Skip to main content

zbestwun2001

3 Apprentice

 • 

8.8K Posts

May 15th, 2007 12:00

Please download the HJT version that is offered at the top of the page. You are using the BETA version HJT program.



Please download SmitfraudFix (by S!Ri) to your Desktop.


Download AVG Anti-Spyware from HERE and save that file to your desktopIn Servis, click the " Extended tab" and scroll down the list to find AVG anti-spyware guard.When you find the guard service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Manual".
  • Now click "Apply", then "OK" and close the Services window.
  • Once the setup is complete you will need run AVG AS and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • If you are having problems with the updater, manually update with the AVG AS Full database installer from here.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
      • Close AVG Anti-Spyware, Do Not run a scan just yet. We will shortly.


        Double-click smitfraudfix.exe
        Select option #1 - Search by typing 1 and press " Enter"; a text file will appear, which lists infected files (if present).
        Please copy/paste the content of that report into your next reply.

        IMPORTANT: Do NOT run any other options until you are asked to do so!

        Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
        http://www.beyondlogic.org/consulting/proc...processutil.htm




        ************************

        zb1

        Message Edited by zbestwun2001 on 05-15-2007 06:54 AM

      Bugbatter

      3 Apprentice

       • 

      20.5K Posts

      May 15th, 2007 12:00

      Welcome :)

      We are reviewing your log and one of the analysts will reply soon. Thank you for waiting patiently.

      zbestwun2001

      3 Apprentice

       • 

      8.8K Posts

      May 15th, 2007 23:00

      You are doing just fine.

      Open Avg anti-Spyware. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. Right-click on AVG AS in the system tray and uncheck "Start with Windows".
      Go to Start > Run and type: services.msc
      Press "OK".
      In Services, click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
      When you find the guard service, double-click on it.
      In the Properties Window > General Tab that opens, click the "Stop" button.
      >From the drop-down menu next to "Startup Type", click on "Manual".
      Now click "Apply", then "OK" and close the Services window.



      Please print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

      Please reboot your computer in Safe Mode by doing the following :
      • Restart your computer
      • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
      • Instead of Windows loading as normal, a menu with options should appear;
      • Select the first option, to run Windows in Safe Mode, then press "Enter".
      • Choose your usual account.
      Once in Safe Mode, double-click on SmitfraudFix.exe again.
      Select option #2 - Clean by typing 2 and press " Enter" to delete infected files.

      You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

      The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

      The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows.
      A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report along with all others into your next reply along with a new HijackThis log.
      The report can also be found at the root of the system drive, usually at C:\rapport.txt

      Warning : Running option #2 on a non-infected computer will remove your Desktop background.


      ____________________________________________________________

      Clean out your Temporary Internet files. Proceed like this:
      • Quit Internet Explorer and quit any instances of Windows Explorer.
      • Click Start, click Control Panel, and then double-click Internet Options.
      • On the General tab, click Delete Files under Temporary Internet Files.
      • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
      • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
      • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
      • Click OK.
      Next Click Start, click Control Panel and then double-click Display.
      Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.
      Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin
      ______________________________

      Close ALL open Windows / Programs / Folders.

      • While in Safe Mode, launch AVG Anti-Spyware by double-clicking the icon on your desktop.
      • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
      • AVG AS will now begin the scanning process, be patient this may take a little time.
      • Once the scan is complete do the following:
      • If you have any infections you will prompted, then select "Apply all actions"
      • Next select the "Reports" icon at the top.
      • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
      • Close AVG AS and reboot your system back into Normal Mode.


      In your next reply please include:

      1. The report from SmitfraudFix found here: C:\rapport.txt
      2. The report from AVG AS
      3. A fresh HijackThis log

      You may need several replies to post the requested logs; otherwise they might get cut off.

      Message Edited by zbestwun2001 on 05-15-2007 05:46 PM

      JimboGavbo

      9 Posts

      May 15th, 2007 23:00

      I sure hope I'm doing this right!  Here's my log.  Thank you!
       
      SmitFraudFix v2.181
      Scan done at 20:11:35.67, Tue 05/15/2007
      Run from C:\Documents and Settings\Jim\Desktop\SmitfraudFix
      OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
      The filesystem type is NTFS
      Fix run in normal mode
      »»»»»»»»»»»»»»»»»»»»»»»» Process
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\LEXBCES.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\LEXPPS.EXE
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Image ActiveX Access\iesmn.exe
      C:\Program Files\Image ActiveX Access\imsmain.exe
      C:\WINDOWS\system32\hkcmd.exe
      C:\WINDOWS\BCMSMMSG.exe
      C:\WINDOWS\system32\dla\tfswctrl.exe
      C:\Program Files\Dell\Media Experience\PCMService.exe
      C:\PROGRA~1\mcafee.com\agent\mcagent.exe
      C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
      C:\Program Files\Common Files\Real\Update_OB\realsched.exe
      C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
      C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
      C:\Program Files\DIGStream\digstream.exe
      C:\Program Files\ESPNRunTime\DIGServices.exe
      C:\Program Files\Image ActiveX Access\imsmn.exe
      C:\Program Files\Winamp\winampa.exe
      C:\Program Files\QuickTime\qttask.exe
      C:\Program Files\iTunes\iTunesHelper.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
      C:\Program Files\Image ActiveX Access\iesmin.exe
      C:\Program Files\DellSupport\DSAgnt.exe
      C:\WINDOWS\system32\cisvc.exe
      C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
      C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\wanmpsvc.exe
      C:\Program Files\Canon\XXX/XXXMAIN.exe
      C:\WINDOWS\system32\wscntfy.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\WINDOWS\system32\cidaemon.exe
      C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
      C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Documents and Settings\Jim\Desktop\AVG Anti-Spyware 7.5\guard.exe
      C:\Documents and Settings\Jim\Desktop\AVG Anti-Spyware 7.5\avgas.exe
      C:\WINDOWS\system32\cmd.exe
      »»»»»»»»»»»»»»»»»»»»»»»» hosts

      »»»»»»»»»»»»»»»»»»»»»»»» C:\

      »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

      »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

      »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

      »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
      C:\WINDOWS\system32\dfrgsrv.exe FOUND !
      C:\WINDOWS\system32\uimcu.dll  FOUND !
      »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jim

      »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jim\Application Data

      »»»»»»»»»»»»»»»»»»»»»»»» Start Menu
      C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
      C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !
      »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\jim\FAVORI~1

      »»»»»»»»»»»»»»»»»»»»»»»» Desktop
      C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !
      C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !
      »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
      C:\Program Files\SpyLocked 3.9\ FOUND !
      »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

      »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
       
      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
      "Source"="About:Home"
      "SubscribedURL"="About:Home"
      "FriendlyName"="My Current Home Page"
       
      »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
      !!!Attention, following keys are not inevitably infected!!!
      SrchSTS.exe by S!Ri
      Search SharedTaskScheduler's .dll
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
      "{6ad686b9-ab56-4ebc-a804-9f70b55b4577}"="floripondio"
      [HKEY_CLASSES_ROOT\CLSID\{6ad686b9-ab56-4ebc-a804-9f70b55b4577}\InProcServer32]
      @="C:\WINDOWS\system32\uimcu.dll"
      [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6ad686b9-ab56-4ebc-a804-9f70b55b4577}\InProcServer32]
      @="C:\WINDOWS\system32\uimcu.dll"
       
      »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
      !!!Attention, following keys are not inevitably infected!!!
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
      "AppInit_DLLs"=""

      »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
      !!!Attention, following keys are not inevitably infected!!!
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
      "System"=""

      »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
       
      »»»»»»»»»»»»»»»»»»»»»»»» DNS
      Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
      DNS Server Search Order: 192.168.1.1
      HKLM\SYSTEM\CCS\Services\Tcpip\..\{9AC09192-E81A-457A-B4FF-F2C6E284921F}: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CS1\Services\Tcpip\..\{9AC09192-E81A-457A-B4FF-F2C6E284921F}: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CS2\Services\Tcpip\..\{9AC09192-E81A-457A-B4FF-F2C6E284921F}: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

      »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

      »»»»»»»»»»»»»»»»»»»»»»»» End
       

      JimboGavbo

      9 Posts

      May 16th, 2007 07:00

      Here is the hijack this log, thanks!
       
      Logfile of HijackThis v1.99.1
      Scan saved at 4:46:56 AM, on 5/16/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16441)
      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\LEXBCES.EXE
      C:\WINDOWS\system32\LEXPPS.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
      C:\Documents and Settings\Jim\Desktop\AVG Anti-Spyware 7.5\guard.exe
      C:\WINDOWS\system32\cisvc.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\wanmpsvc.exe
      C:\Program Files\Canon\XXX\XXXMAIN.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\WINDOWS\system32\wscntfy.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\hkcmd.exe
      C:\WINDOWS\BCMSMMSG.exe
      C:\WINDOWS\system32\dla\tfswctrl.exe
      C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
      C:\Program Files\Dell\Media Experience\PCMService.exe
      C:\PROGRA~1\mcafee.com\agent\mcagent.exe
      C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
      C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
      C:\Program Files\Common Files\Real\Update_OB\realsched.exe
      C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
      C:\Program Files\DIGStream\digstream.exe
      C:\Program Files\ESPNRunTime\DIGServices.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Winamp\winampa.exe
      C:\Program Files\QuickTime\qttask.exe
      C:\Program Files\iTunes\iTunesHelper.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\Documents and Settings\Jim\Desktop\AVG Anti-Spyware 7.5\avgas.exe
      C:\Program Files\DellSupport\DSAgnt.exe
      C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Hijackthis\HijackThis.exe
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
      O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\Program Files\Image ActiveX Access\iesplg.dll
      O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
      O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
      O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
      O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
      O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
      O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
      O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
      O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
      O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
      O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
      O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
      O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
      O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
      O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
      O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
      O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe   /brand=ESPN   /priority=0   /poll=24
      O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
      O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Jim\Desktop\AVG Anti-Spyware 7.5\avgas.exe" /minimized
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
      O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdS7_0_0 -reboot 1
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
      O4 - Global Startup: Image Transfer.lnk = ?
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
      O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
      O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
      O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
      O9 - Extra button: Golden Palace Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\GOLDEN~1\client.exe
      O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
      O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
      O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
      O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
      O9 - Extra button: Vegas Red Casino - {D5AE2D6D-38A7-425c-86C0-E4ABBDB9EC68} - C:\Casino\Vegas Red Casino\casino.exe
      O9 - Extra 'Tools' menuitem: Vegas Red Casino - {D5AE2D6D-38A7-425c-86C0-E4ABBDB9EC68} - C:\Casino\Vegas Red Casino\casino.exe
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
      O11 - Options group: [INTERNATIONAL] International*
      O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
      O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/MyFunCardsFWBInitialSetup1.0.0.8.cab
      O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
      O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
      O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
      O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://myconnection.wellpoint.com/dana-cached/setup/NeoterisSetup.cab
      O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
      O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
      O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
      O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
      O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
      O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
      O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Documents and Settings\Jim\Desktop\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: Canon Camera Access Library 8 (CXXXib8) - Canon Inc. - C:\Program Files\Canon\XXX\XXXMAIN.exe
      O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
      O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
      O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
      O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
      O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
       

      JimboGavbo

      9 Posts

      May 16th, 2007 07:00

      Also have a quick question:  why won't this message board allow me to post a message with the three letters C, A and L in the body?  I've had to remove these and replace them with XXX.

      JimboGavbo

      9 Posts

      May 16th, 2007 07:00

      Well... I believe I've successfully done everything you directed me to.  Things are getting better.  The incessant popups have subsided, but my browser is still hijacked.  It always routes to the page www.secureuptodate.com
       
      Here's my SmitFraudFix log.  I'll post my hijack this log in another message.  There was no AVG AS report available.
       
      SmitFraudFix v2.181
      Scan done at 20:40:37.65, Tue 05/15/2007
      Run from C:\Documents and Settings\Jim\Desktop\SmitfraudFix
      OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
      The filesystem type is NTFS
      Fix run in safe mode
      »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
      !!!Attention, following keys are not inevitably infected!!!
      SrchSTS.exe by S!Ri
      Search SharedTaskScheduler's .dll
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
      "{6ad686b9-ab56-4ebc-a804-9f70b55b4577}"="floripondio"
      [HKEY_CLASSES_ROOT\CLSID\{6ad686b9-ab56-4ebc-a804-9f70b55b4577}\InProcServer32]
      @="C:\WINDOWS\system32\uimcu.dll"
      [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6ad686b9-ab56-4ebc-a804-9f70b55b4577}\InProcServer32]
      @="C:\WINDOWS\system32\uimcu.dll"

      »»»»»»»»»»»»»»»»»»»»»»»» Killing process

      »»»»»»»»»»»»»»»»»»»»»»»» hosts

      127.0.0.1       localhost
      »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
      GenericRenosFix by S!Ri

      »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
      C:\WINDOWS\system32\dfrgsrv.exe Deleted
      C:\WINDOWS\system32\uimcu.dll Deleted
      C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
      C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
      C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
      C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted
      C:\Program Files\SpyLocked 3.9\ Deleted
      »»»»»»»»»»»»»»»»»»»»»»»» DNS
      HKLM\SYSTEM\CCS\Services\Tcpip\..\{9AC09192-E81A-457A-B4FF-F2C6E284921F}: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CS1\Services\Tcpip\..\{9AC09192-E81A-457A-B4FF-F2C6E284921F}: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CS2\Services\Tcpip\..\{9AC09192-E81A-457A-B4FF-F2C6E284921F}: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
      HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

      »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

      »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
      !!!Attention, following keys are not inevitably infected!!!
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
      "System"=""

      »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
       
      Registry Cleaning done.
       
      »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
      !!!Attention, following keys are not inevitably infected!!!
      SrchSTS.exe by S!Ri
      Search SharedTaskScheduler's .dll

      »»»»»»»»»»»»»»»»»»»»»»»» End
       

      zbestwun2001

      3 Apprentice

       • 

      8.8K Posts

      May 16th, 2007 13:00

      Please reread the instructions for AVG and you will see where there is a report generated that you can post. You need to save it to you desktop.



      Close ALL open Windows / Programs / Folders.

      * While in Safe Mode, launch AVG Anti-Spyware by double-clicking the icon on your desktop.
      * Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
      * AVG AS will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
      * If you have any infections you will prompted, then select "Apply all actions"
      * Next select the "Reports" icon at the top.
      * Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
      * Close AVG AS and reboot your system back into Normal Mode
      Run Disk Cleanup in each user's profile:
      Click "Start > Programs > Accessories > System Tools > Disk Cleanup"
      Please make sure the following are checked:
      -- Downloaded Program Files
      -- Temporary Internet Files
      -- Recycle Bin
      -- Temporary Files
      Click "OK" and Disk Cleanup will delete those files for you.


      Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely require a specific version of the JRE to run. Please follow these steps to remove older version Java components and update.

      Updating Java:
      • Download the latest version of Java Runtime Environment (JRE) 6u1.
      • Scroll down to where it says "Java Runtime Environment (JRE) 6u1 allows end-users to run Java applications".
      • Click the "Download" button to the right.
      • Check the box that says: "Accept License Agreement".
      • The page will refresh.
      • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
      • Close any programs you may have running - especially your web browser.
      • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
      • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
      • Click the Remove or Change/Remove button.
      • Repeat as many times as necessary to remove each Java versions.

      • Reboot your computer once all Java components are removed.
      • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

      Official JAVA Installation Instructions if needed.



      Reboot and post a new HJT log.

      ****************************

      zb1

      Message Edited by zbestwun2001 on 05-16-2007 02:44 PM

      Was this post helpful?

      View All

      No Events found!

      Top