Skip to main content

bamajim

10.4K Posts

July 11th, 2006 23:00

brownie3982

2 things

1. You are currently running Hijackthis from a Temp file.

Hijackthis creates backup's that we may need, which could lost or deleted easily from a temp location

Please move Hijackthis to it's own folder, It can be done by

Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C:
then right click and select New then Folder and name it HJT.

2. Please go here

And Download SmitFraudFix by S!ri


Extract all the archive content to your desktop
• Search:
o Double-click smitfraudfix.cmd
o Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Open that file, Ctrl+A to copy, and post a copy of that log as a reply to this thread


Do Not run option 2 until instructed to do so



bamajim

Training at Malware Removal University

brownie3982

4 Posts

July 12th, 2006 02:00

Here is the info: 
 
Thanks so much for the help! 
 
SmitFraudFix v2.69
Scan done at 22:58:23.64, Tue 07/11/2006
Run from C:\Documents and Settings\My Laptop\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld???.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\My Laptop\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MYLAPT~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
 
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"altmannsberger"="{210b4043-35ca-4aa0-8796-191f9663dfb3}"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
 

Bugbatter

3 Apprentice

 • 

20.5K Posts

July 12th, 2006 17:00

Hi, brownie3982,

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

If you have not done so already, Download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

  2. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  3. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'
  4. Right click on ewido in the system tray and uncheck "Start with Windows".
    Go to Start > Run and type: services.msc
  5. Press "OK".
  6. In Services, click the "Extended tab" and scroll down the list to find ewido anti-spyware 4.0 guard.
  7. When you find the guard service, double-click on it.
  8. In the Properties Window > General Tab that opens, click the "Stop" button.
  9. From the drop-down menu next to "Startup Type", click on "Manual".
  10. Now click "Apply", then "OK" and close the Services window.
  11. Once the setup is complete you will need run ewido and update the definition files.
  12. On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • If you are having problems with the updater, manually update with the Ewido Full database installer from here.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
      • Close ewido anti-spyware, Do Not run a scan just yet.

        Reboot your computer in Safe Mode.

        * If the computer is running, shut down Windows, and then turn off the power.
        * Wait 30 seconds, and then turn the computer on.
        * Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
        * Ensure that the Safe Mode option is selected.
        * Press Enter. The computer then begins to start in Safe mode.
        * Login on your usual account.

        ______________________________

        Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
        Select option #2 - Clean by typing 2 and press Enter.
        Wait for the tool to complete and disk cleanup to finish.
        You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
        The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

        A reboot may be needed to finish the cleaning process, if your computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

        The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
        ______________________________

        Clean out your Temporary Internet files. Proceed like this:

        * Quit Internet Explorer and quit any instances of Windows Explorer.
        * Click Start, click Control Panel, and then double-click Internet Options.
        * On the General tab, click Delete Files under Temporary Internet Files.
        * In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
        * On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
        * Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
        * Click OK.

        Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

        Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
        ______________________________

        Close ALL open Windows / Programs / Folders.

        Launch ewido-anti-spyware by double-clicking the icon on your desktop.
        Select the " Scanner" icon at the top and then the " Scan" tab then click on " Complete System Scan".
        ewido will now begin the scanning process, be patient this may take a little time.
        Once the scan is complete do the following:

        If you have any infections you will prompted, then select " Apply all actions"
        IMPORTANT! Don't save the report before you have clicked the Apply all actions button. If you do it will make it more difficult for the helper to interpret the report.

        Next select the " Reports" icon at the top.
        Select the " Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
        Close ewido and reboot your system back into Normal Mode.

        Please post:

        1. c:\rapport.txt
        2. Ewido report
        3. A new HijackThis log ** Make sure that you haVe moved Hijackthis to a permanent folder of its own.
        Let me know how things are running.

      brownie3982

      4 Posts

      July 14th, 2006 01:00

      Things are running much better now...  McAfee seems to be catching anything new.  Here are my reports, let me know if there is anything else I should do.
       
      Thanks so much for the help and the prompt responses!  This is a GREAT forum! 
       
      Brownie3982
       
      Ewido

      brownie3982

      4 Posts

      July 14th, 2006 01:00

      Ewido Report:
       
      ---------------------------------------------------------
      ewido anti-spyware - Scan Report
      ---------------------------------------------------------
       + Created at: 8:17:55 AM 7/13/2006
       + Scan result: 
       
      HKLM\SOFTWARE\Classes\CLSID\{AA8263C2-BEC0-1A3A-53EC-210BF773BE14} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
      HKLM\SOFTWARE\Classes\CLSID\{654DCF3A-00ED-422e-BDA2-D7FA69261CE9} -> Adware.EZtracks : Cleaned with backup (quarantined).
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{654DCF3A-00ED-422e-BDA2-D7FA69261CE9} -> Adware.EZtracks : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{3BD7CCDA-CF21-49B5-951A-CA4F0CCF1F8F}\RP303\A0026311.exe -> Adware.RXBar : Cleaned with backup (quarantined).
      HKLM\SOFTWARE\Classes\CLSID\{59879FA4-4790-461c-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned with backup (quarantined).
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned with backup (quarantined).
      HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
      C:\Documents and Settings\My Laptop\Local Settings\Temp\Temporary Internet Files\Content.IE5\GTANC5EN\bridge-c2[1].cab/MediaGatewayX.dll -> Adware.WinAD : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{3BD7CCDA-CF21-49B5-951A-CA4F0CCF1F8F}\RP332\A0028675.exe -> Downloader.Zlob.uz : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{3BD7CCDA-CF21-49B5-951A-CA4F0CCF1F8F}\RP332\A0028543.EXE -> Downloader.Zlob.xn : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{3BD7CCDA-CF21-49B5-951A-CA4F0CCF1F8F}\RP321\A0027580.tlb -> Downloader.Zlob.xz : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{3BD7CCDA-CF21-49B5-951A-CA4F0CCF1F8F}\RP321\A0027852.tlb -> Downloader.Zlob.xz : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{3BD7CCDA-CF21-49B5-951A-CA4F0CCF1F8F}\RP321\A0027897.tlb -> Downloader.Zlob.xz : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{3BD7CCDA-CF21-49B5-951A-CA4F0CCF1F8F}\RP321\A0028005.TLB -> Downloader.Zlob.xz : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{3BD7CCDA-CF21-49B5-951A-CA4F0CCF1F8F}\RP321\A0028076.TLB -> Downloader.Zlob.xz : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{3BD7CCDA-CF21-49B5-951A-CA4F0CCF1F8F}\RP321\A0028172.TLB -> Downloader.Zlob.xz : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{3BD7CCDA-CF21-49B5-951A-CA4F0CCF1F8F}\RP324\A0028224.TLB -> Downloader.Zlob.xz : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{3BD7CCDA-CF21-49B5-951A-CA4F0CCF1F8F}\RP324\A0028250.TLB -> Downloader.Zlob.xz : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{3BD7CCDA-CF21-49B5-951A-CA4F0CCF1F8F}\RP328\A0028363.TLB -> Downloader.Zlob.xz : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{3BD7CCDA-CF21-49B5-951A-CA4F0CCF1F8F}\RP332\A0028568.TLB -> Downloader.Zlob.xz : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{3BD7CCDA-CF21-49B5-951A-CA4F0CCF1F8F}\RP332\A0028608.TLB -> Downloader.Zlob.xz : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{3BD7CCDA-CF21-49B5-951A-CA4F0CCF1F8F}\RP332\A0028653.TLB -> Downloader.Zlob.xz : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{3BD7CCDA-CF21-49B5-951A-CA4F0CCF1F8F}\RP332\A0028673.exe -> Downloader.Zlob.xz : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{3BD7CCDA-CF21-49B5-951A-CA4F0CCF1F8F}\RP332\A0028676.tlb -> Downloader.Zlob.xz : Cleaned with backup (quarantined).
      C:\Documents and Settings\My Laptop\Local Settings\Temp\Cookies\my laptop@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
      C:\Documents and Settings\My Laptop\Cookies\my laptop@bestoffersnetworks[2].txt -> TrackingCookie.Bestoffersnetworks : Cleaned with backup (quarantined).
      C:\Documents and Settings\My Laptop\Cookies\my laptop@bluemountain[2].txt -> TrackingCookie.Bluemountain : Cleaned with backup (quarantined).
      C:\Documents and Settings\LocalService\Cookies\my laptop@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
      C:\Documents and Settings\My Laptop\Cookies\my laptop@cliks[1].txt -> TrackingCookie.Cliks : Cleaned with backup (quarantined).
      C:\Documents and Settings\My Laptop\Local Settings\Temp\Cookies\my laptop@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
      C:\Documents and Settings\My Laptop\Cookies\my laptop@need2find[1].txt -> TrackingCookie.Need2find : Cleaned with backup (quarantined).
      C:\Documents and Settings\My Laptop\Cookies\my laptop@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
      C:\Documents and Settings\My Laptop\Cookies\my laptop@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
      C:\Documents and Settings\My Laptop\Cookies\my laptop@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
      C:\Documents and Settings\My Laptop\Cookies\my laptop@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).

      ::Report end
       
       
      Rapport.txt
       
      SmitFraudFix v2.69
      Scan done at 23:58:40.21, Wed 07/12/2006
      Run from C:\Documents and Settings\My Laptop\Desktop\SmitfraudFix
      OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
      Fix ran in safe mode
      »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
      !!!Attention, following keys are not inevitably infected!!!
      SrchSTS.exe by S!Ri
      Search SharedTaskScheduler's .dll
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
      "altmannsberger"="{210b4043-35ca-4aa0-8796-191f9663dfb3}"

      »»»»»»»»»»»»»»»»»»»»»»»» Killing process

      »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
      GenericRenosFix by S!Ri

      »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
      C:\WINDOWS\system32\dcomcfg.exe Deleted
      C:\WINDOWS\system32\hp???.tmp Deleted
      C:\WINDOWS\system32\ot.ico Deleted
      C:\WINDOWS\system32\regperf.exe Deleted
      C:\WINDOWS\system32\simpole.tlb Deleted
      C:\WINDOWS\system32\stdole3.tlb Deleted
      C:\WINDOWS\system32\ts.ico Deleted
      C:\WINDOWS\system32\1024\ Deleted
      »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

      »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
       
      Registry Cleaning done.
       
      »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
      !!!Attention, following keys are not inevitably infected!!!
      SrchSTS.exe by S!Ri
      Search SharedTaskScheduler's .dll

      »»»»»»»»»»»»»»»»»»»»»»»» End
       
       
      HiJackThis Log:
       
      Logfile of HijackThis v1.99.1
      Scan saved at 10:04:44 PM, on 7/13/2006
      Platform: Windows XP SP1 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\iTunes\iTunesHelper.exe
      C:\Program Files\QuickTime\qttask.exe
      C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\McAfee.com\VSO\mcvsshld.exe
      C:\Program Files\McAfee.com\VSO\oasclnt.exe
      C:\PROGRA~1\mcafee.com\agent\mcagent.exe
      C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\Program Files\AIM\aim.exe
      C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
      c:\program files\mcafee.com\agent\mcdetect.exe
      c:\PROGRA~1\mcafee.com\vso\mcshield.exe
      C:\Program Files\Corel\Graphics9\Register\Remind32.exe
      c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
      C:\PROGRA~1\Webshots\webshots.scr
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\WINDOWS\System32\wuauclt.exe
      c:\progra~1\mcafee.com\vso\mcvsescn.exe
      c:\progra~1\mcafee.com\vso\mcvsftsn.exe
      C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
      C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
      C:\HJT\HijackThis.exe
      R3 - Default URLSearchHook is missing
      O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
      O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
      O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
      O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
      O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
      O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
      O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
      O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
      O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
      O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
      O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
      O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
      O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe
      O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
      O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
      O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
      O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://eztracks.aavalue.com/EZT/Toolbar/eztdl.cab
      O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
      O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
      O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
      O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
      O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
      O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
      O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
      O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
      O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
      O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
       
       

      Bugbatter

      3 Apprentice

       • 

      20.5K Posts

      July 14th, 2006 02:00

      We have just a bit more to do.

      I suggest that you remove Aveo Attune. It is considered Adware.
      Info here:
      http://www.castlecops.com/startuplist-281.html

      You can remove AttuneClientEngine using Add/Remove Programs.
      Then delete the folder here:
      C:\PROGRA~1\ Aveo --FOLDER

      Also using Add/Remove Programs, remove SemanticInsight or RXToolbar (however listed)
      Info here:
      http://www.castlecops.com/startuplist-12770.html

      Delete the folder here:
      C:\Program Files\ RXToolBar --folder

      In addition, you are running Viewpoint, but I also see that you are using AIM, so I am including this information, so that you can make an informed decision on whether or not Viewpoint is needed:
      Viewpoint is bundled with AOL, AOL Instant Messenger, Netscape 7, etc and sometimes not mentioned in the license agreement.
      Viewpoint is also bundled with Adobe Atmosphere and hardware manufacturers pre-install some of these applications
      ViewPoint Toolbar will redirect your search queries and also transmits non personally identifiable information back to their servers
      Viewpoint Manager is a media player often bundled with AIM software. It is not technically considered malware, but is borderline adware and is often installed without a user's knowledge.
      For AOL and AIM it is needed to use their 3D icons known as Super Buddies and for customized themes, etc.

      If you wish to remove Viewpoint, end process on ViewManager in Task Manager.
      Remove it in Add/Remove Programs via the Control Panel.
      Then delete the Viewpoint folder in Program Files.

      We definitely to fix a few more things....

      Please launch HijackThis and place a checkmark next to these:

      R3 - Default URLSearchHook is missing
      O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
      O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
      O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://eztracks.aavalue.com/EZT/Toolbar/eztdl.cab
      O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll

      Only if you removed Viewpoint, fix this as well:
      O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

      Close all windows except HijackThis and click "Fix Checked".

      Reboot.

      Run Disk Cleanup in each user's profile:
      Click "Start > Programs > Accessories > System Tools > Disk Cleanup"
      Please make sure the following are checked:
      -- Downloaded Program Files
      -- Temporary Internet Files
      -- Recycle Bin
      -- Temporary Files
      Click "OK" and Disk Cleanup will delete those files for you.

      Post a fresh HijackThis log for final review, and let me know how things are running.

      Was this post helpful?

      View All

      No Events found!

      Top