0

I installed something that had malware hidden in it. Now it's doing that fake virus alert thing and redirecting my internet clicks to some spam sites. I did a Malwarebytes scan and clean that I think worked, but when I did the SmitFraudFix it was as if the Malwarebytes fix were nullified and the problem came back. So I redid the Malwarebytes scan again and did a HijackThis scan. Here are the scans. Please help. Thanks.


Malwarebytes' Anti-Malware 1.24
Database version: 1026
Windows 5.1.2600 Service Pack 2

08:34:39 PM 9/1/2008
mbam-log-9-1-2008 (20-34-39).txt

Scan type: Quick Scan
Objects scanned: 39777
Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.


______________________


SmitFraudFix scan

SmitFraudFix v2.344

Scan done at 19:04:19.29, Mon 09/01/2008
Run from C:\Documents and Settings\User\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


*I was asked to delete these hosts because there were too many >_<

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Atheros AR8121/AR8113 PCI-E Ethernet Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{58019283-A75E-4A2E-A9F9-56EE9CDAB955}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{58019283-A75E-4A2E-A9F9-56EE9CDAB955}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{58019283-A75E-4A2E-A9F9-56EE9CDAB955}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

_________________________


HijackThis scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:10:04, on 9/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0"
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8794 bytes

_____________________

New Malwarebytes scan and fix

Malwarebytes' Anti-Malware 1.24
Database version: 1026
Windows 5.1.2600 Service Pack 2

08:34:39 PM 9/1/2008
mbam-log-9-1-2008 (20-34-39).txt

Scan type: Quick Scan
Objects scanned: 39777
Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.

0

Just wish to check what we are dealing with here. By the way, those two MBAM logs look identical [time of scan]?
==Please copy the text in the box to Notepad [Format/Word Wrap unchecked] and save it as showkey.bat, with type "all files", to your desktop; double-click it to run, then post the file C:\showkey.txt

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"  /s >>C:\showkey.txt
start C:\showkey.txt
pause
0

Nothing else shows as bad in that log, but you could use HijackThis to remove these [benign] RunOnce keys.... the sys should have removed them at reboot.

O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKCU\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0"
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

And if you still have problems... clean, then scan:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the Recycle Bin. It's neater that way.
Now run CCleaner from the Recycle Bin right-click menu using its default settings [if you set up CCleaner as I suggested, right-clicking the bin icon should give you the Open CCleaner option...].
If you have Firefox, open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
==Please use IE or Firefox to do an online scan at Panda:- http://www.pandasecurity.com/activescan/index/
-First register [otherwise there will be no disinfection, merely detection] with a valid email address for the free online virus scan and follow through.
Unlike Kaspersky, this scan does not require Java.
Please ATTACH to your post the log it produces.

0

The Malwarebytes scans look identical because the first one was the first scan and fix that worked prior to the problem returning after I did the SmitFraudFix. It was as if the SmitFraudFix thing reset it back to before I did the first Malwarebytes fix.

As far as the HijackThis fix: I found the last 3, but I couldn't find that first one that you mentioned. Here is the updated HijackThis log after the fix.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:24, on 9/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.6.0_07\bin\javaw.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0"
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8724 bytes


One note: after this latest infection and trying to fix it, my internet page loading seems to have slowed down quite a bit. Not sure why. It's like it thinks for a while before loading a page. Not sure if it's related.

0

I also checked my download and upload rates and they seem fine. It's just that some pages take soooooo long to load when they shouldn't and have no need to. Pages that I've visited before and had no problems loading. I can understand if some pages have problems loading, but all of them?

0

First MBAM log:
08:34:39 PM 9/1/2008
mbam-log-9-1-2008 (20-34-39).txt - this is its filename.

Second MBAM log:
08:34:39 PM 9/1/2008 - same time of scan!
mbam-log-9-1-2008 (20-34-39).txt - same filename!!!

Anyway, what happened to the rest of my guide in Post#2?
I asked you to delete that hosts file because it was a protection hosts file to prevent those sites loading.
Running Ashampoo, SUPERAntiSpyware, Ad-Aware plus Spybot's TeaTimer concurrently could slow things a little. I am not up to date with Symantec... does that include a "site guard" which checks websites against a blacklist?

0

OK, sorry. Please don't get upset about it. I'm already stressed about it enough as it is.

Malwarebytes' Anti-Malware 1.24
Database version: 1026
Windows 5.1.2600 Service Pack 2

09:04:00 AM 9/1/2008
mbam-log-9-1-2008 (09-04-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 132527
Time elapsed: 53 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.

Malwarebytes' Anti-Malware 1.24
Database version: 1026
Windows 5.1.2600 Service Pack 2

08:34:39 PM 9/1/2008
mbam-log-9-1-2008 (20-34-39).txt

Scan type: Quick Scan
Objects scanned: 39777
Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.

I'm not sure though what you mean by "rest of my guide on post #2". If you mean the showkey.bat, when I ran it it gave me an "unable to find the specified registry key or value", so the text window it opened up was empty. The CCleaner I haven't done the "clean" with yet, as it says it will delete things like logs, including the logs from scans, so I wanted to hold off on that. As for the Panda site, I didn't want to enter any information on here until I know it's clean, because that info might be intercepted. I'm not sure how one deletes a hosts file.

0

Don't want to interfere here, but
roguephoenix, are you rebooting the computer AFTER the mbam scans? If you note, the scan log says

Delete on reboot.

meaning you must reboot the computer for mbam to complete its work on deleting the offending files. You must do this BEFORE running any other program like SmitFraudFix. I don't think that put anything back; I think what happened is you didn't complete the process required with mbam before running the next program.

Plus I see you have not updated Malwarebytes' Anti-Malware, which you should do each and every time you run the program. The current version of the program itself is 1.26 and you are running version 1.24, and the database you are showing is 1026; the version available when you ran your first scans was 1101 and today's update brings it up to 1104.
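As an added illustration of the point just made (this is not code from the thread or from Malwarebytes): a small Python parser for the MBAM 1.x log format posted above that lists the detections still marked "Delete on reboot", i.e. the ones that are only gone once the machine has been restarted. The sample log is constructed from the format shown in the thread, and the function names are my own.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM 1.x) text log and report which
detections are only scheduled for removal ("Delete on reboot") rather than
already removed. Added example, not part of the thread or of MBAM itself;
the sample log below is constructed from the format shown in the thread."""
import re

# Constructed sample in the MBAM 1.x log layout seen in the thread.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.24
Database version: 1026
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 39777

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\\WINDOWS\\system32\\drivers\\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
"""

# One detection line: "<path> (<threat name>) -> <action>."
DETECTION = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# Section headings such as "Files Infected:" (the summary lines above them
# end in a number, not a colon, so they are treated as header fields).
SECTION = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")


def parse_mbam_log(text):
    """Return (header, detections). header maps fields such as
    'Database version' to strings; detections is a list of dicts with
    section/path/threat/action keys."""
    header, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None:
            if ": " in line:
                key, _, value = line.partition(": ")
                header[key] = value
            continue
        m = DETECTION.match(line)
        if m:
            detections.append(dict(section=section, **m.groupdict()))
    return header, detections


def pending_reboot(detections):
    """Paths MBAM could not remove in place; they are gone only after a reboot."""
    return [d["path"] for d in detections
            if d["action"].lower().startswith("delete on reboot")]


def report(text):
    """Human-readable summary: how many detections, and which still need a reboot."""
    header, detections = parse_mbam_log(text)
    pending = pending_reboot(detections)
    lines = [f"MBAM database {header.get('Database version', '?')}, "
             f"{len(detections)} detection(s), {len(pending)} pending reboot"]
    for path in pending:
        lines.append(f"  reboot required before running other tools: {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real mbam-log-*.txt by reading the file into `report()`; a non-empty pending list means the cleanup is not finished until the next restart, which is the situation jholland1964 describes.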

0

Any help is good help. The more people pitching in the better.

Yes, I reboot the computer just as the program wants. It's not like I have much of a choice. Once you hit OK it will reboot it. One doesn't go through all that process and just hit cancel, I would hope. >_<

I will update my Malwarebytes ASAP. Still, it wouldn't explain why accessing web pages is such a chore for the web browser. It will either not load the page or take 10 times longer than it usually does, even though my connection speed, as the speed tests indicated, is at optimum.

0

I am not upset at all, rogue, not even exasperated, stuff just goes along, and we get there. That lil reg file I got you to run was to show me the contents of the key that MBAM was dealing with, and it coming up empty was just what I wanted to hear. tdss employs a rootkit, but once you know they are there they are easy to deal with; MBAM looks for it as part of its blacklist of files, finds it and then can delete it [on reboot... :)]. Unless they have unknown supporting files which can recreate the deleted files they are gone.
And thanks, judy, for popping in..... one of the problems with folks running scans themselves [not being pompous here, they are quite at liberty to do so] is that you tend to assume that they just dld it, fully updated it etc. I didn't know the current MBAM version or update number, not having requested its use for a couple of months or more.. .
Anyway, I did not really believe that tdss had reoccurred, and I did not have the log from the second run to check, so... thanks.
Slow dl of some webpages.... that can depend upon a few things, like your ISP's load, that of the net in general [it is getting clogged by folks swapping files, mainly stupid OffYouFace videos, and how busy the servers holding that page are. Try pinging a few sites that you know are far away. Daniweb drives me nuts with its slow dl of pages from time to time; when you are helping in various threads the dl of the same ad images every time you refresh pages is almost too much. I note that some [tech] sites dl the ads, pause for a while, then dl the post content. I hope that is not deliberate.
If your sys does have lingering ills then the clean and scan I recommended in post#3 will identify them for us. It is a very good online scan.

0

ok. i'm not sure what my next step is besides going for an update on malwarebytes. would that explain web pages loading super slow or not at all? i'm not home currently so i can't update and rescan just yet.

just want to know what my next step is. i still don't know what you mean by deleting host file.

0

Ah, no.. I did not intend for you to delete your actual hosts file, I just noted that in a log you had put a note mentioning that I had requested you to delete the list of hosts file entries - it was a VERY long list, a blacklist. Your hosts file is one created by an anti-spyware app, and is okay - what it does is reflect any attempt to contact any of those sites back into your machine, i.e. to 127.0.0.1
I use Spywareblaster which employs a different method - it creates its blacklists in registry.
PS.. I edited my last post on page 1.

0
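The distinction made in the reply above, between a blacklist an anti-spyware app writes into the hosts file and a hosts file a hijacker has tampered with, can be checked mechanically. The following is an added example, not code from the thread or from Spybot or SpywareBlaster; the sample hosts text and the PROTECTED list of domains are constructed for the example and are assumptions, not the poster's file.

```python
r"""Tell an anti-spyware blocklist in the hosts file apart from a hijack.

Added example; not from the thread or from any of the tools named in it.
A blocklist written by an anti-spyware app points known ad and malware
hostnames at 127.0.0.1 (or 0.0.0.0), so the connection dies on the local
machine. Malware does the reverse: it pins the sites you need (AV vendors,
update servers, search engines) to loopback or to an address it controls.
The sample hosts text and the PROTECTED list are constructed for the
example and are not the poster's file.
"""
import ipaddress
from typing import Dict, List, Tuple

Entry = Tuple[int, str, str]   # (line number, address, hostname)

# Constructed sample; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by an anti-spyware blocklist
127.0.0.1  www.doubleclick.net
127.0.0.1  ad.yieldmanager.com
0.0.0.0    atdmt.com   # some lists use the unspecified address instead
# End of entries
203.0.113.45   www.google.com
203.0.113.45   liveupdate.symantecliveupdate.com
127.0.0.1      www.malwarebytes.org
"""

# Assumed list of domains nobody should be overriding locally.
PROTECTED = ("google.com", "symantec.com", "symantecliveupdate.com",
             "malwarebytes.org", "microsoft.com", "windowsupdate.com")


def parse_hosts(text: str) -> List[Entry]:
    """Parse hosts-file text: strip comments, keep (lineno, ip, name) per name."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                     # malformed line; not a mapping
        for name in fields[1:]:
            entries.append((lineno, str(addr), name.lower()))
    return entries


def _is_protected(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in PROTECTED)


def classify(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Bucket entries: 'blocklist' (sinkholed names), 'hijack' (a protected
    domain overridden at all, whether sinkholed or sent elsewhere), and
    'redirect' (any other name sent to a real address)."""
    out: Dict[str, List[Entry]] = {"blocklist": [], "hijack": [], "redirect": []}
    for lineno, addr, name in entries:
        if name in ("localhost", "localhost.localdomain"):
            continue
        ip = ipaddress.ip_address(addr)
        sinkholed = ip.is_loopback or ip.is_unspecified
        if _is_protected(name):
            out["hijack"].append((lineno, addr, name))
        elif sinkholed:
            out["blocklist"].append((lineno, addr, name))
        else:
            out["redirect"].append((lineno, addr, name))
    return out


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for bucket, items in classify(parse_hosts(text)).items():
        for lineno, addr, name in items:
            print(f"{bucket:9} line {lineno:3}: {addr} -> {name}")
```

On Windows XP the file to pass in is C:\WINDOWS\system32\drivers\etc\hosts. Hundreds of "blocklist" lines are what an anti-spyware app leaves behind and are harmless; any "hijack" or "redirect" line is the thing to investigate, since a vendor's update or search site pointed at loopback or at an outside address is exactly what a hijacker does.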

Slow dl of some webpages.... that can depend upon a few things, like your ISP's load, that of the net in general [it is getting clogged by folks swapping files, mainly stupid OffYouFace videos, and how busy the servers holding that page are. Try pinging a few sites that you know are far away. Daniweb drives me nuts with its slow dl of pages from time to time; when you are helping in various threads the dl of the same ad images every time you refresh pages is almost too much. I note that some [tech] sites dl the ads, pause for a while, then dl the post content. I hope that is not deliberate.
If your sys does have lingering ills then the clean and scan I recommended in post#3 will identify them for us. It is a very good online scan.

well as i previously posted, all sites download slow or not at all even sites that i visit daily or frequently. my isp speed is at optimum. i'm having no problems downloading torrents. it's just the web sites that are slow to download or not at all. i mean i can understand some pages not loading or slow, but all the ones that i've tried? i've not encountered any problem like this before. even when my isp was having trouble and downloads and uploads were ground down to only a few kb i still had pages loading much faster. the only other time i had a problem accessing pages was when i previously had a virus infection such as this.

so i should proceed with CCleaner and erase all it says? and go ahead with registering for panda? just let me know. i'll do them when i get home and post results.

0

Yep, the default settings in the CCleaner tab are useful and safe, there is no need at this point to clean your registry. I just don't wish to see hundreds of your cookies as found by the Pandascan.

0

Just noticed two things in your HJT logs which also can interfere with attempted fixes by various programs, and the key one is you are using Spybot Search & Destroy TeaTimer. TeaTimer detects when something wants to change some critical registry keys, which the Malwarebytes' Anti-Malware and SmitFraudFix programs will do, but TeaTimer might not allow this, so the fix sometimes won't happen even if it shows it did.
To turn off TeaTimer open Spybot. At the top Click on Mode and choose Advanced Mode.
Then on the bottom left you should see three choices; Settings, Tools, Info & License.
Click on Tools. When that opens on the left side Click on Resident (the little icon looks like a shield) When that opens you will see two items, Resident SD Helper and Resident TeaTimer. Take the checkmark OUT of TeaTimer. Close the program. Don't turn TeaTimer back on when all this is done either, leave it off.

The other thing running which CAN slow the computer is this: Ad-Aware 2007 (even the free version) installs itself as a "service" called aawservice.exe. This service loads with Windows and is on the system all the time whether or not Ad-Aware is being used to scan the computer. It also accounts for a huge amount of RAM being used when it is loaded.
Frankly this newer version of AdAware is nowhere near the program AdAwareSE was, and this added "service" is one of the reasons. My advice: uninstall the program. Stick with Spybot and Malwarebytes' Anti-Malware for scanning...as long as you keep both programs updated.
I also notice you are using Peerguardian 2, are you absolutely certain it is not blocking sites you do not want it to block?
You say;

accessing web pages is such a chore for the web browser. it will either not load the page or take 10times longer

On their web page they say the following;

This occurs because of the way PeerGuardian blocks packets, not connections. A work around is being developed

Now honestly I know nothing of file sharing, except it can be dangerous, and know only what I am reading right now about PeerGuardian, but this possibly could be part of the cause of your slow downs. For one thing PeerGuardian 2 is still a beta program, meaning it is still in TESTING; it is not the final product, as you see by their statement above...A work around is still being developed for slow downs...use your own judgement but I avoid beta versions of programs.

0

I find Teatimer an interesting concept, Judy. If we can turn it off via a menu selection then surely any bit of script can do it also? Hijackthis and others of that ilk should be able to overcome it.. imo. Time was when it could not.... I may give it a test run.

0

here is the updated malwarebytes scan log

Malwarebytes' Anti-Malware 1.26
Database version: 1103
Windows 5.1.2600 Service Pack 2

9/2/2008 09:40:43 PM
mbam-log-2008-09-02 (21-40-43).txt

Scan type: Full Scan (C:\|)
Objects scanned: 130370
Time elapsed: 1 hour(s), 4 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page\Start Page (Hijack.Homepage) -> Bad: (http://lookanddiscover.com/) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\VIE409.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\VIE40A.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\MSA\msa0.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MSA\msa1.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.

__________________________


now here is the panda scan log

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-09-02 23:29:28
PROTECTIONS: 2
MALWARE: 36
SUSPECTS: 7
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Norton Antivirus Internet Security 2007 No Yes
Norton 360 7.2.2.3 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.trafficmp.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.casalemedia.com/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.atdmt.com/]
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\User\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\User\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\User\Desktop\SmitfraudFix.exe[C:\Documents and Settings\User\Desktop\SmitfraudFix.exe][SmitfraudFix\Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{9C1DA9AF-0670-4CC7-8C67-C265A71A70B8}\RP25\A0003485.exe
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.tradedoubler.com/]
00145433 Cookie/Mammamediasolutions TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.targetnet.com/]
00145433 Cookie/Mammamediasolutions TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.targetnet.com/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.fastclick.net/]
00145466 Cookie/Advertising TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[servedby.advertising.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.mediaplex.com/]
00149064 Cookie/Maxserving TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.maxserving.com/]
00149064 Cookie/Maxserving TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.maxserving.com/]
00167647 Cookie/Yadro TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.yadro.ru/]
00167647 Cookie/Yadro TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.yadro.ru/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.statcounter.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.ad.yieldmanager.com/]
00168101 Cookie/Falkag TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.as-us.falkag.net/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.advertising.com/]
00170540 Cookie/Com.com TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[de.uol.com.br/]
00170549 Cookie/FortuneCity TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.fortunecity.com/]
00170549 Cookie/FortuneCity TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.fortunecity.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.overture.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.overture.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.realmedia.com/]
00170557 Cookie/Com.com TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\drj6djku.slt\cookies.txt[.terra.com.br/]
00170559 Cookie/Com.com TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.uol.com.br/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.zedo.com/]
00199983 Cookie/Valueclick TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.valueclick.com/]
00199983 Cookie/Valueclick TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.valueclick.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No E:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\93ibmvu6.default\cookies.txt[.atwola.com/]
00519333 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\User\Desktop\VirtumundoBeGone.exe
01017021 Generic Trojan Virus/Trojan No 0 Yes No E:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP993\A0323615.exe
01692679 Bck/Hupigon.AZG Virus/Trojan No 1 Yes No E:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP993\A0323877.exe
02215969 Adware/SaveNow Adware No 0 Yes No E:\Program Files\Crystal Player\Crystal.exe
02517863 Adware/SaveNow Adware No 0 Yes No E:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP993\A0323501.exe
03009106 W32/Xor-encoded.A Virus No 0 Yes No E:\Program Files\Ashampoo\Ashampoo AntiSpyWare\Quarantine\d2d0dac7cf4b24b4234c7922e16038be.a2q[Documents and Settings/Owner/Local Settings/Temp/!update.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes No E:\Program Files\Ashampoo\Ashampoo AntiSpyWare\Quarantine\e8365d8308088e63b6d9bd9858fea200.a2q[WINDOWS/NDNuninstall7_14.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes No E:\Program Files\Ashampoo\Ashampoo AntiSpyWare\Quarantine\e5b63c7432ec6a692c5fa1961ab7f5fb.a2q[WINDOWS/poolsv.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes No E:\Program Files\Ashampoo\Ashampoo AntiSpyWare\Quarantine\a76dd8963246709c13f2a797687f5cae.a2q[WINDOWS/system32/hxmxpxms.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes No E:\Program Files\Ashampoo\Ashampoo AntiSpyWare\Quarantine\202abb749f9975efe52e21751e2c3d48.a2q[Documents and Settings/Owner/Desktop/Installers/qqvideo93.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes No E:\Program Files\Ashampoo\Ashampoo AntiSpyWare\Quarantine\2ed7f299efac0d33e3a65fab997227e6.a2q[Documents and Settings/Owner/Local Settings/Temporary Internet Files/Content.IE5/OT6OOKM0/!update-4395[1].0000]
03009106 W32/Xor-encoded.A Virus No 0 Yes No E:\Program Files\Ashampoo\Ashampoo AntiSpyWare\Quarantine\3303458dcabc08967f47a25c3b587c7d.a2q[WINDOWS/system32/G3/wr620.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes No E:\Program Files\Ashampoo\Ashampoo AntiSpyWare\Quarantine\4d7ffc85b5838a7d7b4a5a30c78680f5.a2q[Program Files/mIRC/mirc.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes No E:\Program Files\Ashampoo\Ashampoo AntiSpyWare\Quarantine\4dc45a56ec82cedd5f885a24c21636a9.a2q[WINDOWS/system32/~fdgar.tmp]
03009106 W32/Xor-encoded.A Virus No 0 Yes No E:\Program Files\Ashampoo\Ashampoo AntiSpyWare\Quarantine\6cfab15a0f055ebfd83c009603fd7ace.a2q[WINDOWS/system32/~isdpt.tmp]
03009106 W32/Xor-encoded.A Virus No 0 Yes No E:\Program Files\Ashampoo\Ashampoo AntiSpyWare\Quarantine\879cabb3703679a1128c57ddfe3283ec.a2q[Torrents/Free Call v1.1/FreeCall.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes No E:\Program Files\Ashampoo\Ashampoo AntiSpyWare\Quarantine\87afbb2708f639c28c278ec0f8c7e5b0.a2q[Program Files/Corel(R) Painter(TM) IX TBYB/Setup.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes No E:\Program Files\Ashampoo\Ashampoo AntiSpyWare\Quarantine\9abcd867a312c2598c2aaf8180dcf06b.a2q[WINDOWS/dls0523pmw.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes No E:\Program Files\Ashampoo\Ashampoo AntiSpyWare\Quarantine\c5b554080829b36b6316e205928aaabe.a2q[WINDOWS/system32/odbvgie.dll]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No E:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP993\A0323469.exe
03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\Documents and Settings\User\Desktop\SmitfraudFix.exe
03527319 Adware/RogueAntimalware2008 Adware No 0 No No C:\System Volume Information\_restore{9C1DA9AF-0670-4CC7-8C67-C265A71A70B8}\RP25\A0002453.rbf[C:\System Volume Information\_restore{9C1DA9AF-0670-4CC7-8C67-C265A71A70B8}\RP25\A0002453.rbf][s_kill.exe]
03541233 HackTool/Rebooter HackTools No 0 Yes No C:\Documents and Settings\User\Desktop\SmitfraudFix.zip[SmitfraudFix/Reboot.exe]
03541233 HackTool/Rebooter HackTools No 0 No No C:\Documents and Settings\User\Desktop\SmitfraudFix.exe[C:\Documents and Settings\User\Desktop\SmitfraudFix.exe][SmitfraudFix\Reboot.exe]
03541233 HackTool/Rebooter HackTools No 0 Yes No C:\System Volume Information\_restore{9C1DA9AF-0670-4CC7-8C67-C265A71A70B8}\RP25\A0003486.exe
03541233 HackTool/Rebooter HackTools No 0 Yes No C:\System Volume Information\_restore{9C1DA9AF-0670-4CC7-8C67-C265A71A70B8}\RP25\A0003447.exe
03541233 HackTool/Rebooter HackTools No 0 Yes No C:\Documents and Settings\User\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe
03571102 Adware/RogueAntimalware2008 Adware No 0 Yes No C:\WINDOWS\system32\pthreadVC2.dll
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\Documents and Settings\User\My Documents\Azureus Downloads\Clone DVD + AnyDVD + Crack + Serial\AnyDVD\SetupAnyDVD2004.exe
No C:\Documents and Settings\User\My Documents\Azureus Downloads\Clone DVD + AnyDVD + Crack + Serial\Clone DVD\AnyDVD v2.0.0.4.rar[SetupAnyDVD2004.exe]
No E:\Program Files\Games\Virtual Villagers\VirtualVillagers.exe
No E:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP993\A0323490.exe[E:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP993\A0323490.exe][data1.cab][airc.exe]
No E:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP993\A0323617.exe
No E:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP993\A0323852.exe
No E:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP993\A0323873.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
184380 MEDIUM MS08-002
184379 MEDIUM MS08-001
182048 HIGH MS07-069
182046 HIGH MS07-067
182043 HIGH MS07-064
179553 HIGH MS07-061
176382 HIGH MS07-057
176383 HIGH MS07-058
170911 HIGH MS07-050
170907 HIGH MS07-046
170906 HIGH MS07-045
170904 HIGH MS07-043
164915 HIGH MS07-035
164913 HIGH MS07-033
164911 HIGH MS07-031
160623 HIGH MS07-027
157262 HIGH MS07-022
157261 HIGH MS07-021
157260 HIGH MS07-020
157259 HIGH MS07-019
156477 HIGH MS07-017
150253 HIGH MS07-016
150249 HIGH MS07-013
150248 HIGH MS07-012
150247 HIGH MS07-011
150243 HIGH MS07-008
150242 HIGH MS07-007
150241 MEDIUM MS07-006
141034 HIGH MS06-076
141033 MEDIUM MS06-075
141030 HIGH MS06-072
137571 HIGH MS06-070
137568 HIGH MS06-067
133387 MEDIUM MS06-065
133386 MEDIUM MS06-064
133385 MEDIUM MS06-063
133379 HIGH MS06-057
131654 HIGH MS06-055
129977 MEDIUM MS06-053
129976 MEDIUM MS06-052
126093 HIGH MS06-051
126092 MEDIUM MS06-050
126087 HIGH MS06-046
126086 MEDIUM MS06-045
126083 HIGH MS06-042
126082 HIGH MS06-041
126081 HIGH MS06-040
123421 HIGH MS06-036
123420 HIGH MS06-035
120825 MEDIUM MS06-032
120823 MEDIUM MS06-030
120818 HIGH MS06-025
120815 HIGH MS06-022
120814 HIGH MS06-021
117384 MEDIUM MS06-018
114666 HIGH MS06-015
114664 HIGH MS06-013
108744 MEDIUM MS06-008
108743 MEDIUM MS06-007
108742 MEDIUM MS06-006
104567 HIGH MS06-002
104237 HIGH MS06-001
96574 HIGH MS05-053
93395 HIGH MS05-051
93394 HIGH MS05-050
93454 MEDIUM MS05-049
;===================================================================================================================================================================================

_________________________________

here is the new hijack scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:00, on 9/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.6.0_07\bin\javaw.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0"
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8708 bytes


i also did the ccleaner thing. my internet is still the same. pages not loading or slow to load even though i've visited them often or daily prior without any problems. my internet connection is working optimally. so what's wrong? what's my next step?

0

hi. i've recently been infected with some malware but got that resolved i think. however, ever since, my web browsing hasn't been the same. i can't seem to get web pages to load as they used to. they would either take very very very long to load or not at all. these are sites that i visit on a daily basis but ever since sunday night i've not been able to get any page to load completely or at least fast.

i've checked my internet connection and it's working at optimum speed. i'm downloading tv show torrents that are downloading fine. and before you say that these torrents are interfering with web browsing, i've tried it with downloads going and not going and still the same. it shouldn't even be a problem as i used to be able to browse rather quickly even though downloads are going.

these are for all web pages, so i've thoroughly tested the problem on various web pages with various locations, distance, content, complexity, etc.

please help. i'm desperate to get my machine working the way it used to or supposed to. thanks.

here is my latest hijack scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:00, on 9/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.6.0_07\bin\javaw.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0"
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8708 bytes

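A responder reading a HijackThis log like the one above usually starts with a few structural checks: O4 Run values with no value name (like the Ashampoo entry), startup commands that are bare file names or live outside Program Files / Windows, O23 services listed as "Unknown owner", unnamed BHOs, and any proxy setting under R0/R1. The script below is an added example (not HijackThis's own code, and not from this thread) that applies those checks to a small constructed sample in the v2.0.2 log format; the `Updater` line pointing into a Temp folder is a made-up entry included only to show the per-user-folder check firing.

```python
import re

# Constructed sample in HijackThis v2.0.2 log format, modelled on the entry
# types posted in this thread. The "Updater" line is invented for the demo.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\User\Local Settings\Temp\upd.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
SVC_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
TRUSTED_ROOTS = (r"c:\program files", r"c:\progra~1", r"c:\windows")


def exe_path(cmd):
    """Return the image part of an O4 command: quotes stripped, %systemroot% expanded."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:cmd.find('"', 1)]
    else:
        # Unquoted: take everything up to the first .exe/.dll-style extension,
        # else the first whitespace-separated token (e.g. dumprep has no extension).
        m = re.match(r"^(.*?\.(?:exe|dll|cpl|scr))\b", cmd, re.IGNORECASE)
        exe = m.group(1) if m else cmd.split()[0]
    return re.sub(r"%systemroot%", r"C:\\WINDOWS", exe, flags=re.IGNORECASE)


def location_note(exe):
    """Why the image location deserves a look, or None if it is unremarkable."""
    if "\\" not in exe:
        return "bare file name, resolved through PATH at logon"
    low = exe.lower()
    if "\\temp\\" in low or "\\local settings\\" in low:
        return "runs from a temporary or per-user folder"
    if not low.startswith(TRUSTED_ROOTS):
        return "runs from outside Program Files / Windows"
    return None


def triage(log_text):
    """Walk a HijackThis log; return (severity, section, note, line) for entries to check first."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4" and (r := RUN_RE.match(body)):
            if r.group("name") is None:
                findings.append(("medium", sec, "Run value has no name (no [name] shown)", raw))
            note = location_note(exe_path(r.group("cmd")))
            if note:
                sev = "low" if note.startswith("bare") else "high"
                findings.append((sev, sec, note, raw))
        elif sec == "O23" and (s := SVC_RE.match(body)):
            if s.group("owner").lower() == "unknown owner":
                findings.append(("low", sec, "service binary has no company info", raw))
        elif sec == "O2" and (b := BHO_RE.match(body)):
            if b.group("name") == "(no name)":
                findings.append(("low", sec, "BHO has no display name; verify its file", raw))
        elif sec in ("R0", "R1") and "Proxy" in body:
            findings.append(("info", sec, "proxy setting present; confirm it is yours", raw))
    return findings


if __name__ == "__main__":
    for sev, sec, note, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {sec}: {note}\n         {line}")
```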
0

Heya, ya rogue....
Where CCleaner refers to cleaning logs it really means files of the type .log such as an installer or scanner might make to detail its progress and results of its operations - you only need to keep those if you wish to research why a pgm installation stuck repeatedly. Logs from the tools we run are generally filed as type .txt, and CCleaner will not touch those by default.
Panda is a reputable company with good scanners; they will only use your email to verify that you are not an organisation or scammer feeding off their goodwill, and to send you promotional stuff, but only if you indicate that you would be willing to receive such stuff.
Be brave.... I would not recommend them if I did not trust them.
Right, the latest MBAM log: I see you picked up another pest, but a benign one.
The Panda log... if you glance at it you will see why I asked you to run CCleaner first.... all those cookies. If you visited porn sites the world would now know it...
About 1/4 of the way down we come to the meat. And you are loaded.
A bit of preaching re cracks and keygens... we all know they are out there, but if you wish to use them you really must take the time to find out the groups who make CLEAN ones. Some do, it is their bit of sport, and when they make a kill they like to show it off. But if I was a software writer n got a bit annoyed by cracks on my gear I would put out my own, n they would teach folk who used them a bitter lesson. And that goes on, believe me.
Anyway, bad cracks etc with trojans on board are just going to keep calling in the pests. So we must get rid of them otherwise you cannot be cleaned.
==Please empty Ashampoo's Quarantine bin.
==You must clear all your system restore points because some have been infected.... you do this by toggling System Restore Off then On again. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!
[[the quick way to System Restore is Start > run, paste: %systemroot%\system32\restore\rstrui.exe -and OK]]
==Delete Virtumundobegone.exe
==Uninstall Crystal Player.
==Remove Smitfraudfix.
--These two files may be doing you in... did you run the cracks? If they are infected your host app will be a beacon for adware or worse. I notice that you did once have a backdoor trojan.
C:\Documents and Settings\User\My Documents\Azureus Downloads\Clone DVD .......SetupAnyDVD2004.exe
No C:\Documents and Settings\User\My Documents\Azureus Downloads\Clone DVD .... VD v2.0.0.4.rar[SetupAnyDVD2004.exe]
==Finally, please go to M$ Updates and do the job!! Anyone who does not update their sys with security updates deserves to be .... well, you may as well wave a red flag on the web.
You have near on 100 missing!
Oh yeah... and see if you can survive out there with only one active antispyware app. I went for ages with none, only have one now cos it is incorporated with my Avast AV. You can still run on-demand scans...

0

roguephoenix, did you read any of my last post? You still show TeaTimer running, this IS a known issue when trying to clean the computer because Teatimer interferes with anything (even a cleaner program) that is trying to modify the registry, and the recommendations are to turn it off. Many cleaner programs advise that all anti-spy and anti-virus programs be turned off when using that particular program and then turn them back on after that program has done its job. This really isn't an unusual request. Many of these infections are configured so that they are NOT picked up by specific programs, especially those which are set up to remove them, and "hiding behind" an anti-spy program is not unusual.
I also commented on Peerguardian 2. On numerous websites were complaints about its blocking of various web sites that it previously did not block, it doesn't interfere with connection speed. This program uses preconfigured block lists but lists can also be configured manually. You need to check those lists.

I know Malwarebytes' did pick up something else and because of this my feeling is it is better to be safe than sorry and run one more program to be sure everything is gone.
Since you have narrowed down your time frame to Sunday night, let's try combofix
Please pay CLOSE attention to the instructions and FOLLOW THEM TO THE LETTER.

The first thing you should do is print out this guide as we will close all the open windows and programs, including your web browser, before starting the ComboFix program.
Download ComboFix. You will get a prompt asking if you want to run or save the file. Choose SAVE and save it to the desktop. DO NOT RUN it YET.

We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
and I would say ALSO DISABLE Peerguardian2

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
Windows may issue a prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix is now preparing to run, and when it has finished you will see the Disclaimer screen; you should press the number 1 key and then press the Enter key to continue.
ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry.
Once the Windows Registry has finished being backed up, ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt.
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically.
You should now post this log here when all is complete.
