[Fixed] Hijackthis! Logs - Background Problem (Security & Safety forums)

#22
Bronze Member
Join Date: Jul 2007
Posts: 27
Script (once again) does not appear to be valid
Same as before it seems.

#23
Senior Security Analyst
Join Date: Jun 2006
Location: Singapore
Posts: 5,176
PC Experience: PC Guru
That sure sucks.
1) Please download the Killbox instead. Save it to the desktop and run it.
2) Select "Delete on Reboot", and then select "All files".
3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\scchk32.exe
C:\WINDOWS\system32\anArV8xa.exe
c:\windows\system32\ldr67B.tmp

4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If this worked successfully, post a new Panda ActiveScan log.

#24
Bronze Member
Join Date: Jul 2007
Posts: 27
Incident Status Location

#25
Bronze Member
Join Date: Jul 2007
Posts: 27
I'm not sure if the trojan is gone because Spybot detected and deleted it (Activescan didn't detect it at all) but my 'Background' button is still greyed out so I can't change it at all.

#26
Senior Security Analyst
Join Date: Jun 2006
Location: Singapore
Posts: 5,176
PC Experience: PC Guru
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

At the same time, copy all these to a Notepad file:
http://www.kellys-korner-xp.com/regs...aperenable.reg
Save it as wallpaperfix.reg. Then run it, as you did for FixMe.reg the previous time.

Let me know how it all goes, and don't forget to post the rapport.txt!

#27
Bronze Member
Join Date: Jul 2007
Posts: 27
SmitFraudFix v2.206
Scan done at 23:39:13.21, Sat 07/21/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

C:\Documents and Settings\Owner\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2953BD78-28B7-4EE5-8365-44B6B7644B0E}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2953BD78-28B7-4EE5-8365-44B6B7644B0E}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2953BD78-28B7-4EE5-8365-44B6B7644B0E}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
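As an added example, not from the thread and not part of S!Ri's tool: a small Python triage script for the report format above. It splits a SmitfraudFix Search report on its section headers, lists the files the tool marks "FOUND !", and flags two things a helper otherwise checks by eye: non-empty AppInit_DLLs or Winlogon "System" values (load points the tool prints, normally empty on a clean XP machine) and DNS resolvers outside private address space. The embedded report is a constructed sample in that format, with a placeholder DLL path and a documentation-range IP.

```python
# Added triage helper for SmitfraudFix "Search" reports (not part of the thread
# or of S!Ri's tool). Splits on the »»»» section headers, lists "FOUND !" files,
# flags non-empty AppInit_DLLs / Winlogon System values and non-private DNS servers.
import ipaddress
import re

# Constructed sample in the report's format; the DLL path and 203.0.113.7 are placeholders.
SAMPLE_REPORT = r"""SmitFraudFix v2.206
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data
C:\Documents and Settings\Owner\Application Data\Install.dat FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\WINDOWS\system32\constructed_example.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» DNS
DNS Server Search Order: 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 203.0.113.7
»»»»»»»»»»»»»»»»»»»»»»»» End
"""

HEADER = re.compile(r"^»+\s*(.*)$")          # section header line
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')  # .reg-style "name"="data"
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def split_sections(report):
    # Returns [(section_name, [non-empty lines])] in report order.
    sections, name, lines = [], "preamble", []
    for line in (l.strip() for l in report.splitlines()):
        m = HEADER.match(line)
        if m:
            sections.append((name, lines))
            name, lines = m.group(1).strip(), []
        elif line:
            lines.append(line)
    sections.append((name, lines))
    return sections

def parse_registry(lines):
    # Maps each "[KEY]" block to {value name: data}; ignores the tool's notes.
    keys, current = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := REG_VALUE.match(line)):
            keys[current][m.group(1)] = m.group(2)
    return keys

def triage(report):
    # Returns (found_files, flags); flags are human-readable strings, sorted.
    found, flags = [], []
    for name, lines in split_sections(report):
        found += [l[:-len("FOUND !")].strip() for l in lines if l.endswith("FOUND !")]
        if name in ("AppInit_DLLs", "Winlogon.System"):  # normally empty values
            for key, values in parse_registry(lines).items():
                flags += [f"{name}: {key}\\{v} = {d}" for v, d in values.items() if d]
        elif name == "DNS":
            for ip in {ip for l in lines for ip in IPV4.findall(l)}:
                if not any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS):
                    flags.append(f"DNS: resolver {ip} is outside RFC 1918/loopback space")
    return found, sorted(flags)
```

Run `triage(open("rapport.txt", encoding="cp1252").read())` on a real report; the "Desktop Components" keys are not flagged because the tool itself only reports them as candidates.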

#28
Senior Security Analyst
Join Date: Jun 2006
Location: Singapore
Posts: 5,176
PC Experience: PC Guru
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following:

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.