[DaveWorley]

Hello.

I recently accepted a zip file from a friend named 'photo album'. I extracted it and ran the file inside it (in hindsight this was a bit stupid).

So it would appear I have some sort of Trojan on my computer.

When in action it opens and closes WLM windows repetitively (presumably sending the virus in the same way as I received it). Alas, it's happened to quite a few people independent of the apparent chain I'd got myself into, so I assume it's more widespread than I thought.

Can anyone facilitate in helping me remove this Trojan or take appropriate action?

[DaveWorley]

Yes... I managed to forget to mention the word 'please'.

Apologies.

[MFDnNC]

Click here to download HJTsetup.exe:

http://www.thespykiller.co.uk/index....tpmod;dl=item5

Scroll down to the download section where the download button is

Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

[DaveWorley]

See below (please bear in mind I'm currently forced to run in safe mode):


Logfile of HijackThis v1.99.1
Scan saved at 23:19:24, on 31/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: rdihost - {0572DDA2-5696-457C-A577-CF9E3725E28A} - rdihost.dll (file missing)
O23 - Service: Notebook Manager Service (anbmService) - Unknown owner - C:\Acer\eManager\anbmServ.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

[DaveWorley]

The safe mode issue isn't relevant to this case, however. I've been in safe mode for over 6 weeks.

[MFDnNC]

Download Superantispyware (SAS)

http://www.superantispyware.com/supe...freevspro.html

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new HijackThis log.

[DaveWorley]

SAS Log:

SUPERAntiSpyware Scan Log
Generated 04/01/2007 at 00:15 AM

Application Version : 3.6.1000

Core Rules Database Version : 3190
Trace Rules Database Version: 1200

Scan type : Complete Scan
Total Scan Time : 00:12:58

Memory items scanned : 186
Memory threats detected : 0
Registry items scanned : 3683
Registry threats detected : 0
File items scanned : 21770
File threats detected : 116

Adware.Tracking Cookie
C:\Documents and Settings\Dave\Cookies\dave@xiti[1].txt
C:\Documents and Settings\Dave\Cookies\dave@s[1].txt
C:\Documents and Settings\Dave\Cookies\dave@casalemedia[3].txt
C:\Documents and Settings\Dave\Cookies\dave@S005-01-10-1-233860-106940[1].txt
C:\Documents and Settings\Dave\Cookies\dave@cgi-bin[2].txt
C:\Documents and Settings\Dave\Cookies\dave@mb[2].txt
C:\Documents and Settings\Dave\Cookies\dave@1070291929[2].txt
C:\Documents and Settings\Dave\Cookies\dave@atdmt[2].txt
C:\Documents and Settings\Dave\Cookies\dave@fastclick[3].txt
C:\Documents and Settings\Dave\Cookies\dave@overture[1].txt
C:\Documents and Settings\Dave\Cookies\dave@zedo[1].txt
C:\Documents and Settings\Dave\Cookies\dave@advertising[1].txt
C:\Documents and Settings\Dave\Cookies\dave@partygaming.122.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@anat.tacoda[1].txt
C:\Documents and Settings\Dave\Cookies\dave@revsci[1].txt
C:\Documents and Settings\Dave\Cookies\dave@mb[4].txt
C:\Documents and Settings\Dave\Cookies\dave@ad.yieldmanager[1].txt
C:\Documents and Settings\Dave\Cookies\dave@paypal.112.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@serving-sys[3].txt
C:\Documents and Settings\Dave\Cookies\dave@networksolutions.112.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@doubleclick[2].txt
C:\Documents and Settings\Dave\Cookies\dave@devart.adbureau[1].txt
C:\Documents and Settings\Dave\Cookies\dave@mediaplex[2].txt
C:\Documents and Settings\Dave\Cookies\dave@bluestreak[1].txt
C:\Documents and Settings\Dave\Cookies\dave@1071436246[1].txt
C:\Documents and Settings\Dave\Cookies\dave@adrevenue[1].txt
C:\Documents and Settings\Dave\Cookies\dave@adserver[2].txt
C:\Documents and Settings\Dave\Cookies\dave@stats4.clicktracks[2].txt
C:\Documents and Settings\Dave\Cookies\dave@89451406[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ads.telegraph.co[1].txt
C:\Documents and Settings\Dave\Cookies\dave@statcounter[3].txt
C:\Documents and Settings\Dave\Cookies\dave@helptheaged[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ad.zanox[2].txt
C:\Documents and Settings\Dave\Cookies\dave@tradedoubler[3].txt
C:\Documents and Settings\Dave\Cookies\dave@tracking.foxnews[1].txt
C:\Documents and Settings\Dave\Cookies\dave@local[1].txt
C:\Documents and Settings\Dave\Cookies\dave@adopt.euroclick[3].txt
C:\Documents and Settings\Dave\Cookies\dave@ads.realtechnetwork[1].txt
C:\Documents and Settings\Dave\Cookies\dave@cassava[1].txt
C:\Documents and Settings\Dave\Cookies\dave@e-2dj6wakywidpsco.stats.esomniture[1].txt
C:\Documents and Settings\Dave\Cookies\dave@partypoker[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-youtube.hitbox[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ads.pointroll[1].txt
C:\Documents and Settings\Dave\Cookies\dave@indexstats[2].txt
C:\Documents and Settings\Dave\Cookies\dave@mb[3].txt
C:\Documents and Settings\Dave\Cookies\dave@ad1.emediate[2].txt
C:\Documents and Settings\Dave\Cookies\dave@valueclick[1].txt
C:\Documents and Settings\Dave\Cookies\dave@anad.tacoda[2].txt
C:\Documents and Settings\Dave\Cookies\dave@247realmedia[1].txt
C:\Documents and Settings\Dave\Cookies\dave@hitbox[1].txt
C:\Documents and Settings\Dave\Cookies\dave@apmebf[1].txt
C:\Documents and Settings\Dave\Cookies\dave@smileycentral[2].txt
C:\Documents and Settings\Dave\Cookies\dave@valueclick.ne[1].txt
C:\Documents and Settings\Dave\Cookies\dave@newsquestmedia.uk.smarttargetting[1].txt
C:\Documents and Settings\Dave\Cookies\dave@adrevolver[4].txt
C:\Documents and Settings\Dave\Cookies\dave@adtech[1].txt
C:\Documents and Settings\Dave\Cookies\dave@atoc.112.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@questionmarket[2].txt
C:\Documents and Settings\Dave\Cookies\dave@adbrite[1].txt
C:\Documents and Settings\Dave\Cookies\dave@86455374[2].txt
C:\Documents and Settings\Dave\Cookies\dave@tribalfusion[1].txt
C:\Documents and Settings\Dave\Cookies\dave@www.888[1].txt
C:\Documents and Settings\Dave\Cookies\dave@cgi-bin[1].txt
C:\Documents and Settings\Dave\Cookies\dave@campaign.indieclick[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ads.aspalliance[1].txt
C:\Documents and Settings\Dave\Cookies\dave@2o7[2].txt
C:\Documents and Settings\Dave\Cookies\dave@adrevolver[1].txt
C:\Documents and Settings\Dave\Cookies\dave@perf.overture[1].txt
C:\Documents and Settings\Dave\Cookies\dave@realmedia[2].txt
C:\Documents and Settings\Dave\Cookies\dave@interclick[2].txt
C:\Documents and Settings\Dave\Cookies\dave@royalnavy[1].txt
C:\Documents and Settings\Dave\Cookies\dave@tripod[1].txt
C:\Documents and Settings\Dave\Cookies\dave@msnportal.112.2o7[1].txt
C:\Documents and Settings\Dave\Cookies\dave@a[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ads.itv[2].txt
C:\Documents and Settings\Dave\Cookies\dave@statse.webtrendslive[2].txt
C:\Documents and Settings\Dave\Cookies\dave@clickshift[1].txt
C:\Documents and Settings\Dave\Cookies\dave@server.lon.liveperson[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-independent.hitbox[1].txt
C:\Documents and Settings\Dave\Cookies\dave@1071677308[1].txt
C:\Documents and Settings\Dave\Cookies\dave@server.iad.liveperson[2].txt
C:\Documents and Settings\Dave\Cookies\dave@bs.serving-sys[3].txt
C:\Documents and Settings\Dave\Cookies\dave@adserve.v-store.co[1].txt
C:\Documents and Settings\Dave\Cookies\dave@members.tripod[2].txt
C:\Documents and Settings\Dave\Cookies\dave@cqcounter[2].txt
C:\Documents and Settings\Dave\Cookies\dave@888[1].txt
C:\Documents and Settings\Dave\Cookies\dave@192[1].txt
C:\Documents and Settings\Dave\Cookies\dave@cgi-bin[3].txt
C:\Documents and Settings\Dave\Cookies\dave@adopt.specificclick[1].txt
C:\Documents and Settings\Dave\Cookies\dave@specificclick[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-mgnlimited.hitbox[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-autotrader.hitbox[1].txt
C:\Documents and Settings\Dave\Cookies\dave@adserver.festeringads[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ehg-redherring.hitbox[1].txt
C:\Documents and Settings\Dave\Cookies\dave@tribalfusion[2].txt
C:\Documents and Settings\Dave\Cookies\dave@mediaplex[1].txt
C:\Documents and Settings\Dave\Cookies\dave@doubleclick[1].txt
C:\Documents and Settings\Dave\Cookies\dave@adrevolver[2].txt
C:\Documents and Settings\Dave\Cookies\dave@adserver[1].txt
C:\Documents and Settings\Dave\Cookies\dave@bs.serving-sys[2].txt
C:\Documents and Settings\Dave\Cookies\dave@casalemedia[2].txt
C:\Documents and Settings\Dave\Cookies\dave@serving-sys[1].txt
C:\Documents and Settings\Dave\Cookies\dave@advertising[2].txt
C:\Documents and Settings\Dave\Cookies\dave@realmedia[1].txt
C:\Documents and Settings\Dave\Cookies\dave@adrevolver[3].txt
C:\Documents and Settings\Dave\Cookies\dave@statcounter[2].txt
C:\Documents and Settings\Dave\Cookies\dave@hitbox[2].txt
C:\Documents and Settings\Dave\Cookies\dave@questionmarket[1].txt
C:\Documents and Settings\Dave\Cookies\dave@fastclick[2].txt
C:\Documents and Settings\Dave\Cookies\dave@statse.webtrendslive[1].txt
C:\Documents and Settings\Dave\Cookies\dave@adserving.cpxinteractive[2].txt
C:\Documents and Settings\Dave\Cookies\dave@ad.yieldmanager[2].txt
C:\Documents and Settings\Dave\Cookies\dave@adopt.euroclick[1].txt
C:\Documents and Settings\Dave\Cookies\dave@tradedoubler[1].txt
C:\Documents and Settings\Dave\Cookies\dave@serving-sys[2].txt
C:\Documents and Settings\Dave\Cookies\dave@bs.serving-sys[1].txt


----------

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 00:27:06, on 01/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: rdihost - {0572DDA2-5696-457C-A577-CF9E3725E28A} - rdihost.dll (file missing)
O23 - Service: Notebook Manager Service (anbmService) - Unknown owner - C:\Acer\eManager\anbmServ.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

[MFDnNC]

Why safe mode only???


Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). We’ll get them next step.
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

[DaveWorley]

lSmitFraudFix v2.162

Scan done at 1:10:16.60, 01/04/2007
Run from C:\Documents and Settings\Dave\My Documents\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dave


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dave\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DAVE\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 62.31.176.39
DNS Server Search Order: 194.117.134.19

HKLM\SYSTEM\CCS\Services\Tcpip\..\{88993E2C-5129-4D9F-ACC8-8C3ECD1A4875}: DhcpNameServer=62.31.176.39 194.117.134.19
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4026E034-5722-4083-9CF0-7C995455BF3D}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{88993E2C-5129-4D9F-ACC8-8C3ECD1A4875}: DhcpNameServer=62.31.176.39 194.117.134.19
HKLM\SYSTEM\CS2\Services\Tcpip\..\{88993E2C-5129-4D9F-ACC8-8C3ECD1A4875}: DhcpNameServer=62.31.176.39 194.117.134.19
HKLM\SYSTEM\CS3\Services\Tcpip\..\{88993E2C-5129-4D9F-ACC8-8C3ECD1A4875}: DhcpNameServer=62.31.176.39 194.117.134.19
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=62.31.176.39 194.117.134.19
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=62.31.176.39 194.117.134.19
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=62.31.176.39 194.117.134.19
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=62.31.176.39 194.117.134.19


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

[MFDnNC]

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O21 - SSODL: rdihost - {0572DDA2-5696-457C-A577-CF9E3725E28A} - rdihost.dll (file missing)

DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\windows\system32\rdihost.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new hijack log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system