:\IO.SYS
2007-04-25 00:13:35   0   ----a-w   C:\CONFIG.SYS
2007-04-25 00:13:35   0   ----a-w   C:\AUTOEXEC.BAT
2007-04-25 00:12:21   --------   d-----w   C:\Program Files\Online Services
2007-04-25 00:11:07   --------   d-----w   C:\Program Files\Common Files\MSSoap
2007-04-25 00:10:56   21,640   ----a-w   C:\WINDOWS\system32\emptyregdb.dat
2007-04-25 00:09:54   --------   d-----w   C:\Program Files\MSN Gaming Zone
2007-04-24 17:05:32   --------   d-----w   C:\Program Files\Common Files\ODBC
2007-04-24 17:05:29   --------   d-----w   C:\Program Files\Common Files\SpeechEngines
2007-04-23 00:15:18   200,704   ----a-w   C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18   1,044,480   ----a-w   C:\WINDOWS\system32\libdivx.dll
2007-03-23 13:07:56   1,683,280   ------w   C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 13:07:54   583,504   ------w   C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-23 03:25:02   124,928   ------w   C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:43:01   292,864   ----a-w   C:\WINDOWS\system32\winsrv.dll
2007-03-15 19:23:16   497,496   ----a-w   C:\WINDOWS\system32\XceedZip.dll
2007-03-15 19:19:58   526,184   ----a-w   C:\WINDOWS\system32\XceedCry.dll
2007-03-08 15:36:28   577,536   ----a-w   C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28   40,960   ----a-w   C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28   281,600   ----a-w   C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48   1,843,584   ----a-w   C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6}=C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll [2006-08-15 07:58]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 01:54 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-02-12 06:27]
"Cmaudio"="cmicnfg.cpl" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"@"="" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-02 19:00]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 15:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"HostManager"="C:\Program Files\Common Files\AOL\1181178493\ee\AOLSoftware.exe" [2006-09-25 17:52]
"AOLSPScheduler"="C:\Program Files\Common Files\AOL\1181178493\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe" [2007-01-25 14:34]
"sscRun"="C:\Program Files\Common Files\AOL\1181178493\ee\SSCRun.exe" [2007-01-25 14:34]
"MPFExe"="C:\Program Files\mcafee.com\personal firewall\MPfTray.exe" [2006-03-07 15:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-08 10:55:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-08 10:56:06
C:\ComboFix-quarantined-files.txt ... 2007-06-08 10:55
C:\ComboFix2.txt ... 2007-05-01 18:23

   --- E O F ---
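An added triage example for the logs posted above (it is not code from HijackThis, SmitfraudFix or ComboFix, nor from anyone in this thread): it correlates the autostart entries in the first HijackThis log with the file-creation times in the ComboFix "Files Created" section, and diffs the before and after HijackThis logs. The sample lines are copied from the logs in this thread; the log-line formats are assumed from those samples only, and the 10-minute window is an arbitrary triage threshold.

```python
"""Added triage example for this thread (not code from HijackThis, SmitfraudFix or
ComboFix): correlate HijackThis autostart entries with ComboFix creation times and
diff a before/after pair of HijackThis logs.  Formats assumed from the posted lines."""
import re
from datetime import datetime, timedelta

# Constructed sample: O2/O3/O4 lines copied from the first HijackThis log in the thread.
HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: IEExtension Class - {DBE5BEE8-F032-11DB-826A-C4BB56D89593} - C:\Program Files\ContraVirus\secieaddin.dll
O3 - Toolbar: Ad-Protect Toolbar - {EA038DDD-0FE0-41f5-BA60-FC3660529E71} - C:\Program Files\ContraVirus\ToolBand.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Updater Servc] C:\WINDOWS\system32\xpuupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# Constructed sample: the surviving entries as they appear in the post-cleaning log (reply #5).
HJT_AFTER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# Constructed sample: lines copied from the ComboFix "Files Created" section.
COMBOFIX_CREATED = r"""
2007-06-06 18:11   80,640   --a------   C:\WINDOWS\system32\drivers\MpFirewall.sys
2007-06-06 11:58   <DIR>   d--------   C:\Program Files\ContraVirus
2007-06-06 11:57   54,784   --a------   C:\WINDOWS\system32\xpuupdate.exe
2007-06-06 11:36   <DIR>   d--------   C:\Program Files\QuickTime
2007-06-06 10:39   626,688   --a------   C:\WINDOWS\system32\msvcr80.dll
"""

HJT_LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in a loadable extension; surrounding quotes are excluded.
HJT_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|cpl))', re.IGNORECASE)
# ComboFix line: timestamp, size or <DIR>, attribute string, then the path.
COMBOFIX_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\S+\s+\S+\s+(.+?)\s*$")


def _label(section, rest):
    """O4 entries are labelled by their bracketed Run-key name, O2/O3 by type and name."""
    if section == "O4":
        m = re.search(r"\[([^\]]+)\]", rest)
        return m.group(1) if m else rest
    return rest.split(" - ")[0]


def parse_hjt(text):
    """Return (section, label, path) for every O-line that names a file by full path."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        p = HJT_PATH_RE.search(rest)
        if p:
            entries.append((section, _label(section, rest), p.group(1)))
    return entries


def parse_combofix_created(text):
    """Map lower-cased path -> creation datetime from ComboFix 'Files Created' lines."""
    created = {}
    for line in text.splitlines():
        m = COMBOFIX_RE.match(line.strip())
        if m:
            created[m.group(2).lower()] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
    return created


def creation_time(path, created):
    """Creation time of the file itself or, failing that, of its nearest listed parent
    directory (ComboFix lists new directories rather than every file inside them)."""
    p = path.lower()
    while True:
        if p in created:
            return created[p]
        parent = p.rsplit("\\", 1)[0]
        if parent == p:
            return None
        p = parent


def flag_autostarts(hjt_text, combofix_text, anchor_dir, window_minutes=10):
    """Autostart entries whose binary (or its folder) appeared within window_minutes of
    anchor_dir, e.g. the rogue product's install folder.  Files ComboFix did not list
    (older than its report window) are left out; this is a review shortlist, not a verdict."""
    created = parse_combofix_created(combofix_text)
    anchor = created[anchor_dir.lower()]
    window = timedelta(minutes=window_minutes)
    flagged = []
    for section, label, path in parse_hjt(hjt_text):
        t = creation_time(path, created)
        if t is not None and abs(t - anchor) <= window:
            flagged.append((section, label, path, t.strftime("%Y-%m-%d %H:%M")))
    return flagged


def removed_entries(before_text, after_text):
    """Entries in the first HijackThis log that are absent from the second, i.e. what the
    cleaning run actually removed (paths compared case-insensitively)."""
    after = {(s, l, p.lower()) for s, l, p in parse_hjt(after_text)}
    return [(s, l, p) for s, l, p in parse_hjt(before_text) if (s, l, p.lower()) not in after]
```

With the 10-minute default the shortlist is exactly the two ContraVirus components and xpuupdate.exe (created one minute before the ContraVirus folder); widening the window to 30 minutes pulls in the QuickTime entry installed 22 minutes earlier, which is why the threshold is a triage knob rather than a detection rule.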

Synthetic
« Reply #3 on: June 08, 2007, 01:01:46 PM »
I think your SmitfraudFix link is broken; I couldn't download it from there, so I found it via Google lol ^_^

guestolo
« Reply #4 on: June 08, 2007, 11:48:03 PM »
[quote name='Synthetic' post='337554' date='Jun 8 2007, 11:01 AM']I think your SmitfraudFix link is broken; I couldn't download it from there, so I found it via Google lol ^_^[/quote]
It works fine for me.

Before I got back to this post, I found that SmitfraudFix was updated again to deal with this updated menace.

Can you open the SmitfraudFix folder and double-click smitfraudfix.cmd
Use option #4 - Check for Updates by typing 4 and press "Enter"
Follow the prompts; after updating, select option Q - Quit and press "Enter"

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".


The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows.  A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt


NOTE: running option #2 will remove your Desktop background; you will have to replace it in the Display options found in Control Panel.

Back in Normal Windows

Post back the following:
1. Post a fresh HijackThis log
2. Post the report from SmitfraudFix: C:\Rapport.txt
« Last Edit: June 08, 2007, 11:52:40 PM by guestolo »


Synthetic
« Reply #5 on: June 09, 2007, 12:59:21 PM »
HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 10:57:10 AM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1181178493\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1181178493\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\AOL\1181178493\ee\aolsoftware.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user1\My Documents\HijackThis.exe

O2 - BHO: XBTP06568 - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1181178493\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1181178493\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1181178493\ee\SSCRun.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177463649433
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1177465159117
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

SmitFraudFix rapport
SmitFraudFix v2.194

Scan done at 10:50:24.55, Sat 06/09/2007
Run from C:\Documents and Settings\user1\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1       localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Documents and Settings\user1\Application Data\AdProtect NoSpam\ Deleted
C:\Program Files\ContraVirus\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7F2E9061-8A90-474F-82E3-EC14AB1573DF}: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7F2E9061-8A90-474F-82E3-EC14AB1573DF}: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7F2E9061-8A90-474F-82E3-EC14AB1573DF}: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Offline Synthetic

Virus Alert wont go away
« Reply #6 on: June 09, 2007, 01:00:57 PM »
I hope that fixed it. I'm not getting the instant ContraVirus software download every time I reboot.

Offline guestolo

Virus Alert wont go away
« Reply #7 on: June 09, 2007, 01:00:59 PM »
How's it running now? Your log looks good.

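The HijackThis log in Reply #5 is what the helper read before saying it looks good. As an added example (not part of this thread, and not HijackThis's or SmitFraudFix's own code), the Python below parses O-lines in that log format and flags the things a helper looks at first: entries marked "(file missing)", a Run or service command whose unquoted path contains spaces, a bare filename that Windows resolves through the search path, Winlogon Notify DLLs (they load into winlogon.exe at logon, so they deserve a look), and services with no publisher. The sample log is constructed from lines in this thread; the flag names and the parsing rules are my own assumptions about the format, not HijackThis's.

```python
import re

# Constructed sample in HijackThis v1.99 format, a subset of the lines
# posted in this thread (paths exactly as they appear in the log).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O<n> - <body>"; only these line shapes are handled (assumed format).
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 body: "HKLM\..\Run: [Name] command line"
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# O23 body: "Service: Display name (Short) - Publisher - command line"
SERVICE_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")
# First ".exe" in an unquoted command, stopping at whitespace, a quote or end.
EXE_RE = re.compile(r'(.*?\.exe)(?=[\s"]|$)', re.IGNORECASE)


def command_path(command):
    """Return the executable part of a Run-key or service command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(" ")[0]


def analyse(line):
    """Parse one log line; return a dict with review flags, or None if not an O-line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    flags, command = [], None
    if body.endswith("(file missing)"):
        # Registered component whose file is gone: leftover or broken entry.
        flags.append("file missing")
        body = body[: -len("(file missing)")].rstrip()
    if body.count('"') % 2:
        # Odd number of quotes: the rendered command needs checking by hand.
        flags.append("unbalanced quotes")
    name = body
    if section == "O4" and (r := RUN_RE.match(body)):
        name = f"{r.group(1)}\\{r.group(2)}\\{r.group(3)}"
        command = r.group(4)
    elif section == "O23" and (s := SERVICE_RE.match(body)):
        name, publisher, command = s.groups()
        if publisher == "Unknown owner":
            flags.append("no publisher")
    elif section == "O20":
        # Winlogon Notify DLLs run inside winlogon.exe at logon: always review.
        name = body.split(" - ")[0]
        flags.append("winlogon notify dll")
    path = command_path(command) if command else None
    if path is not None:
        if "\\" not in path:
            # No directory: Windows resolves it through the search path.
            flags.append("bare filename")
        elif " " in path and not command.lstrip().startswith('"'):
            flags.append("unquoted path with spaces")
    return {"section": section, "name": name, "path": path, "flags": flags}


def review(log_text):
    """Return every O-line entry that picked up at least one flag."""
    return [e for e in map(analyse, log_text.splitlines()) if e and e["flags"]]


if __name__ == "__main__":
    for e in review(SAMPLE_LOG):
        print(f'{e["section"]:<4} {e["name"]}: {", ".join(e["flags"])}')
```

On the thread's own lines this flags the Active Virus Shield (AVP) service entry: the rendered command ends with a stray quote and carries "(file missing)", yet avp.exe appears twice in the running-process list, so that is the tool's rendering of the service command to verify by hand, not a sign of infection. Flags are prompts for a human reviewer, not verdicts; a legitimate entry such as SOUNDMAN.EXE is flagged too, simply because it is a bare filename.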


Offline guestolo

Virus Alert wont go away
« Reply #8 on: June 09, 2007, 01:51:32 PM »
I noticed that one file did not get deleted when you ran SmitFraudFix.

Can you do the following:
Open Notepad and copy/paste the text in the quote box below into it.
Don't include the word 'quote', please.


Quote
File::
C:\WINDOWS\system32\xpuupdate.exe


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt.
« Last Edit: June 09, 2007, 01:52:07 PM by guestolo »



Offline Synthetic

Virus Alert wont go away
« Reply #9 on: June 09, 2007, 03:58:50 PM »
I got this; I don't know if that was supposed to happen.

Offline guestolo

Virus Alert wont go away
« Reply #10 on: June 09, 2007, 04:14:23 PM »
Can you do this instead:

Manually search for this file
C:\WINDOWS\system32\xpuupdate.exe

by going to My Computer>>Local Disk C:>>WINDOWS>>system32>>xpuupdate.exe

Do you see that exact file name?
If so, delete it.



Offline guestolo

Virus Alert wont go away
« Reply #11 on: June 09, 2007, 05:06:25 PM »
Actually, Synthetic, S!Ri did a quick update to include the file and a few other registry entries.

Could you do this again:
Can you open the SmitfraudFix folder and double-click on smitfraudfix.cmd?
Use option #4 Check for Updates by typing 4 and pressing "Enter".
Follow the prompts; after updating, select Option Q Quit and press Enter.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".


The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt


NOTE: running option #2 will remove your Desktop background; you will have to replace it in the Display options found in Control Panel.

Back in Normal Windows

Post back the following:
Post the report from SmitFraudFix>> C:\Rapport.txt
Let me know how things are running, please.



Offline Synthetic

Virus Alert wont go away
« Reply #12 on: June 09, 2007, 07:11:40 PM »
SmitFraudFix v2.195

Scan done at  5:01:26.39, Sat 06/09/2007
Run from C:\Documents and Settings\user1\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1       localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\wincom27.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7F2E9061-8A90-474F-82E3-EC14AB1573DF}: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7F2E9061-8A90-474F-82E3-EC14AB1573DF}: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7F2E9061-8A90-474F-82E3-EC14AB1573DF}: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Offline guestolo

Virus Alert wont go away
« Reply #13 on: June 09, 2007, 07:20:07 PM »
Looks good, how are things running?



Offline Synthetic

Virus Alert wont go away
« Reply #14 on: June 09, 2007, 07:48:29 PM »
Actually, things are running quite smoothly once again! Ah, thank you again for your help!

Offline guestolo

Virus Alert wont go away
« Reply #15 on: June 09, 2007, 11:33:12 PM »
I would do updated scans with Ad-Aware and Spybot 1.4.
Also, in Spybot, after you update:
Click on the Immunize button>>OK>>Click on Immunize at the top (green cross).
Do that after every update.

If everything is running better
Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Give it a name and click Create
When that's done

Go to START>>RUN>>type the following:
cleanmgr
Hit OK.
Let it finish calculating.

Select the More Options tab
and click Clean up... under 'System Restore'.
This will clear all later restore points except for the one you just made.

OK the prompts; it may take a few seconds to remove old restore points.
OK again after it's ready and let it finish cleaning.

You should give your computer a bit more protection.
Install
SpywareBlaster 3.5.1 by JavaCool
    * Will block bad ActiveX controls
    * Block malevolent cookies in Internet Explorer and Firefox
    * Restrict actions of potentially dangerous sites in Internet Explorer
After installation, check for updates.
After updating, select "Protection" on the left,
then select "Enable all Protection".
Check for updates every couple of weeks;
after every update, just click "enable protection on all unprotected items".



Offline Synthetic

Virus Alert wont go away
« Reply #16 on: June 18, 2007, 11:53:18 PM »
Ok! So what does this added protection do? Keep things like what I have just experienced away or at bay?

Offline guestolo

Virus Alert wont go away
« Reply #17 on: June 26, 2007, 02:57:08 PM »
Quote from: Synthetic on Jun 18 2007, 09:53 PM
Ok! So what does this added protection do? Keep things like what I have just experienced away or at bay?

Helps to prevent these things from happening.
Did you read the link at SpywareBlaster I gave you?

Quote
Spyware, adware, browser hijackers, and dialers are some of the fastest-growing threats on the Internet today.
By simply browsing to a web page, you could find your computer to be the brand-new host of one of these unwanted fiends!

The most important step you can take is to secure your system. And SpywareBlaster is the most powerful protection program available.

# Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
# Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
# Restrict the actions of potentially unwanted sites in Internet Explorer.


SpywareBlaster can help keep your system spyware-free and secure, without interfering with the "good side" of the web.
And unlike other programs, SpywareBlaster does not have to remain running in the background.

« Last Edit: July 20, 2007, 08:41:25 PM by guestolo »



Offline guestolo

Virus Alert wont go away
« Reply #18 on: August 06, 2007, 11:42:11 AM »
Problems appear resolved.
I'll lock this topic.
Take care, Synthetic :)
