
Author Topic: Please help my Internet Explorer is infected (Read 16934 times)


sandryly1

    Topic Starter


    Beginner

    Please help my Internet Explorer is infected
    « on: December 14, 2007, 07:26:03 PM »
    My computer got infected. I do have an antivirus, but I think it happened while downloading music. Thank you for your help in advance.

    I am not able to run the hijack complete because it is too long; please advise.

    Sandra

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:11:53 PM, on 12/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal


    Broni


      Mastermind
    • Kraków my love :)
    • Thanked: 614
      • Computer Help Forum
    • Computer: Specs
    • Experience: Experienced
    • OS: Windows 8
    Re: Please help my Internet Explorer is infected
    « Reply #1 on: December 14, 2007, 07:30:14 PM »
    1. Run free online scan at: http://housecall.trendmicro.com/
    Post HouseCall log.

    2. Download and scan with SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    Print these instructions out.

    SUPERAntiSpyware should be run in Safe Mode.

        * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
        * An icon will be created on your desktop. Double-click that icon to launch the program.
        * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
        * Under "Configuration and Preferences", click the Preferences button.
        * Click the Scanning Control tab.
        * Under Scanner Options make sure the following are checked (leave all others unchecked):
              o Close browsers before scanning.
              o Scan for tracking cookies.
              o Terminate memory threats before quarantining.
        * Click the "Close" button to leave the control center screen.
        * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
        * On the left, make sure you check C:\Fixed Drive.
        * On the right, under "Complete Scan", choose Perform Complete Scan.
        * Click "Next" to start the scan. Please be patient while it scans your computer.
        * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
        * Make sure everything has a checkmark next to it and click "Next".
        * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
        * If asked if you want to reboot, click "Yes".
        * To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
              o Click Preferences, then click the Statistics/Logs tab.
              o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
              o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
              o Please copy and paste the Scan Log results in your next reply with a new HijackThis log.
        * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    3. Download HijackThis:
    http://www.snapfiles.com/get/hijackthis.html
    Post HijackThis log.

    sandryly1

      Re: Please help my Internet Explorer is infected
      « Reply #2 on: December 14, 2007, 10:07:09 PM »
      Please tell me what I am doing wrong. When I try to reply with the log, it tells me that it exceeds the 1,000 words. What am I doing wrong??? >:(

      Broni


      Re: Please help my Internet Explorer is infected
      « Reply #3 on: December 14, 2007, 10:12:53 PM »
      Oh, OK.
      The easiest way...
      Open log in Notepad, and "Save As" .txt file (originally it's .log type of file).
      Then, when you reply, use "Additional Options", and attach your file.


      sandryly1

        Re: Please help my Internet Explorer is infected
        « Reply #4 on: December 14, 2007, 10:40:53 PM »
        I saved it as a txt and it is still not letting me attach it.

        sandryly1

          Re: Please help my Internet Explorer is infected
          « Reply #5 on: December 14, 2007, 10:46:35 PM »
          The only options that I have are:

          log files and log files (*.*)

          Broni


          Re: Please help my Internet Explorer is infected
          « Reply #6 on: December 14, 2007, 10:51:30 PM »
          sandryly1
          Open first log file in Notepad, click File, then Save As, and save it as .txt file.
          Then attach.
          Check the file size. It can't be bigger than 128 KB, but it shouldn't be.

          sandryly1

            Re: Please help my Internet Explorer is infected
            « Reply #7 on: December 14, 2007, 11:09:06 PM »
            I don't know what is going on. I did exactly what you told me and I keep getting the same message. Is there any other way to do it??

            Broni


            Re: Please help my Internet Explorer is infected
            « Reply #8 on: December 14, 2007, 11:11:44 PM »
            OK, highlight half of your first log, copy, and paste in your reply. Do the same with second half, and paste it into next reply.

            sandryly1

              Re: Please help my Internet Explorer is infected
              « Reply #9 on: December 14, 2007, 11:13:17 PM »
              pplication Version : 3.9.1008

              Core Rules Database Version : 3259
              Trace Rules Database Version: 1270

              Scan type       : Quick Scan
              Total Scan Time : 00:49:48

              Memory items scanned      : 586
              Memory threats detected   : 0
              Registry items scanned    : 831
              Registry threats detected : 39
              File items scanned        : 31658
              File threats detected     : 10

              Adware.MyWebSearch
                 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
                 HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}
                 HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}
                 HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\InprocServer32
                 HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\InprocServer32#ThreadingModel
                 HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\Programmable
                 C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\8.BIN\MWSSRCAS.DLL
                 HKU\S-1-5-21-584176141-2514272421-2728105404-1008\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}
                 HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
                 HKCR\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}
                 HKCR\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}\InprocServer32
                 HKCR\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}\InprocServer32#ThreadingModel
                 HKCR\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}\Programmable

              Adware.Tracking Cookie
                 c:\documents and settings\hp_administrator\cookies\hp_administrator@mywebsearch[1].txt

              Adware.HotBar/SpamBlockerUtility (Low Risk)
                 C:\Documents and Settings\HP_Administrator\Application Data\SpamBlocker\Personal Folders
                 C:\Documents and Settings\HP_Administrator\Application Data\SpamBlocker
                 HKCR\SpamBlockerConfig.Application
                 HKCR\SpamBlockerConfig.Application\Clsid
                 HKCR\SpamBlockerConfig.Application.1
                 HKCR\SpamBlockerConfig.Application.1\Clsid

              Malware.Ultimate Defender
                 C:\Documents and Settings\HP_Administrator\Application Data\Ultimate Defender\logs\1165996780.log
                 C:\Documents and Settings\HP_Administrator\Application Data\Ultimate Defender\logs
                 C:\Documents and Settings\HP_Administrator\Application Data\Ultimate Defender
                 C:\WINDOWS\SYSTEM32\TMPWISC2.EXE

              sandryly1

                Re: Please help my Internet Explorer is infected
                « Reply #10 on: December 14, 2007, 11:14:08 PM »
                :\WINDOWS\System32\smss.exe
                C:\WINDOWS\system32\winlogon.exe
                C:\WINDOWS\system32\services.exe
                C:\WINDOWS\system32\lsass.exe
                C:\WINDOWS\system32\Ati2evxx.exe
                C:\WINDOWS\system32\svchost.exe
                C:\WINDOWS\System32\svchost.exe
                C:\WINDOWS\system32\spoolsv.exe
                C:\WINDOWS\system32\Ati2evxx.exe
                C:\WINDOWS\Explorer.EXE
                C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
                C:\WINDOWS\vVX3000.exe
                C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
                C:\Program Files\Common Files\Real\Update_OB\realsched.exe
                C:\Program Files\iTunes\iTunesHelper.exe
                C:\Program Files\Search Settings\SearchSettings.exe
                C:\WINDOWS\system32\ctfmon.exe
                C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                C:\Program Files\CreataCard\Gold\FMRemind.exe
                C:\Program Files\Palm\Hotsync.exe
                C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                C:\WINDOWS\arservice.exe
                C:\WINDOWS\eHome\ehRecvr.exe
                C:\WINDOWS\eHome\ehSched.exe
                C:\Program Files\Common Files\LightScribe\LSSrvc.exe
                C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
                C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
                C:\WINDOWS\system32\svchost.exe
                C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
                C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
                c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
                C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
                C:\Program Files\iPod\bin\iPodService.exe
                C:\WINDOWS\system32\dllhost.exe
                C:\Program Files\Mozilla Firefox\firefox.exe
                C:\Program Files\Internet Explorer\IEXPLORE.EXE
                C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
                R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
                R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
                R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
                O2 - BHO: (no name) - MRI_DISABLED - (no file)
                O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
                O2 - BHO: OFK System - {E2D31F0C-78A4-4713-A7E4-6F4A50525D4B} - C:\WINDOWS\blopenvtrm.dll
                O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll
                O3 - Toolbar: The retnsrp - {D528386A-A286-4697-9C9C-47856CCD7F67} - C:\WINDOWS\retnsrp.dll
                O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
                O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
                O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
                O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
                O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 200
                O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
                O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
                O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
                O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
                O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
                O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
                O4 - HKCU\..\Run: [My Web Search Community Tools] "C:\Program Files\MyWebSearch\bar\8.bin\m3IMPipe.exe"
                O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
                O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
                O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
                O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
                O4 - Startup: PowerReg Scheduler V3.exe
                O4 - Global Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
                O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
                O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
                O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000
                O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
                O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
                O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
                O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
                O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
                O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
                O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
                O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
                O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
                O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
                O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
                O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
                O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
                O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.27.5/ttinst.cab
                O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
                O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
                O21 - SSODL: nopzet - {D11BA613-31F8-42DA-AA4C-75CBA99FAA5C} - C:\WINDOWS\nopzet.dll
                O21 - SSODL: leorop - {0B7728A6-03CC-4309-A8E8-941FEBC1A9AF} - C:\WINDOWS\leorop.dll
                O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
                O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
                O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
                O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
                O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
                O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
                O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. -

                sandryly1

                  Re: Please help my Internet Explorer is infected
                  « Reply #11 on: December 14, 2007, 11:15:17 PM »
                  Will that be good? In the last one I was able to copy the whole thing.

                  Broni


                  Re: Please help my Internet Explorer is infected
                  « Reply #12 on: December 14, 2007, 11:17:46 PM »
                  Beginning of HijackThis log is cut off. Try again.

                  Broni


                  Re: Please help my Internet Explorer is infected
                  « Reply #13 on: December 14, 2007, 11:20:10 PM »
                  SUPERAntiSpyware was supposed to be run as Complete Scan, not Quick Scan. Did you run it in Safe Mode? Is it the complete log?
                  HouseCall log is missing.
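
The checks made in replies #12 and #13 (is the beginning of the HijackThis log present, was the SUPERAntiSpyware scan a Complete Scan, is the log complete) can be run automatically before a log is accepted. The Python below is an added example, not part of the thread or of either tool; its sample logs are trimmed from the ones posted here, and it assumes that a full scan's "Scan type" contains the word "Complete" and that every indented line under a detection name is one item counted in the summary.

```python
import re
import textwrap

HJT_HEADER = "Logfile of Trend Micro HijackThis"
# Section codes as they appear in HijackThis logs (R0-R3, F0-F3, N1-N4, O1-O24).
HJT_ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
# "Name : value" summary lines; the colon must be followed by whitespace,
# so the "http://" line in the log header is not mistaken for a field.
SAS_FIELD = re.compile(r"^([A-Za-z ]+?)\s*:\s+(.+)$")

# Constructed samples, trimmed from the logs posted in this thread.
SAS_SAMPLE = r"""
Scan type       : Quick Scan
Total Scan Time : 00:49:48

Registry items scanned    : 831
Registry threats detected : 39
File items scanned        : 31658
File threats detected     : 10

Adware.MyWebSearch
   HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}
   C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\8.BIN\MWSSRCAS.DLL

Malware.Ultimate Defender
   C:\WINDOWS\SYSTEM32\TMPWISC2.EXE
"""

HJT_SAMPLE = r"""
:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. -
"""


def parse_sas_log(text):
    """Split a SUPERAntiSpyware log into summary fields and detection groups."""
    fields, detections, heading = {}, {}, None
    for raw in textwrap.dedent(text).splitlines():
        line = raw.rstrip()
        if not line:
            heading = None                      # blank line ends a group
        elif line[0].isspace():                 # indented: item under a heading
            if heading:
                detections.setdefault(heading, []).append(line.strip())
        elif (m := SAS_FIELD.match(line)):
            fields[m.group(1)] = m.group(2)
        else:
            heading = line                      # e.g. "Adware.MyWebSearch"
    return fields, detections


def sas_problems(text):
    """Reasons a helper would ask for the SUPERAntiSpyware log again."""
    fields, detections = parse_sas_log(text)
    problems = []
    scan_type = fields.get("Scan type")
    if scan_type is None:
        problems.append("scan type not found (top of log cut off?)")
    elif "complete" not in scan_type.lower():   # assumed wording of a full scan
        problems.append(f"scan type is '{scan_type}', Complete Scan was requested")
    items = [i for group in detections.values() for i in group]
    registry = sum(i.upper().startswith("HK") for i in items)
    # Assumption: every indented line is one item counted in the summary.
    for kind, listed in (("Registry", registry), ("File", len(items) - registry)):
        reported = fields.get(f"{kind} threats detected", "")
        if reported.isdigit() and listed < int(reported):
            problems.append(f"{kind.lower()} items: {listed} listed, {reported} reported")
    return problems


def hjt_problems(text):
    """Reasons a helper would ask for the HijackThis log again."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    problems = []
    if not lines or not lines[0].startswith(HJT_HEADER):
        problems.append("header missing: beginning of log is cut off")
    if "Running processes:" not in lines:
        problems.append("'Running processes:' marker missing")
    entries = [m.groups() for m in map(HJT_ENTRY.match, lines) if m]
    if not entries:
        problems.append("no R/F/N/O entries: log ends before the registry section")
    for code, body in entries:
        # O23 lines in this thread read "Service: name - vendor - path".
        if code == "O23" and body.endswith("-"):
            problems.append(f"O23 entry has no file path (cut off): {body}")
    return problems


if __name__ == "__main__":
    for label, found in (("SUPERAntiSpyware", sas_problems(SAS_SAMPLE)),
                         ("HijackThis", hjt_problems(HJT_SAMPLE))):
        for problem in found:
            print(f"{label}: {problem}")
```
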

                  sandryly1

                    Re: Please help my Internet Explorer is infected
                    « Reply #14 on: December 14, 2007, 11:20:51 PM »
                    Logfile of Trend Micro HijackThis v2.0.2
                    Scan saved at 10:10:52 PM, on 12/14/2007
                    Platform: Windows XP SP2 (WinNT 5.01.2600)
                    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
                    Boot mode: Normal

                    Running processes:
                    C:\WINDOWS\System32\smss.exe
                    C:\WINDOWS\system32\winlogon.exe
                    C:\WINDOWS\system32\services.exe
                    C:\WINDOWS\system32\lsass.exe
                    C:\WINDOWS\system32\Ati2evxx.exe
                    C:\WINDOWS\system32\svchost.exe
                    C:\WINDOWS\System32\svchost.exe
                    C:\WINDOWS\system32\spoolsv.exe
                    C:\WINDOWS\system32\Ati2evxx.exe
                    C:\WINDOWS\Explorer.EXE
                    C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
                    C:\WINDOWS\vVX3000.exe
                    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
                    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
                    C:\Program Files\iTunes\iTunesHelper.exe
                    C:\Program Files\Search Settings\SearchSettings.exe
                    C:\WINDOWS\system32\ctfmon.exe
                    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                    C:\Program Files\CreataCard\Gold\FMRemind.exe
                    C:\Program Files\Palm\Hotsync.exe
                    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                    C:\WINDOWS\arservice.exe
                    C:\WINDOWS\eHome\ehRecvr.exe

                    sandryly1

                      Re: Please help my Internet Explorer is infected
                      « Reply #15 on: December 14, 2007, 11:31:26 PM »
                      Probably because the initial setup was not done correctly? Should I reinstall and rerun in Safe Mode?

                      HouseCall log is coming next.

                      Broni


                      Re: Please help my Internet Explorer is infected
                      « Reply #16 on: December 14, 2007, 11:34:40 PM »
                      Quote
                      Should I reinstall and rerun in Safe Mode?
                      You didn't uninstall it yet, did you?
                      Print out my manual, how to use it, and follow it. Yes, in Safe Mode.

                      sandryly1

                        Re: Please help my Internet Explorer is infected
                        « Reply #17 on: December 14, 2007, 11:58:48 PM »
                        Broni,

                        I did not delete it, but let me try and run it in Safe Mode now. I think this is going to take a while.

                        Broni


                        Re: Please help my Internet Explorer is infected
                        « Reply #18 on: December 15, 2007, 12:03:53 AM »
                        Take your time...

                        sandryly1

                          Re: Please help my Internet Explorer is infected
                          « Reply #19 on: December 15, 2007, 12:11:42 AM »
                          I followed your instructions and I am not sure if the screen is supposed to go into Safe Mode or the program is just run in Safe Mode, but I did follow your instructions line by line.

                          Broni


                          Re: Please help my Internet Explorer is infected
                          « Reply #20 on: December 15, 2007, 12:19:12 AM »
                          To enter Safe Mode....
                          Restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode.
                          You'll see "Safe Mode" in all four corners of your screen.

                          sandryly1

                            Re: Please help my Internet Explorer is infected
                            « Reply #21 on: December 15, 2007, 12:25:05 AM »
                            OK, then I will do that. Thank you.

                            Broni


                            Re: Please help my Internet Explorer is infected
                            « Reply #22 on: December 15, 2007, 12:29:38 AM »
                            After you do that, post its log, run HijackThis AGAIN, and post its fresh log. Don't forget to post also HouseCall log.

                            Broni


                            Re: Please help my Internet Explorer is infected
                            « Reply #23 on: December 15, 2007, 12:34:17 AM »
                            I'm getting ready for bed, so I'll see you tomorrow. Good luck.

                            sandryly1

                              Re: Please help my Internet Explorer is infected
                              « Reply #24 on: December 15, 2007, 11:48:01 AM »
                              Sorry I could not get back to you, but it took my computer 9 hours to run SUPERAntiSpyware. Now when I did the log it is not showing me the one I did at 11:06pm; it only shows the quick scan at 8:42pm. Is it because it was done in Safe Mode that I am not able to see the log? So I rebooted the computer again; it already rebooted once after the scan.

                              I will post the logs; hopefully this time I am able to attach them.

                              Broni


                              Re: Please help my Internet Explorer is infected
                              « Reply #25 on: December 15, 2007, 11:50:36 AM »
                              OK.

                              sandryly1

                                Re: Please help my Internet Explorer is infected
                                « Reply #26 on: December 15, 2007, 12:09:38 PM »
                                Hi Broni, nice to have you back !!

                                I ran the Safe Mode whole scan and it is still showing as quick scan in the log.

                                Broni


                                Re: Please help my Internet Explorer is infected
                                « Reply #27 on: December 15, 2007, 12:12:01 PM »
                                It's OK... Post all three logs. With HijackThis, make sure you post a fresh log.

                                sandryly1

                                  Re: Please help my Internet Explorer is infected
                                  « Reply #28 on: December 15, 2007, 12:13:05 PM »
                                   :(
                                  SUPERAntiSpyware Scan Log
                                  http://www.superantispyware.com

                                  Generated 12/14/2007 at 08:42 PM

                                  Application Version : 3.9.1008

                                  Core Rules Database Version : 3259
                                  Trace Rules Database Version: 1270

                                  Scan type       : Quick Scan
                                  Total Scan Time : 00:49:48

                                  Memory items scanned      : 586
                                  Memory threats detected   : 0
                                  Registry items scanned    : 831
                                  Registry threats detected : 39
                                  File items scanned        : 31658
                                  File threats detected     : 10

                                  Adware.MyWebSearch
                                     HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
                                     HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}
                                     HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}
                                     HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\InprocServer32
                                     HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\InprocServer32#ThreadingModel
                                     HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\Programmable
                                     C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\8.BIN\MWSSRCAS.DLL
                                     HKU\S-1-5-21-584176141-2514272421-2728105404-1008\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}
                                     HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
                                     HKCR\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}
                                     HKCR\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}\InprocServer32
                                     HKCR\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}\InprocServer32#ThreadingModel
                                     HKCR\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}\Programmable

                                  Adware.Tracking Cookie
                                     c:\documents and settings\hp_administrator\cookies\hp_administrator@mywebsearch[1].txt

                                  Adware.HotBar/SpamBlockerUtility (Low Risk)
                                     C:\Documents and Settings\HP_Administrator\Application Data\SpamBlocker\Personal Folders
                                     C:\Documents and Settings\HP_Administrator\Application Data\SpamBlocker
                                     HKCR\SpamBlockerConfig.Application
                                     HKCR\SpamBlockerConfig.Application\Clsid
                                     HKCR\SpamBlockerConfig.Application.1
                                     HKCR\SpamBlockerConfig.Application.1\Clsid

                                  Malware.Ultimate Defender
                                     C:\Documents and Settings\HP_Administrator\Application Data\Ultimate Defender\logs\1165996780.log
                                     C:\Documents and Settings\HP_Administrator\Application Data\Ultimate Defender\logs
                                     C:\Documents and Settings\HP_Administrator\Application Data\Ultimate Defender
                                     C:\WINDOWS\SYSTEM32\TMPWISC2.EXE

                                  Adware.Zango Toolbar/Hb
                                     HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}
                                     HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}\InprocServer32
                                     HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}\InprocServer32#ThreadingModel
                                     HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}\ProgID
                                     HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}\Programmable
                                     HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}\TypeLib
                                     HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}\VersionIndependentProgID
                                     HKCR\TypeLib\{5937CD7F-1C0B-41E1-9075-60EBDF3C7D34}
                                     HKCR\TypeLib\{5937CD7F-1C0B-41E1-9075-60EBDF3C7D34}\1.0
                                     HKCR\TypeLib\{5937CD7F-1C0B-41E1-9075-60EBDF3C7D34}\1.0\0
                                     HKCR\TypeLib\{5937CD7F-1C0B-41E1-9075-60EBDF3C7D34}\1.0\0\win32
                                     HKCR\TypeLib\{5937CD7F-1C0B-41E1-9075-60EBDF3C7D34}\1.0\FLAGS
                                     HKCR\TypeLib\{5937CD7F-1C0B-41E1-9075-60EBDF3C7D34}\1.0\HELPDIR
                                     HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}
                                     HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\ProxyStubClsid
                                     HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\ProxyStubClsid32
                                     HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\TypeLib
                                     HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\TypeLib#Version

                                  Trojan.DNSChanger-Codec
                                     HKCR\AdultAccess
                                     HKCR\AdultAccess\CLSID

                                  Trojan.Net-MSV/VPS
                                     HKCR\MSVPS.MSVPSApp
                                     HKCR\MSVPS.MSVPSApp\CLSID
                                     HKCR\MSVPS.MSVPSApp\CurVer

                                  Browser Hijacker.Favorites
                                     C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\FAVORITES\ONLINE SECURITY TEST.URL

                                  Adware.180solutions/ZangoSearch
                                     C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\SETUP.EXE

                                  sandryly1

                                    « Reply #29 on: December 15, 2007, 12:13:54 PM »
                                    Logfile of Trend Micro HijackThis v2.0.2
                                    Scan saved at 10:33:14 AM, on 12/15/2007
                                    Platform: Windows XP SP2 (WinNT 5.01.2600)
                                    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
                                    Boot mode: Normal

                                    Running processes:
                                    C:\WINDOWS\System32\smss.exe
                                    C:\WINDOWS\system32\winlogon.exe
                                    C:\WINDOWS\system32\services.exe
                                    C:\WINDOWS\system32\lsass.exe
                                    C:\WINDOWS\system32\Ati2evxx.exe
                                    C:\WINDOWS\system32\svchost.exe
                                    C:\WINDOWS\System32\svchost.exe
                                    C:\WINDOWS\system32\spoolsv.exe
                                    C:\WINDOWS\system32\Ati2evxx.exe
                                    C:\WINDOWS\Explorer.EXE
                                    C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
                                    C:\WINDOWS\vVX3000.exe
                                    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
                                    C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
                                    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
                                    C:\Program Files\iTunes\iTunesHelper.exe
                                    C:\Program Files\Search Settings\SearchSettings.exe
                                    C:\WINDOWS\system32\ctfmon.exe
                                    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                                    C:\Program Files\CreataCard\Gold\FMRemind.exe
                                    C:\Program Files\Palm\Hotsync.exe
                                    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                                    C:\WINDOWS\arservice.exe
                                    C:\WINDOWS\eHome\ehRecvr.exe
                                    C:\WINDOWS\eHome\ehSched.exe
                                    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
                                    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                                    C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
                                    C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
                                    C:\WINDOWS\system32\svchost.exe
                                    C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
                                    C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
                                    c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
                                    C:\Program Files\iPod\bin\iPodService.exe
                                    C:\WINDOWS\system32\dllhost.exe
                                    C:\Program Files\Mozilla Firefox\firefox.exe
                                    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                                    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
                                    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
                                    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
                                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                                    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                                    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
                                    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
                                    O2 - BHO: (no name) - MRI_DISABLED - (no file)
                                    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                                    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
                                    O2 - BHO: OFK System - {E2D31F0C-78A4-4713-A7E4-6F4A50525D4B} - C:\WINDOWS\blopenvtrm.dll
                                    O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll
                                    O3 - Toolbar: The retnsrp - {D528386A-A286-4697-9C9C-47856CCD7F67} - C:\WINDOWS\retnsrp.dll
                                    O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
                                    O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
                                    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
                                    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
                                    O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 200
                                    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
                                    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
                                    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
                                    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
                                    O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
                                    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                                    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
                                    O4 - HKCU\..\Run: [My Web Search Community Tools] "C:\Program Files\MyWebSearch\bar\8.bin\m3IMPipe.exe"
                                    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                                    O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
                                    O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
                                    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
                                    O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
                                    O4 - Startup: PowerReg Scheduler V3.exe
                                    O4 - Global Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
                                    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
                                    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                                    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
                                    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
                                    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
                                    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                                    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                                    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
                                    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
                                    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                    O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
                                    O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
                                    O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
                                    O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
                                    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
                                    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
                                    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
                                    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
                                    O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
                                    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.27.5/ttinst.cab
                                    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
                                    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
                                    O21 - SSODL: nopzet - {D11BA613-31F8-42DA-AA4C-75CBA99FAA5C} - C:\WINDOWS\nopzet.dll
                                    O21 - SSODL: leorop - {0B7728A6-03CC-4309-A8E8-941FEBC1A9AF} - C:\WINDOWS\leorop.dll
                                    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                                    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
                                    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                                    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
                                    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
                                    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
                                    O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
                                    O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
                                    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe

                                    --
                                    End of file - 9398 bytes

                                    sandryly1

                                      « Reply #30 on: December 15, 2007, 12:17:29 PM »
                                      Sorry, but I'm still waiting on HouseCall; it is taking longer than expected, just a few more min......it is taking so long.....

                                      Broni


                                      « Reply #31 on: December 15, 2007, 12:18:18 PM »
                                      It's OK... I'll check your HJT log in the meantime.

                                      Broni


                                      « Reply #32 on: December 15, 2007, 12:32:34 PM »
                                      When you're done with HouseCall scan, post its log, then...

                                      In your HJT log....
                                      I can't see any firewall running, unless you're using the Windows firewall. Is that the case?

                                      Now...

                                      1. Print out these instructions as we will need to close every window that is open later in the fix.

                                      2. Download SmitfraudFix.exe from here and save it to your desktop:

                                      http://www.bleepingcomputer.com/files/smitfraudfix.php

                                      3. Next, please reboot your computer into Safe Mode by doing the following:

                                         a. Restart your computer

                                         b. Start tapping F8 key

                                         c. A menu will appear

                                         d. Select the first option, to run Windows in Safe Mode.

                                      4. Close all open windows.

                                      5. Now, double-click on the SmitFraudfix icon.

                                      6. When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen.

                                      7. You will now see a menu. Press the number 2 on your keyboard and then press the Enter key to choose the option Clean.

                                      8. The program will start cleaning your computer and go through a series of cleanup processes. When it is done, it will automatically start the Disk Cleanup program.
                                      This program will remove all Temp, Temporary Internet Files, and other files that may be left over from this infection. This process can take a long time depending on your computer, so please be patient. When it is complete, it will close automatically and you should continue with the next step.

                                      9. When Disk Cleanup is finished, you will be presented with an option asking Do you want to clean the registry ? (y/n). At this screen you should press the Y button on your keyboard and then press the Enter key.

                                      10. When this last routine is finished, you will be presented with a red screen stating Computer will reboot now. Close all applications. You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot.

                                      11. Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer.
                                      Save that log to your desktop, and attach it to your next reply.

                                      Post a fresh HijackThis log, too.

                                      sandryly1

                                        « Reply #33 on: December 15, 2007, 12:51:39 PM »





                                        This is what I got from the Trend Micro log:


                                        POSSIBLE_OBFUS

                                        Malware type: Trojan

                                        Aliases: Trojan-Downloader.Win32.Obfuscated.n (Kaspersky), TR/Small.Crypted.Gen (Avira), Mal/TinyDL-H (Sophos),

                                        In the wild: No
                                        Overall risk rating: Low

                                        --------------------------------------------------------------------------------
                                         
                                        Description:


                                        This is the Trend Micro detection for suspicious files that manifest behavior and characteristics similar to known OBFUSCAT variants.

                                        To view sample detailed analyses of OBFUSCAT variants, refer to the following links:

                                        TROJ_OBFUSCAT.CM
                                        TROJ_OBFUSCAT.CC
                                        More descriptions of OBFUSCAT variants can be found here.

                                        If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

                                        To submit files, please refer to the Solution section.


                                         



                                         

                                        Description created: Feb. 15, 2007 6:48:01 PM GMT -0800


                                        Warning: possible spyware or adware infection! Click here to scan your computer for spyware and adware...
                                         
                                           

                                        sandryly1

                                          « Reply #34 on: December 15, 2007, 12:55:05 PM »
                                          Sorry, I had to get the log from my Trend Micro because when I was doing the scan I accidentally exited grrrrr!!!

                                          I printed your instructions and will follow them right now.

                                          Broni


                                          « Reply #35 on: December 15, 2007, 01:08:35 PM »
                                          It's OK.

                                          sandryly1

                                            « Reply #36 on: December 15, 2007, 01:41:40 PM »
                                            I am back and this is the log that I got:

                                            SmitFraudFix v2.269

                                            Scan done at 12:16:17.37, Sat 12/15/2007
                                            Run from C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix
                                            OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
                                            The filesystem type is NTFS
                                            Fix run in safe mode

                                            »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
                                            !!!Attention, following keys are not inevitably infected!!!

                                            SrchSTS.exe by S!Ri
                                            Search SharedTaskScheduler's .dll

                                            »»»»»»»»»»»»»»»»»»»»»»»» Killing process


                                            »»»»»»»»»»»»»»»»»»»»»»»» hosts


                                            127.0.0.1       localhost

                                            »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

                                            S!Ri's WS2Fix: LSP not Found.


                                            »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

                                            GenericRenosFix by S!Ri


                                            »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


                                            »»»»»»»»»»»»»»»»»»»»»»»» DNS

                                            HKLM\SYSTEM\CCS\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
                                            HKLM\SYSTEM\CCS\Services\Tcpip\..\{FCAAFAD0-433F-4859-B366-37F10EFDF63A}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
                                            HKLM\SYSTEM\CS1\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
                                            HKLM\SYSTEM\CS1\Services\Tcpip\..\{FCAAFAD0-433F-4859-B366-37F10EFDF63A}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
                                            HKLM\SYSTEM\CS3\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
                                            HKLM\SYSTEM\CS3\Services\Tcpip\..\{FCAAFAD0-433F-4859-B366-37F10EFDF63A}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
                                            HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
                                            HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
                                            HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11


                                            »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


                                            »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
                                            !!!Attention, following keys are not inevitably infected!!!

                                            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
                                            "System"=""


                                            »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
                                             
                                            Registry Cleaning done.
                                             
                                            »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
                                            !!!Attention, following keys are not inevitably infected!!!

                                            SrchSTS.exe by S!Ri
                                            Search SharedTaskScheduler's .dll


                                            »»»»»»»»»»»»»»»»»»»»»»»» End


                                            sandryly1


                                              Re: Please help my interenet explorer is infected
                                              « Reply #37 on: December 15, 2007, 01:42:36 PM »
                                              How do I activate the firewall in my Trend Micro antivirus??

                                              sandryly1


                                                Re: Please help my interenet explorer is infected
                                                « Reply #38 on: December 15, 2007, 01:46:10 PM »
                                                Broni, it looks like the virus is G O N E ;D !!!

                                                Broni


                                                Re: Please help my interenet explorer is infected
                                                « Reply #39 on: December 15, 2007, 02:16:09 PM »
                                                Slow down....LOL...How do you know the virus is gone?

                                                Quote
                                                How do I activate the firewall in my Trend Micro antivirus??
                                                You can't. Antivirus and firewall are two different things.
                                                First, let's check if your Windows firewall is on or off.
                                                Click Start, click Run, type Firewall.cpl, and then click OK. Let me know what it says.

                                                Also, I need your fresh HijackThis log.

                                                sandryly1


                                                  Re: Please help my interenet explorer is infected
                                                  « Reply #40 on: December 15, 2007, 04:10:33 PM »
                                                  Sorry for the delay.

                                                  You got me scared for a second :P Well, the pop-ups are not there anymore, at least popping in my computer.

                                                  Here is the log for hijack:

                                                  Logfile of Trend Micro HijackThis v2.0.2
                                                  Scan saved at 3:08:39 PM, on 12/15/2007
                                                  Platform: Windows XP SP2 (WinNT 5.01.2600)
                                                  MSIE: Internet Explorer v7.00 (7.00.6000.16574)
                                                  Boot mode: Normal

                                                  Running processes:
                                                  C:\WINDOWS\System32\smss.exe
                                                  C:\WINDOWS\system32\winlogon.exe
                                                  C:\WINDOWS\system32\services.exe
                                                  C:\WINDOWS\system32\lsass.exe
                                                  C:\WINDOWS\system32\Ati2evxx.exe
                                                  C:\WINDOWS\system32\svchost.exe
                                                  C:\WINDOWS\System32\svchost.exe
                                                  C:\WINDOWS\system32\spoolsv.exe
                                                  C:\WINDOWS\system32\Ati2evxx.exe
                                                  C:\WINDOWS\Explorer.EXE
                                                  C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
                                                  C:\WINDOWS\vVX3000.exe
                                                  C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
                                                  C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
                                                  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
                                                  C:\Program Files\iTunes\iTunesHelper.exe
                                                  C:\Program Files\Search Settings\SearchSettings.exe
                                                  C:\WINDOWS\system32\ctfmon.exe
                                                  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                                                  C:\Program Files\CreataCard\Gold\FMRemind.exe
                                                  C:\Program Files\Palm\Hotsync.exe
                                                  C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                                                  C:\WINDOWS\arservice.exe
                                                  C:\WINDOWS\eHome\ehRecvr.exe
                                                  C:\WINDOWS\eHome\ehSched.exe
                                                  C:\Program Files\Common Files\LightScribe\LSSrvc.exe
                                                  C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                                                  C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
                                                  C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
                                                  C:\WINDOWS\system32\svchost.exe
                                                  C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
                                                  C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
                                                  c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
                                                  C:\Program Files\iPod\bin\iPodService.exe
                                                  C:\WINDOWS\system32\dllhost.exe
                                                  C:\Program Files\Mozilla Firefox\firefox.exe
                                                  C:\Program Files\Picasa2\Picasa2.exe
                                                  C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                                                  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
                                                  O2 - BHO: (no name) - MRI_DISABLED - (no file)
                                                  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                                                  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
                                                  O2 - BHO: OFK System - {E2D31F0C-78A4-4713-A7E4-6F4A50525D4B} - C:\WINDOWS\blopenvtrm.dll (file missing)
                                                  O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll
                                                  O3 - Toolbar: The retnsrp - {D528386A-A286-4697-9C9C-47856CCD7F67} - C:\WINDOWS\retnsrp.dll (file missing)
                                                  O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
                                                  O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
                                                  O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
                                                  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
                                                  O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 200
                                                  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
                                                  O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
                                                  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
                                                  O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
                                                  O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
                                                  O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                                                  O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
                                                  O4 - HKCU\..\Run: [My Web Search Community Tools] "C:\Program Files\MyWebSearch\bar\8.bin\m3IMPipe.exe"
                                                  O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                                                  O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
                                                  O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
                                                  O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
                                                  O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
                                                  O4 - Startup: PowerReg Scheduler V3.exe
                                                  O4 - Global Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
                                                  O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
                                                  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                                                  O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
                                                  O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
                                                  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
                                                  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                                                  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                                                  O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
                                                  O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
                                                  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                                  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                                  O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
                                                  O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
                                                  O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
                                                  O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
                                                  O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
                                                  O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
                                                  O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
                                                  O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
                                                  O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
                                                  O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.27.5/ttinst.cab
                                                  O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
                                                  O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
                                                  O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                                                  O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
                                                  O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                                                  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
                                                  O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
                                                  O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
                                                  O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
                                                  O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
                                                  O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe

                                                  --
                                                  End of file - 8367 bytes

                                                  sandryly1


                                                    Re: Please help my interenet explorer is infected
                                                    « Reply #41 on: December 15, 2007, 04:12:35 PM »
                                                    Firewall was off (not recommended)
                                                    I turn it on, is that ok??

                                                    You are a Genious!!

                                                    sandryly1


                                                      Re: Please help my interenet explorer is infected
                                                      « Reply #42 on: December 15, 2007, 04:14:20 PM »
                                                      Sorry :o meant: "GENIUS"

                                                      Broni


                                                      Re: Please help my interenet explorer is infected
                                                      « Reply #43 on: December 15, 2007, 04:29:56 PM »
                                                      I'm not any genius, silly...LOL
                                                      I'll check your HJT log, and you turn your firewall on, FOR NOW.

                                                      sandryly1


                                                        Re: Please help my interenet explorer is infected
                                                        « Reply #44 on: December 15, 2007, 04:40:43 PM »
                                                        I really appreciate you taking the time to help me solve my computer problems.

                                                        The firewall is now on.

                                                        Thank you!!! ;D

                                                        Broni


                                                        Re: Please help my interenet explorer is infected
                                                        « Reply #45 on: December 15, 2007, 04:44:48 PM »
                                                        We're getting close...

                                                        1. Print this post out, since you won't have access to it at some point.

                                                        2. Close all windows, except for HijackThis.

                                                        2a. Go to Start>Control Panel, double-click Add/Remove, and uninstall MyWebSearch and SearchSettings (if present).

                                                        3. Put a checkmark next to the following HijackThis entries:

                                                        - O2 - BHO: (no name) - MRI_DISABLED - (no file)

                                                        - O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

                                                        - O2 - BHO: OFK System - {E2D31F0C-78A4-4713-A7E4-6F4A50525D4B} - C:\WINDOWS\blopenvtrm.dll (file missing)

                                                        - O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll

                                                        - O3 - Toolbar: The retnsrp - {D528386A-A286-4697-9C9C-47856CCD7F67} - C:\WINDOWS\retnsrp.dll (file missing)

                                                        - O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe

                                                        - O4 - HKCU\..\Run: [My Web Search Community Tools] "C:\Program Files\MyWebSearch\bar\8.bin\m3IMPipe.exe"

                                                        - O4 - Startup: PowerReg Scheduler V3.exe

                                                        4. Click on "Fix It" button.

                                                        5. Restart your computer in Safe Mode (keep tapping F8 key, when your computer starts)

                                                        6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to "Show hidden files, and folders".

                                                        7. Delete following files/folders (if present):

                                                        - SearchSettings, and MyWebSearch folders from C:\Program Files

                                                        8. Turn off System Restore:

                                                        - Windows XP:
                                                           1. Click Start.
                                                           2. Right-click the My Computer icon, and then click Properties.
                                                           3. Click the System Restore tab.
                                                           4. Check "Turn off System Restore".
                                                           5. Click Apply.
                                                           6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
                                                           7. Click OK.
                                                        - Windows Vista:
                                                           1. Click Start.
                                                           2. Right-click the Computer icon, and then click Properties.
                                                           3. Click on System Protection under the Tasks column on the left side
                                                           4. Click on Continue on the "User Account Control" window that pops up
                                                           5. Under the System Protection tab, find Available Disks
                                                           6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
                                                           7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
                                                           8. Click OK

                                                        9. Restart in Normal Mode.

                                                        10. Turn System Restore on.

                                                        11. Run HijackThis again, and post its log back here.
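
The post-a-log, fix-checked-entries, post-a-fresh-log cycle used in this thread can be checked mechanically. The following is an added example, not part of the original posts and not part of HijackThis: the sample logs are constructed from entries posted above, and the function names (`parse_entries`, `orphaned`, `verify_fix`) are hypothetical.

```python
import re
from typing import NamedTuple

# "CODE - body" lines (R1, O2, O4 ...), with an optional "- " bullet as used in the checklist.
ENTRY_RE = re.compile(r"^\s*(?:-\s+)?(?P<code>[RFNO]\d{1,2}) - (?P<body>.+?)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


class Entry(NamedTuple):
    code: str   # HijackThis section code, e.g. "O2" (BHO) or "O4" (autorun)
    body: str   # everything after "CODE - "
    clsid: str  # CLSID found in the entry, or "" if there is none

    @property
    def key(self) -> str:
        # Whitespace- and case-insensitive identity used to compare two logs.
        return " ".join(f"{self.code} - {self.body}".split()).casefold()


def parse_entries(text: str) -> list:
    """Extract registry/startup entries; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            clsid = CLSID_RE.search(m["body"])
            entries.append(Entry(m["code"], m["body"], clsid.group(0) if clsid else ""))
    return entries


def orphaned(entries: list) -> list:
    """Entries whose target file is gone: the registration outlived the binary."""
    return [e for e in entries if e.body.endswith(ORPHAN_MARKERS)]


def verify_fix(before: str, after: str, checklist: str) -> dict:
    """Compare a pre-fix and post-fix log against the entries selected for fixing."""
    before_keys = {e.key for e in parse_entries(before)}
    after_by_key = {e.key: e for e in parse_entries(after)}
    checked = parse_entries(checklist)
    return {
        # Selected entries that never appeared in the first log (typo or wrong log).
        "not_in_before": [e for e in checked if e.key not in before_keys],
        # Selected entries that survived the fix and need another look.
        "still_present": [e for e in checked if e.key in after_by_key],
        # Entries that exist only after the fix (something registered itself again).
        "new_in_after": [e for k, e in after_by_key.items() if k not in before_keys],
    }


# Constructed sample: a subset of the log lines posted in Reply #40.
BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: OFK System - {E2D31F0C-78A4-4713-A7E4-6F4A50525D4B} - C:\WINDOWS\blopenvtrm.dll (file missing)
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll
O3 - Toolbar: The retnsrp - {D528386A-A286-4697-9C9C-47856CCD7F67} - C:\WINDOWS\retnsrp.dll (file missing)
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
"""

# Constructed sample: the matching subset of the checklist in Reply #45, bullets included.
CHECKLIST = r"""
- O2 - BHO: (no name) - MRI_DISABLED - (no file)
- O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
- O2 - BHO: OFK System - {E2D31F0C-78A4-4713-A7E4-6F4A50525D4B} - C:\WINDOWS\blopenvtrm.dll (file missing)
- O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll
- O3 - Toolbar: The retnsrp - {D528386A-A286-4697-9C9C-47856CCD7F67} - C:\WINDOWS\retnsrp.dll (file missing)
- O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
"""

# Constructed sample: the matching subset of the fresh log in Reply #46.
AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
"""

if __name__ == "__main__":
    for e in orphaned(parse_entries(BEFORE)):
        print("orphaned:", e.code, e.clsid or "(no CLSID)")
    for name, found in verify_fix(BEFORE, AFTER, CHECKLIST).items():
        print(name, [f"{e.code} - {e.body}" for e in found])
```

An empty `still_present` list only shows that the registrations are gone from the log; the files and folders named in the manual deletion step still have to be checked on disk.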

                                                        sandryly1


                                                          Re: Please help my interenet explorer is infected
                                                          « Reply #46 on: December 15, 2007, 06:37:06 PM »
                                                          OK, here is the log:

                                                          Logfile of Trend Micro HijackThis v2.0.2
                                                          Scan saved at 5:34:34 PM, on 12/15/2007
                                                          Platform: Windows XP SP2 (WinNT 5.01.2600)
                                                          MSIE: Internet Explorer v7.00 (7.00.6000.16574)
                                                          Boot mode: Normal

                                                          Running processes:
                                                          C:\WINDOWS\System32\smss.exe
                                                          C:\WINDOWS\system32\winlogon.exe
                                                          C:\WINDOWS\system32\services.exe
                                                          C:\WINDOWS\system32\lsass.exe
                                                          C:\WINDOWS\system32\Ati2evxx.exe
                                                          C:\WINDOWS\system32\svchost.exe
                                                          C:\WINDOWS\System32\svchost.exe
                                                          C:\WINDOWS\system32\spoolsv.exe
                                                          C:\WINDOWS\system32\Ati2evxx.exe
                                                          C:\WINDOWS\Explorer.EXE
                                                          C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
                                                          C:\WINDOWS\vVX3000.exe
                                                          C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
                                                          C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
                                                          C:\Program Files\Common Files\Real\Update_OB\realsched.exe
                                                          C:\Program Files\iTunes\iTunesHelper.exe
                                                          C:\WINDOWS\system32\ctfmon.exe
                                                          C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                                                          C:\Program Files\CreataCard\Gold\FMRemind.exe
                                                          C:\Program Files\Palm\Hotsync.exe
                                                          C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                                                          C:\WINDOWS\arservice.exe
                                                          C:\WINDOWS\eHome\ehRecvr.exe
                                                          C:\WINDOWS\eHome\ehSched.exe
                                                          C:\Program Files\Common Files\LightScribe\LSSrvc.exe
                                                          C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                                                          C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
                                                          C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
                                                          C:\WINDOWS\system32\svchost.exe
                                                          C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
                                                          C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
                                                          c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
                                                          C:\Program Files\iPod\bin\iPodService.exe
                                                          C:\WINDOWS\system32\dllhost.exe
                                                          C:\WINDOWS\system32\wuauclt.exe
                                                          C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                                                          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
                                                          O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                                                          O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
                                                          O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
                                                          O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
                                                          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
                                                          O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 200
                                                          O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
                                                          O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
                                                          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
                                                          O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
                                                          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                                                          O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
                                                          O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                                                          O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
                                                          O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
                                                          O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
                                                          O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
                                                          O4 - Global Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
                                                          O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
                                                          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                                                          O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
                                                          O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
                                                          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
                                                          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                                                          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                                                          O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
                                                          O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
                                                          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                                          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                                          O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
                                                          O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
                                                          O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
                                                          O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
                                                          O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
                                                          O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
                                                          O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
                                                          O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
                                                          O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
                                                          O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.27.5/ttinst.cab
                                                          O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
                                                          O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
                                                          O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                                                          O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
                                                          O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                                                          O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
                                                          O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
                                                          O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
                                                          O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
                                                          O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
                                                          O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe

                                                          --
                                                          End of file - 7560 bytes

                                                          Broni


                                                          Re: Please help my interenet explorer is infected
                                                          « Reply #47 on: December 15, 2007, 07:51:44 PM »
                                                          Congratulations! Your computer is officially free of any malware 8) 8) 8)

                                                          Now, final steps....

                                                          1. Download and install CCleaner: http://www.ccleaner.com/
                                                          Read the CCleaner instructions here: http://www.jahewi.nl/ccleaner/ccleaner.html, and run CCleaner.

                                                          2. Download free Comodo firewall: http://www.personalfirewall.comodo.com/
                                                          Do not install it, yet.

                                                          3. Disable Windows firewall (you know already how).

                                                          4. Install Comodo.

                                                          5. Download and install the free antimalware a-squared: http://www.emsisoft.com/en/software/free/

                                                          6. Now your computer is clean, and fully protected.

                                                          Happy computing, and Merry Christmas

                                                          sandryly1


                                                            Re: Please help my interenet explorer is infected
                                                            « Reply #48 on: December 15, 2007, 07:57:44 PM »
                                                            I can never thank you enough for your time and help!!!

                                                            MERRY CHRISTMAS!! ;D ;D

                                                            Broni


                                                            Re: Please help my interenet explorer is infected
                                                            « Reply #49 on: December 15, 2007, 08:05:45 PM »
                                                            I can be as nice during off Holiday season, too.....LOL....