malurogo


Posts posted by malurogo

  1. Hi guys,

    Hope this find you all well and free of credit crunch and other woes. Got a problem I'm hoping someone can help me with.

    Both my CD drive and DVD drive display the same message when I left-click on them: "E or F is not accessible, access denied". Strangely enough this only happens on one of the two accounts.

    I recently installed an external hard drive and upgraded from Office 2003 to 2007. Not sure this has anything to do with it.

    Can anyone help please?

    Ta

  2. Marco,

    My turn to apologize for the delay - last week's holiday really put me behind.

    It's possible that since your anti-virus had expired, it wasn't up-to-date with definitions, and downloading a new one gave you more current protection. You definitely had some nasty files that the last round with combofix should have also cleared up.

    How is everything still running? No more popups or anything?

    sari

    Hi Sari,

    Things seem to be a lot better, thank you very much for all your help. You guys do a great job!!

    Take care

    Marco

  3. Marco,

    That was helpful in finding some information. I have a different fix for you to run now.

    Open a new Notepad file, then "Copy/Paste" the text in the Codebox below into it (including the URL up top):

    http://www.besttechie.net/forums/index.php?showtopic=12807

    Collect::
    C:\WINDOWS\system32\tyekjvcbnm.exe

    Suspect::
    C:\WINDOWS\bnetunin.exe
    C:\WINDOWS\diabswun.exe

    File::
    C:\WINDOWS\system32\vcmon.exe

    Folder::
    C:\Program Files\Video Add-on

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B499D34E-58EF-4927-AB9F-7AF52B2C4C82}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "rsy32"=-
    "NapsterShell"=-

    Driver::
    Windows Security Manager

    Save this as CFScript.txt on your Desktop.

    CFScript.gif

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    ComboFix will run.

    Additionally, ComboFix will generate the following files on your Desktop:

    • A zipped file on your desktop called Submit [Date Time].zip
    • And another file named - CF-Submit.htm

    ComboFix may need to reboot to finish its work. Let it.

    When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

    Next, a window will popup prompting you to "Submit Files for further analysis". Click "OK"

    Your system's browser will automatically respond by loading the CF-Submit.htm file and open a window:

    • Click the "Browse" button and locate the Submit [Date Time].zip file on your Desktop.
    • Click on the file to Select it.
    • Submit the file by clicking "OK"

    Once the file has been submitted, you may DELETE both files on your Desktop.

    Post the following reports/logs into your next reply:

    - Combofix.txt

    - A new HijackThis log

    Thanks,

    sari

    Hi Sari,

    Sorry for the delay in replying. I've followed all your instructions and attached both reports you asked for. A funny thing happened: my Antivirus programme expired and on downloading the new one, thus getting rid of the older version, things seem to have got a lot better. My homepage is no longer hijacked. Could it be that the virus was in my antivirus programme?

    Thanks

    Marco

    log.txt

    main.txt

  4. Marco,

    I've had a couple of experts look at this, and we're a little confused as to why it won't run, especially since it did before. I'm going to have you run a different program to see if it cleans anything up and shows us some additional information.

    Download ComboFix from Here to your Desktop.

    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Thanks,

    sari

    Hi Sari,

    Here are the logs you asked for:

    ComboFix 07-11-08.1 - Owner 2007-11-07 17:45:42.1 - NTFSx86

    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.118 [GMT 0:00]

    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

    * Created a new restore point

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    C:\WINDOWS\pack.epk

    c:\WINDOWS\system32\fxgenyl.dat

    c:\windows\system32\fxgenyl.exe

    C:\WINDOWS\system32\fxgenyl_nav.dat

    C:\WINDOWS\system32\fxgenyl_navps.dat

    C:\WINDOWS\system32\nvs2.inf

    C:\WINDOWS\system32\u2g.f

    C:\WINDOWS\system32\winiconmon.ico

    C:\WINDOWS\system32\winiconmon.ico.bak0

    .

    ((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))

    .

    2007-11-07 17:44 51,200 --a------ C:\WINDOWS\NirCmd.exe

    2007-11-05 13:17 <DIR> d-------- C:\Program Files\Navilog1

    2007-10-28 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

    2007-10-25 13:09 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

    2007-10-25 13:09 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

    2007-10-25 13:09 53,248 --a------ C:\WINDOWS\system32\Process.exe

    2007-10-25 13:09 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

    2007-10-25 13:09 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

    2007-10-24 18:14 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

    2007-10-24 18:02 3,942 --a------ C:\WINDOWS\system32\tmp.reg

    2007-10-22 18:50 <DIR> d-------- C:\Deckard

    2007-10-22 18:11 <DIR> d-------- C:\Program Files\Video Add-on

    2007-10-10 09:32 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2007-10-28 19:09 --------- d-----w C:\Program Files\Apple Software Update

    2007-10-24 23:10 --------- d-----w C:\Program Files\QuickTime

    2007-10-24 23:06 --------- d-----w C:\Program Files\iTunes

    2007-10-24 22:57 --------- d-----w C:\Program Files\Ares

    2007-10-24 19:50 --------- d-----w C:\Program Files\Common Files\Adobe

    2007-10-24 07:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM

    2007-10-22 18:53 --------- d-----w C:\Program Files\Trend Micro

    2007-09-28 08:28 --------- d-----w C:\Program Files\DC++

    2007-09-15 19:45 --------- d-----w C:\Program Files\Mordor II

    2007-09-11 16:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent

    2007-09-10 18:25 --------- d-----w C:\Program Files\WildGames

    2007-09-10 16:25 --------- d-----w C:\Program Files\DevastationZoneTroopers_at

    2007-09-10 15:28 --------- d-----w C:\Program Files\The Dark Legions

    2007-09-10 15:27 --------- d-----w C:\Program Files\MrRobot

    2007-09-10 15:26 --------- d-----w C:\Program Files\Crimsonland

    2007-09-10 11:27 86,528 ----a-w C:\WINDOWS\bnetunin.exe

    2007-09-10 11:27 61,440 ----a-w C:\WINDOWS\diabswun.exe

    2007-09-10 10:06 --------- d-----w C:\Program Files\Virtual Villagers

    2007-09-03 15:28 276,480 ----a-w C:\WINDOWS\system32\tyekjvcbnm.exe

    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

    2007-04-16 16:24 25,980,320 ----a-w C:\Program Files\FLV PlayerRCSetup.exe

    2007-04-16 16:24 2,874,926 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe

    2006-12-06 19:52 1,703 ----a-w C:\Program Files\tileb-hx.ide

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B499D34E-58EF-4927-AB9F-7AF52B2C4C82}]

    2007-10-24 17:48 11264 --a------ C:\Program Files\Video Add-on\isfmdl.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

    "{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}"= C:\Program Files\Video Add-on\ictmdl.dll [2007-10-22 18:11 78336]

    [HKEY_CLASSES_ROOT\CLSID\{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

    "{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}"= C:\Program Files\Video Add-on\ictmdl.dll [2007-10-22 18:11 78336]

    [HKEY_CLASSES_ROOT\CLSID\{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-02 13:37]

    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-02 13:19]

    "rsy32"="C:\WINDOWS\System32\rsy32.exe" []

    "LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [2005-07-19 17:32]

    "LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]

    "LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]

    "pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [2006-03-08 13:30]

    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]

    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]

    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 23:14]

    "OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 12:19]

    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32]

    "NapsterShell"="C:\Program Files\Napster\napster.exe" []

    "Picasa Media Detector"="D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe" [2006-12-12 00:36]

    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-04-06 09:17]

    "LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]

    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]

    "ares"="C:\Program Files\Ares\Ares.exe" [2007-05-14 22:37]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

    "Picasa Media Detector"=D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-04-06 09:17:02]

    TalkTalk SNU5630NS 05 Wireless USB Adapter.lnk - C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe [2006-06-09 16:57:50]

    S2 Windows Security Manager;Windows Security Manager;"C:\WINDOWS\system32\vcmon.exe"

    S3 CPTWGU(TalkTalk);TalkTalk SNU5630NS/05 Wireless USB Adapter(TalkTalk);C:\WINDOWS\system32\DRIVERS\CPTWGU.sys

    .

    Contents of the 'Scheduled Tasks' folder

    "2007-11-01 13:03:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

    "2007-11-07 17:37:58 C:\WINDOWS\Tasks\User_Feed_Synchronization-{6144042F-5447-427E-8D14-3D5A94F277F8}.job"

    - C:\WINDOWS\system32\msfeedssync.exe

    .

    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2007-11-08 17:48:41

    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    Completion time: 2007-11-08 17:49:18

    .

    --- E O F ---

    Deckard's System Scanner v20071014.68

    Run by Owner on 2007-11-08 17:50:00

    Computer is in Normal Mode.

    --------------------------------------------------------------------------------

    Total Physical Memory: 510 MiB (512 MiB recommended).

    -- HijackThis (run as Owner.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 17:50:26, on 08/11/2007

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.6000.16544)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\System32\hkcmd.exe

    C:\WINDOWS\System32\LVCOMSX.EXE

    C:\Program Files\Logitech\Video\LogiTray.exe

    C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe

    C:\Program Files\QuickTime\qttask.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

    D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe

    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Messenger\msmsgs.exe

    C:\Program Files\Ares\Ares.exe

    C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe

    C:\Program Files\Logitech\Video\FxSvr2.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

    C:\WINDOWS\System32\svchost.exe

    C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

    C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\WINDOWS\system32\wscntfy.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\WINDOWS\system32\cmd.exe

    C:\WINDOWS\explorer.exe

    C:\WINDOWS\system32\notepad.exe

    C:\Documents and Settings\Owner\Desktop\dss.exe

    C:\WINDOWS\system32\msfeedssync.exe

    D:\NAPO\MYDOCU~1\MYDOWN~1\Owner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll

    O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Video Add-on\ictmdl.dll

    O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

    O4 - HKLM\..\Run: [rsy32] C:\WINDOWS\System32\rsy32.exe

    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE

    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

    O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

    O4 - HKLM\..\Run: [Picasa Media Detector] D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

    O4 - Global Startup: TalkTalk SNU5630NS 05 Wireless USB Adapter.lnk = C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab

    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165445224218

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165447675281

    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://express.foto.com/NewUploader/ImageUploader4.cab

    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab

    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

    O23 - Service: Windows Security Manager - Unknown owner - C:\WINDOWS\system32\vcmon.exe (file missing)

    --

    End of file - 7897 bytes

    -- Files created between 2007-10-08 and 2007-11-08 -----------------------------

    2007-11-05 13:17:38 0 d-------- C:\Program Files\Navilog1

    2007-10-28 19:09:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple

    2007-10-25 13:09:47 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe

    2007-10-25 13:09:47 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >

    2007-10-25 13:09:47 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>

    2007-10-25 13:09:47 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>

    2007-10-25 13:09:47 51200 --a------ C:\WINDOWS\system32\dumphive.exe

    2007-10-24 18:14:00 0 d-------- C:\WINDOWS\system32\ActiveScan

    2007-10-24 18:02:06 3942 --a------ C:\WINDOWS\system32\tmp.reg

    2007-10-24 17:43:31 0 d-------- C:\Documents and Settings\Owner\Application Data\Opera

    2007-10-22 18:11:35 0 d-------- C:\Program Files\Video Add-on

    -- Find3M Report ---------------------------------------------------------------

    2007-10-28 19:09:52 0 d-------- C:\Program Files\Apple Software Update

    2007-10-25 12:29:24 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe

    2007-10-24 23:10:53 0 d-------- C:\Program Files\QuickTime

    2007-10-24 23:06:39 0 d-------- C:\Program Files\Messenger

    2007-10-24 23:06:15 0 d-------- C:\Program Files\iTunes

    2007-10-24 22:57:06 0 d-------- C:\Program Files\Ares

    2007-10-24 19:50:26 0 d-------- C:\Program Files\Common Files\Adobe

    2007-10-24 07:52:45 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM

    2007-10-22 18:53:51 0 d-------- C:\Program Files\Trend Micro

    2007-09-28 08:28:38 0 d-------- C:\Program Files\DC++

    2007-09-15 19:45:00 0 d-------- C:\Program Files\Mordor II

    2007-09-10 18:25:46 0 d-------- C:\Program Files\WildGames

    2007-09-10 16:25:09 0 d-------- C:\Program Files\DevastationZoneTroopers_at

    2007-09-10 15:28:37 0 d-------- C:\Program Files\The Dark Legions

    2007-09-10 15:27:12 0 d-------- C:\Program Files\MrRobot

    2007-09-10 15:26:27 0 d-------- C:\Program Files\Crimsonland

    2007-09-10 11:27:44 61440 --a------ C:\WINDOWS\diabswun.exe

    2007-09-10 11:27:44 86528 --a------ C:\WINDOWS\bnetunin.exe

    2007-09-10 10:06:10 0 d-------- C:\Program Files\Virtual Villagers

    2007-09-03 15:28:00 276480 --a------ C:\WINDOWS\system32\tyekjvcbnm.exe

    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B499D34E-58EF-4927-AB9F-7AF52B2C4C82}]

    24/10/2007 17:48 11264 --a------ C:\Program Files\Video Add-on\isfmdl.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

    "{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}"= C:\Program Files\Video Add-on\ictmdl.dll [22/10/2007 18:11 78336]

    [-HKEY_CLASSES_ROOT\CLSID\{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [02/10/2003 13:37]

    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [02/10/2003 13:19]

    "rsy32"="C:\WINDOWS\System32\rsy32.exe" []

    "LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [19/07/2005 17:32]

    "LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [08/06/2005 15:24]

    "LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [08/06/2005 15:14]

    "pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [08/03/2006 13:30]

    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [25/10/2006 18:58]

    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/10/2006 09:36]

    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [29/09/2003 23:14]

    "OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [21/03/2006 12:19]

    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 21:32]

    "NapsterShell"="C:\Program Files\Napster\napster.exe" []

    "Picasa Media Detector"="D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe" [12/12/2006 00:36]

    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 18:51]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [06/04/2007 09:17]

    "LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [08/06/2005 14:44]

    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:56]

    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 16:24]

    "ares"="C:\Program Files\Ares\Ares.exe" [14/05/2007 22:37]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

    "Picasa Media Detector"=D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\

    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [16/03/2005 18:16:50]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [06/04/2007 09:17:02]

    TalkTalk SNU5630NS 05 Wireless USB Adapter.lnk - C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe [09/06/2006 16:57:50]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]

    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

    @="Volume shadow copy"

    -- End of Deckard's System Scanner: finished at 2007-11-08 17:50:52 ------------

  5. Marco,

    I have a couple of things for you to do.

    Please download Navilog1 by IL-MAFIOSO:

    http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip

    * Extract its contents to the desktop.

    * Double click on navilog1.exe to install it on your computer.

    * When the installation is complete, the tool will start automatically.

    * If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.

    * Press E for English from the language Menu.

    * Type 1 in the next Menu to select Search and press Enter.

    * Wait for the Scan to finish (It may take a reasonable amount of time)

    * Press any key as requested.

    * A new document will be produced: fixnavi.txt.

    * Please copy/paste the contents of this report in your next reply.

    The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt)

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%

    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.

    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

    Now, it may be that the Activescan deleted part of your Combofix. Please download it again, then follow the directions below:

    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following:

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Please include the fixnavi.txt, the sdfix log, the smitfraudfix log, and a new hijackthis log in your reply.

    thanks,

    sari

    Hi Sari,

    Thanks very much for your patient help. Bad news I'm afraid. I've got the same problem as when I tried to run Smitfraudfix in Safe Mode: I can't do it. When I type Y to run the program nothing happens, the cursor freezes so I can't move it, and my only alternative, as far as I can see, is to reboot the computer.

    Another thing that may be relevant: every time I log on to my account the following message appears: "TmPfw has encountered a problem and needs to close. We are sorry for the inconvenience." This message didn't appear before the virus infected my PC.

    Thanks again

    Marco

  6. Marco,

    I just re-read my instructions and realized they're outdated. Smitfraudfix is an executable file - you should just be able to double-click on the icon to run it. Then you get a message about joedanger not being involved with the program, and are asked to press any key to continue. Is that what happens? What do you mean by your computer gets blocked?

    sari

    Yes, that's what happens. I've tried again, clicking on the SmitfraudFix icon directly; I press any key and the program doesn't run, it gets stuck. I can't move the cursor or do anything, so I have to manually switch off the computer.

    Marco

  7. Marco,

    You had a new variant of SmitFraud that the tool didn't get. I notified the developer and he updated it last night. I'd like you to delete your current version of SmitfraudFix.

    Please download SmitfraudFix (by S!Ri) to your Desktop.

    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following:

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Thanks,

    sari

    Hi Sari,

    Following your instructions I've installed the newest version of SmitfraudFix and tried to run it in Safe Mode, but I can't do it.

    When I click on smitfraudfix.cmd a new window opens where it prompts me to press a key; I do this and the computer gets blocked. I can only turn it off and restart again, and the same thing happens time and time again.

    Another thing: this virus has also hijacked my antivirus program, which I cannot access.

    Thanks

    Marco

  8. Marco,

    Hi, and welcome to Besttechie.net. You have a few problems in your log, so let's get you cleaned up.

    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following:

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Please go HERE to run Panda's ActiveScan - you must use Internet Explorer for this to work.

    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • If it wants to install an ActiveX component allow it
    • Select either Home User or Company
    • Click the big Scan Now button
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

    Please post the rapport.txt, the ActiveScan report, and a new HijackThis log in your reply.

    Thanks,

    sari

    Hi Sari and thanks for your help.

    I have got rid of those two buggers, but my homepage remains hijacked by this website: http://asecurityassurance.com/ . I've tried to change it to my usual one using Internet Options, but it will not allow me to do so. Another problem I have is that whenever I try to access PDF-type web pages my browser closes automatically.

    These are the reports you requested:

    SmitFraudFix v2.240

    Scan done at 19:02:00.67, 24/10/2007

    Run from C:\Documents and Settings\Yoly\Desktop\SmitfraudFix

    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

    The filesystem type is NTFS

    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri

    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

    "{ab75cc7d-2751-4144-a278-5462d5a5884c}"="bokard"

    [HKEY_CLASSES_ROOT\CLSID\{ab75cc7d-2751-4144-a278-5462d5a5884c}\InProcServer32]

    @="C:\WINDOWS\system32\dfrep.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ab75cc7d-2751-4144-a278-5462d5a5884c}\InProcServer32]

    @="C:\WINDOWS\system32\dfrep.dll"

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process

    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINDOWS\system32\dfrep.dll -> Hoax.Win32.Renos.gen.o

    C:\WINDOWS\system32\dfrep.dll -> Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{A51BBA3E-D43B-44A6-803E-41CF8BF6D43F}: DhcpNameServer=192.168.2.1

    HKLM\SYSTEM\CS1\Services\Tcpip\..\{A51BBA3E-D43B-44A6-803E-41CF8BF6D43F}: DhcpNameServer=192.168.2.1

    HKLM\SYSTEM\CS3\Services\Tcpip\..\{A51BBA3E-D43B-44A6-803E-41CF8BF6D43F}: DhcpNameServer=192.168.2.1

    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1

    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1

    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

    "System"=""

    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri

    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» End

    Incident Status Location

    Adware:Adware/VideoAddon Not disinfected C:\Program Files\Video Add-on\isfmdl.dll

    Spyware:spyware/web3000 Not disinfected c:\windows\hh.ico

    Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44cf-8957-5838F569A31D}

    Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d}

    Potentially unwanted tool:Application/InternetGameBox Not disinfected C:\Deckard\System Scanner\20071024184951\backup\WINDOWS\temp\NSIS_Install_igb.exe

    Potentially unwanted tool:Application/SpywareSecure Not disinfected C:\Deckard\System Scanner\20071024184951\backup\WINDOWS\temp\NSIS_SpywareSecure_trial_setup.exe

    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Guest\Cookies\guest@xiti[1].txt

    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.112.2o7.net/]

    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.2o7.net/]

    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.adultfriendfinder.com/]

    Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.bravenet.com/]

    Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.cs.sexcounter.com/]

    Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.paycounter.com/]

    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.questionmarket.com/]

    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.serving-sys.com/]

    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.tribalfusion.com/]

    Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[.weborama.fr/]

    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[ad.yieldmanager.com/]

    Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejlx71rq.default\cookies.txt[www.web-stat.com/]

    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@247realmedia[1].txt

    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt

    Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

    Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adtech[1].txt

    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adultfriendfinder[2].txt

    Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

    Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Owner\Cookies\owner@did-it[1].txt

    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\owner@overture[1].txt

    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Cookies\owner@serving-sys[2].txt

    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Owner\Cookies\owner@toplist[1].txt

    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt

    Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Owner\Cookies\owner@xiti[1].txt

    Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\Owner\Cookies\owner@xxxcounter[1].txt

    Potentially unwanted tool:Application/Pskill.A Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\pskill.exe

    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.doubleclick.net/]

    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.atdmt.com/]

    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.2o7.net/]

    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.serving-sys.com/]

    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.adrevolver.com/]

    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.advertising.com/]

    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.questionmarket.com/]

    Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[statse.webtrendslive.com/]

    Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[hc2.humanclick.com/]

    Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[hc2.humanclick.com/hc/87506651]

    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.casalemedia.com/]

    Spyware:Cookie/Bilbo.counted Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[bilbo.counted.com/]

    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.casalemedia.com/]

    Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.tradedoubler.com/]

    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.mediaplex.com/]

    Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.bluestreak.com/]

    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.perf.overture.com/]

    Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.adviva.net/]

    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.statcounter.com/]

    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.zedo.com/]

    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Yoly\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\cookies.txt[.statcounter.com/]

    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@2o7[2].txt

    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@adrevolver[1].txt

    Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@adtech[1].txt

    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@advertising[1].txt

    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@atdmt[2].txt

    Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@bluestreak[1].txt

    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][2].txt

    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@burstnet[2].txt

    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@casalemedia[2].txt

    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@doubleclick[1].txt

    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@fastclick[2].txt

    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@go[2].txt

    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][3].txt

    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@mediaplex[1].txt

    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@questionmarket[2].txt

    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@realmedia[2].txt

    Spyware:Cookie/Research-int Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@research-int[1].txt

    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][1].txt

    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@serving-sys[1].txt

    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@statcounter[2].txt

    Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Yoly\Cookies\[email protected][2].txt

    Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@tradedoubler[1].txt

    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@tribalfusion[1].txt

    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Yoly\Cookies\yoly@xiti[1].txt

    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Yoly\Desktop\SmitfraudFix\Process.exe

    Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Yoly\Desktop\SmitfraudFix\Reboot.exe

    Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Yoly\Desktop\SmitfraudFix\restart.exe

    Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Yoly\Desktop\SmitfraudFix.exe

    Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\Yoly\Local Settings\Application Data\Mozilla\Firefox\Profiles\35nojpbr.default\Cache\51F1B901d01

    Potentially unwanted tool:Application/SpywareSecure Not disinfected C:\Documents and Settings\Yoly\My Documents\My Videos\SpywareSecure_trial_setup.exe

    Adware:Adware/PC-Prot Not disinfected C:\Program Files\Video Add-on\ictun.exe

    Adware:Adware/VideoAddon Not disinfected C:\Program Files\Video Add-on\isfmm.exe

    Adware:Adware/VideoAddon Not disinfected C:\Program Files\Video Add-on\isfmntr.exe

    Adware:Adware/Trymedia Not disinfected C:\RECYCLER\S-1-5-21-1060284298-602162358-839522115-1003\Dc143.exe

    Adware:Adware/Trymedia Not disinfected C:\RECYCLER\S-1-5-21-1060284298-602162358-839522115-1003\Dc145.exe

    Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

    Potentially unwanted tool:Application/Processor Not disinfected D:\NAPO\my documents\My Downloads\smitRem\Process.exe

    Potentially unwanted tool:Application/Processor Not disinfected D:\NAPO\my documents\My Downloads\smitRem.exe[smitRem/Process.exe]

    Virus:Trj/Downloader.FA Not disinfected D:\NAPO\my documents\Screensavers\Dolphins-Screensaver-v311.exe[aud-cnet9.exe]

    Virus:Trj/Downloader.EF Not disinfected D:\NAPO\my documents\Screensavers\Dolphins-Screensaver-v311.exe[augscrsvr.exe]

    Spyware:Spyware/Systemcheck Not disinfected D:\NAPO\my documents\Screensavers\Dolphins-Screensaver-v311.exe[dolphinschk.exe]

    Potentially unwanted tool:Application/MyWay Not disinfected D:\NAPO\my documents\Screensavers\ocean.EXE

    Adware:Adware/Exact.SearchBar Not disinfected D:\NAPO\my documents\Screensavers\Real-3D-Matrix.exe[data\App\4\exact.exe]

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 13:14:44, on 25/10/2007

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.6000.16544)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\System32\hkcmd.exe

    C:\WINDOWS\System32\LVCOMSX.EXE

    C:\Program Files\Logitech\Video\LogiTray.exe

    C:\Program Files\QuickTime\qttask.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

    D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe

    C:\Program Files\Logitech\Video\FxSvr2.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

    C:\PROGRA~1\MESSEN~1\msmsgs.exe

    C:\Program Files\Ares\Ares.exe

    C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

    C:\WINDOWS\System32\svchost.exe

    C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

    C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\NOTEPAD.EXE

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll

    O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Video Add-on\ictmdl.dll

    O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

    O4 - HKLM\..\Run: [rsy32] C:\WINDOWS\System32\rsy32.exe

    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE

    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

    O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

    O4 - HKLM\..\Run: [Picasa Media Detector] D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

    O4 - HKCU\..\Run: [FT Desktop news alerts] "C:\Program Files\FT Desktop news alerts\FTDesktopnewsalerts.exe"

    O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background

    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

    O4 - HKCU\..\Run: [CrawlerMail] c:\progra~1\inbox\cmail.exe /startup

    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

    O4 - Global Startup: TalkTalk SNU5630NS 05 Wireless USB Adapter.lnk = C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe

    O8 - Extra context menu item: Download Image with Download Manager - tbr:iemenudownload

    O8 - Extra context menu item: Download URL in selection with Download Manager - tbr:iemenudownsel

    O8 - Extra context menu item: Download URL with Download Manager - tbr:iemenudownload

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Inbox Search - tbr:iemenu

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab

    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165445224218

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165447675281

    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://express.foto.com/NewUploader/ImageUploader4.cab

    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab

    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

    O23 - Service: Windows Security Manager - Unknown owner - C:\WINDOWS\system32\vcmon.exe (file missing)

    --

    End of file - 8227 bytes
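As an added illustration (not code from this thread, nor from HijackThis or SmitfraudFix), a small Python triage helper that parses the HijackThis entry types seen in the log above and flags the traits a log reviewer checks first: targets marked "(file missing)" or "(no file)", targets under a folder the reviewer names as suspicious (here the "Video Add-on" folder from this log), and O23 services with an unknown owner. The sample lines are copied from the log above; the folder list, rule wording and function names are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Regexes for the HijackThis entry types this helper understands. Each one
# captures the display name, the CLSID where the entry type carries one, and
# the target path that the reviewer cross-references against the filesystem.
_PATTERNS = {
    "R3": re.compile(r"^R3 - URLSearchHook: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$"),
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<where>.*?): \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$"),
}

# Markers HijackThis appends when the registered target no longer exists on disk.
MISSING_MARKERS = ("(file missing)", "(no file)")

# Assumed reviewer input: folders whose contents are considered suspect for this
# log (the thread above identifies the "Video Add-on" folder as the adware).
SUSPICIOUS_DIRS = ("\\Program Files\\Video Add-on\\",)


@dataclass
class Entry:
    kind: str
    name: str
    path: str
    clsid: str = ""
    owner: str = ""
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for a recognised HijackThis line, else None."""
    line = line.strip()
    kind = line.split(" ", 1)[0]
    pattern = _PATTERNS.get(kind)
    if pattern is None:
        return None
    m = pattern.match(line)
    if m is None:
        return None  # e.g. "O4 - Global Startup:" lines carry no [name] bracket
    g = m.groupdict()
    return Entry(kind=kind, name=g["name"], path=g["path"],
                 clsid=g.get("clsid", ""), owner=g.get("owner", ""))


def review(entry, suspicious_dirs):
    """Apply the reviewer's rules and return the list of reasons that fired."""
    reasons = []
    low = entry.path.lower()
    if any(marker in low for marker in MISSING_MARKERS):
        reasons.append("target file missing")  # orphaned registration left behind
    for d in suspicious_dirs:
        if d.lower() in low:
            reasons.append(f"target under {d}")
    if entry.kind == "O23" and entry.owner.lower() == "unknown owner":
        reasons.append("service with unknown owner")
    return reasons


def triage(log_text, suspicious_dirs=SUSPICIOUS_DIRS):
    """Parse a HijackThis log and return only the entries that raised a reason."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        entry.reasons = review(entry, suspicious_dirs)
        if entry.reasons:
            findings.append(entry)
    return findings


def clsids_for_review(findings):
    """CLSIDs of flagged COM entries, i.e. the registry keys to inspect next."""
    return {e.clsid for e in findings if e.clsid}


# Sample input: a subset of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll
O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Video Add-on\ictmdl.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Windows Security Manager - Unknown owner - C:\WINDOWS\system32\vcmon.exe (file missing)
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:>3} {e.name!r:30} {e.path}  <- {'; '.join(e.reasons)}")
    print("CLSIDs to inspect:", sorted(clsids_for_review(triage(SAMPLE_LOG))))
```

Note that a "(no name)" BHO on its own is not treated as a finding: the Spybot SDHelper.dll entry in the same log is legitimate and is left unflagged, so the name rule is deliberately not part of the rule set.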

  9. I have inadvertently installed what was supposed to be a simple movie add-on and my home page has been hijacked.

    On the Add or Remove Programs screen these two appear: IE Custom Tools, IE Safety Features, and I can't remove them.

    Can anybody please help?

    These are the HijackThis reports:

    Deckard's System Scanner v20071014.68

    Run by Yoly on 2007-10-22 19:50:42

    Computer is in Normal Mode.

    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.

    -- Last 5 Restore Point(s) --

    70: 2007-10-22 18:50:53 UTC - RP296 - Deckard's System Scanner Restore Point

    69: 2007-10-22 09:43:02 UTC - RP295 - System Checkpoint

    68: 2007-10-20 22:34:39 UTC - RP294 - System Checkpoint

    67: 2007-10-19 21:20:43 UTC - RP293 - System Checkpoint

    66: 2007-10-18 21:07:23 UTC - RP292 - System Checkpoint

    -- First Restore Point --

    1: 2007-08-02 18:12:49 UTC - RP227 - System Checkpoint

    Backed up registry hives.

    Performed disk cleanup.

    Total Physical Memory: 510 MiB (512 MiB recommended).

    -- HijackThis (run as Yoly.exe) ------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 19:54:03, on 22/10/2007

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.6000.16544)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Video Add-on\isfmntr.exe

    C:\WINDOWS\System32\hkcmd.exe

    C:\WINDOWS\System32\LVCOMSX.EXE

    C:\Program Files\Logitech\Video\LogiTray.exe

    C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe

    C:\Program Files\QuickTime\qttask.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

    D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

    C:\PROGRA~1\MESSEN~1\msmsgs.exe

    C:\Program Files\Ares\Ares.exe

    C:\Program Files\Video Add-on\isfmm.exe

    C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe

    C:\Program Files\Logitech\Video\FxSvr2.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

    C:\WINDOWS\System32\svchost.exe

    C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

    C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

    C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Documents and Settings\Yoly\Desktop\dss.exe

    C:\PROGRA~1\TRENDM~1\HIJACK~1\Yoly.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll

    O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Video Add-on\ictmdl.dll

    O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

    O4 - HKLM\..\Run: [rsy32] C:\WINDOWS\System32\rsy32.exe

    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE

    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

    O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

    O4 - HKLM\..\Run: [xvgmujwqp] c:\windows\system32\xvgmujwqp.exe xvgmujwqp

    O4 - HKLM\..\Run: [Picasa Media Detector] D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe

    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

    O4 - HKCU\..\Run: [FT Desktop news alerts] "C:\Program Files\FT Desktop news alerts\FTDesktopnewsalerts.exe"

    O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background

    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

    O4 - HKCU\..\Run: [CrawlerMail] c:\progra~1\inbox\cmail.exe /startup

    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

    O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe

    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

    O4 - Global Startup: TalkTalk SNU5630NS 05 Wireless USB Adapter.lnk = C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe

    O8 - Extra context menu item: Download Image with Download Manager - tbr:iemenudownload

    O8 - Extra context menu item: Download URL in selection with Download Manager - tbr:iemenudownsel

    O8 - Extra context menu item: Download URL with Download Manager - tbr:iemenudownload

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Inbox Search - tbr:iemenu

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab

    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165445224218

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165447675281

    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://express.foto.com/NewUploader/ImageUploader4.cab

    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab

    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

    O22 - SharedTaskScheduler: bokard - {ab75cc7d-2751-4144-a278-5462d5a5884c} - C:\WINDOWS\system32\dfrep.dll

    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

    O23 - Service: Windows Security Manager - Unknown owner - C:\WINDOWS\system32\vcmon.exe (file missing)

    --

    End of file - 8932 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.

    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

    R1 StarOpen - c:\windows\system32\drivers\staropen.sys

    R1 tmtdi (Trend Micro TDI Driver) - c:\windows\system32\drivers\tmtdi.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 2.0>

    R2 tm_cfw (Common Firewall Driver) - c:\windows\system32\drivers\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 2.0>

    R2 ZDPSp50 (ZDPSp50 NDIS Protocol Driver) - c:\windows\system32\drivers\zdpsp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

    S3 XTrapD12 - c:\windows\system32\xtrapd12.sys (file missing)

    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 PcCtlCom (Trend Micro Central Control Component) - c:\progra~1\trendm~1\intern~2\pcctlcom.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>

    R2 Tmntsrv (Trend Micro Real-time Service) - c:\progra~1\trendm~1\intern~2\tmntsrv.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>

    R2 TmPfw (Trend Micro Personal Firewall) - c:\progra~1\trendm~1\intern~2\tmpfw.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 2.0>

    R2 tmproxy (Trend Micro Proxy Service) - c:\progra~1\trendm~1\intern~2\tmproxy.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 2.0>

    S2 Windows Security Manager - "c:\windows\system32\vcmon.exe" (file missing)

    S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>

    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

    Description: PCI Modem

    Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&3B1CAF2B&0&28F0

    Manufacturer:

    Name: PCI Modem

    PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&3B1CAF2B&0&28F0

    Service:

    -- Scheduled Tasks -------------------------------------------------------------

    2007-10-22 10:15:47 422 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{6144042F-5447-427E-8D14-3D5A94F277F8}.job

    2007-10-21 17:57:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

    -- Files created between 2007-09-22 and 2007-10-22 -----------------------------

    2007-10-22 19:11:35 0 d-------- C:\Program Files\Video Add-on

    -- Find3M Report ---------------------------------------------------------------

    2007-10-22 19:53:51 0 d-------- C:\Program Files\Trend Micro

    2007-10-20 21:47:48 12800 --a-s---- C:\WINDOWS\system32\dfrep.dll

    2007-09-28 09:28:38 0 d-------- C:\Program Files\DC++

    2007-09-15 20:45:00 0 d-------- C:\Program Files\Mordor II

    2007-09-10 19:25:46 0 d-------- C:\Program Files\WildGames

    2007-09-10 17:25:09 0 d-------- C:\Program Files\DevastationZoneTroopers_at

    2007-09-10 16:28:37 0 d-------- C:\Program Files\The Dark Legions

    2007-09-10 16:27:12 0 d-------- C:\Program Files\MrRobot

    2007-09-10 16:26:27 0 d-------- C:\Program Files\Crimsonland

    2007-09-10 12:27:44 61440 --a------ C:\WINDOWS\diabswun.exe

    2007-09-10 12:27:44 86528 --a------ C:\WINDOWS\bnetunin.exe

    2007-09-10 11:06:10 0 d-------- C:\Program Files\Virtual Villagers

    2007-09-04 17:42:14 0 d-------- C:\Program Files\Takatis - A Tribute To Manfred Trenz

    2007-09-03 16:28:00 276480 --a------ C:\WINDOWS\system32\tyekjvcbnm.exe

    2007-09-02 11:40:48 0 d-------- C:\Program Files\MathType

    2007-08-31 23:42:34 0 d-------- C:\Program Files\Realore

    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B499D34E-58EF-4927-AB9F-7AF52B2C4C82}]

    22/10/2007 19:40 11264 --a------ C:\Program Files\Video Add-on\isfmdl.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [02/10/2003 14:37]

    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [02/10/2003 14:19]

    "rsy32"="C:\WINDOWS\System32\rsy32.exe" []

    "LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [19/07/2005 18:32]

    "LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [08/06/2005 16:24]

    "LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [08/06/2005 16:14]

    "pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [08/03/2006 14:30]

    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [25/10/2006 19:58]

    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/10/2006 10:36]

    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [30/09/2003 00:14]

    "OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [21/03/2006 13:19]

    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 22:32]

    "NapsterShell"="C:\Program Files\Napster\napster.exe" []

    "xvgmujwqp"="c:\windows\system32\xvgmujwqp.exe" [10/09/2007 09:07]

    "Picasa Media Detector"="D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe" [12/12/2006 01:36]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 01:56]

    "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [06/04/2007 10:17]

    "FT Desktop news alerts"="C:\Program Files\FT Desktop news alerts\FTDesktopnewsalerts.exe" []

    "MSMSGS"="C:\PROGRA~1\MESSEN~1\msmsgs.exe" [13/10/2004 17:24]

    "RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" []

    "CrawlerMail"="c:\progra~1\inbox\cmail.exe" []

    "ares"="C:\Program Files\Ares\Ares.exe" [14/05/2007 23:37]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

    "Picasa Media Detector"=D:\new\my documents\My Downloads\Picasa2\PicasaMediaDetector.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 23:05:26]

    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [06/04/2007 10:17:02]

    TalkTalk SNU5630NS 05 Wireless USB Adapter.lnk - C:\Program Files\TalkTalk\TalkTalk SNU5630NS 05 Wireless USB Adapter Utility\TTUSBBGMonitor.exe [09/06/2006 17:57:50]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

    "start"=C:\Program Files\Video Add-on\isfmntr.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

    "{ab75cc7d-2751-4144-a278-5462d5a5884c}"= C:\WINDOWS\system32\dfrep.dll [20/10/2007 21:47 12800]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]

    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

    @="Volume shadow copy"

    -- End of Deckard's System Scanner: finished at 2007-10-22 19:54:50 ------------

    Deckard's System Scanner v20071014.68

    Extra logfile - please post this as an attachment with your post.

    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Home Edition (build 2600) SP 2.0

    Architecture: X86; Language: English

    CPU 0: Intel® Pentium® 4 CPU 3.06GHz

    Percentage of Memory in Use: 65%

    Physical Memory (total/avail): 510 MiB / 176.55 MiB

    Pagefile Memory (total/avail): 1248.8 MiB / 851.99 MiB

    Virtual Memory (total/avail): 2047.88 MiB / 1915.99 MiB

    A: is Removable (No Media)

    C: is Fixed (NTFS) - 50.85 GiB total, 8.07 GiB free.

    D: is Fixed (NTFS) - 23.66 GiB total, 5.7 GiB free.

    E: is CDROM (CDFS)

    \\.\PHYSICALDRIVE0 - ST380011A - 74.5 GiB - 2 partitions

    \PARTITION0 (bootable) - Installable File System - 50.85 GiB - C:

    \PARTITION1 - Extended w/Extended Int 13 - 23.66 GiB - D:

    -- Security Center -------------------------------------------------------------

    AUOptions is scheduled to auto-install.

    Windows Internal Firewall is enabled.

    FW: Trend Micro PC-cillin Internet Security (Firewall) v14 (Trend Micro, Inc.)

    AV: Trend Micro PC-cillin Internet Security 2006 v14.10.1041 (Trend Micro, Inc.)

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

    "C:\\Program Files\\Minions of Mirth\\bin\\MinionsOfMirth.exe"="C:\\Program Files\\Minions of Mirth\\bin\\MinionsOfMirth.exe:*:Enabled:MinionsOfMirth"

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

    "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

    "C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Disabled:BitComet - a BitTorrent Client"

    "C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"

    "C:\\Program Files\\Yahoo! Games\\Alien Shooter\\AlienShooter.exe"="C:\\Program Files\\Yahoo! Games\\Alien Shooter\\AlienShooter.exe:*:Disabled:AlienShooter Application"

    "C:\\Program Files\\Yahoo! Games\\Blackhawk Striker 2\\Blackhawk2.exe"="C:\\Program Files\\Yahoo! Games\\Blackhawk Striker 2\\Blackhawk2.exe:*:Enabled:Black Hawk Striker 2"

    "C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"

    "C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"

    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

    "C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Rar$EX01.594\\emule.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Rar$EX01.594\\emule.exe:*:Enabled:eMule"

    "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

    "C:\\Program Files\\Minions of Mirth\\bin\\MinionsOfMirth.exe"="C:\\Program Files\\Minions of Mirth\\bin\\MinionsOfMirth.exe:*:Enabled:MinionsOfMirth"

    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users

    APPDATA=C:\Documents and Settings\Yoly\Application Data

    CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip

    CLIENTNAME=Console

    CommonProgramFiles=C:\Program Files\Common Files

    COMPUTERNAME=MARCO

    ComSpec=C:\WINDOWS\system32\cmd.exe

    FP_NO_HOST_CHECK=NO

    HOMEDRIVE=C:

    HOMEPATH=\Documents and Settings\Yoly

    LOGONSERVER=\\MARCO

    NUMBER_OF_PROCESSORS=1

    OS=Windows_NT

    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\Samsung\Samsung PC Studio 3\

    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

    PROCESSOR_ARCHITECTURE=x86

    PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel

    PROCESSOR_LEVEL=15

    PROCESSOR_REVISION=0209

    ProgramFiles=C:\Program Files

    PROMPT=$P$G

    QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip

    SESSIONNAME=Console

    SystemDrive=C:

    SystemRoot=C:\WINDOWS

    TEMP=C:\DOCUME~1\Yoly\LOCALS~1\Temp

    TMP=C:\DOCUME~1\Yoly\LOCALS~1\Temp

    USERDOMAIN=MARCO

    USERNAME=Yoly

    USERPROFILE=C:\Documents and Settings\Yoly

    windir=C:\WINDOWS

    -- User Profiles ---------------------------------------------------------------

    Owner (admin)

    Yoly (admin)

    Guest (guest)

    -- Add/Remove Programs ---------------------------------------------------------

    --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER

    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

    Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG

    Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}

    Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}

    Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete

    Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}

    Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}

    Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}

    Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log

    Adobe Stock Photos 1.0 --> MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}

    Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}

    Ares 2.0.9 --> "C:\Program Files\Ares\uninstall.exe"

    AVIcodec (remove only) --> "C:\Program Files\AVIcodec\uninst.exe"

    Broadcom 440x 10/100 Integrated Controller --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033

    Caesar 3 --> C:\WINDOWS\IsUninst.exe -fC:\SIERRA\Caesar3\Uninst.isu

    Canon MP Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58F8C6D9-5B55-486A-A322-4E8D87670031}\Setup.exe" -l0x9 -Uninstall

    Canon MP Navigator 3.0 --> "C:\Program Files\Canon\MP Navigator 3.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator 3.0\uninst.ini

    Canon MP Toolbox 4.1.1.0.mp10 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4669544E-20E4-4E56-8B44-2E6E1200051F}\Setup.exe" -l0x9 -Uninstall

    Canon MP160 --> "C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160 /L0x0009

    Canon MP160 User Registration --> C:\Program Files\Canon\IJEREG\MP160\UNINST.EXE

    Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini

    Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"

    DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC

    DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER

    DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER

    DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER

    DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN

    eMule --> "C:\Program Files\eMule\Uninstall.exe"

    Encyclopaedia Britannica Deluxe Edition 2004 CD-ROM --> "C:\Program Files\Britannica 2004\Encyclopaedia Britannica 2004 Deluxe Edition\UninstallerData\Uninstall Encyclopaedia Britannica 2004 Deluxe Edition.exe"

    FATE --> "C:\Program Files\WildGames\FATE\Uninstall.exe"

    FinePixViewer Ver.4.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{24ED4D80-8294-11D5-96CD-0040266301AD}\SETUP.EXE"

    FUJIFILM USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\SETUP.EXE"

    Google Earth --> MsiExec.exe /I{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}

    Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"

    IE Custom Tools --> "C:\Program Files\Video Add-on\ictun.exe"

    IE Safety Features --> "C:\Program Files\Video Add-on\isfun.exe"

    Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562

    iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}

    Libros en pantalla de Microsoft SQL Server 2005 (español) (abril de 2006) --> MsiExec.exe /I{3E40C7A9-027C-4906-98AC-71AD0E84F143}

    Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\Setup.exe" -l0x9 UNINSTALL

    Logitech Print Service --> C:\PROGRA~1\Logitech\PRINTS~1\UNWISE.EXE C:\PROGRA~1\Logitech\PRINTS~1\INSTALL.LOG

    Logitech QuickCam Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C43048A9-742C-4DAD-90D2-E3B53C9DB825}\setup.exe" -l0x9

    Logitech® Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT

    Macromedia Flash Player 8 --> MsiExec.exe /X{5E8A1B08-0FBD-4543-9646-F2C2D0D05750}

    MathType 5 --> "C:\Program Files\MathType\Setup.exe" -R

    Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"

    Microsoft Money 2005 --> C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:120

    Microsoft Office Basic Edition 2003 --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}

    Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}

    Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"

    nFLVPlayer --> "C:\Program Files\zeraha.org\nFLVPlayer\unins000.exe"

    PHStat2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8928A887-1321-11D6-A1EC-C98533E76960}

    Picasa 2 --> "D:\new\my documents\My Downloads\Picasa2\Uninstall.exe"

    QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}

    SAMSUNG CDMA Modem Driver Set --> C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe

    SAMSUNG Mobile Composite Device Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\6\SSBCUninstall.exe

    Samsung Mobile phone USB driver Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe

    SAMSUNG Mobile USB Modem 1.0 Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe

    SAMSUNG Mobile USB Modem Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe

    Samsung PC Studio 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -l0x9 -removeonly

    ScanSoft OmniPage SE 4.0 --> MsiExec.exe /I{29D851C2-048C-4B5E-8D1F-25D473342BB5}

    Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}

    Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}

    Sierra Utilities --> .\sutil32.exe uninstall

    Skype 2.5 --> "C:\Program Files\Skype\Phone\unins000.exe"

    Sony Ericsson PC Suite --> MsiExec.exe /I{C037D08B-4883-491D-9329-DC5ACA90F797}

    SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"

    Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"

    Takatis - A Tribute To Manfred Trenz --> "C:\Program Files\Takatis - A Tribute To Manfred Trenz\Uninstall Takatis - A Tribute To Manfred Trenz.exe"

    TalkTalk SNU5630NS/05 Wireless USB Adapter --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4622F6EA-5EB3-49A9-AE31-4A960B85F46A}

    Trend Micro PC-cillin Internet Security 2006 --> MsiExec.exe /X{EA8C73AA-3D75-44C9-87A2-8E945FC5FEE6}

    Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"

    Windows Safety Alert --> C:\Documents and Settings\Owner\Local Settings\Temp\laf1.exe /del

    WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe

    Xenon 2000 - Project PCF --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{93EE3C83-725F-4EA4-891A-CD6B019FCDC1}\Setup.exe"

    -- Application Event Log -------------------------------------------------------

    Event Record #/Type3690 / Warning

    Event Submitted/Written: 10/22/2007 07:40:55 PM

    Event ID/Source: 32068 / Microsoft Fax

    Event Description:

    The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.

    Country/region code: '*'

    Area code: '*'

    Event Record #/Type3689 / Warning

    Event Submitted/Written: 10/22/2007 07:40:55 PM

    Event ID/Source: 32026 / Microsoft Fax

    Event Description:

    Fax Service failed to initialize any assigned fax devices (virtual or TAPI).

    No faxes can be sent or received until a fax device is installed.

    Event Record #/Type3685 / Error

    Event Submitted/Written: 10/22/2007 07:39:41 PM

    Event ID/Source: 4609 / EventSystem

    Event Description:

    The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

    Event Record #/Type3684 / Error

    Event Submitted/Written: 10/22/2007 07:39:40 PM

    Event ID/Source: 4609 / EventSystem

    Event Description:

    The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

    Event Record #/Type3679 / Warning

    Event Submitted/Written: 10/22/2007 07:34:43 PM

    Event ID/Source: 32068 / Microsoft Fax

    Event Description:

    The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.

    Country/region code: '*'

    Area code: '*'

    -- Security Event Log ----------------------------------------------------------

    No Errors/Warnings found.

    -- System Event Log ------------------------------------------------------------

    Event Record #/Type28308 / Error

    Event Submitted/Written: 10/22/2007 07:39:02 PM

    Event ID/Source: 7034 / Service Control Manager

    Event Description:

    The WebClient service terminated unexpectedly. It has done this 1 time(s).

    Event Record #/Type28307 / Error

    Event Submitted/Written: 10/22/2007 07:39:02 PM

    Event ID/Source: 7031 / Service Control Manager

    Event Description:

    The Universal Plug and Play Device Host service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

    Event Record #/Type28306 / Error

    Event Submitted/Written: 10/22/2007 07:39:02 PM

    Event ID/Source: 7034 / Service Control Manager

    Event Description:

    The SSDP Discovery Service service terminated unexpectedly. It has done this 1 time(s).

    Event Record #/Type28305 / Error

    Event Submitted/Written: 10/22/2007 07:39:02 PM

    Event ID/Source: 7034 / Service Control Manager

    Event Description:

    The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).

    Event Record #/Type28287 / Error

    Event Submitted/Written: 10/22/2007 07:38:57 PM

    Event ID/Source: 7034 / Service Control Manager

    Event Description:

    The DNS Client service terminated unexpectedly. It has done this 1 time(s).

    -- End of Deckard's System Scanner: finished at 2007-10-22 19:54:50 ------------