1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Homepage is hijacked with spyware ad

Discussion in 'Malware and Virus Removal Archive' started by Bucksone, 2006/05/04.

  1. 2006/05/04
    Bucksone

    Bucksone Well-Known Member Thread Starter

    Joined:
    2003/07/28
    Messages:
    507
    Likes Received:
    2
    I have a flashing yellow triangle with an exclamation point in it that is on my taskbar. A message pops up that says System Alert: spyware detected. It wants me to click on it to solve all of my problems. I also get a box that says Critical System Error that wants me to use its programs to save my computer. My homepage has been hijacked to some page that has the address of www.securityuptodate.com. Obviously they want me to use their products to solve the problems they created. I know better than to do that, but I need help to solve this. I've run Adaware, Spybot, and my antivirus software. I ran Hijack This and the log from that is below. Thanks in advance for any assistance.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:58:40 PM, on 5/4/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\dcomcfg.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    C:\WINNT\system32\rundll32.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\WINNT\system32\slserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\system32\atmclk.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINNT\system32\hp7BB7.tmp
    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe "
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (HKCU)
    O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.205/Java/cfs31229.cab
    O16 - DPF: RaptisoftGameLoader - http://real.gamehouse.com/games/raptisoft/raptisoftgameloader.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://www.shockwave.com/content/trijinx/TriJinx.1.0.0.55.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://web-student-3.udayton.edu/iNotes6W.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {4FA3D392-9349-4D85-8FB9-18733534CFE3} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader/gdownloader.ocx
    O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - https://www.webiqonline.com/WebIQ/bin/WebIQ.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control Object) - http://admission.udayton.edu//VirTour/svideo.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://real.gamehouse.com/games/chainz2/mjolauncher.cab
    O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.shockwave.com/content/tumblebugs/axhost.cab
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1...taller_activex_en_4.60.38.0_MEGAPANEL_USA.cab
    O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/static/weblaunch/weblaunch.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/honeycombs/install.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://real.gamehouse.com/games/bewitched/launcher.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinematycoon/cinematycoon.cab
    O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
    O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://www.playfirst.com/play/game/dinerdash/dinerdash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/popzuma/popcaploader_v7.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINNT\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
    O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
     
    Bucksone,
    #1
  2. 2006/05/04
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    This is the problem entry in your HJT log, but simply fixing it will not work - it will return ....

    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINNT\system32\hp7BB7.tmp

    Download and run the trial version of Ewido. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu ". Run Ewido and post the log here.

    Then download SmitfraudFix and extract to a folder named SmitfraudFix to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd

    Select option #1 - Search by typing 1 and press "Enter "; a text file will appear, which lists infected files (if present).

    Copy and paste the report here.
     
    PeteC,
    #2


  3. to hide this advert.

  4. 2006/05/04
    Bucksone

    Bucksone Well-Known Member Thread Starter

    Joined:
    2003/07/28
    Messages:
    507
    Likes Received:
    2
    I wasn't sure if I was supposed to correct that entry in Hijack This, so I didn't. Below is my log from Ewido. Next I will follow the next bit of instructions regarding Smitfraudfix.

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 5:54:55 PM, 5/4/2006
    + Report-Checksum: 7EEA48D2

    + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{0661D21A-2100-DABE-13F5-4487ADBE235A} -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\Common.Buttons -> Adware.WebSearch : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bargain Buddy -> Adware.BargainBuddy : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Adware.WebSearch : Cleaned with backup
    HKLM\SOFTWARE\PerfectNav -> Adware.KeenValue : Cleaned with backup
    HKU\S-1-5-21-1887652770-1093660630-2868307360-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB} -> Adware.Generic : Cleaned with backup
    [716] C:\WINNT\system32\ld71B5.tmp -> Downloader.Zlob.mr : Cleaned with backup
    C:\Documents and Settings\NetworkService\Application Data\dees.exe -> Adware.PurityScan : Cleaned with backup
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\I59TT9M7\!update-2500[1].0000 -> Downloader.PurityScan.ah : Cleaned with backup
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KZA9SHM7\!update-1800[1].0000 -> Adware.PurityScan : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
    C:\Documents and Settings\Owner\Desktop\DinerDashSetup-dm.exe -> Adware.Trymedia : Cleaned with backup
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Owner\Local Settings\Temp\ICD1.tmp\UWFX5LP_0001_0715NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.e : Cleaned with backup
    C:\Downloads\ApprenticeSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
    C:\Downloads\CakeManiaSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
    C:\Downloads\CakeManiaSetup-dm[2].exe -> Adware.Trymedia : Cleaned with backup
    C:\Downloads\DinerDashSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
    C:\Downloads\hotelsolitaireSCSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
    C:\Downloads\JewelMinerSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
    C:\Downloads\TheApprenticeSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
    C:\HJT\backups\backup-20050427-200058-992.dll -> Adware.WinAD : Cleaned with backup
    C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup
    C:\Program Files\MyPoints_PointAlert\disp800.exe -> Adware.WebRebates : Cleaned with backup
    C:\Program Files\sder\dees.exe -> Downloader.PurityScan.ah : Cleaned with backup
    C:\WINNT\cpbrkpie.ocx -> Adware.Coupons : Cleaned with backup
    C:\WINNT\cxtpls_loader.exe -> Adware.Apropos : Cleaned with backup
    C:\WINNT\Downloaded Program Files\CONFLICT.1\HDPlugin1018.dll -> Adware.Gator : Cleaned with backup
    C:\WINNT\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.ocx -> Adware.MediaTickets : Cleaned with backup
    C:\WINNT\Downloaded Program Files\CONFLICT.12\HDPlugin1015.dll -> Adware.Gator : Cleaned with backup
    C:\WINNT\Downloaded Program Files\CONFLICT.2\HDPlugin1015.dll -> Adware.Gator : Cleaned with backup
    C:\WINNT\Downloaded Program Files\CONFLICT.2\HDPlugin1018.dll -> Adware.Gator : Cleaned with backup
    C:\WINNT\Downloaded Program Files\CONFLICT.24\HDPlugin1015.dll -> Adware.Gator : Cleaned with backup
    C:\WINNT\Downloaded Program Files\CONFLICT.25\HDPlugin1015.dll -> Adware.Gator : Cleaned with backup
    C:\WINNT\Downloaded Program Files\CONFLICT.26\HDPlugin1015.dll -> Adware.Gator : Cleaned with backup
    C:\WINNT\Downloaded Program Files\CONFLICT.28\HDPlugin1015.dll -> Adware.Gator : Cleaned with backup
    C:\WINNT\Downloaded Program Files\CONFLICT.3\HDPlugin1018.dll -> Adware.Gator : Cleaned with backup
    C:\WINNT\Downloaded Program Files\CONFLICT.30\HDPlugin1015.dll -> Adware.Gator : Cleaned with backup
    C:\WINNT\Downloaded Program Files\CONFLICT.31\HDPlugin1015.dll -> Adware.Gator : Cleaned with backup
    C:\WINNT\Downloaded Program Files\CONFLICT.4\HDPlugin1018.dll -> Adware.Gator : Cleaned with backup
    C:\WINNT\Downloaded Program Files\CONFLICT.5\HDPlugin1015.dll -> Adware.Gator : Cleaned with backup
    C:\WINNT\prelimhanse.exe -> Adware.WebHancer : Cleaned with backup
    C:\WINNT\system32\dees.exe -> Adware.PurityScan : Cleaned with backup
    C:\WINNT\system32\ld71B5.tmp -> Downloader.Zlob.mr : Cleaned with backup
    C:\WINNT\Temp\!update.exe -> Downloader.PurityScan.ah : Error during cleaning


    ::Report End
     
    Bucksone,
    #3
  5. 2006/05/04
    Bucksone

    Bucksone Well-Known Member Thread Starter

    Joined:
    2003/07/28
    Messages:
    507
    Likes Received:
    2
    Here is the Smitfraudfix report.

    SmitFraudFix v2.39

    Scan done at 17:59:51.35, Thu 05/04/2006
    Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

    C:\WINNT\system32\atmclk.exe FOUND !
    C:\WINNT\system32\dcomcfg.exe FOUND !
    C:\WINNT\system32\hp????.tmp FOUND !
    C:\WINNT\system32\ot.ico FOUND !
    C:\WINNT\system32\simpole.tlb FOUND !
    C:\WINNT\system32\stdole3.tlb FOUND !
    C:\WINNT\system32\1024\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

    C:\DOCUME~1\Owner\FAVORI~1\Antivirus Test Online.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E} "= "Twain "

    [HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
    @= "C:\WINNT\system32\twain32.dll "

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
    @= "C:\WINNT\system32\twain32.dll "


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
    Bucksone,
    #4
  6. 2006/05/04
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Fine, no problem with not fixing that line, which is what I implied. ....

    You may like to print out these instructions as you will be unable to connect to the Internet to read them while in Safe Mode.

    Boot into Safe Mode and log onto your usual account.

    In Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ? "; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter ".

    The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report here in your next post

    After SmitfraudFix finishes - reboot if required into Safe Mode - and run another full system scan with Ewido

    If Ewido finds anything select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.

    When the scan is finished, click the Save report button at the bottom of the screen.

    Save the report to your desktop and close Ewido.

    Reboot into Normal Mode and post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, and the Ewido report and a new HijackThis log.

    Getting late over here so I'll be logging off in about 30 mins - come back before then if you can, otherwise I'll look at the results in the morning.
     
    PeteC,
    #5
  7. 2006/05/04
    Bucksone

    Bucksone Well-Known Member Thread Starter

    Joined:
    2003/07/28
    Messages:
    507
    Likes Received:
    2
    Sorry it took me so long to reply. That Ewido scan took a while.

    SmitFraudFix v2.39

    Scan done at 18:31:37.42, Thu 05/04/2006
    Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINNT\system32\atmclk.exe Deleted
    C:\WINNT\system32\dcomcfg.exe Deleted
    C:\WINNT\system32\hp????.tmp Deleted
    C:\WINNT\system32\ot.ico Deleted
    C:\WINNT\system32\simpole.tlb Deleted
    C:\WINNT\system32\stdole3.tlb Deleted
    C:\WINNT\system32\1024\ Deleted
    C:\DOCUME~1\Owner\FAVORI~1\Antivirus Test Online.url Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» End


    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 8:59:44 PM, 5/4/2006
    + Report-Checksum: 40E179D4

    + Scan result:

    C:\WINNT\Temp\!update.exe -> Downloader.PurityScan.ah : Error during cleaning


    ::Report End

    Logfile of HijackThis v1.99.1
    Scan saved at 9:18:41 PM, on 5/4/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINNT\system32\rundll32.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINNT\system32\slserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

    http://portal.wowway.net/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    C:\windows\system32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

    http://www.gateway.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator

    5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI

    Multimedia\main\ATIDtct.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control

    Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program

    Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone

    Labs\ZoneAlarm\zlclient.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI

    Multimedia\RemCtrl\ATIRW.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe "
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM

    Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Translate English Word - res://c:\program

    files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program

    files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program

    files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: MyPoints - file://C:\Program

    Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program

    files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program

    files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

    Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no

    file)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -

    C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

    C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger -

    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

    Files\Messenger\msmsgs.exe
    O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} -

    file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (HKCU)
    O16 - DPF: ChatSpace Full Java Client 3.1.0.229 -

    http://64.55.105.205/Java/cfs31229.cab
    O16 - DPF: RaptisoftGameLoader -

    http://real.gamehouse.com/games/raptisoft/raptisoftgameloader.cab
    O16 - DPF: Yahoo! Chat -

    http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software

    AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -

    http://support.gateway.com/support/profiler/PCPitStop.CAB
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) -

    file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage

    Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing)

    - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl

    Object) - http://www.shockwave.com/content/trijinx/TriJinx.1.0.0.55.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) -

    http://web-student-3.udayton.edu/iNotes6W.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -

    http://www.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {4FA3D392-9349-4D85-8FB9-18733534CFE3} (SpyBouncer.SBDownloader) -

    http://www.spybouncer.com/downloader/gdownloader.ocx
    O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) -

    https://www.webiqonline.com/WebIQ/bin/WebIQ.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}

    (TechToolsActivex.TechTools) - file://C:\Program

    Files\gateway\helpspot\TechTools.CAB
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} -

    http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control

    Object) - http://admission.udayton.edu//VirTour/svideo.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) -

    file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

    http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housec

    all/xscan53.cab
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) -

    http://real.gamehouse.com/games/chainz2/mjolauncher.cab
    O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class)

    - http://www.shockwave.com/content/tumblebugs/axhost.cab
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) -

    http://a14.g.akamai.net/f/14/7141/1d/www.nielsennetpanel.com/netmeter4_6/NetM

    eter_preinstaller_activex_en_4.60.38.0_MEGAPANEL_USA.cab
    O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) -

    http://support.gateway.com/eSupport/static/weblaunch/weblaunch.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) -

    http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -

    https://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) -

    http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -

    http://install.wildtangent.com/bgn/partners/shockwave/honeycombs/install.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -

    http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass

    Control) - http://real.gamehouse.com/games/bewitched/launcher.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class)

    -

    http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/I

    nstall3.0/Installer.exe
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -

    http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) -

    http://www.shockwave.com/content/cinematycoon/cinematycoon.cab
    O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object)

    - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
    O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl

    Object) - http://www.playfirst.com/play/game/dinerdash/dinerdash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -

    http://aolsvc.aol.com/onlinegames/popzuma/popcaploader_v7.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -

    http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software

    AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -

    C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. -

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program

    Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common

    Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation -

    C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common

    Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link -

    C:\WINNT\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

    Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program

    Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

    C:\WINNT\system32\ZoneLabs\vsmon.exe
    O23 - Service: X10 Device Network Service (x10nets) - Unknown owner -

    C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


    I hope you're well rested. Thanks for the help so far.
     
    Bucksone,
    #6
  8. 2006/05/05
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Well rested - thank you :)

    Scan again with HJT and place a checkmark against these entries and click Fix Selected.

    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O23 - Service: X10 Device Network Service (x10nets) - Unknown owner -
    C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

    Post a fresh HJT log - your system should then be clean. Have the various messages disappeard ?
     
    PeteC,
    #7
  9. 2006/05/05
    Bucksone

    Bucksone Well-Known Member Thread Starter

    Joined:
    2003/07/28
    Messages:
    507
    Likes Received:
    2
    Things seem to be back to normal with my computer. Thanks for all of the assistance. My HJT log is below.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:34:37 AM, on 5/5/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINNT\system32\rundll32.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINNT\system32\slserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\HJT\HijackThis.exe
    C:\WINNT\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.wowway.net/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe "
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (HKCU)
    O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.205/Java/cfs31229.cab
    O16 - DPF: RaptisoftGameLoader - http://real.gamehouse.com/games/raptisoft/raptisoftgameloader.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://www.shockwave.com/content/trijinx/TriJinx.1.0.0.55.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://web-student-3.udayton.edu/iNotes6W.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {4FA3D392-9349-4D85-8FB9-18733534CFE3} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader/gdownloader.ocx
    O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - https://www.webiqonline.com/WebIQ/bin/WebIQ.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control Object) - http://admission.udayton.edu//VirTour/svideo.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://real.gamehouse.com/games/chainz2/mjolauncher.cab
    O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.shockwave.com/content/tumblebugs/axhost.cab
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1...taller_activex_en_4.60.38.0_MEGAPANEL_USA.cab
    O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/static/weblaunch/weblaunch.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/honeycombs/install.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://real.gamehouse.com/games/bewitched/launcher.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinematycoon/cinematycoon.cab
    O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
    O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://www.playfirst.com/play/game/dinerdash/dinerdash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/popzuma/popcaploader_v7.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINNT\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
    O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
     
    Bucksone,
    #8
  10. 2006/05/05
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    A late Good Morning to you :) You look 'good to go' - to my eye your log is clean.
     
    PeteC,
    #9
  11. 2006/05/05
    Bucksone

    Bucksone Well-Known Member Thread Starter

    Joined:
    2003/07/28
    Messages:
    507
    Likes Received:
    2
    Thanks again.
     
    Bucksone,
    #10

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...