Cannot Uninstall "System Alert Popup" Program

Please download SmitfraudFix Extract the content (a folder named SmitfraudFix) to your Desktop. Download AVG Anti-Spyware from HERE and save that file to your desktop. This is a 30 day trial of the program

1. Once you have downloaded AVG anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
2. Select Change state" to inactivate 'Resident Shield' and 'Automatic Updates'
3. Right click on AVG AS in the system tray and uncheck "Start with Windows". Go to Start > Run and type: services.msc
4. Press "OK".
5. In Services, click the "Extended tab" and scroll down the list to find AVG anti-spyware guard.
6. When you find the guard service, double-click on it.
7. In the Properties Window > General Tab that opens, click the "Stop" button.
8. From the drop-down menu next to "Startup Type", click on "Manual".
9. Now click "Apply", then "OK" and close the Services window.
10. Once the setup is complete you will need run AVG AS and update the definition files.
11. On the main screen select the icon "Update" then select the "Update now" link.
12. Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
13. If you are having problems with the updater, manually update with the AVG AS Full database installer from here.
14. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
15. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
16. Under "Reports"
17. Select "Automatically generate report after every scan"
18. Un-Select "Only if threats were found"
19. Close AVG Anti-Spyware, Do Not run a scan just yet. We will shortly. Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #1 - Search by typing 1 and press " Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply. IMPORTANT: Do NOT run any other options until you are asked to do so! Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm ********************** zb1

Message Edited by zbestwun2001 on 01-31-2007 08:07 AM

SmitFraudFix v2.137 Scan done at 22:21:17.54, Wed 01/31/2007 Run from C:\Documents and Settings\Fall\Desktop\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Fall »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Fall\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Fall\FAVORI~1 C:\DOCUME~1\Fall\FAVORI~1\Online Security Test.url FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl" [HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32] @="C:\WINDOWS\system32\gwquvw.dll" [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32] @="C:\WINDOWS\system32\gwquvw.dll" »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="" "LoadAppInit_DLLs"=dword:00000001 »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32 »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End

Message Edited by whyamibored on 01-31-2007 09:22 PM

The forum format is not working, we will try again in the morning with a new SF log and see if it formats better? zb1

ok

Let's try it again...... This time be sure to check the box in the bottom of the post that says "Automatically convert carriage returns to HTML line breaks" before posting the next logs.


Please print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press " Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report along with all others into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : Running option #2 on a non-infected computer will remove your Desktop background.


____________________________________________________________

Clean out your Temporary Internet files. Proceed like this:

• Quit Internet Explorer and quit any instances of Windows Explorer.
• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete Files under Temporary Internet Files.
• In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
• On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
• Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
• Click OK.

Next Click Start, click Control Panel and then double-click Display.
Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin
______________________________

Close ALL open Windows / Programs / Folders.

• While in Safe Mode, launch AVG Anti-Spyware by double-clicking the icon on your desktop.
• Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
• AVG AS will now begin the scanning process, be patient this may take a little time.
• Once the scan is complete do the following:
  
• If you have any infections you will prompted, then select "Apply all actions"
• Next select the "Reports" icon at the top.
• Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
• Close AVG AS and reboot your system back into Normal Mode.

In your next reply please include:

1. The report from SmitfraudFix found here: C:\rapport.txt
2. The report from AVG AS
3. A fresh HijackThis log

You may need several replies to post the requested logs, otherwise they might get cut off.


Message Edited by zbestwun2001 on 02-01-2007 06:58 AM

still not formating correctly. zb1

Message Edited by zbestwun2001 on 02-01-2007 05:45 AM

Message Edited by zbestwun2001 on 02-01-2007 05:04 AM

OK, here is pt2 of the scan report


C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@twci.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.74:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@e-2dj6wfk4cldjcco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@e-2dj6wfkikhcjsep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@e-2dj6wfkoomdzebo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@e-2dj6wfkyqoczibq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@e-2dj6wgkywjd5cgo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@e-2dj6wglyghc5aao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@e-2dj6wjl4sgcjcbp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@e-2dj6wjliqpdjkap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@e-2dj6wjliwiajgdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@e-2dj6wjmienc5sep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.77:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.78:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.79:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.80:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.65:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.67:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.68:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.69:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.70:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@ehg-ati.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@ehg-inforspaceinc.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@ehg-mruholdings.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@ehg-newegg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@ehg-warnerbrothers.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@hotlog[2].txt -> TrackingCookie.Hotlog : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@komtrack[2].txt -> TrackingCookie.Komtrack : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@server.iad.liveperson[3].txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.150:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@overture[1].txt -> TrackingCookie.Overture : Cleaned.
:mozilla.122:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Paycounter : Cleaned.
:mozilla.84:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.85:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.86:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.87:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.88:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.161:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.83:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.90:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.91:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.92:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.93:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.120:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.121:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.114:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.115:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.116:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@www.smartadserver[1].txt -> TrackingCookie.Smartadserver : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@spylog[2].txt -> TrackingCookie.Spylog : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.143:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.147:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.100:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.101:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.102:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.103:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.104:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.105:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.106:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.81:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.151:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.153:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.154:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.155:C:\Documents and Settings\Fall\Application Data\Mozilla\Firefox\Profiles\usymgx3x.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Fall\Local Settings\Temp\Cookies\fall@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP108\A0021645.exe -> Trojan.Agent.vg : Cleaned with backup (quarantined).


::Report end

Message Edited by whyamibored on 02-01-2007 03:42 PM

Here is the SmitFraudFix report:


SmitFraudFix v2.137

Scan done at 15:04:06.71, Thu 02/01/2007
Run from C:\Documents and Settings\Fall\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl"

[HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\Fall\FAVORI~1\Online Security Test.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Please run Disk Cleanup.
Click "Start > Programs > Accessories > System Tools > Disk Cleanup"
Please make sure the following are checked:
-- Downloaded Program Files
-- Temporary Internet Files
-- Recycle Bin
-- Temporary Files
Click "OK" and Disk Cleanup will delete those files for you.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 6.
• Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement".
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.

Official JAVA Installation Instructions if needed.


After you have done this the post a new HJT log.

*********************************

zb1

Good, now post a HJT log, the instructions are at the top of this page. zb1

ok, i ran the system cleanup and installed java 6

thanks for all your help, by the way, and i just checked, and the system alert popup program only had 16mbs left, so i clicked uninstall and it said that it had already been uninstalled, so i just removed it from the list- thanks very much for all your help once again


Logfile of HijackThis v1.99.1
Scan saved at 9:42:21 PM, on 2/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061019
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/mpfplus/en-us/redir.asp?affid=105-79&installtype=force&dtag=9g4gzb1&langid=1&systempopup=true
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab53083.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us//html/activexplayer/SMALStreaming.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab53083.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab53083.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab53852.cab
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Message Edited by whyamibored on 02-01-2007 08:47 PM

Limewire is not technically malware by itself, but it can install malware because it opens the door for any number of
worms, adware, and spyware infections when you use their network. The courts have decided that current P2P networks are primarily used to trade pirated software and media.
P2P software itself has now been found illegal in some cases. I suggest that you remove it.


Run HiJackThis and click " Scan", then check(tick) the following, if present:

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab

Optional:Please read THIS
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe


Now, with all windows closed except HiJackThis, click "Fix checked".

---

Reboot and post a new log.

zb1