
Attention, some dangerous viruses detected in your system



Hi everyone. I have been lucky enough to escape most viruses, but now I have a Trojan and I'm out of ideas.

 

I'm sure you've seen the message before. When I open IE (which I normally never use) or open ANY folder in Explorer, I get a popup warning which reads:

 

"Attention [name]! Some dangerous viruses detected in your system. Microsoft Windows XP files corrupted. This may lead to the destruction of important files in C:\WINDOWS. Download protection software now!

 

Click OK to download the antispyware. (Recommended)"

 

And then two buttons. No matter what I click, I am taken to a fake website.

 

It doesn't really do any damage, except hindering me from doing anything on the computer and being supremely annoying.

 

So far, I have run Spybot S&D, Spyhunter, AVG Free, Microsoft's anti-malware thing, FixIEDef, and Malwarebytes Anti-Malware. All they come up with is various tracking cookies and other such things.

 

Please can someone help me?

 

Regards,

Hanna

 

---------------

 

Here is my HJT log.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:23:28, on 2008-07-03

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\IFXTCS.exe

C:\WINDOWS\system32\DllHost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program\HPQ\IAM\bin\asghost.exe

C:\WINDOWS\system32\msdtc.exe

C:\Program\TortoiseSVN\bin\TSVNCache.exe

C:\Program\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\AccelerometerSt.exe

C:\Program\Java\jre1.6.0_06\bin\jusched.exe

C:\Program\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE

C:\Program\Hp\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program\Synaptics\SynTP\SynTPEnh.exe

C:\Program\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\WINDOWS\SMINST\Scheduler.exe

C:\Program\iTunes\iTunesHelper.exe

C:\Program\Unlocker\UnlockerAssistant.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program\Spybot - Search & Destroy\TeaTimer.exe

C:\Program\WIDCOMM\Bluetooth-programvara\BTTray.exe

C:\Program\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program\Bonjour\mDNSResponder.exe

C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe

C:\WINDOWS\system32\IFXSPMGT.exe

C:\Program\Delade filer\LightScribe\LSSrvc.exe

C:\Program\ProtectTools\Embedded Security Software\PSDsrvc.EXE

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\mqsvc.exe

C:\Program\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program\ProtectTools\Embedded Security Software\PSDrt.exe

C:\Program\ProtectTools\Embedded Security Software\SpTna.exe

C:\WINDOWS\System32\alg.exe

C:\Program\HPQ\HP ProtectTools Security Manager\PTServs.exe

C:\Program\HPQ\Shared\HPQTOA~1.EXE

C:\Program\Enigma Software Group\SpyHunter\SpyHunter3.exe

C:\Program\AVG\AVG8\avgwdsvc.exe

C:\Program\AVG\AVG8\avgrsx.exe

C:\Program\AVG\AVG8\avgtray.exe

C:\Program\AVG\AVG8\avgui.exe

C:\Program\AVG\AVG8\avgscanx.exe

C:\Program\Mozilla Firefox\firefox.exe

C:\WINDOWS\explorer.exe

C:\Program\AVG\AVG8\avgscanx.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O2 - BHO: XTTBPos00 - {E014A78F-34DC-4BE5-83BB-58CA12E384B6} - C:\WINDOWS\system32\agintas.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] C:\Program\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKLM\..\Run: [PTHOSTTR] C:\Program\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start

O4 - HKLM\..\Run: [HP Software Update] C:\Program\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [synTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\Program\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe

O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [scheduler] C:\WINDOWS\SMINST\Scheduler.exe

O4 - HKLM\..\Run: [WatchDog] C:\Program\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [spyHunter Security Suite] C:\Program\Enigma Software Group\SpyHunter\SpyHunter3.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\Program\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: DVD Check.lnk = C:\Program\InterVideo\DVD Check\DVDCheck.exe

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Skicka till &Bluetooth - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208378497856

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: iifeCstt - iifeCstt.dll (file missing)

O20 - Winlogon Notify: OneCard - C:\Program\HPQ\IAM\Bin\AsWlnPkg.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Automatisk LiveUpdate-schemaläggare - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program\HPQ\Shared\hpqwmi.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe

O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program\Delade filer\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe

O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program\ProtectTools\Embedded Security Software\PSDsrvc.EXE

 

--

End of file - 11847 bytes


Welcome to PCPitStop. Please be aware that all advice given is taken at your own risk.

 

For your information:

O4 - HKLM\..\Run: [spyHunter Security Suite] C:\Program\Enigma Software Group\SpyHunter\SpyHunter3.exe

ttp://www.spywarewarrior.com/viewtopic.php?t=24810

http://www.castlecops.com/t187654-free_spy...estionable.html

 

Instructions start here:

1) We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

* Run Spybot-S&D in Advanced Mode.

* If it is not already set to do this, go to the Mode menu and select "Advanced Mode".

* On the left-hand side, click on Tools.

* Then click on the Resident icon in the list.

* Uncheck "Resident TeaTimer" and OK any prompts.

* Restart your computer.

(leave TT disabled until we finish)

 

2) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

 

Search:

Double-click SmitfraudFix.exe

Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

 

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

 

Post only the C:\rapport.txt using Add Reply.

 

That's just a start, this will take a while.

 

Thanks


gari, do not post your information in other members' topics. Start your own topic and wait for the first available volunteer. This information will be removed from this post in 24 hours.

 

Thanks

Edited by pskelley

 

 

Thank you, pskelley. I have done exactly as you said, and here's the rapport.txt output.

 

 

 

 

SmitFraudFix v2.328

 

Scan done at 9:44:57,40, 2008-07-04

Run from C:\Documents and Settings\Administratör\Skrivbord\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Process

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\IFXTCS.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program\AVG\AVG8\avgwdsvc.exe

C:\Program\Bonjour\mDNSResponder.exe

C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe

C:\WINDOWS\system32\IFXSPMGT.exe

C:\Program\Delade filer\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program\ProtectTools\Embedded Security Software\PSDsrvc.EXE

C:\Program\HPQ\IAM\bin\asghost.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program\ProtectTools\Embedded Security Software\PSDrt.exe

C:\Program\ProtectTools\Embedded Security Software\SpTna.exe

C:\WINDOWS\system32\mqsvc.exe

C:\Program\TortoiseSVN\bin\TSVNCache.exe

C:\Program\HPQ\HP ProtectTools Security Manager\PTServs.exe

C:\Program\Analog Devices\Core\smax4pnp.exe

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\system32\AccelerometerSt.exe

C:\Program\Java\jre1.6.0_06\bin\jusched.exe

C:\Program\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE

C:\Program\AVG\AVG8\avgrsx.exe

C:\Program\Hp\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program\Synaptics\SynTP\SynTPEnh.exe

C:\Program\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\WINDOWS\SMINST\Scheduler.exe

C:\Program\iTunes\iTunesHelper.exe

C:\Program\Unlocker\UnlockerAssistant.exe

C:\Program\Mozilla Firefox\firefox.exe

C:\Program\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\Program\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\Program\WIDCOMM\Bluetooth-programvara\BTTray.exe

C:\Program\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Program\iPod\bin\iPodService.exe

C:\Program\HPQ\Shared\HPQTOA~1.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\Documents and Settings\Administratör\Skrivbord\SmitfraudFix\Policies.exe

C:\WINDOWS\system32\cmd.exe

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

hosts file corrupted !

 

127.0.0.1 www.legal-at-spybot.info

127.0.0.1 legal-at-spybot.info

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administratör

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administratör\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Min aktuella startsida"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

!!!Attention, following keys are not inevitably infected!!!

 

IEDFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

[!] Suspicious: agintas.dll

BHO: XTTBPos00 - {E014A78F-34DC-4BE5-83BB-58CA12E384B6}

TypeLib: {15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}

VersionIndependentProgID: BhoNew.Bho

ProgID: BhoNew.Bho.1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

!!!Attention, following keys are not inevitably infected!!!

 

VACFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

!!!Attention, following keys are not inevitably infected!!!

 

404Fix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"="avgrsstx.dll"

"LoadAppInit_DLLs"=dword:00000001

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

Description: Broadcom NetXtreme Gigabit Ethernet - Miniport för paketschemaläggning

DNS Server Search Order: 192.168.40.5

 

Description: Intel® PRO/Wireless 3945ABG Network Connection - Miniport för paketschemaläggning

DNS Server Search Order: 192.168.40.5

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{085CDA80-B6E1-4E4E-BC5A-30B948CE23F7}: DhcpNameServer=192.168.40.5

HKLM\SYSTEM\CCS\Services\Tcpip\..\{51963018-33D3-4EAB-B22C-F4A2A3740036}: DhcpNameServer=192.168.40.5

HKLM\SYSTEM\CS1\Services\Tcpip\..\{085CDA80-B6E1-4E4E-BC5A-30B948CE23F7}: DhcpNameServer=192.168.40.5

HKLM\SYSTEM\CS1\Services\Tcpip\..\{51963018-33D3-4EAB-B22C-F4A2A3740036}: DhcpNameServer=192.168.40.5

HKLM\SYSTEM\CS2\Services\Tcpip\..\{085CDA80-B6E1-4E4E-BC5A-30B948CE23F7}: DhcpNameServer=192.168.40.5

HKLM\SYSTEM\CS2\Services\Tcpip\..\{51963018-33D3-4EAB-B22C-F4A2A3740036}: DhcpNameServer=192.168.40.5

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.40.5

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.40.5

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.40.5

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End


Nunis, I apologize for the member who posted in your topic.

 

Please do not quote my instructions; it is a waste of space. Scroll to them if you need to read them.

 

Thanks for returning your information, Smitfraudfix found the infection and it also found this:

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

After we clean, in the next C:\rapport.txt there may be a very large hosts file (items starting with 127.0.0.1) and I do not need to see it. Edit (remove) it from the C:\rapport.txt before you post it.

 

Clean:

Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)

Double-click SmitfraudFix.exe

Select 2 and hit Enter to delete infected files.

You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.

A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

 

Optional:

To restore Trusted and Restricted site zone, select 3 and hit Enter.

You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

 

Post the C:\rapport.txt and a new HJT log.

 

Thanks
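As an added illustration (not code from this thread, from pskelley, or from HijackThis/SmitfraudFix), the following Python sketch automates the three checks a helper makes by eye on the logs above: an O2 BHO whose DLL sits directly in the Windows directory (agintas.dll in Hanna's first HJT log), an O20 Winlogon Notify registration whose DLL no longer exists (iifeCstt.dll), and hosts-file lines that pin a security vendor's domain to 127.0.0.1 (the two legal-at-spybot.info entries that made SmitfraudFix report "hosts file corrupted"). The sample lines are constructed from the logs in this thread; the keyword list, the sinkhole-address set and the "DLL under %SystemRoot%" heuristic are my own assumptions, not rules from either tool.

```python
"""Triage helpers for a HijackThis log and a SmitfraudFix hosts section.

Added example for this thread, not part of HijackThis or SmitfraudFix.
"""
import re

# Constructed sample lines modelled on the first HJT log posted in the thread.
SAMPLE_HJT = """\
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program\\SPYBOT~1\\SDHelper.dll
O2 - BHO: XTTBPos00 - {E014A78F-34DC-4BE5-83BB-58CA12E384B6} - C:\\WINDOWS\\system32\\agintas.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: iifeCstt - iifeCstt.dll (file missing)
O20 - Winlogon Notify: OneCard - C:\\Program\\HPQ\\IAM\\Bin\\AsWlnPkg.dll
O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\Program\\AVG\\AVG8\\avgtray.exe
"""

# Constructed sample of the hosts section from the first rapport.txt.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
"""

# HijackThis line shapes: "O2 - BHO: <name> - {CLSID} - <dll path>" and
# "O20 - Winlogon Notify: <value> - <dll path>[ (file missing)]".
HJT_BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
HJT_NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
HOSTS_RE = re.compile(r"^\s*(?P<ip>\S+)\s+(?P<host>\S+)")

# Assumed keyword list: substrings that identify security-vendor or update hosts.
SECURITY_KEYWORDS = ("spybot", "symantec", "avg", "kaspersky", "microsoft",
                     "trendmicro", "mcafee", "malwarebytes")
# Assumed set of addresses rogue software uses to black-hole those hosts.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0"}


def triage_hjt(log_text):
    """Return (line, reason) pairs for HJT entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        bho = HJT_BHO_RE.match(line)
        if bho:
            path = bho.group("path").lower()
            # Heuristic: third-party BHOs normally ship in their own application
            # folder; a DLL dropped straight into %SystemRoot% stands out.
            if "\\windows\\system32\\" in path or "\\windows\\system\\" in path:
                findings.append((line, "BHO loaded from the Windows directory"))
            continue
        notify = HJT_NOTIFY_RE.match(line)
        if notify and notify.group("missing"):
            # The registry still names a DLL that is gone: an orphaned hook.
            findings.append((line, "orphaned Winlogon Notify entry (DLL no longer exists)"))
    return findings


def triage_hosts(hosts_text):
    """Return (hostname, reason) pairs for hosts lines that black-hole vendor sites."""
    findings = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = HOSTS_RE.match(line)
        if not m:
            continue
        ip, host = m.group("ip"), m.group("host").lower()
        if host == "localhost":
            continue  # the one loopback mapping every hosts file carries
        if ip in SINKHOLE_IPS and any(k in host for k in SECURITY_KEYWORDS):
            findings.append((host, f"security-vendor host pinned to {ip}"))
    return findings


if __name__ == "__main__":
    for entry, why in triage_hjt(SAMPLE_HJT):
        print(f"[HJT] {why}: {entry}")
    for host, why in triage_hosts(SAMPLE_HOSTS):
        print(f"[hosts] {why}: {host}")
```

Run it on a saved HJT log and the hosts block of rapport.txt by passing their contents to `triage_hjt` and `triage_hosts`; both rules are heuristics for a first pass, so anything they flag still needs the same manual confirmation pskelley does in the thread before a fix is applied.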


First of all, thanks again for your help, don't worry about someone else posting in this topic, and I apologise for quoting your post...

 

Now, I've done what you said. I have removed all localhost entries from the rapport.txt file, and below is the output.

 

Also, from just clicking around Explorer and IE now, it appears the problem is gone. If that is indeed the case, I don't even know how to thank you. If this is fixed, you've saved me hours and hours of backing up and reinstalling my entire OS.

 

PS. I did "Restore Trusted Zone", although I am not entirely sure what that does. And I don't have SpywareBlaster and/or IE-SPYAD, so I ignored those instructions.

 

OK, so here is the rapport.txt file. The HJT log comes after.

 

 

rapport.txt

 

SmitFraudFix v2.328

 

Scan done at 15:27:41,67, 2008-07-04

Run from C:\Documents and Settings\Administratör\Skrivbord\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

...

 

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

 

VACFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

 

S!Ri's WS2Fix: LSP not Found.

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

 

IEDFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

C:\WINDOWS\system32\agintas.dll deleted.

 

 

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

 

404Fix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{085CDA80-B6E1-4E4E-BC5A-30B948CE23F7}: DhcpNameServer=192.168.40.5

HKLM\SYSTEM\CCS\Services\Tcpip\..\{51963018-33D3-4EAB-B22C-F4A2A3740036}: DhcpNameServer=192.168.40.5

HKLM\SYSTEM\CS1\Services\Tcpip\..\{085CDA80-B6E1-4E4E-BC5A-30B948CE23F7}: DhcpNameServer=192.168.40.5

HKLM\SYSTEM\CS1\Services\Tcpip\..\{51963018-33D3-4EAB-B22C-F4A2A3740036}: DhcpNameServer=192.168.40.5

HKLM\SYSTEM\CS2\Services\Tcpip\..\{085CDA80-B6E1-4E4E-BC5A-30B948CE23F7}: DhcpNameServer=192.168.40.5

HKLM\SYSTEM\CS2\Services\Tcpip\..\{51963018-33D3-4EAB-B22C-F4A2A3740036}: DhcpNameServer=192.168.40.5

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.40.5

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.40.5

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.40.5

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

 

 

HJT Log File

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:43:54, on 2008-07-04

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\IFXTCS.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program\HPQ\IAM\bin\asghost.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program\AVG\AVG8\avgwdsvc.exe

C:\Program\Bonjour\mDNSResponder.exe

C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe

C:\WINDOWS\system32\IFXSPMGT.exe

C:\Program\Delade filer\LightScribe\LSSrvc.exe

C:\Program\TortoiseSVN\bin\TSVNCache.exe

C:\Program\ProtectTools\Embedded Security Software\PSDsrvc.EXE

C:\WINDOWS\system32\mqsvc.exe

C:\Program\AVG\AVG8\avgrsx.exe

C:\Program\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program\Analog Devices\Core\smax4pnp.exe

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\system32\AccelerometerSt.exe

C:\Program\Java\jre1.6.0_06\bin\jusched.exe

C:\Program\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE

C:\Program\Hp\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program\Synaptics\SynTP\SynTPEnh.exe

C:\Program\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\WINDOWS\SMINST\Scheduler.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\Program\iTunes\iTunesHelper.exe

C:\Program\Unlocker\UnlockerAssistant.exe

C:\Program\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\ProtectTools\Embedded Security Software\PSDrt.exe

C:\Program\ProtectTools\Embedded Security Software\SpTna.exe

C:\Program\iPod\bin\iPodService.exe

C:\Program\WIDCOMM\Bluetooth-programvara\BTTray.exe

C:\Program\HPQ\HP ProtectTools Security Manager\PTServs.exe

C:\Program\Notepad++\notepad++.exe

C:\Program\HPQ\Shared\HPQTOA~1.EXE

C:\Program\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\Program\Mozilla Firefox\firefox.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] C:\Program\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKLM\..\Run: [PTHOSTTR] C:\Program\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start

O4 - HKLM\..\Run: [HP Software Update] C:\Program\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [synTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\Program\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe

O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [scheduler] C:\WINDOWS\SMINST\Scheduler.exe

O4 - HKLM\..\Run: [WatchDog] C:\Program\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\Program\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: DVD Check.lnk = C:\Program\InterVideo\DVD Check\DVDCheck.exe

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Skicka till &Bluetooth - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208378497856

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: iifeCstt - iifeCstt.dll (file missing)

O20 - Winlogon Notify: OneCard - C:\Program\HPQ\IAM\Bin\AsWlnPkg.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Automatisk LiveUpdate-schemaläggare - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program\HPQ\Shared\hpqwmi.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe

O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program\Delade filer\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe

O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program\ProtectTools\Embedded Security Software\PSDsrvc.EXE

 

--

End of file - 10002 bytes


Thanks for returning your information and the feedback. You said:

And I don't have SpywareBlaster and/or IE-SPYAD so I ignored those instructions.

You will read about those in the information I post in closing.

 

Since I see nothing else removed by Smitfraudfix, it must have been the infected hosts file causing your problems. You may delete Smitfraudfix from your computer.

 

C:\Program\Notepad++\notepad++.exe <<< this is unusual, know anything about it? If not, scan that file (in red) here:

http://virusscan.jotti.org/ and post the results.

 

Please download ATF Cleaner by Atribune

http://www.atribune.org/public-beta/ATF-Cleaner.exe

Save it to your Desktop. We will use this later.

 

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

 

O20 - Winlogon Notify: iifeCstt - iifeCstt.dll (file missing)

 

Close all programs but HJT and all browser windows, then click on "Fix Checked"

 

Run ATF Cleaner

Double-click ATF-Cleaner.exe to run the program.

Click Select All found at the bottom of the list.

Click the Empty Selected button.

Click Exit on the Main menu to close the program.

 

Download Malwarebytes' Anti-Malware to your Desktop

http://www.besttechie.net/tools/mbam-setup.exe

 

* Double-click mbam-setup.exe and follow the prompts to install the program.

* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform FULL SCAN, then click Scan.

* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

* Please post contents of that file & a new HJT log in your next reply.

 

How's the computer running?

 

Thanks

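The post above attributes the popup to an infected hosts file (replaced by SmitFraudFix) and has HijackThis fix one O20 Winlogon Notify entry whose DLL is missing. The script below is an added example, not part of this thread and not code from HijackThis or SmitFraudFix. It runs the same two checks over constructed sample input: a few lines in the HijackThis O20 format modelled on the log in this thread, and a made-up hosts file (the 10.0.0.5 address and the redirected names are invented for illustration). The functions take any log text or hosts-file text, so they can be pointed at a real log or at C:\WINDOWS\system32\drivers\etc\hosts.

```python
"""Triage helpers for a HijackThis log and a Windows hosts file.

Added example for this thread; not part of HijackThis or SmitFraudFix.
Flags the two things fixed above: an O20 Winlogon Notify entry whose DLL is
missing, and hosts-file entries that point real names away from loopback.
"""
import re

# Constructed sample lines in HijackThis v2.0.2 format (the O20 lines are
# modelled on the thread's log; the others are there to show they are skipped).
SAMPLE_HJT = """\
O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\Program\\AVG\\AVG8\\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: iifeCstt - iifeCstt.dll (file missing)
O20 - Winlogon Notify: OneCard - C:\\Program\\HPQ\\IAM\\Bin\\AsWlnPkg.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\\Program\\AVG\\AVG8\\avgwdsvc.exe
"""

# Constructed sample hosts file. The first two lines mimic the Windows XP
# default; 10.0.0.5 and the redirected names are invented to show the kind of
# entry a rogue-antispyware installer adds. The loopback blackhole line is the
# kind of entry an ad blocker adds and is benign.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        www.microsoft.com
10.0.0.5        update.microsoft.com
127.0.0.1       ad.doubleclick.net   # blackhole, not a hijack
"""

WINLOGON_NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$"
)


def winlogon_notify_entries(log_text):
    """Return (name, dll, file_missing) for every O20 Winlogon Notify line."""
    out = []
    for line in log_text.splitlines():
        m = WINLOGON_NOTIFY_RE.match(line.strip())
        if m:
            out.append((m["name"], m["dll"], m["missing"] is not None))
    return out


def suspicious_winlogon_notify(log_text):
    """Names of Notify packages whose DLL HijackThis could not find on disk.

    winlogon.exe loads every package registered under its Notify key at
    logon, so a registration with no file behind it is either a leftover of
    something that was removed or a component that was never fully installed.
    Either way it has no business staying, which is why it goes on the fix list.
    """
    return [name for name, _dll, missing in winlogon_notify_entries(log_text) if missing]


LOOPBACK = {"127.0.0.1", "::1"}


def hosts_entries(hosts_text):
    """Parse hosts-file text into (ip, hostname) pairs, ignoring comments."""
    pairs = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def hijacked_hosts(hosts_text):
    """Hostnames mapped to a non-loopback address, sorted.

    Such an entry silently reroutes the name (commonly security vendors' or
    Windows Update hosts) to an address the attacker controls. Loopback
    blackholes are a normal ad-blocking technique and are not reported.
    """
    return sorted({name for ip, name in hosts_entries(hosts_text)
                   if ip not in LOOPBACK and name != "localhost"})


if __name__ == "__main__":
    print("Winlogon Notify with missing file:", suspicious_winlogon_notify(SAMPLE_HJT))
    print("Hosts redirected off loopback:", hijacked_hosts(SAMPLE_HOSTS))
```

To run it against a real machine, read the HijackThis log and the hosts file into strings and pass them to the two report functions; a non-empty result from either is what the helper's instructions above are acting on.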

- I have removed SmitFraudFix now.

 

- As for Notepad++, that is an actual application which I have installed. There's nothing suspicious about it. It's basically an extended version of Notepad, which I use for coding.

 

- I then ran HJT again and did a "system scan only" and then checked iifeCstt.dll and "fixed this". It removed the file I believe.

 

- ATF Cleaner instructions followed too. That all went fine.

 

- Now I'm scanning with Malwarebytes' Anti-Malware. It's been going for about 10 minutes already, and I expect it will take some time.

 

However, this is my work computer we're talking about, and since I leave for the weekend in about 45 minutes, I might have to put this off until Monday. So, if you don't hear back within that timeframe, it's because I've gone home. In that case, I will resume all this on Monday. The computer will not be used between now and then. If the scan should finish on time, I will post the logs you requested.

 

 

As for your final question, the computer is running great. No annoying virus/adware/malware popups or anything like that.


Well, what do you know, it finished just in time. Here are the logs.

 

Malwarebytes' Anti-Malware

 

Malwarebytes' Anti-Malware 1.19

Database version: 920

Windows 5.1.2600 Service Pack 2

 

16:53:13 2008-07-04

mbam-log-7-4-2008 (16-53-13).txt

 

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 172912

Time elapsed: 47 minute(s), 2 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)


HJT

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:56:12, on 2008-07-04

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\IFXTCS.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program\HPQ\IAM\bin\asghost.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program\AVG\AVG8\avgwdsvc.exe

C:\Program\Bonjour\mDNSResponder.exe

C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe

C:\WINDOWS\system32\IFXSPMGT.exe

C:\Program\Delade filer\LightScribe\LSSrvc.exe

C:\Program\TortoiseSVN\bin\TSVNCache.exe

C:\Program\ProtectTools\Embedded Security Software\PSDsrvc.EXE

C:\WINDOWS\system32\mqsvc.exe

C:\Program\AVG\AVG8\avgrsx.exe

C:\Program\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program\Analog Devices\Core\smax4pnp.exe

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\system32\AccelerometerSt.exe

C:\Program\Java\jre1.6.0_06\bin\jusched.exe

C:\Program\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE

C:\Program\Hp\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program\Synaptics\SynTP\SynTPEnh.exe

C:\Program\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\WINDOWS\SMINST\Scheduler.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\Program\iTunes\iTunesHelper.exe

C:\Program\Unlocker\UnlockerAssistant.exe

C:\Program\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\ProtectTools\Embedded Security Software\PSDrt.exe

C:\Program\ProtectTools\Embedded Security Software\SpTna.exe

C:\Program\iPod\bin\iPodService.exe

C:\Program\WIDCOMM\Bluetooth-programvara\BTTray.exe

C:\Program\HPQ\HP ProtectTools Security Manager\PTServs.exe

C:\Program\HPQ\Shared\HPQTOA~1.EXE

C:\Program\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Program\ATI Technologies\ATI.ACE\cli.exe

C:\Program\Mozilla Firefox\firefox.exe

C:\Program\Notepad++\notepad++.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] C:\Program\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKLM\..\Run: [PTHOSTTR] C:\Program\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start

O4 - HKLM\..\Run: [HP Software Update] C:\Program\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [synTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\Program\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe

O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [scheduler] C:\WINDOWS\SMINST\Scheduler.exe

O4 - HKLM\..\Run: [WatchDog] C:\Program\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\Program\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: DVD Check.lnk = C:\Program\InterVideo\DVD Check\DVDCheck.exe

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Skicka till &Bluetooth - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208378497856

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: OneCard - C:\Program\HPQ\IAM\Bin\AsWlnPkg.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Automatisk LiveUpdate-schemaläggare - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program\HPQ\Shared\hpqwmi.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe

O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program\Delade filer\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe

O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program\ProtectTools\Embedded Security Software\PSDsrvc.EXE

 

--

End of file - 10054 bytes


Looks good. If you are having no malware issues, you are good to go. Great job with the complex instructions.

 

I notice only Symantec leftovers:

C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE

http://basconotw.mvps.org/SymRem.htm

 

Safe surfing :tup:

 

Some good information for you:

http://users.telenet.be/bluepatchy/miekiem...owcomputer.html

http://www.microsoft.com/windowsxp/using/h...ps/mcgill1.mspx

 

Here is some great information from experts in this field that will help you stay clean and safe online.

http://users.telenet.be/bluepatchy/miekiem...prevention.html

http://forums.spybot.info/showthread.php?t=279

http://russelltexas.com/malware/allclear.htm

http://forum.malwareremoval.com/viewtopic.php?t=14

http://www.bleepingcomputer.com/forums/topict2520.html

http://cybercoyote.org/security/not-admin.shtml

 

http://www.malwarecomplaints.info/

 

Thanks...pskelley

http://pcpitstop.com/about/supportus.asp

If you are reading this information...thank a teacher,

If you are reading it in English...thank a soldier.


Thanks again, pskelley. You're an absolute lifesaver.

 

The Symantec leftover is probably from a previous installation of Norton that came with my computer when my company bought it.

 

Thanks for the extra info as well. I'll be sure to read it through.

 

I normally know what I am doing when it comes to the Internet (I work as a webmaster and web developer) but I have no idea how that malware got on there.

 

I do know I owe you a pint though. Have a good weekend and thanks again!
