Find your solution!

mjhempf · 26-Sep-2007, 01:24 PM #1

Last night I got some type of spyware or malware on my computer. I was trying to view a video and downloaded what I thought was a codec and now I have pop-ups coming up ever couple minutes saying I have security risks and a yellow icon in my system tray saying "System Alert: Malware threats". Here is my HJT log and any help would be greatly appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:46 PM, on 9/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Online Video Add-on\icmntr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Online Video Add-on\icthis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Online Video Add-on\icthis.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 9324 bytes

MFDnNC · 26-Sep-2007, 03:35 PM #2

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.

==============================
Download Superantispyware (SAS) free home version

http://www.superantispyware.com/supe...freevspro.html

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me regardless of what it finds with a new HijackThis log.

This will take some time!!!!!!!!

mjhempf · 26-Sep-2007, 04:02 PM #3

Should I run the Superanti spyware in safe mode as well or reboot after running the smitfraudfix into normal mode to run the SAS?

MFDnNC · 26-Sep-2007, 04:51 PM #4

Normal is fine

mjhempf · 26-Sep-2007, 10:12 PM #5

Thank you, the SAS seems to have done the trick. Have no signs of pop-ups and no icon in the system tray. Everything seems to be working smoothly.

Thank you again for your help. I am usually the guy people come to with problems like this but I was about to pull my hair out with that little bugger.

Here are the reports from the scans.
1st from Smitfraudfix, 2nd from SAS and 3rd a new Hijack this log.

SmitFraudFix v2.230

Scan done at 17:00:09.95, Wed 09/26/2007
Run from C:\Documents and Settings\Owner.MATTNOTEBOOK\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{65EABE54-1F83-4EE8-85B7-149C019B6EE2}: DhcpNameServer=198.30.19.2 198.30.222.22
HKLM\SYSTEM\CS1\Services\Tcpip\..\{65EABE54-1F83-4EE8-85B7-149C019B6EE2}: DhcpNameServer=198.30.19.2 198.30.222.22
HKLM\SYSTEM\CS3\Services\Tcpip\..\{65EABE54-1F83-4EE8-85B7-149C019B6EE2}: DhcpNameServer=198.30.19.2 198.30.222.22
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=198.30.19.2 198.30.222.22
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=198.30.19.2 198.30.222.22
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=198.30.19.2 198.30.222.22

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=" "

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

--------------------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/26/2007 at 09:18 PM

Application Version : 3.9.1008

Core Rules Database Version : 3313
Trace Rules Database Version: 1316

Scan type : Complete Scan
Total Scan Time : 02:14:03

Memory items scanned : 583
Memory threats detected : 2
Registry items scanned : 5684
Registry threats detected : 11
File items scanned : 89029
File threats detected : 82

Trojan.Media-Codec/V4
C:\PROGRAM FILES\ONLINE VIDEO ADD-ON\ICTHIS.EXE
C:\PROGRAM FILES\ONLINE VIDEO ADD-ON\ICTHIS.EXE
C:\PROGRAM FILES\ONLINE VIDEO ADD-ON\ICMNTR.EXE
C:\PROGRAM FILES\ONLINE VIDEO ADD-ON\ICMNTR.EXE
[some] C:\PROGRAM FILES\ONLINE VIDEO ADD-ON\ICTHIS.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#some [ C:\Program Files\Online Video Add-on\icthis.exe ]
C:\Program Files\Online Video Add-on\ictun.exe
C:\Program Files\Online Video Add-on\isfun.exe
C:\Program Files\Online Video Add-on\ot.ico
C:\Program Files\Online Video Add-on\ts.ico
C:\Program Files\Online Video Add-on\uninst.exe
C:\Program Files\Online Video Add-on
HKU\S-1-5-21-1654333424-1630521348-3563148249-1003\Software\Online Add-on
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online Video Add-on
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online Video Add-on#ProductionEnvironment
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online Video Add-on#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online Video Add-on#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online Video Add-on#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online Video Add-on#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online Video Add-on#URLInfoAbout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online Video Add-on#Publisher
C:\WINDOWS\Prefetch\ICMNTR.EXE-290432FE.pf
C:\WINDOWS\Prefetch\ICTHIS.EXE-09D5360D.pf

Adware.Tracking Cookie
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@1060114386[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@www.fatpenguinmedia[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@cgi-bin[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@campaign.indieclick[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@advertising[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@cgi-bin[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@19000694[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@ehg-dig.hitbox[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@image.masterstats[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@bs.serving-sys[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@ads.adbrite[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@clicktorrent[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@www.sexontaxi[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@questionmarket[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@stats.drivecleaner[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@1071486122[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@bridesonblacks.tastyporn[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@sales.liveperson[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@bluestreak[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@ads.adgoto[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@zedo[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@fastclick[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@drivecleaner[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@ad2.adnetinteractive[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@adtech[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@www.viruslocker[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@interclick[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@revsci[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@dcs57s88c100000c5c2m0gqn8_5f4x[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@www.burstbeacon[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@go.drivecleaner[3].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@go.drivecleaner[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@sprintcso.112.2o7[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@ad.motiveinteractive[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@msnportal.112.2o7[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@ar.atwola[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@statse.webtrendslive[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@1060265266[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@adopt.specificclick[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@3.adbrite[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@hitbox[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@burstnet[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@trafficmp[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@ad[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@1063849206[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@www.sexxsexx[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@ad.103092804[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@atwola[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@partner2profit[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@www.adulteryporn[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@pornsickle[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@mediaservices.myspace[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@76226072[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@ad.yieldmanager[2].txt
C:\Documents and Settings\Owner.MATTNOTEBOOK\Cookies\owner@serving-sys[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.thewheelof[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.monster[2].txt
C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
C:\Documents and Settings\Owner\Cookies\owner@cracked[1].txt
C:\Documents and Settings\Owner\Cookies\owner@screensavers[2].txt
C:\Documents and Settings\Owner\Cookies\owner@winfixer[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.adult-movies[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.fatpenguinmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.newsexstars[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.porn-reborn[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.sexbuddies[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.winantivirus[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.winfixer[1].txt

Trojan.Smitfraud Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7255C0B0-8ED4-479E-910A-5ED13D260208}\RP699\A0080838.DLL

--------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:36 PM, on 9/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 9344 bytes

MFDnNC · 27-Sep-2007, 01:14 PM #6

Run hijack scan only, mark this entry then click fix checked

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

Clean

If you feel its is fixed mark it solved via Thread Tools above

Clear restore points – here’s how

http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

You will turn them off – boot – turn them on

This clears infected restore points and sets a new, clean one.

Tag Cloud
adware audio bios blue screen boot bsod computer connection crash dell email error excel firefox freeze freezing google hard drive hardware hijackthis install internet laptop linux malware network no sound outlook problem reboot recovery redirect router screen server slow sound speakers spyware startup trojan usb video virus vista windows windows 7 windows vista windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)